{"id":18606397,"url":"https://github.com/bert-janp/incident-response-powershell","last_synced_at":"2025-05-15T13:04:29.157Z","repository":{"id":160000747,"uuid":"511209061","full_name":"Bert-JanP/Incident-Response-Powershell","owner":"Bert-JanP","description":"PowerShell Digital Forensics \u0026 Incident Response Scripts.","archived":false,"fork":false,"pushed_at":"2025-04-01T06:02:38.000Z","size":64,"stargazers_count":591,"open_issues_count":0,"forks_count":82,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-04-07T18:06:25.106Z","etag":null,"topics":["forensics-tools","incident-response","powershell"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Bert-JanP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-06T16:16:32.000Z","updated_at":"2025-04-05T19:30:11.000Z","dependencies_parsed_at":null,"dependency_job_id":"a7276aec-bf60-4fed-8999-6b5433776735","html_url":"https://github.com/Bert-JanP/Incident-Response-Powershell","commit_stats":{"total_commits":64,"total_committers":5,"mean_commits":12.8,"dds":0.296875,"last_synced_commit":"1aa18076f06f0649089f6c323429fe4c5417c472"},"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Bert-JanP%2FIncident-Response-Powershell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Bert-JanP%2FIncident-Response-Powershell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/repositories/Bert-JanP%2FIncident-Response-Powershell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Bert-JanP%2FIncident-Response-Powershell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Bert-JanP","download_url":"https://codeload.github.com/Bert-JanP/Incident-Response-Powershell/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248961186,"owners_count":21189991,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["forensics-tools","incident-response","powershell"],"created_at":"2024-11-07T02:25:28.827Z","updated_at":"2025-04-14T20:57:36.823Z","avatar_url":"https://github.com/Bert-JanP.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Powershell Digital Forensics \u0026 Incident Response\nThis repository provides PowerShell-based Incident Response scripts.\n\n# DFIR Script\nThe [DFIR-Script.ps1](./DFIR-Script.ps1) script collects forensic artifacts on Windows devices. Key features include:\n- Collecting over 25 potential indicators of compromise.\n- CSV-based export files for SIEM integration.\n- Defender for Endpoint Live Response integration.\n\n# Granular Response Scripts\nThese scripts perform specific tasks, such as collecting Windows Security Events, resetting active user sessions, or uploading a folder to Azure Storage Blob. Some scripts use APIs to retrieve or export data, with required permissions described in each script. 
The scripts are structured for the Incident Response cycle:\n\n| Phase | Description |\n|--------|-------------|\n| [Acquisition](./Acquisition/) | Scripts and tools for acquiring data and evidence during an incident. |\n| [Analysis](./Analysis/) | Scripts for analyzing acquired data to identify indicators of compromise and understand the scope of the incident. |\n| [Containment](./Containment/) | Scripts and methods for containing the incident to prevent further damage and spread. |\n\n# Related Blogs:\n- [Incident Response Part 3: Leveraging Live Response](https://kqlquery.com/posts/leveraging-live-response/)\n- [Incident Response PowerShell V2](https://kqlquery.com/posts/incident-response-powershell-v2/)\n\n\n# DFIR Script Usage\n\n## DFIR Script - Extracted Artefacts\nThe [DFIR script](./DFIR-Script.ps1) collects information from multiple sources and structures the output in the current directory in a folder named 'DFIR-_hostname_-_year_-_month_-_date_'. This folder is zipped at the end, so that it can be collected remotely. This script can also be used within Defender For Endpoint in a Live Response session (see below). 
The DFIR script collects the following information when running as a normal user:\n- Local IP Info\n- Open Connections\n- Autorun Information (Startup Folder \u0026 Registry Run keys)\n- Active Users\n- Local Users\n- Connections Made From Office Applications\n- Active SMB Shares\n- RDP Sessions\n- Active Processes\n- Active USB Connections\n- PowerShell History\n- DNS Cache\n- Installed Drivers\n- Installed Software\n- Running Services\n- Scheduled Tasks\n- Browser history and profile files\n\nFor the most complete collection run the script as an administrator; the following items are then also collected:\n- Windows Security Events\n- Remotely Opened Files\n- Shadow Copies\n- MPLogs\n- Defender Exclusions\n- PowerShell History All Users\n\n## SIEM Import Functionality\nThe forensic artifacts are exported as CSV files, allowing responders to ingest them into tools like Sentinel, Splunk, Elastic, or Azure Data Explorer for filtering, aggregation, and visualization.\n\nThe folder *CSV Results (SIEM Import Data)* includes all the CSV files containing the artifacts:\n\n```PowerShell\nName\n----\nActiveUsers.csv\nAutoRun.csv\nConnectedDevices.csv\nDefenderExclusions.csv\nDNSCache.csv\nDrivers.csv\nInstalledSoftware.csv\nIPConfiguration.csv\nLocalUsers.csv\nNetworkShares.csv\nOfficeConnections.csv\nOpenTCPConnections.csv\nPowerShellHistory.csv\nProcesses.csv\nRDPSessions.csv\nRemotelyOpenedFiles.csv\nRunningServices.csv\nScheduledTasks.csv\nScheduledTasksRunInfo.csv\nSecurityEvents.csv\nShadowCopy.csv\nSMBShares.csv\n```\n\n## Execute the script\n\nThe script can be executed by running the following command.\n```PowerShell\n.\\DFIR-Script.ps1\n```\n\nThe script is unsigned, so depending on the machine's execution policy you may have to run it with -ExecutionPolicy Bypass (the execution policy is an operator safeguard, not a security boundary).\n```PowerShell\nPowershell.exe -ExecutionPolicy Bypass .\\DFIR-Script.ps1\n```\n\n## Defender For Endpoint Live Response Integration\nIt is possible to use the scripts in combination with Defender For Endpoint Live Response. 
Make sure that Live Response is set up (see Docs below). Since the script is unsigned, a setting change is required before it can be run.\n\nThere is a blog article that explains in more detail how to leverage custom scripts in Live Response: [Incident Response Part 3: Leveraging Live Response](https://kqlquery.com/posts/leveraging-live-response/)\n\nTo allow unsigned scripts in Live Response:\n- Go to security.microsoft.com\n- Navigate to Settings \u003e Endpoints \u003e Advanced Features\n- Ensure Live Response is enabled\n- Enable Live Response for servers if needed\n- Enable Live Response unsigned script execution\n\nNote that unsigned script execution is a tenant-wide setting, so limit who holds Live Response permissions (see the DFE User permissions link below).\n\nExecute the script:\n- Go to the device page\n- Initiate a Live Response session\n- Use *Upload file to library* to upload the script\n- After uploading the script to the library, execute ```run DFIR-Script.ps1``` to start it. To pass parameters, run ```run DFIR-Script.ps1 -parameters \"-sw 10\"```\n- Execute ```getfile DFIR-DeviceName-yyyy-mm-dd``` to download the retrieved artifacts to your local machine for analysis.\n\n### Docs\n- [Microsoft Documentation Live Response](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response?view=o365-worldwide)\n- [DFE User permissions](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/user-roles?view=o365-worldwide)\n- [Defender For Endpoint Settings Live Response](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/advanced-features?view=o365-worldwide#live-response)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbert-janp%2Fincident-response-powershell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbert-janp%2Fincident-response-powershell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbert-janp%2Fincident-response-powershell/lists"}
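The README above describes the DFIR script's output (a folder named DFIR-hostname-year-month-date with a "CSV Results (SIEM Import Data)" subfolder, one CSV per artifact) and says those CSVs are meant for SIEM ingestion, but it stops at the CSV files. The following PowerShell script is an added example, not code from the Incident-Response-Powershell project, showing the two steps a responder typically performs next: hashing every collected file into an evidence manifest before anything is analysed, and flattening all artifact CSVs into one NDJSON stream tagged with host name, collection date and artifact name so it can be pushed to Splunk HEC, a Sentinel data collection endpoint, or similar. It assumes only the folder layout the README states; it does not assume any column names inside the CSVs (rows are passed through unchanged), and when run without a folder argument it builds a small constructed sample folder so it can be tried offline. The sample CSV columns and values are made up for the demonstration.

```powershell
# Added example, not part of the Incident-Response-Powershell project.
# Assumes only the output layout the README describes: a folder
# 'DFIR-<hostname>-<yyyy>-<mm>-<dd>' with a subfolder
# 'CSV Results (SIEM Import Data)' holding one CSV per artifact.
# Column names inside those CSVs are not assumed; rows pass through unchanged.
param(
    [string]$DfirFolder,                          # unzipped DFIR-* folder (sample data if omitted)
    [string]$OutFile = '.\dfir-artifacts.ndjson'  # one JSON object per line for HEC/DCR upload
)

function New-SampleDfirFolder {
    # Constructed sample data so the script runs offline. The real artifact CSVs
    # carry whatever columns the DFIR script writes; these columns are invented.
    $root   = Join-Path ([IO.Path]::GetTempPath()) ('DFIR-SAMPLE-PC01-{0:yyyy-MM-dd}' -f (Get-Date))
    $csvDir = Join-Path $root 'CSV Results (SIEM Import Data)'
    New-Item -ItemType Directory -Force -Path $csvDir | Out-Null
    @'
Name,Path
OneDrive,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Updater,C:\Users\alice\AppData\Roaming\upd.exe
'@ | Set-Content -Path (Join-Path $csvDir 'AutoRun.csv') -Encoding UTF8
    @'
Type,Value
Path,C:\Tools\
'@ | Set-Content -Path (Join-Path $csvDir 'DefenderExclusions.csv') -Encoding UTF8
    return $root
}

function Get-EvidenceManifest {
    param([Parameter(Mandatory)][string]$Folder)
    # Hash every collected file before analysis starts, so the evidence can later
    # be shown to be unchanged since acquisition.
    Get-ChildItem -Path $Folder -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($Folder.Length).TrimStart('\')
            Bytes        = $_.Length
            SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function ConvertTo-SiemRecords {
    param([Parameter(Mandatory)][string]$Folder)
    # Recover host name and collection date from the folder name the DFIR script uses.
    $leaf = Split-Path -Path $Folder -Leaf
    $hostName = $leaf; $collectedOn = $null
    if ($leaf -match '^DFIR-(.+)-(\d{4}-\d{2}-\d{2})$') {
        $hostName    = $Matches[1]
        $collectedOn = $Matches[2]
    }
    $csvDir = Join-Path $Folder 'CSV Results (SIEM Import Data)'
    foreach ($csv in Get-ChildItem -Path $csvDir -Filter '*.csv' -File) {
        foreach ($row in Import-Csv -Path $csv.FullName) {
            # Tag each row with the context a SIEM needs to pivot across hosts and artifacts.
            # -Force keeps this working even if an artifact already has a column of that name.
            $row | Add-Member -NotePropertyName Artifact    -NotePropertyValue $csv.BaseName -Force
            $row | Add-Member -NotePropertyName HostName    -NotePropertyValue $hostName     -Force
            $row | Add-Member -NotePropertyName CollectedOn -NotePropertyValue $collectedOn  -Force
            $row
        }
    }
}

# Main: hash first, then flatten. The manifest is written next to the folder,
# never inside it, so it does not alter the evidence it describes.
if (-not $DfirFolder) { $DfirFolder = New-SampleDfirFolder }
$DfirFolder   = (Resolve-Path -Path $DfirFolder).Path.TrimEnd('\')
$manifestPath = "$DfirFolder-manifest.csv"
Get-EvidenceManifest -Folder $DfirFolder | Export-Csv -Path $manifestPath -NoTypeInformation

$lines = ConvertTo-SiemRecords -Folder $DfirFolder |
    ForEach-Object { $_ | ConvertTo-Json -Compress -Depth 3 }

# WriteAllLines emits UTF-8 without a BOM, which some ingestion endpoints reject.
if (-not [IO.Path]::IsPathRooted($OutFile)) { $OutFile = Join-Path (Get-Location).Path $OutFile }
[IO.File]::WriteAllLines($OutFile, [string[]]$lines)

Write-Host "Manifest: $manifestPath"
Write-Host "Wrote $(@($lines).Count) records to $OutFile"
```

Run it as `.\Flatten-DfirOutput.ps1 -DfirFolder .\DFIR-HOST01-2025-04-01` after unzipping the archive retrieved with `getfile`; without `-DfirFolder` it processes the constructed sample. Keeping host name and artifact name on every record is what makes cross-host queries ("which hosts have this autorun path") cheap once the NDJSON is in the SIEM, and hashing before parsing means any later dispute about a CSV's contents can be settled against the manifest rather than against memory.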