Releases: Bert-JanP/Incident-Response-Powershell

DFIR PowerShell V2.1.0

26 Mar 18:33

New Functionality:

  • Collect PowerShell History of all users

Updates:

  • MP Log Collection changes

DFIR PowerShell V2.0.1

14 Feb 06:25
80b8a70

What's New in Version 2.0.1:

  • Fix output location

DFIR PowerShell V2.0.0

08 Feb 17:29

What's New in Version 2.0.0:

  1. SIEM Import Functionality
     • In the world of incident response, seamless collaboration and integration with other tools are essential. The new SIEM import functionality allows you to import the collected artefacts into your preferred SIEM or data analysis tools by also providing the output as CSV files.
  2. Microsoft Protection Log – Artefact Collection
     • The script includes the export of the Microsoft Protection Log (MPLog). These files can contain artefacts of the following activities: process execution, threats detected, security scans and actions, and file existence.
  3. DefenderExclusions – Artefact Collection
     • The script gathers the Defender exclusions that are configured on the device. The exclusions can contain evidence of excluded files, folders and processes that have not been monitored.
  4. Custom Timeframe Support For Windows Security Event Collection
     • Windows Security Events were already known to contain valuable information about attacker behaviour. This option lets users set the timeframe of the collected security events to fit their specific investigative needs, ensuring a more targeted and efficient response.

PowerShell DFIR V1.0

19 Dec 20:47

DFIR Script

The DFIR script collects information from multiple sources and structures the output in the current directory in a folder named 'DFIR-hostname-year-month-date'. This folder is zipped at the end, so that it can be collected remotely. The script can also be used within Defender For Endpoint in a Live Response session (see below). The DFIR script collects the following information when running as a normal user:

  • Local IP Info
  • Open Connections
  • Autorun Information (Startup Folder & Registry Run keys)
  • Active Users
  • Local Users
  • Connections Made From Office Applications
  • Active SMB Shares
  • RDP Sessions
  • Active Processes
  • Active USB Connections
  • PowerShell History
  • DNS Cache
  • Installed Drivers
  • Installed Software
  • Running Services
  • Scheduled Tasks
  • Browser history and profile files

For the best experience, run the script as admin; the following items will then also be collected:

  • Windows Security Events
  • Remotely Opened Files
  • Shadow Copies