PowerShell in Forensic Investigations

This is meant to be a short post about PowerShell as an aid in forensic investigations. We will not dive into what a proper forensic investigation looks like, we will just assume that somehow we have access to the compromised machine (a Windows Server 2012 R2 VM was used for our tests) -or a copy of it- and will be showcasing some nice features of PowerShell that can be quite useful, and hopefully will help us to discern what happened in the compromised system. This is not meant to be an introduction to PowerShell either, basic knowledge of it is assumed.

When we face a breach in our systems, we want to retrieve as much information as possible to help us build a timeline of the intrusion, and hopefully figure out how the attackers gained access to our system and what parts of it they had access to. For this matter, PowerShell can prove very useful. Windows has integrated it in its newest operating systems, and steadily become Microsoft’s preferred method for managing their core products. For example, the latest versions of Exchange, SharePoint, and even Windows Server 2012 can be managed almost entirely via PowerShell. In fact, many of the GUI management tools Microsoft provides for these applications are simply performing PowerShell operations in the background.

Without further ado, let’s get down to business. A number of PowerShell cmdlets are described below that will help you getting vital information from the compromised system.

Network Information

Powershell provides a complete set of network related cmdlets (https://technet.microsoft.com/en-us/library/hh826123.aspx). Some of them can be really useful for out topic:

– Get-NetTCPConnection: “The Get-NetTCPConnection cmdlet gets current TCP connections. Use this cmdlet to view TCP connection properties such as local or remote IP address, local or remote port, and connection state.”

The following example lists all the established TCP connections in our system:

PS C:\> Get-NetTCPConnection –State Established

 

– Get-NetRoute: “The Get-NetRoute cmdlet gets IP route information from the IP routing table, including destination network prefixes, next hop IP addresses, and route metrics.”

System Processes

– Get-Process: “The Get-Process cmdlet gets the processes on a local or remote computer. By default, Get-Process returns a process object that has detailed information about the process and supports methods that let you start and stop the process. You can also use the parameters of Get-Process to get file version information for the program that runs in the process and to get the modules that the process loaded.”

In the following example, all the active processes are shown:

PS C:\> Get-Process

 

If we wanted to get more detailed information about one of this processes, i.e.: “wlms”, we could do that by just appending the process name to the command, and then passing the data to the Format-List cmdlet, which displays all available properties (*) of the “wlms” process object.

PS C:\> Get-Process wlms | format-list *

Windows Event Logs

– Get-EventLog: “The Get-EventLog cmdlet gets events and event logs on the local and remote computers.”

In the following example we first get a list of all the available event logs by using the “-list” flag:

PS C:\> Get-EventLog -list

 

We can use this list to retrieve the name of the available events and pass them again to “Get-EventLog” and thus get the actual logs:

PS C:\> Get-EventLog -list | %{ Get-EventLog $_.Log}

 

– Get-WinEvent: “The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).”

The use of this cmdlet is very similar to the one showed before, but it also includes event logs generated by the newest versions of Windows. The following command can be used to list the Security,Application and System event logs:

PS C:\> Get-WinEvent -LogName "Security","System","Application"

Users and Groups

– Get-ADuser: “The Get-ADUser cmdlet gets a user object or performs a search to retrieve multiple user objects.”

The following example lists all the available users in the domain:

PS C:\> Get-ADUser -Filter *

 

– Get-ADGroup: “The Get-ADGroup cmdlet gets a group or performs a search to retrieve multiple groups from an Active Directory.”

In the example below we can see how to use this cmdlet to get a list of all the groups in the domain:

PS C:\> Get-ADGroup -Filter *

Combining the previous cmdlets with some PowerShell magic it is possible to get a nice list of AD groups with their members:

PS C:\ > ForEach ($Group in (Get-ADGroup -Filter *)) { Get-ADGroupMember $Group | Select @{Label="Group";Expression={$Group.Name}},Name,SamAccountName }

Start-Up Processes

Another useful thing to remember when carrying out a forensic investigation is to check for strange start-up processes. This can be easily done with the “Get-CIMInstance” and its ability to access CIM instances of a class from a CIM server.
PS C:\ > Get-CimInstance win32_service -Filter "startmode = 'auto'"

Recently Modified Files
Using the “Get-ChildItem” we can retrieve the items and child items in one or more specified locations. By doing so recursively and then applying a filter to the modified date of the file it is possible to get a list of files modified within a certain period of time, for the following example we will use within the last 7 days:
PS C:\ > Get-ChildItem -Recurse C:\ | ? {$_.lastwritetime -gt (Get-Date).AddDays(-7)}

Miscellaneous
PoweShell has a very interesting and relatively new management platform called WinRM. From a PowerShell standpoint, WinRM provides the platform that allows for running PowerShell commands directly on remote machines. WinRM is included by default on Vista and higher, and can be installed on XP and Server 2003 R2. However, the WinRM service is not running by default on workstation platforms (Vista/7/8), though it is started automatically on Server 2008 and 2012. For more information please refer to the official documentation.

Another point to mention is that PowerShell provides multiple cmdlets to export the output of its commands and store them in a convenient way. Some of these cmdlets are:
– “Export-Csv”: https://technet.microsoft.com/en-us/library/ee176825.aspx
– “Export-Clixml”: https://technet.microsoft.com/en-us/library/ee176824.aspx
– “Out-File”: https://technet.microsoft.com/en-us/library/ee176924.aspx

To summarize, PowerShell is a growing and evolving technology that can provide users with very powerful features. In this blog entry we have quickly gone through some useful cmdlets that PowerShell brings and that hopefully will help in our forensic investigations.


Find out how we can help with your cyber challenge

Please enter your contact details using the form below for a free, no obligation, quote and we will get back to you as soon as possible. Alternatively, you can email us directly at [email protected]