
Commit f98a78a

authored
Merge pull request #7 from Bert-JanP/dev-v2
Dev v2
2 parents 6081f87 + e4758c6 commit f98a78a


2 files changed

+143
-17
lines changed


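--- a/DFIR-Script.ps1
+++ b/DFIR-Script.ps1
@@ -1,13 +1,49 @@
+<#
+.DESCRIPTION
+The DFIR Script is a tool to perform incident response via PowerShell on compromised devices with an Windows Operating System (Workstation & Server). The content that the script can collect depends on the permissions of the user that executes the script, if executed with admin privileges more forensic artifacts can be collected.
+
+The collected information is saved in an output directory in the current folder, this is by creating a folder named 'DFIR-_hostname_-_year_-_month_-_date_'. This folder is zipped at the end to enable easy collection.
+
+This script can be integrated with Defender For Endpoint via Live Response sessions (see https://github.com/Bert-JanP/Incident-Response-Powershell).
+
+The script outputs the results as CSV to be imported in SIEM or data analysis tooling, the folder in which those files are located is named 'CSV Results (SIEM Import Data)'.
+
+.EXAMPLE
+Run Script without any parameters
+.\DFIR-Script.ps1
+.EXAMPLE
+Define custom search window, this is done in days. Example below collects the Security Events from the last 10 days.
+.\DFIR-Script.ps1 -sw 10
+
+.LINK
+Integration Defender For Endpoint Live Response:
+https://github.com/Bert-JanP/Incident-Response-Powershell
+
+Individual PowerShell Incident Response Commands:
+https://github.com/Bert-JanP/Incident-Response-Powershell/blob/main/DFIR-Commands.md
+
+.NOTES
+Any additional notes or information about the script or function.
+
+
+#>
+
+param(
+[Parameter(Mandatory=$false)][int]$sw = 2 # Defines the custom search window, this is done in days.
+)
+
+
+$Version = '2.0.0'
 $ASCIIBanner = @"
 _____ _ _ _ _____ ______ _____ _____
 | __ \ | | | | | | | __ \ | ____| |_ _| | __ \
 | |__) | ___ __ __ ___ _ __ ___ | |__ ___ | | | | | | | | | |__ | | | |__) |
 | ___/ / _ \ \ \ /\ / / / _ \ | '__| / __| | '_ \ / _ \ | | | | | | | | | __| | | | _ /
 | | | (_) | \ V V / | __/ | | \__ \ | | | | | __/ | | | | | |__| | | | _| |_ | | \ \
-|_| \___/ \_/\_/ \___| |_| |___/ |_| |_| \___| |_| |_| |_____/ |_| |_____| |_| \_\
+|_| \___/ \_/\_/ \___| |_| |___/ |_| |_| \___| |_| |_| |_____/ |_| |_____| |_| \_\`n
 "@
 Write-Host $ASCIIBanner
-Write-Host "`n"
+Write-Host "Version: $Version"
 Write-Host "By twitter: @BertJanCyber, Github: Bert-JanP"
 Write-Host "===========================================`n"
 
@@ -26,23 +62,33 @@ else {
 Write-Host "Creating output directory..."
 $CurrentPath = $pwd
 $ExecutionTime = $(get-date -f yyyy-MM-dd)
-$FolderCreation = "$CurrentPath\DFIR-$env:computername-$ExecutionTime"
+$FolderCreation = "D:\Github\DFIR-$env:computername-$ExecutionTime"
+#$FolderCreation = "$CurrentPath\..\DFIR-$env:computername-$ExecutionTime"
 mkdir -Force $FolderCreation | Out-Null
 Write-Host "Output directory created: $FolderCreation..."
 
 $currentUsername = (Get-WmiObject Win32_Process -f 'Name="explorer.exe"').GetOwner().User
 $currentUserSid = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object {$_.PSChildName -match 'S-1-5-21-\d+-\d+\-\d+\-\d+$' -and $_.ProfileImagePath -match "\\$currentUsername$"} | ForEach-Object{$_.PSChildName}
 Write-Host "Current user: $currentUsername $currentUserSid"
 
+#CSV Output for import in SIEM
+$CSVOutputFolder = "$FolderCreation\CSV Results (SIEM Import Data)"
+mkdir -Force $CSVOutputFolder | Out-Null
+Write-Host "SIEM Export Output directory created: $CSVOutputFolder..."
+
 function Get-IPInfo {
 Write-Host "Collecting local ip info..."
 $Ipinfoutput = "$FolderCreation\ipinfo.txt"
 Get-NetIPAddress | Out-File -Force -FilePath $Ipinfoutput
+$CSVExportLocation = "$CSVOutputFolder\IPConfiguration.csv"
+Get-NetIPAddress | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 function Get-ShadowCopies {
 Write-Host "Collecting Shadow Copies..."
 $ShadowCopy = "$FolderCreation\ShadowCopies.txt"
 Get-CimInstance Win32_ShadowCopy | Out-File -Force -FilePath $ShadowCopy
+$CSVExportLocation = "$CSVOutputFolder\ShadowCopy.csv"
+Get-CimInstance Win32_ShadowCopy | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 
 function Get-OpenConnections {
@@ -51,6 +97,8 @@ function Get-OpenConnections {
 mkdir -Force $ConnectionFolder | Out-Null
 $Ipinfoutput = "$ConnectionFolder\OpenConnections.txt"
 Get-NetTCPConnection -State Established | Out-File -Force -FilePath $Ipinfoutput
+$CSVExportLocation = "$CSVOutputFolder\OpenTCPConnections.csv"
+Get-NetTCPConnection -State Established | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 
 function Get-AutoRunInfo {
@@ -59,13 +107,17 @@ function Get-AutoRunInfo {
 mkdir -Force $AutoRunFolder | Out-Null
 $RegKeyOutput = "$AutoRunFolder\AutoRunInfo.txt"
 Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User | Format-List | Out-File -Force -FilePath $RegKeyOutput
+$CSVExportLocation = "$CSVOutputFolder\AutoRun.csv"
+Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 
 function Get-InstalledDrivers {
 Write-Host "Collecting Installed Drivers..."
 $AutoRunFolder = "$FolderCreation\Persistence"
 $RegKeyOutput = "$AutoRunFolder\InstalledDrivers.txt"
 driverquery | Out-File -Force -FilePath $RegKeyOutput
+$CSVExportLocation = "$CSVOutputFolder\Drivers.csv"
+(driverquery) -split "\n" -replace '\s\s+', ',' | Out-File -Force $CSVExportLocation -Encoding UTF8
 }
 
 function Get-ActiveUsers {
@@ -74,13 +126,17 @@ function Get-ActiveUsers {
 mkdir -Force $UserFolder | Out-Null
 $ActiveUserOutput = "$UserFolder\ActiveUsers.txt"
 query user /server:$server | Out-File -Force -FilePath $ActiveUserOutput
+$CSVExportLocation = "$CSVOutputFolder\ActiveUsers.csv"
+(query user /server:$server) -split "\n" -replace '\s\s+', ',' | Out-File -Force -FilePath $CSVExportLocation -Encoding UTF8
 }
 
 function Get-LocalUsers {
 Write-Host "Collecting Local users..."
 $UserFolder = "$FolderCreation\UserInformation"
 $ActiveUserOutput = "$UserFolder\LocalUsers.txt"
 Get-LocalUser | Format-Table | Out-File -Force -FilePath $ActiveUserOutput
+$CSVExportLocation = "$CSVOutputFolder\LocalUsers.csv"
+Get-LocalUser | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 
 function Get-ActiveProcesses {
@@ -89,6 +145,7 @@ function Get-ActiveProcesses {
 New-Item -Path $ProcessFolder -ItemType Directory -Force | Out-Null
 $UniqueProcessHashOutput = "$ProcessFolder\UniqueProcessHash.csv"
 $ProcessListOutput = "$ProcessFolder\ProcessList.csv"
+$CSVExportLocation = "$CSVOutputFolder\Processes.csv"
 
 $processes_list = @()
 foreach ($process in (Get-WmiObject Win32_Process | Select-Object Name, ExecutablePath, CommandLine, ParentProcessId, ProcessId))
@@ -108,28 +165,38 @@ function Get-ActiveProcesses {
 }
 
 ($processes_list | Select-Object Proc_Path, Proc_Hash -Unique).GetEnumerator() | Export-Csv -NoTypeInformation -Path $UniqueProcessHashOutput
+($processes_list | Select-Object Proc_Path, Proc_Hash -Unique).GetEnumerator() | Export-Csv -NoTypeInformation -Path $CSVExportLocation
 ($processes_list | Select-Object Proc_Name, Proc_Path, Proc_CommandLine, Proc_ParentProcessId, Proc_ProcessId, Proc_Hash).GetEnumerator() | Export-Csv -NoTypeInformation -Path $ProcessListOutput
+
 }
 
 function Get-SecurityEventCount {
-Write-Host "Collecting stats Security Events last 48 hours..."
+param(
+[Parameter(Mandatory=$true)][String]$sw
+)
+Write-Host "Collecting stats Security Events last $sw days..."
 $SecurityEvents = "$FolderCreation\SecurityEvents"
 mkdir -Force $SecurityEvents | Out-Null
 $ProcessOutput = "$SecurityEvents\EventCount.txt"
-$SecurityEvents = Get-EventLog -LogName security -After (Get-Date).AddDays(-2)
+$SecurityEvents = Get-EventLog -LogName security -After (Get-Date).AddDays(-$sw)
 $SecurityEvents | Group-Object -Property EventID -NoElement | Sort-Object -Property Count -Descending | Out-File -Force -FilePath $ProcessOutput
 }
 
 function Get-SecurityEvents {
-Write-Host "Collecting Security Events last 48 hours..."
+param(
+[Parameter(Mandatory=$true)][String]$sw
+)
+Write-Host "Collecting Security Events last $sw days..."
 $SecurityEvents = "$FolderCreation\SecurityEvents"
 mkdir -Force $SecurityEvents | Out-Null
 $ProcessOutput = "$SecurityEvents\SecurityEvents.txt"
-get-eventlog security -After (Get-Date).AddDays(-2) | Format-List * | Out-File -Force -FilePath $ProcessOutput
+get-eventlog security -After (Get-Date).AddDays(-$sw) | Format-List * | Out-File -Force -FilePath $ProcessOutput
+$CSVExportLocation = "$CSVOutputFolder\SecurityEvents.csv"
+get-eventlog security -After (Get-Date).AddDays(-$sw) | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 
-function Get-EVTXFiles {
-Write-Host "Collecting Important EVTX Files..."
+function Get-EventViewerFiles {
+Write-Host "Collecting Important Event Viewer Files..."
 $EventViewer = "$FolderCreation\Event Viewer"
 mkdir -Force $EventViewer | Out-Null
 $evtxPath = "C:\Windows\System32\winevt\Logs"
@@ -155,12 +222,16 @@ function Get-OfficeConnections {
 Write-Host "Collecting connections made from office applications..."
 $ConnectionFolder = "$FolderCreation\Connections"
 $OfficeConnection = "$ConnectionFolder\ConnectionsMadeByOffice.txt"
+$CSVExportLocation = "$CSVOutputFolder\OfficeConnections.csv"
+
 
 if($UserSid) {
-Get-ItemProperty -Path "registry::HKEY_USERS\$UserSid\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache*" -erroraction 'silentlycontinue' | Out-File -Force -FilePath $OfficeConnection
+Get-ChildItem -Path "registry::HKEY_USERS\$UserSid\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache" -erroraction 'silentlycontinue' | Out-File -Force -FilePath $OfficeConnection
+Get-ChildItem -Path "registry::HKEY_USERS\$UserSid\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache" -erroraction 'silentlycontinue' | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 else {
-Get-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache* -erroraction 'silentlycontinue' | Out-File -Force -FilePath $OfficeConnection
+Get-ChildItem -Path HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache -erroraction 'silentlycontinue' | Out-File -Force -FilePath $OfficeConnection
+Get-ChildItem -Path HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache -erroraction 'silentlycontinue' | Out-File -Force -FilePath $OfficeConnection | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 }
 
@@ -172,12 +243,16 @@ function Get-NetworkShares {
 Write-Host "Collecting Active Network Shares..."
 $ConnectionFolder = "$FolderCreation\Connections"
 $ProcessOutput = "$ConnectionFolder\NetworkShares.txt"
+$CSVExportLocation = "$CSVOutputFolder\NetworkShares.csv"
 
 if($UserSid) {
+write-host $UserSid
 Get-ItemProperty -Path "registry::HKEY_USERS\$UserSid\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\" -erroraction 'silentlycontinue' | Format-Table | Out-File -Force -FilePath $ProcessOutput
+Get-ItemProperty -Path "registry::HKEY_USERS\$UserSid\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\" -erroraction 'silentlycontinue' | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 else {
-Get-ChildItem -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\ | Format-Table | Out-File -Force -FilePath $ProcessOutput
+Get-ChildItem -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\ -erroraction 'silentlycontinue' | Format-Table | Out-File -Force -FilePath $ProcessOutput
+Get-ChildItem -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\ -erroraction 'silentlycontinue' | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 }
 
@@ -186,33 +261,43 @@ function Get-SMBShares {
 $ConnectionFolder = "$FolderCreation\Connections"
 $ProcessOutput = "$ConnectionFolder\SMBShares.txt"
 Get-SmbShare | Out-File -Force -FilePath $ProcessOutput
+$CSVExportLocation = "$CSVOutputFolder\SMBShares.csv"
+Get-SmbShare | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 
 function Get-RDPSessions {
 Write-Host "Collecting RDS Sessions..."
 $ConnectionFolder = "$FolderCreation\Connections"
 $ProcessOutput = "$ConnectionFolder\RDPSessions.txt"
+$CSVExportLocation = "$CSVOutputFolder\RDPSessions.csv"
 qwinsta /server:localhost | Out-File -Force -FilePath $ProcessOutput
+(qwinsta /server:localhost) -split "\n" -replace '\s\s+', ',' | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 
 function Get-RemotelyOpenedFiles {
 Write-Host "Collecting Remotly Opened Files..."
 $ConnectionFolder = "$FolderCreation\Connections"
 $ProcessOutput = "$ConnectionFolder\RemotelyOpenedFiles.txt"
+$CSVExportLocation = "$CSVOutputFolder\RemotelyOpenedFiles.csv"
 openfiles | Out-File -Force -FilePath $ProcessOutput
+(openfiles) -split "\n" -replace '\s\s+', ',' | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 
 function Get-DNSCache {
 Write-Host "Collecting DNS Cache..."
 $ConnectionFolder = "$FolderCreation\Connections"
 $ProcessOutput = "$ConnectionFolder\DNSCache.txt"
 Get-DnsClientCache | Format-List | Out-File -Force -FilePath $ProcessOutput
+$CSVExportLocation = "$CSVOutputFolder\DNSCache.csv"
+Get-DnsClientCache | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 
 function Get-PowershellHistory {
 Write-Host "Collecting Powershell History..."
 $PowershellHistoryOutput = "$FolderCreation\PowershellHistory.txt"
 history | Out-File -Force -FilePath $PowershellHistoryOutput
+$CSVExportLocation = "$CSVOutputFolder\PowerShellHistory.csv"
+history | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 
 function Get-RecentlyInstalledSoftwareEventLogs {
@@ -221,13 +306,17 @@ function Get-RecentlyInstalledSoftwareEventLogs {
 mkdir -Force $ApplicationFolder | Out-Null
 $ProcessOutput = "$ApplicationFolder\RecentlyInstalledSoftwareEventLogs.txt"
 Get-WinEvent -ProviderName msiinstaller | where id -eq 1033 | select timecreated,message | FL *| Out-File -Force -FilePath $ProcessOutput
+$CSVExportLocation = "$CSVOutputFolder\InstalledSoftware.csv"
+Get-WinEvent -ProviderName msiinstaller | where id -eq 1033 | select timecreated,message | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 
 function Get-RunningServices {
 Write-Host "Collecting Running Services..."
 $ApplicationFolder = "$FolderCreation\Applications"
 $ProcessOutput = "$ApplicationFolder\RecentlyInstalledSoftwareEventLogs.txt"
 Get-Service | Where-Object {$_.Status -eq "Running"} | format-list | Out-File -Force -FilePath $ProcessOutput
+$CSVExportLocation = "$CSVOutputFolder\RunningServices.csv"
+Get-Service | Where-Object {$_.Status -eq "Running"} | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 
 function Get-ScheduledTasks {
@@ -236,22 +325,27 @@ function Get-ScheduledTasks {
 mkdir -Force $ScheduledTaskFolder| Out-Null
 $ProcessOutput = "$ScheduledTaskFolder\ScheduledTasksList.txt"
 Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"} | Format-List | Out-File -Force -FilePath $ProcessOutput
+$CSVExportLocation = "$CSVOutputFolder\ScheduledTasks.csv"
+Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"} | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 
 function Get-ScheduledTasksRunInfo {
 Write-Host "Collecting Scheduled Tasks Run Info..."
 $ScheduledTaskFolder = "$FolderCreation\ScheduledTask"
 $ProcessOutput = "$ScheduledTaskFolder\ScheduledTasksListRunInfo.txt"
+$CSVExportLocation = "$CSVOutputFolder\ScheduledTasksRunInfo.csv"
 Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"} | Get-ScheduledTaskInfo | Out-File -Force -FilePath $ProcessOutput
+Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"} | Get-ScheduledTaskInfo | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 
 function Get-ConnectedDevices {
 Write-Host "Collecting Information about Connected Devices..."
 $DeviceFolder = "$FolderCreation\ConnectedDevices"
 New-Item -Path $DeviceFolder -ItemType Directory -Force | Out-Null
 $ConnectedDevicesOutput = "$DeviceFolder\ConnectedDevices.csv"
-
 Get-PnpDevice | Export-Csv -NoTypeInformation -Path $ConnectedDevicesOutput
+$CSVExportLocation = "$CSVOutputFolder\ConnectedDevices.csv"
+Get-PnpDevice | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8
 }
 
 function Get-ChromiumFiles {
@@ -311,6 +405,34 @@ function Get-FirefoxFiles {
 }
 }
 
+function Get-MPLogs {
+Write-Host "Collecting MPLogs..."
+$MPLogFolder = "$FolderCreation\MPLogs"
+New-Item -Path $MPLogFolder -ItemType Directory -Force | Out-Null
+$MPLogLocation = "C:\ProgramData\Microsoft\Windows Defender\Support"
+Copy-Item -Path $MPLogLocation -Destination $MPLogFolder -Recurse
+}
+
+function Get-DefenderExclusions {
+Write-Host "Collecting Defender Exclusions..."
+$DefenderExclusionFolder = "$FolderCreation\DefenderExclusions"
+New-Item -Path $DefenderExclusionFolder -ItemType Directory -Force | Out-Null
+Get-MpPreference | Select-Object -ExpandProperty ExclusionPath | Out-File -Force -FilePath "$DefenderExclusionFolder\ExclusionPath.txt"
+Get-MpPreference | Select-Object -ExpandProperty ExclusionExtension | Out-File -Force -FilePath "$DefenderExclusionFolder\ExclusionExtension.txt"
+Get-MpPreference | Select-Object -ExpandProperty ExclusionIpAddress | Out-File -Force -FilePath "$DefenderExclusionFolder\ExclusionIpAddress.txt"
+Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess | Out-File -Force -FilePath "$DefenderExclusionFolder\ExclusionProcess.txt"
+
+$CSVExportLocation = "$CSVOutputFolder\DefenderExclusions.csv"
+$ExclusionPaths = (Get-MpPreference | Select-Object -ExpandProperty ExclusionPath) -join "`n"
+$ExclusionExtensions = (Get-MpPreference | Select-Object -ExpandProperty ExclusionExtension) -join "`n"
+$ExclusionIPAddresses = (Get-MpPreference | Select-Object -ExpandProperty ExclusionIpAddress) -join "`n"
+$ExclusionProcesses = (Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess) -join "`n"
+
+# Combine all results into a single array
+$combinedData = $ExclusionPaths, $ExclusionExtensions, $ExclusionIPAddresses, $ExclusionProcesses
+$combinedData -split "\n" -replace '\s\s+', ',' | Out-File -FilePath $CSVExportLocation -Encoding UTF8
+}
+
 function Zip-Results {
 Write-Host "Write results to $FolderCreation.zip..."
 Compress-Archive -Force -LiteralPath $FolderCreation -DestinationPath "$FolderCreation.zip"
@@ -348,12 +470,14 @@ function Run-WithoutAdminPrivilege {
 }
 
 #Run all functions that do require admin priviliges
-Function Run-WithAdminPrivilges {
-Get-SecurityEventCount
-Get-SecurityEvents
+function Run-WithAdminPrivilges {
+Get-SecurityEventCount $sw
+Get-SecurityEvents $sw
 Get-RemotelyOpenedFiles
 Get-ShadowCopies
-Get-EVTXFiles
+Get-EventViewerFiles
+Get-MPLogs
+Get-DefenderExclusions
 }
 
 Run-WithoutAdminPrivilege -UserSid $currentUserSid -Username $currentUsername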
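Review bot: The output directory at new line 65 is now a hard-coded developer path, `$FolderCreation = "D:\Github\DFIR-$env:computername-$ExecutionTime"`, while the `$CurrentPath`-based form survives only as the commented-out line 66 and the new help text at line 5 still promises the folder is created in the current directory; on a compromised host without a `D:` drive the `mkdir -Force` at line 67 will presumably fail and every collector's `Out-File` with it, so the merged script should read `$FolderCreation = "$CurrentPath\DFIR-$env:computername-$ExecutionTime"` with the commented line dropped. In the same spirit, `write-host $UserSid` at new line 249 of Get-NetworkShares looks like leftover debug output. The else branch of Get-OfficeConnections at new line 234 pipes one `Out-File` into a second `Out-File`, which emits nothing, so the `OfficeConnections.csv` export is written empty when no SID is resolved; it should use the same `ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8` pipeline as the `$UserSid` branch at line 230. The function-local `[String]$sw` parameters at new lines 175 and 187 also disagree with the script-level `[int]$sw` at line 32 and could be typed `[int]` so the `AddDays(-$sw)` negation does not depend on string-to-number conversion.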
