DFIR & automation

Emmaf · December 8, 2017, 7:34pm

@dave @mike.mitchell
Which DFIR steps have you automated?

mike.mitchell · December 25, 2017, 7:31am

There are several steps you can automate during the DFIR process, but there are still some processes that are typically done in a manual fashion. Some of the more routine steps that I will automate include:

Ingesting the Alerts
Enriching the data using threat intel sources
Gather host/user information
*4) Gather process and memory dumps from the affect host
Notifying stakeholders of the incident
Open/Update/Close tickets centered around incident

Automating the retrieval of process and memory dumps can be achieved using third party EDR solutions or using the community sourced Powershell scripts. However, running analysis of those dumps is typically done be an analyst with some reverse engineering background.

SWS · December 26, 2017, 2:59pm

@mike.mitchell and @john.grigg provided a three part blog series on the topic that provides a step-by-step overview of doing so with Powershell and Swimlane:
Enhance the DFIR Process with Powershell and Swimlane – Part 1
Enhance the DFIR Process with Powershell and Swimlane – Part 2
Enhance the DFIR Process with Powershell and Swimlane – Part 3

Java · December 26, 2017, 3:01pm

@mike.mitchell

Where can I find community-sourced Powershell scripts?

mike.mitchell · December 26, 2017, 3:23pm

Here are a few scripts on Github that are widely used…

PS Recon:

github.com

gfoss/PSRecon/blob/master/psrecon.ps1

#requires -version 2.0

  #==========================================#
  # LogRhythm Labs                           #
  # Incident Response Live Data Acquisition  #
  # greg . foss @ logrhythm . com            #
  # v0.2  --  October, 2015                  #
  #==========================================#

# Copyright 2015 LogRhythm Inc.   
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.  You may obtain a copy of the License at;
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the License for the specific language governing permissions and limitations under the License.

#=======================================================================================
# CONFIGURATION
#=======================================================================================

[CmdLetBinding()]
param(

This file has been truncated. show original

Powershell Empire

Kansa:

A really good article about Live Response from SANS:
https://www.sans.org/reading-room/whitepapers/forensics/live-response-powershell-34302

Topic		Replies	Views
What do you use powershell for? Threat hunting powershell	6	1664	December 15, 2017
Swimlane Version Control Knowledge base	0	1484	December 30, 2017
Swimlane Powershell Scripting Knowledge base	4	1829	January 8, 2018
Carbon Black Protection Automated Reporting Knowledge base usecase , playbook	0	2484	December 25, 2017
Disable"Verify SSL" Knowledge base	2	1842	January 2, 2020

DFIR & automation

Related Topics