Incident Response: A Quick Way To Gather Lots of Files

With PowerShell, collecting suspect files from a fleet of machines can take just a few minutes.

Finding the source of an intrusion or malware infestation is critical. In just a few minutes, a determined worm can infect thousands of machines if left unchecked. One way to perform an investigation is through file collection. Typically, malware or intrusions leave some trace behind in a file or set of files. Once those files are identified, they need to be gathered and examined quickly, and if malware is the problem they may be spread across thousands of machines.

In this article, we're going to cover a way you can collect lots of files matching a criterion that would indicate an intrusion or malware infection.

The first step is determining what to look for, which can vary widely. For this example, let's say you know a folder path but the file names change. Perhaps it's a folder in the temporary directory of a bunch of workstations, and the malware is trying to cover its tracks by writing a file with a different name each time. You also know the timeframe in which the problem happened. Going off of the two criteria you have, a folder path and a date range, you set out to build a script that pulls all files from that folder path that were written in that timeframe.

Next, figure out how to find the files on a single computer. Let's start small. We'll first define the seed variables we're working with: the folder path (relative to the root of the C: drive, since we'll reach it through the C$ administrative share) and the start and end times. Use an unambiguous date format here; a string like '11/3/17' parses as 11 March on a machine with a day-first culture, which would silently shift the whole search window.

$folderPath = 'Windows\Temp\MalwareHere'
$startTime = [datetime]'2017-11-03T10:33:00'
$endTime = [datetime]'2017-11-03T11:09:00'

Once we've got the variables created, let's attempt to find all files in our folder on a single remote computer. The -File switch skips subfolders and -Force makes sure hidden files, a favourite hiding place for malware, are not skipped.

$computers = 'DC'
foreach ($c in $computers) {
    Get-ChildItem -Path "\\$c\c$\$folderPath" -File -Force |
        Where-Object { $_.LastWriteTime -ge $startTime -and $_.LastWriteTime -le $endTime }
}

Directory: \\dc\c$\Windows\Temp\MalwareHere


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        11/3/2017  10:54 AM              2 adfloj4433.dat

Now we're cookin'! At this point, I can discover all the files I'm looking for. Next I want to copy them to a central network location for further analysis, so let's take it up a notch.

$centralFolder = 'C:\MalwareFiles'

foreach ($c in $computers) {
    $files = Get-ChildItem -Path "\\$c\c$\$folderPath" -File -Force |
        Where-Object { $_.LastWriteTime -ge $startTime -and $_.LastWriteTime -le $endTime }
    if ($files) {
        # -Force returns the existing folder instead of failing when it is already there
        $dest = New-Item -Path (Join-Path $centralFolder $c) -ItemType Directory -Force
        Copy-Item -Path $files.FullName -Destination $dest.FullName
    }
}

When run, the script creates a folder under C:\MalwareFiles named for the computer the files came from and drops all of the interesting files there.
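For the copy step above, here is an added example (mine, not the article's code) that extends the collection with the check an incident responder usually wants before handing files to analysts: a SHA-256 hash of each file taken where it sits on the endpoint, verified again after the copy, and a CSV manifest recording computer, original path, size, timestamps and hash. The computer names, paths and time window are placeholders; the ISO 8601 date strings are used so the window does not depend on the culture of the machine running the script.

```powershell
# Added example, not from the original article. Hosts, paths and the time
# window are placeholders chosen for illustration.
$folderPath    = 'Windows\Temp\MalwareHere'
$startTime     = [datetime]'2017-11-03T10:33:00'
$endTime       = [datetime]'2017-11-03T11:09:00'
$computers     = 'DC', 'WKS01'                      # hypothetical hosts
$centralFolder = 'C:\MalwareFiles'
$manifestPath  = Join-Path $centralFolder 'manifest.csv'

$null = New-Item -Path $centralFolder -ItemType Directory -Force

$manifest = foreach ($c in $computers) {
    $source = "\\$c\c$\$folderPath"
    if (-not (Test-Path -LiteralPath $source)) {
        Write-Warning "$c : $source is unreachable or does not exist"
        continue
    }

    # -File skips subfolders, -Force includes hidden and system files
    $files = Get-ChildItem -LiteralPath $source -File -Force |
        Where-Object { $_.LastWriteTime -ge $startTime -and $_.LastWriteTime -le $endTime }
    if (-not $files) { continue }

    $dest = Join-Path $centralFolder $c
    $null = New-Item -Path $dest -ItemType Directory -Force

    foreach ($f in $files) {
        # Hash the file in place first, then verify the copy against that hash.
        $srcHash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $copied  = Copy-Item -LiteralPath $f.FullName -Destination $dest -PassThru
        $dstHash = (Get-FileHash -LiteralPath $copied.FullName -Algorithm SHA256).Hash

        [pscustomobject]@{
            Computer       = $c
            SourcePath     = $f.FullName
            CollectedPath  = $copied.FullName
            LengthBytes    = $f.Length
            CreationTime   = $f.CreationTimeUtc.ToString('o')
            LastWriteTime  = $f.LastWriteTimeUtc.ToString('o')
            SHA256         = $srcHash
            CopyVerified   = ($srcHash -eq $dstHash)
            CollectedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
}

if ($manifest) {
    $manifest | Export-Csv -Path $manifestPath -NoTypeInformation
    # Anything listed here was altered between the hash and the copy and needs a second look.
    $manifest | Where-Object { -not $_.CopyVerified } | Format-Table Computer, SourcePath
}
```

The manifest is what lets you later prove which file came from which host and that the copy you analysed is the one that was on disk. Two caveats: the hashes also give you something to pivot on (search the other hosts for the same SHA-256 rather than the same name), and LastWriteTime is under the attacker's control, so treat the time window as a triage filter rather than as proof that nothing else was written.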

Now that we can do one, let's do them all with some parallel processing goodness with background jobs.

$centralFolder = 'C:\MalwareFiles'

$scriptBlock = {
    param($Computer, $Start, $End, $FolderPath, $Central)
    $files = Get-ChildItem -Path "\\$Computer\c$\$FolderPath" -File -Force |
        Where-Object { $_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End }
    if ($files) {
        $dest = Join-Path $Central $Computer
        if (-not (Test-Path -Path $dest -PathType Container)) {
            $null = mkdir $dest
        }
        Copy-Item -Path $files.FullName -Destination $dest
    }
}

$jobs = foreach ($c in $computers) {
    $jobParams = @{
        Name         = $c
        ScriptBlock  = $scriptBlock
        ArgumentList = $c, $startTime, $endTime, $folderPath, $centralFolder
    }
    Start-Job @jobParams
}

# Wait for our jobs and surface their output and errors (unreachable hosts,
# access denied) instead of leaving them unread in the session.
$jobs | Wait-Job | Receive-Job

The code has increased in complexity. Sure. But we've now got a foundation to add any number of computers we need! We simply need to add more computers to the $computers variable, whether by adding to an array, pulling from Active Directory, a database, or wherever.
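The job-based version above starts one job per computer, and every Start-Job is a separate powershell.exe process; point it at a few thousand hosts and the collecting machine runs out of memory long before the sweep finishes. It also gives an unreachable host or an access-denied error no way to stand out. The following added example (not the article's code) keeps a bounded number of jobs in flight, enforces a per-job time limit so a hung SMB connection cannot stall the sweep, and produces a per-computer report of files copied or the error that stopped collection. Host names, paths, the throttle value and the timeout are illustrative assumptions.

```powershell
# Added example, not from the original article. Hosts, paths, window, throttle
# and timeout are placeholders chosen for illustration.
$folderPath    = 'Windows\Temp\MalwareHere'
$startTime     = [datetime]'2017-11-03T10:33:00'
$endTime       = [datetime]'2017-11-03T11:09:00'
$centralFolder = 'C:\MalwareFiles'
$computers     = 1..25 | ForEach-Object { 'WKS{0:D3}' -f $_ }   # hypothetical host names
$throttle      = 8      # each Start-Job is its own powershell.exe; keep the count bounded
$jobTimeoutSec = 300    # a hung SMB connection must not hold up the whole sweep

# Work done inside each job. Errors are made terminating so a bad host shows up
# as a Failed job instead of a silent, empty folder.
$collect = {
    param($Computer, $FolderPath, $Start, $End, $Central)
    $ErrorActionPreference = 'Stop'
    $source = "\\$Computer\c$\$FolderPath"
    $files  = @(Get-ChildItem -LiteralPath $source -File -Force |
        Where-Object { $_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End })
    $dest = Join-Path $Central $Computer
    $null = New-Item -Path $dest -ItemType Directory -Force
    $copied = @()
    if ($files) { $copied = @($files | Copy-Item -Destination $dest -PassThru) }
    [pscustomobject]@{ Computer = $Computer; Files = $copied.Count }
}

$queue   = [System.Collections.Generic.Queue[string]]::new([string[]]$computers)
$running = @{}   # job Id -> job; only jobs started here, so unrelated session jobs are left alone
$report  = New-Object System.Collections.Generic.List[object]

while ($queue.Count -gt 0 -or $running.Count -gt 0) {
    # Keep up to $throttle jobs in flight.
    while ($queue.Count -gt 0 -and $running.Count -lt $throttle) {
        $c   = $queue.Dequeue()
        $job = Start-Job -Name $c -ScriptBlock $collect `
                         -ArgumentList $c, $folderPath, $startTime, $endTime, $centralFolder
        $running[$job.Id] = $job
    }

    Start-Sleep -Milliseconds 500

    foreach ($job in @($running.Values)) {
        $age = (Get-Date) - $job.PSBeginTime
        if ($job.State -eq 'Running' -and $age.TotalSeconds -lt $jobTimeoutSec) { continue }

        $entry = [ordered]@{ Computer = $job.Name; Status = [string]$job.State; Files = 0; Error = $null }
        if ($job.State -eq 'Running') {
            Stop-Job -Job $job
            $entry.Status = 'TimedOut'
        } else {
            # Errors raised inside the job are re-emitted on Receive-Job's error stream.
            $out = Receive-Job -Job $job -ErrorAction SilentlyContinue -ErrorVariable jobErr
            if ($jobErr) { $entry.Error = $jobErr[0].Exception.Message }
            if ($out)    { $entry.Files = [int]$out.Files }
        }
        Remove-Job -Job $job -Force
        $running.Remove($job.Id)
        $report.Add([pscustomobject]$entry)
    }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize
$report | Export-Csv -Path (Join-Path $centralFolder 'collection-report.csv') -NoTypeInformation
```

The report is as important as the files: a host that timed out or returned access denied is a gap in your coverage, and during an outbreak those gaps are exactly where the infection can still be running. Everything here runs under the account executing the script, so that account needs rights to the C$ share on every target. If WinRM is available, Invoke-Command with -ThrottleLimit does the same fan-out without a process per host and lets the filtering (and hashing) happen on the endpoint instead of pulling whole directory listings over SMB.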

About the Author

Adam Bertram is an independent consultant, technical writer, trainer and presenter. Adam specializes in consulting and evangelizing all things IT automation mainly focused around Windows PowerShell. Adam is a Microsoft Windows PowerShell MVP, 2015 powershell.org PowerShell hero and has numerous Microsoft IT pro certifications. He is a writer, trainer and presenter and authors IT pro course content for Pluralsight. He is also a regular contributor to numerous print and online publications and presents at various user groups and conferences. You can find Adam at adamtheautomator.com or on Twitter at @adbertram.
