So, you have a PC on your network that you think might be infected with some malware. What do you do? Well, you could always PSExec into the computer and run a series of commands. But why not automate that process and store the results?
That was my motivation for writing this IR-Script. It is like a first response tool for investigating a possibly infected PC. You run the tool, gather a bunch of information, and store it for review. The script gathers the following information from a PC:
- AutoRuns output
- List of Local Groups and users in those groups
- List of Local Users
- NMAP TCP scan
- NMAP UDP scan
- NETSTAT -naob output
- PSInfo output
- PSList output
- Scheduled Jobs
- Open Shares accessible from the network
- Installed Software
- Output from TASKLIST -m, TASKLIST -v and TASKLIST -svc
- WMIC output of processes and their command line invocation
Download the script and read the manual at Google Code:
http://code.google.com/p/ir-script/
All of this information is stored in a folder named “<computer>-YYYYMMDD” for review. After a scan, your folder will look something like below.
Of course, you must run the script as a user that has local admin privileges on the target machine. Be sure to read Mike Pilkington’s excellent SANS blog posts on protecting privileged domain accounts to make sure your credentials don’t get snatched.
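To show what such a first-response collector looks like, here is an added PowerShell example (my own illustration, not the IR-Script from Google Code). It runs elevated on the suspect machine (for example through PsExec or Invoke-Command), writes each artifact from the list above into a “<computer>-YYYYMMDD” folder, and assumes PowerShell 5.1 and the Sysinternals tools in the hypothetical `$ToolDir` path.

```powershell
# Added example (not the post's IR-Script): collect the listed artifacts into
# "<computer>-YYYYMMDD". Run elevated on the target, e.g. via PsExec or Invoke-Command.
param(
    [string]$ToolDir = 'C:\Tools\Sysinternals',   # assumption: where autorunsc/psinfo/pslist live
    [string]$OutRoot = 'C:\IR'                     # assumption: where the case folder is created
)
$ErrorActionPreference = 'Continue'
$Case = Join-Path $OutRoot ("{0}-{1}" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))
New-Item -ItemType Directory -Path $Case -Force | Out-Null

function Save-Output {
    # Run one collector, write its text to a file, and log a failure instead of aborting the run.
    param([string]$Name, [scriptblock]$Cmd)
    $file = Join-Path $Case "$Name.txt"
    try   { & $Cmd 2>&1 | Out-File -FilePath $file -Encoding utf8 }
    catch { "ERROR collecting ${Name}: $_" | Out-File -FilePath $file -Encoding utf8 }
}

# Sysinternals tools (-accepteula keeps the EULA dialog from hanging an unattended run)
Save-Output 'autoruns' { & "$ToolDir\autorunsc.exe" -accepteula -a * -c }
Save-Output 'psinfo'   { & "$ToolDir\psinfo.exe"   -accepteula }
Save-Output 'pslist'   { & "$ToolDir\pslist.exe"   -accepteula }

# Local groups with their members, and local users
Save-Output 'local_groups' {
    foreach ($g in Get-LocalGroup) {
        "[$($g.Name)]"; Get-LocalGroupMember -Group $g.Name | ForEach-Object { "  $($_.Name)" }
    }
}
Save-Output 'local_users' { Get-LocalUser | Format-Table Name, Enabled, LastLogon -AutoSize | Out-String }

# Network connections and running processes (netstat/tasklist output, WMI process command lines)
Save-Output 'netstat_naob' { netstat -naob }
Save-Output 'tasklist_m'   { tasklist /m }
Save-Output 'tasklist_v'   { tasklist /v }
Save-Output 'tasklist_svc' { tasklist /svc }
Save-Output 'wmic_process' { Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine | Format-List | Out-String }

# Persistence and exposure: scheduled jobs, shares, installed software (both uninstall hives)
Save-Output 'scheduled_tasks' { Get-ScheduledTask | Select-Object TaskPath, TaskName, State | Format-Table -AutoSize | Out-String }
Save-Output 'shares'          { Get-SmbShare | Format-Table Name, Path, Description -AutoSize | Out-String }
Save-Output 'installed_software' {
    Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        Where-Object DisplayName | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName | Format-Table -AutoSize | Out-String
}

# Hash every collected file so the reviewer can later show the evidence was not altered
Get-ChildItem $Case -File | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path |
    Out-File -FilePath (Join-Path $Case 'manifest.sha256.txt') -Encoding utf8
```

The two NMAP scans from the list are run from the analyst workstation against the target rather than on the target itself, so they are not part of this on-host collector; save their output into the same case folder.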
Let me know if this script is useful to you. If you want any features added, let me know here or at the Google Code page.