In-Depth

Incident Response: A Quick Way To Gather Lots of Files

Using PowerShell, finding infected files can take just a few minutes to complete.

Finding the source of an intrusion or malware infestation is critical. In just a few minutes, a determined worm can infect thousands of machines if left unchecked. One way to perform an investigation is through file collection. Typically, malware or intrusions leave some trace behind in a file or set of files. Once this is determined, it's important to perform an investigation fast amongst these files. If malware is the problem, these files may be spread across thousands of machines.

In this article, we're going to cover a way you can collect lots of files matching a criterion that would indicate an intrusion or malware infection.

The first is determining what to look for which can vary widely. For this example, let's say you know of a folder path but the file names change. Perhaps it's a folder in the temporary directory of a bunch of workstations, and the malware is trying to cover its tracks by using a file with a different name. You also know the timeframe the problem happened. Going off of the two criteria you have, a folder path and a date range, you set out to build a script that can pull all files from this folder path that were written in that timeframe.

You'll next need to figure out how to build a script that can find a single file on a single computer. Let's start small. We'll first define the seed variables we're working with. We'll define the folder path and the start and end times.

$folderPath =  'Windows\Temp\MalwareHere'
$startTime = [datetime]'11/3/17 10:33AM'
$endTime = [datetime]'11/3/17 11:09AM'
Once we've got the variables created, let's then attempt to find all files in our folder on a single remote computer.
PS> $computers = 'DC'
foreach ($c in $computers) {
Get-ChildItem -Path "\\$c\c$\$folderPath" | Where-Object { $_.LastWriteTime -gt $startTime -and $_.LastWriteTime -lt $endTime }
}

Directory: \\dc\c$\Windows\Temp\MalwareHere


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        11/3/2017  10:54 AM              2 adfloj4433.dat

Now we're cookin'! At this point, I can now discover all the files I'm looking for. I now want to copy these to some central network location for further analysis so let's take it up a notch.

$centralFolder = 'C:\MalwareFiles'

foreach ($c in $computers) {
if ($files = Get-ChildItem -Path "\\$c\c$\$folderPath" | Where-Object { $_.LastWriteTime -gt $startTime -and $_.LastWriteTime -lt $endTime }) {
$dest = mkdir "C:\MalwareFiles\$c"
Copy-Item -Path $files.FullName -Destination $dest.FullName
}
}

When run, the script now creates a folder in C:\MalwareFiles with the name of the computer where the file came from and drops all interesting files in that folder.

Now that we can do one, let's do them all with some parallel processing goodness with background jobs.

 

$centralFolder = 'C:\MalwareFiles'

foreach ($c in $computers) {
$scriptBlock = {
$start = $args[1]
$end = $args[2]
if ($files = Get-ChildItem -Path "\\$($args[0])\c$\$($args[3])" | Where-Object { $_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end }) {
$dest = "C:\MalwareFiles\$($args[0])"
if (-not (Test-Path -Path $dest -PathType Container)) {
$null = mkdir $dest
}
Copy-Item -Path $files.FullName -Destination $dest
}
}
$jobParams = @{
Name = $c
ScriptBlock = $scriptBlock
ArgumentList = $c,$startTime,$endTime,$folderPath
}
Start-Job @jobParams
}

The code has increased in complexity. Sure. But we've now got a foundation to add any number of computers we need! We simply need to add additional computers to the $computers variable whether by adding to an array, pulling from Active Directory, a database, or wherever!

About the Author

Adam Bertram is a 20-year veteran of IT. He's an automation engineer, blogger, consultant, freelance writer, Pluralsight course author and content marketing advisor to multiple technology companies. Adam also founded the popular TechSnips e-learning platform. He mainly focuses on DevOps, system management and automation technologies, as well as various cloud platforms mostly in the Microsoft space. He is a Microsoft Cloud and Datacenter Management MVP who absorbs knowledge from the IT field and explains it in an easy-to-understand fashion. Catch up on Adam's articles at adamtheautomator.com, connect on LinkedIn or follow him on Twitter at @adbertram or the TechSnips Twitter account @techsnips_io.


Featured

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.