Incident Response Security Scripting for Windows and Linux systems


Windows IR Scripting

Below is the IR script that I produced for Windows systems. The test machine was Windows 2016 Core running inside VMware Fusion 8. I've included some tools for the most commonly requested information. As an incident handler, I believe it is better to use the least complicated tools possible to get the job done, avoiding unnecessary complications that risk jeopardizing an incident response investigation. Batch scripting is also within my comfort zone. A further benefit of batch scripts is that they require the least amount of time to prepare and have proven very reliable across multiple operating system distributions.

(Screenshot: Linux IR 1)

Windows Incident Response Template

https://github.com/SmokeDog88/InfoSec_Ops/blob/master/IR_Script.bat

Below is a screenshot of the output folder that I created for the batch script. I opted to send all scripted test data to a single folder location in an effort to reduce administrative overhead and reduce incident response times.


Below are a few screenshots of some of the output files, showing that the Windows batch script ran successfully.


Below are screenshots of the hashed output files and folder.

Hashed toolset:


Hashed output files:


Linux IR Scripting

Below is a basic IR script for Linux systems, which includes some of the most commonly used command line tools. I wrote this using Bash scripting because it is probably the least complicated way to perform incident detection on host computers. It’s generally a good idea to avoid introducing unneeded complexities where not required.

(Screenshots: Linux IR 1, Linux IR 2)

Linux Incident Response Template

https://github.com/SmokeDog88/InfoSec_Ops/blob/master/IR_Detect.sh

The output of the script is shown below, revealing the execution and successful completion of the script. The output file location is an added benefit.


Below is the output directory. I directed all of the script's outputs into easily readable text files in a single location for added convenience.


Below are a few screenshots of the output folders, which indicate that the script executed properly across several test runs before use in production.


Below is a screenshot of the hashed output of both the script and output folder in an effort to validate future file integrity.

Hashed tool-set and output file:

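The single-folder collection and hashing step described in both the Windows section (hashed toolset and output files) and the Linux section, as an added shell example that is not the author's IR_Script.bat or IR_Detect.sh: the command list, output file names and the `ir_collect`/`ir_verify` function names are my assumptions, and it assumes GNU coreutils for `sha256sum`.

```shell
#!/bin/sh
# Added example (not the author's IR_Detect.sh): a minimal Linux IR collector
# that writes every tool's output to one folder, preserves a copy of the
# toolset beside the evidence, and records SHA-256 hashes of all of it so the
# collection can be re-verified later. Assumes GNU coreutils (sha256sum).
set -u

# One capture per line: "<output file>|<command>". Constructed list; extend it
# with whatever volatile data your playbook asks for.
IR_COMMANDS='system_info.txt|uname -a
logged_in_users.txt|who
process_list.txt|ps -eo pid,ppid,user,etime,cmd
listening_sockets.txt|ss -tulpn
mounted_filesystems.txt|mount'

# ir_collect <outdir> <toolset file>: run each command into its own file,
# copy the toolset into <outdir>/tools, then write <outdir>/SHA256SUMS.
ir_collect() {
  outdir=$1; tool=$2
  mkdir -p "$outdir/tools" || return 1
  printf '%s\n' "$IR_COMMANDS" | while IFS='|' read -r name cmd; do
    if command -v "${cmd%% *}" >/dev/null 2>&1; then
      $cmd >"$outdir/$name" 2>&1      # tool output; stderr kept as evidence
    else
      printf 'tool not found: %s\n' "${cmd%% *}" >"$outdir/$name"
    fi
  done
  if [ -f "$tool" ]; then cp "$tool" "$outdir/tools/"; fi
  # Hash tools and outputs with paths relative to outdir so the manifest
  # stays valid when the folder is moved off the host.
  ( cd "$outdir" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + ) \
    >"$outdir/SHA256SUMS"
}

# ir_verify <outdir>: returns 0 only if every file in the manifest still
# matches; any edit, truncation or missing file makes it return non-zero.
ir_verify() {
  ( cd "$1" && sha256sum -c --status SHA256SUMS )
}

# Stand-alone use: sh ir_collect.sh run   -> ./ir_<timestamp>/
if [ "${1:-}" = run ]; then
  dest="ir_$(date +%Y%m%d_%H%M%S)"
  ir_collect "$dest" "$0" && ir_verify "$dest" && echo "collected to $dest"
fi
```

Re-running `ir_verify` on a copy of the folder is the check a reviewer performs before trusting the evidence; a single changed byte in any output file makes it fail.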
