In-Depth

Incident Response: A Quick Way To Gather Lots of Files

Using PowerShell, finding infected files can take just a few minutes to complete.

• By Adam Bertram
• 12/21/2017

Finding the source of an intrusion or malware infestation is critical. In just a few minutes, a determined worm can infect thousands of machines if left unchecked. One way to perform an investigation is through file collection. Typically, malware or intrusions leave some trace behind in a file or set of files. Once this is determined, it's important to perform an investigation fast amongst these files. If malware is the problem, these files may be spread across thousands of machines.

In this article, we're going to cover a way you can collect lots of files matching a criterion that would indicate an intrusion or malware infection.

The first is determining what to look for which can vary widely. For this example, let's say you know of a folder path but the file names change. Perhaps it's a folder in the temporary directory of a bunch of workstations, and the malware is trying to cover its tracks by using a file with a different name. You also know the timeframe the problem happened. Going off of the two criteria you have, a folder path and a date range, you set out to build a script that can pull all files from this folder path that were written in that timeframe.

You'll next need to figure out how to build a script that can find a single file on a single computer. Let's start small. We'll first define the seed variables we're working with. We'll define the folder path and the start and end times.

$folderPath =  'Windows\Temp\MalwareHere'

  $startTime = [datetime]'11/3/17 10:33AM'

  $endTime = [datetime]'11/3/17 11:09AM'

  Once we've got the variables created, let's then  attempt to find all files in our folder on a single remote computer.

  PS> $computers = 'DC'

  foreach ($c in $computers) {

  Get-ChildItem -Path "\\$c\c$\$folderPath" | Where-Object {  $_.LastWriteTime -gt $startTime -and $_.LastWriteTime -lt $endTime }

  }

  

  Directory:  \\dc\c$\Windows\Temp\MalwareHere

  

  

  Mode                 LastWriteTime         Length Name

  ----                 -------------         ------ ----

-a----         11/3/2017  10:54 AM              2 adfloj4433.dat

Now we're cookin'! At this point, I can now discover all the files I'm looking for. I now want to copy these to some central network location for further analysis so let's take it up a notch.

$centralFolder = 'C:\MalwareFiles'

  

  foreach ($c in $computers) {

  if ($files =  Get-ChildItem -Path "\\$c\c$\$folderPath" | Where-Object {  $_.LastWriteTime -gt $startTime -and $_.LastWriteTime -lt $endTime }) {

  $dest =  mkdir "C:\MalwareFiles\$c" 

  Copy-Item -Path $files.FullName -Destination $dest.FullName

  }

}

When run, the script now creates a folder in C:\MalwareFiles with the name of the computer where the file came from and drops all interesting files in that folder.

Now that we can do one, let's do them all with some parallel processing goodness with background jobs.

$centralFolder = 'C:\MalwareFiles'

  

  foreach ($c in $computers) {

  $scriptBlock  = {

  $start =  $args[1]

  $end =  $args[2]

  if  ($files = Get-ChildItem -Path "\\$($args[0])\c$\$($args[3])" | Where-Object  { $_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end }) {

  $dest  = "C:\MalwareFiles\$($args[0])"

  if  (-not (Test-Path -Path $dest -PathType Container)) {

  $null = mkdir $dest

  }

  Copy-Item  -Path $files.FullName -Destination $dest

  }

  }

  $jobParams =  @{

  Name =  $c

  ScriptBlock = $scriptBlock

  ArgumentList = $c,$startTime,$endTime,$folderPath

  }

  Start-Job  @jobParams

}

The code has increased in complexity. Sure. But we've now got a foundation to add any number of computers we need! We simply need to add additional computers to the $computers variable whether by adding to an array, pulling from Active Directory, a database, or wherever!