1
+ <#
2
+ . DESCRIPTION
3
+ The DFIR Script is a tool to perform incident response via PowerShell on compromised devices with an Windows Operating System (Workstation & Server). The content that the script can collect depends on the permissions of the user that executes the script, if executed with admin privileges more forensic artifacts can be collected.
4
+
5
+ The collected information is saved in an output directory in the current folder, this is by creating a folder named 'DFIR-_hostname_-_year_-_month_-_date_'. This folder is zipped at the end to enable easy collection.
6
+
7
+ This script can be integrated with Defender For Endpoint via Live Response sessions (see https://github.com/Bert-JanP/Incident-Response-Powershell).
8
+
9
+ The script outputs the results as CSV to be imported in SIEM or data analysis tooling, the folder in which those files are located is named 'CSV Results (SIEM Import Data)'.
10
+
11
+ . EXAMPLE
12
+ Run Script without any parameters
13
+ .\DFIR-Script.ps1
14
+ . EXAMPLE
15
+ Define custom search window, this is done in days. Example below collects the Security Events from the last 10 days.
16
+ .\DFIR-Script.ps1 -sw 10
17
+
18
+ . LINK
19
+ Integration Defender For Endpoint Live Response:
20
+ https://github.com/Bert-JanP/Incident-Response-Powershell
21
+
22
+ Individual PowerShell Incident Response Commands:
23
+ https://github.com/Bert-JanP/Incident-Response-Powershell/blob/main/DFIR-Commands.md
24
+
25
+ . NOTES
26
+ Any additional notes or information about the script or function.
27
+
28
+
29
+ #>
30
+
31
+ param (
32
+ [Parameter (Mandatory = $false )][int ]$sw = 2 # Defines the custom search window, this is done in days.
33
+ )
34
+
35
+
36
+ $Version = ' 2.0.0'
1
37
$ASCIIBanner = @"
2
38
_____ _ _ _ _____ ______ _____ _____
3
39
| __ \ | | | | | | | __ \ | ____| |_ _| | __ \
4
40
| |__) | ___ __ __ ___ _ __ ___ | |__ ___ | | | | | | | | | |__ | | | |__) |
5
41
| ___/ / _ \ \ \ /\ / / / _ \ | '__| / __| | '_ \ / _ \ | | | | | | | | | __| | | | _ /
6
42
| | | (_) | \ V V / | __/ | | \__ \ | | | | | __/ | | | | | |__| | | | _| |_ | | \ \
7
- |_| \___/ \_/\_/ \___| |_| |___/ |_| |_| \___| |_| |_| |_____/ |_| |_____| |_| \_\
43
+ |_| \___/ \_/\_/ \___| |_| |___/ |_| |_| \___| |_| |_| |_____/ |_| |_____| |_| \_\`n
8
44
"@
9
45
Write-Host $ASCIIBanner
10
- Write-Host " `n "
46
+ Write-Host " Version: $Version "
11
47
Write-Host " By twitter: @BertJanCyber, Github: Bert-JanP"
12
48
Write-Host " ===========================================`n "
13
49
@@ -26,23 +62,33 @@ else {
26
62
Write-Host " Creating output directory..."
27
63
$CurrentPath = $pwd
28
64
$ExecutionTime = $ (get-date -f yyyy- MM- dd)
29
- $FolderCreation = " $CurrentPath \DFIR-$env: computername -$ExecutionTime "
65
+ $FolderCreation = " D:\Github\DFIR-$env: computername -$ExecutionTime "
66
+ # $FolderCreation = "$CurrentPath\..\DFIR-$env:computername-$ExecutionTime"
30
67
mkdir - Force $FolderCreation | Out-Null
31
68
Write-Host " Output directory created: $FolderCreation ..."
32
69
33
70
$currentUsername = (Get-WmiObject Win32_Process -f ' Name="explorer.exe"' ).GetOwner().User
34
71
$currentUserSid = Get-ItemProperty ' HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object {$_.PSChildName -match ' S-1-5-21-\d+-\d+\-\d+\-\d+$' -and $_.ProfileImagePath -match " \\$currentUsername $" } | ForEach-Object {$_.PSChildName }
35
72
Write-Host " Current user: $currentUsername $currentUserSid "
36
73
74
+ # CSV Output for import in SIEM
75
+ $CSVOutputFolder = " $FolderCreation \CSV Results (SIEM Import Data)"
76
+ mkdir - Force $CSVOutputFolder | Out-Null
77
+ Write-Host " SIEM Export Output directory created: $CSVOutputFolder ..."
78
+
37
79
function Get-IPInfo {
38
80
Write-Host " Collecting local ip info..."
39
81
$Ipinfoutput = " $FolderCreation \ipinfo.txt"
40
82
Get-NetIPAddress | Out-File - Force - FilePath $Ipinfoutput
83
+ $CSVExportLocation = " $CSVOutputFolder \IPConfiguration.csv"
84
+ Get-NetIPAddress | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
41
85
}
42
86
function Get-ShadowCopies {
43
87
Write-Host " Collecting Shadow Copies..."
44
88
$ShadowCopy = " $FolderCreation \ShadowCopies.txt"
45
89
Get-CimInstance Win32_ShadowCopy | Out-File - Force - FilePath $ShadowCopy
90
+ $CSVExportLocation = " $CSVOutputFolder \ShadowCopy.csv"
91
+ Get-CimInstance Win32_ShadowCopy | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
46
92
}
47
93
48
94
function Get-OpenConnections {
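Review bot: The new `$FolderCreation` assignment hard-codes `D:\Github\DFIR-...` as the output root, so on a triaged host the evidence folder is no longer created under the current directory as the `.DESCRIPTION` block and the `$CurrentPath` lookup two lines above intend; `mkdir -Force` will either create a stray `D:\Github` tree or, where no D: volume exists, likely fail before anything is collected. The commented-out `$CurrentPath\..\` variant on the next line reads like a local debugging leftover. Restore `$FolderCreation = "$CurrentPath\DFIR-$env:computername-$ExecutionTime"` and drop the commented alternative.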
@@ -51,6 +97,8 @@ function Get-OpenConnections {
51
97
mkdir - Force $ConnectionFolder | Out-Null
52
98
$Ipinfoutput = " $ConnectionFolder \OpenConnections.txt"
53
99
Get-NetTCPConnection - State Established | Out-File - Force - FilePath $Ipinfoutput
100
+ $CSVExportLocation = " $CSVOutputFolder \OpenTCPConnections.csv"
101
+ Get-NetTCPConnection - State Established | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
54
102
}
55
103
56
104
function Get-AutoRunInfo {
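Review bot: Each CSV export re-runs the collector, so here `Get-NetTCPConnection -State Established` is executed twice and the .txt and the .csv are two different snapshots of volatile state that can disagree during analysis. Capture once, `$conns = Get-NetTCPConnection -State Established`, then pipe `$conns` to both `Out-File` and `ConvertTo-Csv`. The same double-collection pattern is introduced in Get-IPInfo and Get-ShadowCopies in the previous hunk and in the later CSV additions (local users, services, DNS cache, scheduled tasks, connected devices).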
@@ -59,13 +107,17 @@ function Get-AutoRunInfo {
59
107
mkdir - Force $AutoRunFolder | Out-Null
60
108
$RegKeyOutput = " $AutoRunFolder \AutoRunInfo.txt"
61
109
Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User | Format-List | Out-File - Force - FilePath $RegKeyOutput
110
+ $CSVExportLocation = " $CSVOutputFolder \AutoRun.csv"
111
+ Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
62
112
}
63
113
64
114
function Get-InstalledDrivers {
65
115
Write-Host " Collecting Installed Drivers..."
66
116
$AutoRunFolder = " $FolderCreation \Persistence"
67
117
$RegKeyOutput = " $AutoRunFolder \InstalledDrivers.txt"
68
118
driverquery | Out-File - Force - FilePath $RegKeyOutput
119
+ $CSVExportLocation = " $CSVOutputFolder \Drivers.csv"
120
+ (driverquery) -split " \n" -replace ' \s\s+' , ' ,' | Out-File - Force $CSVExportLocation - Encoding UTF8
69
121
}
70
122
71
123
function Get-ActiveUsers {
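Review bot: The `-split "\n" -replace '\s\s+', ','` conversion in Get-InstalledDrivers relies on column padding and will not separate two adjacent values that happen to be one space apart, and it leaves the column-rule line from the table output in the file. `driverquery` has a native CSV mode that produces quoted, headed columns: `driverquery /fo csv | Out-File -FilePath $CSVExportLocation -Encoding UTF8`. The AutoRun export in the same hunk is fine as it goes through `ConvertTo-Csv` on objects.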
@@ -74,13 +126,17 @@ function Get-ActiveUsers {
74
126
mkdir - Force $UserFolder | Out-Null
75
127
$ActiveUserOutput = " $UserFolder \ActiveUsers.txt"
76
128
query user / server:$server | Out-File - Force - FilePath $ActiveUserOutput
129
+ $CSVExportLocation = " $CSVOutputFolder \ActiveUsers.csv"
130
+ (query user / server:$server ) -split " \n" -replace ' \s\s+' , ' ,' | Out-File - Force - FilePath $CSVExportLocation - Encoding UTF8
77
131
}
78
132
79
133
function Get-LocalUsers {
80
134
Write-Host " Collecting Local users..."
81
135
$UserFolder = " $FolderCreation \UserInformation"
82
136
$ActiveUserOutput = " $UserFolder \LocalUsers.txt"
83
137
Get-LocalUser | Format-Table | Out-File - Force - FilePath $ActiveUserOutput
138
+ $CSVExportLocation = " $CSVOutputFolder \LocalUsers.csv"
139
+ Get-LocalUser | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
84
140
}
85
141
86
142
function Get-ActiveProcesses {
@@ -89,6 +145,7 @@ function Get-ActiveProcesses {
89
145
New-Item - Path $ProcessFolder - ItemType Directory - Force | Out-Null
90
146
$UniqueProcessHashOutput = " $ProcessFolder \UniqueProcessHash.csv"
91
147
$ProcessListOutput = " $ProcessFolder \ProcessList.csv"
148
+ $CSVExportLocation = " $CSVOutputFolder \Processes.csv"
92
149
93
150
$processes_list = @ ()
94
151
foreach ($process in (Get-WmiObject Win32_Process | Select-Object Name, ExecutablePath, CommandLine, ParentProcessId, ProcessId))
@@ -108,28 +165,38 @@ function Get-ActiveProcesses {
108
165
}
109
166
110
167
($processes_list | Select-Object Proc_Path, Proc_Hash - Unique).GetEnumerator() | Export-Csv - NoTypeInformation - Path $UniqueProcessHashOutput
168
+ ($processes_list | Select-Object Proc_Path, Proc_Hash - Unique).GetEnumerator() | Export-Csv - NoTypeInformation - Path $CSVExportLocation
111
169
($processes_list | Select-Object Proc_Name, Proc_Path, Proc_CommandLine, Proc_ParentProcessId, Proc_ProcessId, Proc_Hash).GetEnumerator() | Export-Csv - NoTypeInformation - Path $ProcessListOutput
170
+
112
171
}
113
172
114
173
function Get-SecurityEventCount {
115
- Write-Host " Collecting stats Security Events last 48 hours..."
174
+ param (
175
+ [Parameter (Mandatory = $true )][String ]$sw
176
+ )
177
+ Write-Host " Collecting stats Security Events last $sw days..."
116
178
$SecurityEvents = " $FolderCreation \SecurityEvents"
117
179
mkdir - Force $SecurityEvents | Out-Null
118
180
$ProcessOutput = " $SecurityEvents \EventCount.txt"
119
- $SecurityEvents = Get-EventLog - LogName security - After (Get-Date ).AddDays(-2 )
181
+ $SecurityEvents = Get-EventLog - LogName security - After (Get-Date ).AddDays(- $sw )
120
182
$SecurityEvents | Group-Object - Property EventID - NoElement | Sort-Object - Property Count - Descending | Out-File - Force - FilePath $ProcessOutput
121
183
}
122
184
123
185
function Get-SecurityEvents {
124
- Write-Host " Collecting Security Events last 48 hours..."
186
+ param (
187
+ [Parameter (Mandatory = $true )][String ]$sw
188
+ )
189
+ Write-Host " Collecting Security Events last $sw days..."
125
190
$SecurityEvents = " $FolderCreation \SecurityEvents"
126
191
mkdir - Force $SecurityEvents | Out-Null
127
192
$ProcessOutput = " $SecurityEvents \SecurityEvents.txt"
128
- get-eventlog security - After (Get-Date ).AddDays(-2 ) | Format-List * | Out-File - Force - FilePath $ProcessOutput
193
+ get-eventlog security - After (Get-Date ).AddDays(- $sw ) | Format-List * | Out-File - Force - FilePath $ProcessOutput
194
+ $CSVExportLocation = " $CSVOutputFolder \SecurityEvents.csv"
195
+ get-eventlog security - After (Get-Date ).AddDays(- $sw ) | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
129
196
}
130
197
131
- function Get-EVTXFiles {
132
- Write-Host " Collecting Important EVTX Files..."
198
+ function Get-EventViewerFiles {
199
+ Write-Host " Collecting Important Event Viewer Files..."
133
200
$EventViewer = " $FolderCreation \Event Viewer"
134
201
mkdir - Force $EventViewer | Out-Null
135
202
$evtxPath = " C:\Windows\System32\winevt\Logs"
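Review bot: Both new `param` blocks declare `[String]$sw` while the script-level parameter is `[int]$sw`; `.AddDays(-$sw)` only works because unary minus coerces the string to a number, and a non-numeric value would surface as an error inside the function rather than at parameter binding. Declare `[Parameter(Mandatory = $true)][int]$sw` in Get-SecurityEventCount and Get-SecurityEvents. Separately, Get-SecurityEvents now reads the whole Security log twice (Format-List and ConvertTo-Csv); capturing `$events = Get-EventLog -LogName security -After (Get-Date).AddDays(-$sw)` once and reusing it halves the collection time on a busy server.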
@@ -155,12 +222,16 @@ function Get-OfficeConnections {
155
222
Write-Host " Collecting connections made from office applications..."
156
223
$ConnectionFolder = " $FolderCreation \Connections"
157
224
$OfficeConnection = " $ConnectionFolder \ConnectionsMadeByOffice.txt"
225
+ $CSVExportLocation = " $CSVOutputFolder \OfficeConnections.csv"
226
+
158
227
159
228
if ($UserSid ) {
160
- Get-ItemProperty - Path " registry::HKEY_USERS\$UserSid \SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache*" - erroraction ' silentlycontinue' | Out-File - Force - FilePath $OfficeConnection
229
+ Get-ChildItem - Path " registry::HKEY_USERS\$UserSid \SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache" - erroraction ' silentlycontinue' | Out-File - Force - FilePath $OfficeConnection
230
+ Get-ChildItem - Path " registry::HKEY_USERS\$UserSid \SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache" - erroraction ' silentlycontinue' | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
161
231
}
162
232
else {
163
- Get-ItemProperty - Path HKCU:\SOFTWARE\Microsoft\Office\16.0 \Common\Internet\Server Cache* - erroraction ' silentlycontinue' | Out-File - Force - FilePath $OfficeConnection
233
+ Get-ChildItem - Path HKCU:\SOFTWARE\Microsoft\Office\16.0 \Common\Internet\Server Cache - erroraction ' silentlycontinue' | Out-File - Force - FilePath $OfficeConnection
234
+ Get-ChildItem - Path HKCU:\SOFTWARE\Microsoft\Office\16.0 \Common\Internet\Server Cache - erroraction ' silentlycontinue' | Out-File - Force - FilePath $OfficeConnection | Out-File - FilePath $CSVExportLocation - Encoding UTF8
164
235
}
165
236
}
166
237
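Review bot: In the `else` branch of Get-OfficeConnections the new CSV line pipes `Out-File -Force -FilePath $OfficeConnection` into a second `Out-File`; `Out-File` emits nothing, so `OfficeConnections.csv` is written empty, the .txt is overwritten a second time, and `ConvertTo-Csv` never runs. It should mirror the `$UserSid` branch: `Get-ChildItem -Path 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache' -ErrorAction SilentlyContinue | ConvertTo-Csv -NoTypeInformation | Out-File -FilePath $CSVExportLocation -Encoding UTF8`. Note that the HKCU path contains a space (`Server Cache`) and is unquoted on both lines of that branch, so the parser will likely treat `Cache` as a separate argument; quoting it as above fixes that too.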
@@ -172,12 +243,16 @@ function Get-NetworkShares {
172
243
Write-Host " Collecting Active Network Shares..."
173
244
$ConnectionFolder = " $FolderCreation \Connections"
174
245
$ProcessOutput = " $ConnectionFolder \NetworkShares.txt"
246
+ $CSVExportLocation = " $CSVOutputFolder \NetworkShares.csv"
175
247
176
248
if ($UserSid ) {
249
+ write-host $UserSid
177
250
Get-ItemProperty - Path " registry::HKEY_USERS\$UserSid \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\" - erroraction ' silentlycontinue' | Format-Table | Out-File - Force - FilePath $ProcessOutput
251
+ Get-ItemProperty - Path " registry::HKEY_USERS\$UserSid \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\" - erroraction ' silentlycontinue' | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
178
252
}
179
253
else {
180
- Get-ChildItem - Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\ | Format-Table | Out-File - Force - FilePath $ProcessOutput
254
+ Get-ChildItem - Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\ - erroraction ' silentlycontinue' | Format-Table | Out-File - Force - FilePath $ProcessOutput
255
+ Get-ChildItem - Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\ - erroraction ' silentlycontinue' | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
181
256
}
182
257
}
183
258
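Review bot: `write-host $UserSid` in the `$UserSid` branch of Get-NetworkShares is a debugging print that now lands in the console output of every admin run; either remove it or fold it into the existing status line, e.g. `Write-Host "Collecting Active Network Shares for $UserSid..."`. The two branches also query the key with different cmdlets (`Get-ItemProperty` vs `Get-ChildItem`), so the .txt and .csv columns differ depending on whether a SID was resolved; that predates this change but is worth aligning while the function is being touched.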
@@ -186,33 +261,43 @@ function Get-SMBShares {
186
261
$ConnectionFolder = " $FolderCreation \Connections"
187
262
$ProcessOutput = " $ConnectionFolder \SMBShares.txt"
188
263
Get-SmbShare | Out-File - Force - FilePath $ProcessOutput
264
+ $CSVExportLocation = " $CSVOutputFolder \SMBShares.csv"
265
+ Get-SmbShare | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
189
266
}
190
267
191
268
function Get-RDPSessions {
192
269
Write-Host " Collecting RDS Sessions..."
193
270
$ConnectionFolder = " $FolderCreation \Connections"
194
271
$ProcessOutput = " $ConnectionFolder \RDPSessions.txt"
272
+ $CSVExportLocation = " $CSVOutputFolder \RDPSessions.csv"
195
273
qwinsta / server:localhost | Out-File - Force - FilePath $ProcessOutput
274
+ (qwinsta / server:localhost) -split " \n" -replace ' \s\s+' , ' ,' | Out-File - FilePath $CSVExportLocation - Encoding UTF8
196
275
}
197
276
198
277
function Get-RemotelyOpenedFiles {
199
278
Write-Host " Collecting Remotly Opened Files..."
200
279
$ConnectionFolder = " $FolderCreation \Connections"
201
280
$ProcessOutput = " $ConnectionFolder \RemotelyOpenedFiles.txt"
281
+ $CSVExportLocation = " $CSVOutputFolder \RemotelyOpenedFiles.csv"
202
282
openfiles | Out-File - Force - FilePath $ProcessOutput
283
+ (openfiles) -split " \n" -replace ' \s\s+' , ' ,' | Out-File - FilePath $CSVExportLocation - Encoding UTF8
203
284
}
204
285
205
286
function Get-DNSCache {
206
287
Write-Host " Collecting DNS Cache..."
207
288
$ConnectionFolder = " $FolderCreation \Connections"
208
289
$ProcessOutput = " $ConnectionFolder \DNSCache.txt"
209
290
Get-DnsClientCache | Format-List | Out-File - Force - FilePath $ProcessOutput
291
+ $CSVExportLocation = " $CSVOutputFolder \DNSCache.csv"
292
+ Get-DnsClientCache | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
210
293
}
211
294
212
295
function Get-PowershellHistory {
213
296
Write-Host " Collecting Powershell History..."
214
297
$PowershellHistoryOutput = " $FolderCreation \PowershellHistory.txt"
215
298
history | Out-File - Force - FilePath $PowershellHistoryOutput
299
+ $CSVExportLocation = " $CSVOutputFolder \PowerShellHistory.csv"
300
+ history | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
216
301
}
217
302
218
303
function Get-RecentlyInstalledSoftwareEventLogs {
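Review bot: The `-split "\n" -replace '\s\s+', ','` conversion applied to `qwinsta` and `openfiles` output appears to produce ragged rows: `qwinsta` prints an empty SESSIONNAME for disconnected sessions, so those rows come out one field short and the remaining columns shift, which a SIEM import will mis-map. `openfiles` has a native CSV format, `openfiles /query /fo csv | Out-File -FilePath $CSVExportLocation -Encoding UTF8`; for `qwinsta` there is no such mode, so either parse its fixed-width columns explicitly or keep that artifact text-only rather than shipping an unreliable CSV. The `history | ConvertTo-Csv` export is fine as is.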
@@ -221,13 +306,17 @@ function Get-RecentlyInstalledSoftwareEventLogs {
221
306
mkdir - Force $ApplicationFolder | Out-Null
222
307
$ProcessOutput = " $ApplicationFolder \RecentlyInstalledSoftwareEventLogs.txt"
223
308
Get-WinEvent - ProviderName msiinstaller | where id -eq 1033 | select timecreated, message | FL * | Out-File - Force - FilePath $ProcessOutput
309
+ $CSVExportLocation = " $CSVOutputFolder \InstalledSoftware.csv"
310
+ Get-WinEvent - ProviderName msiinstaller | where id -eq 1033 | select timecreated, message | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
224
311
}
225
312
226
313
function Get-RunningServices {
227
314
Write-Host " Collecting Running Services..."
228
315
$ApplicationFolder = " $FolderCreation \Applications"
229
316
$ProcessOutput = " $ApplicationFolder \RecentlyInstalledSoftwareEventLogs.txt"
230
317
Get-Service | Where-Object {$_.Status -eq " Running" } | format-list | Out-File - Force - FilePath $ProcessOutput
318
+ $CSVExportLocation = " $CSVOutputFolder \RunningServices.csv"
319
+ Get-Service | Where-Object {$_.Status -eq " Running" } | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
231
320
}
232
321
233
322
function Get-ScheduledTasks {
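Review bot: Get-RunningServices still writes its text output to `$ApplicationFolder\RecentlyInstalledSoftwareEventLogs.txt`, the same file Get-RecentlyInstalledSoftwareEventLogs writes in the hunk above, so whichever runs second overwrites the other's evidence; the new CSV side correctly uses `RunningServices.csv`, but the context line should become `$ProcessOutput = "$ApplicationFolder\RunningServices.txt"`. This is an existing line the commit leaves untouched rather than new code.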
@@ -236,22 +325,27 @@ function Get-ScheduledTasks {
236
325
mkdir - Force $ScheduledTaskFolder | Out-Null
237
326
$ProcessOutput = " $ScheduledTaskFolder \ScheduledTasksList.txt"
238
327
Get-ScheduledTask | Where-Object {$_.State -ne " Disabled" } | Format-List | Out-File - Force - FilePath $ProcessOutput
328
+ $CSVExportLocation = " $CSVOutputFolder \ScheduledTasks.csv"
329
+ Get-ScheduledTask | Where-Object {$_.State -ne " Disabled" } | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
239
330
}
240
331
241
332
function Get-ScheduledTasksRunInfo {
242
333
Write-Host " Collecting Scheduled Tasks Run Info..."
243
334
$ScheduledTaskFolder = " $FolderCreation \ScheduledTask"
244
335
$ProcessOutput = " $ScheduledTaskFolder \ScheduledTasksListRunInfo.txt"
336
+ $CSVExportLocation = " $CSVOutputFolder \ScheduledTasksRunInfo.csv"
245
337
Get-ScheduledTask | Where-Object {$_.State -ne " Disabled" } | Get-ScheduledTaskInfo | Out-File - Force - FilePath $ProcessOutput
338
+ Get-ScheduledTask | Where-Object {$_.State -ne " Disabled" } | Get-ScheduledTaskInfo | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
246
339
}
247
340
248
341
function Get-ConnectedDevices {
249
342
Write-Host " Collecting Information about Connected Devices..."
250
343
$DeviceFolder = " $FolderCreation \ConnectedDevices"
251
344
New-Item - Path $DeviceFolder - ItemType Directory - Force | Out-Null
252
345
$ConnectedDevicesOutput = " $DeviceFolder \ConnectedDevices.csv"
253
-
254
346
Get-PnpDevice | Export-Csv - NoTypeInformation - Path $ConnectedDevicesOutput
347
+ $CSVExportLocation = " $CSVOutputFolder \ConnectedDevices.csv"
348
+ Get-PnpDevice | ConvertTo-Csv - NoTypeInformation | Out-File - FilePath $CSVExportLocation - Encoding UTF8
255
349
}
256
350
257
351
function Get-ChromiumFiles {
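Review bot: `Get-ScheduledTask | ConvertTo-Csv` flattens the task object directly, and its Actions, Triggers and Principal members are nested objects that will most likely serialize as type names, so the CSV loses the one field an analyst wants from a persistence review, namely what the task executes. Consider selecting the flattened fields before conversion, e.g. `Select-Object TaskName, TaskPath, State, @{n='Actions'; e={($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ';'}}`, keeping the existing `Format-List` .txt export for the full detail. The same nested-object concern applies, to a lesser degree, to the `Get-PnpDevice` export at the end of the hunk.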
@@ -311,6 +405,34 @@ function Get-FirefoxFiles {
311
405
}
312
406
}
313
407
408
+ function Get-MPLogs {
409
+ Write-Host " Collecting MPLogs..."
410
+ $MPLogFolder = " $FolderCreation \MPLogs"
411
+ New-Item - Path $MPLogFolder - ItemType Directory - Force | Out-Null
412
+ $MPLogLocation = " C:\ProgramData\Microsoft\Windows Defender\Support"
413
+ Copy-Item - Path $MPLogLocation - Destination $MPLogFolder - Recurse
414
+ }
415
+
416
+ function Get-DefenderExclusions {
417
+ Write-Host " Collecting Defender Exclusions..."
418
+ $DefenderExclusionFolder = " $FolderCreation \DefenderExclusions"
419
+ New-Item - Path $DefenderExclusionFolder - ItemType Directory - Force | Out-Null
420
+ Get-MpPreference | Select-Object - ExpandProperty ExclusionPath | Out-File - Force - FilePath " $DefenderExclusionFolder \ExclusionPath.txt"
421
+ Get-MpPreference | Select-Object - ExpandProperty ExclusionExtension | Out-File - Force - FilePath " $DefenderExclusionFolder \ExclusionExtension.txt"
422
+ Get-MpPreference | Select-Object - ExpandProperty ExclusionIpAddress | Out-File - Force - FilePath " $DefenderExclusionFolder \ExclusionIpAddress.txt"
423
+ Get-MpPreference | Select-Object - ExpandProperty ExclusionProcess | Out-File - Force - FilePath " $DefenderExclusionFolder \ExclusionProcess.txt"
424
+
425
+ $CSVExportLocation = " $CSVOutputFolder \DefenderExclusions.csv"
426
+ $ExclusionPaths = (Get-MpPreference | Select-Object - ExpandProperty ExclusionPath) -join " `n "
427
+ $ExclusionExtensions = (Get-MpPreference | Select-Object - ExpandProperty ExclusionExtension) -join " `n "
428
+ $ExclusionIPAddresses = (Get-MpPreference | Select-Object - ExpandProperty ExclusionIpAddress) -join " `n "
429
+ $ExclusionProcesses = (Get-MpPreference | Select-Object - ExpandProperty ExclusionProcess) -join " `n "
430
+
431
+ # Combine all results into a single array
432
+ $combinedData = $ExclusionPaths , $ExclusionExtensions , $ExclusionIPAddresses , $ExclusionProcesses
433
+ $combinedData -split " \n" -replace ' \s\s+' , ' ,' | Out-File - FilePath $CSVExportLocation - Encoding UTF8
434
+ }
435
+
314
436
function Zip-Results {
315
437
Write-Host " Write results to $FolderCreation .zip..."
316
438
Compress-Archive - Force - LiteralPath $FolderCreation - DestinationPath " $FolderCreation .zip"
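Review bot: The Get-DefenderExclusions "CSV" is four category strings joined with newlines and then whitespace runs replaced by commas, so the file has no header, no column saying which exclusion type a row belongs to, and any excluded path containing a double space is split into extra fields; an analyst cannot tell an excluded process from an excluded extension. `Get-MpPreference` is also invoked eight times for one object. Build one row per exclusion with a Type/Value pair and let `Export-Csv` do the quoting, as below; the per-type .txt files can read the same `$pref` object. In Get-MPLogs, `$env:ProgramData` would be preferable to the literal `C:\ProgramData`, and the enclosing `Copy-Item` has no `-ErrorAction`, which is acceptable here since errors from locked support files should stay visible rather than be silenced.
```powershell
# … unchanged: MPLogs function, folder creation and the four per-type .txt exports …
$CSVExportLocation = "$CSVOutputFolder\DefenderExclusions.csv"
$pref = Get-MpPreference
$rows = foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionIpAddress', 'ExclusionProcess') {
    foreach ($value in $pref.$kind) {
        [PSCustomObject]@{ Type = $kind; Value = $value }
    }
}
$rows | Export-Csv -NoTypeInformation -Path $CSVExportLocation -Encoding UTF8
```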
@@ -348,12 +470,14 @@ function Run-WithoutAdminPrivilege {
348
470
}
349
471
350
472
# Run all functions that do require admin priviliges
351
- Function Run-WithAdminPrivilges {
352
- Get-SecurityEventCount
353
- Get-SecurityEvents
473
+ function Run-WithAdminPrivilges {
474
+ Get-SecurityEventCount $sw
475
+ Get-SecurityEvents $sw
354
476
Get-RemotelyOpenedFiles
355
477
Get-ShadowCopies
356
- Get-EVTXFiles
478
+ Get-EventViewerFiles
479
+ Get-MPLogs
480
+ Get-DefenderExclusions
357
481
}
358
482
359
483
Run- WithoutAdminPrivilege - UserSid $currentUserSid - Username $currentUsername