Created
August 21, 2018 15:46
-
-
Save andrewkrug/e832da8970d50377e8cd0b1299f9e962 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Make sure it runs as root | |
| [[ $UID == 0 || $EUID == 0 ]] || ( | |
| echo "Must be root!" | |
| exit 1 | |
| ) || exit 1 | |
| # Default variables | |
| INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) | |
| TIMESTAMP=$(date +%s) | |
| CASE_ID=$TIMESTAMP | |
| BUCKET="msp-resources" | |
| PREFIX="case-$CASE_ID" | |
| LOCAL_DIR=/tmp | |
| OUTPUT="local" | |
| outputS3 () { | |
| aws s3 cp - s3://$BUCKET/$PREFIX/$1 | |
| } | |
| outputLocal () { | |
| if [[ ! -d $LOCAL_DIR/$PREFIX ]]; then | |
| mkdir -p $LOCAL_DIR/$PREFIX | |
| fi | |
| tee $LOCAL_DIR/$PREFIX/$1 | |
| } | |
| output () { | |
| case $OUTPUT in | |
| s3) | |
| aws s3 cp - s3://$BUCKET/$PREFIX/$1 | |
| ;; | |
| local) | |
| if [[ ! -d $LOCAL_DIR/$PREFIX ]]; then | |
| mkdir -p $LOCAL_DIR/$PREFIX | |
| fi | |
| tee $LOCAL_DIR/$PREFIX/$1 | |
| esac | |
| } | |
| get_userprofile() { | |
| # userprofile | |
| while read line | |
| do | |
| user=$(echo "$line" | cut -f1 -d:) | |
| home=$(echo "$line" | cut -f6 -d:) | |
| # user shell history | |
| echo -e "\n Get users shell history..." | |
| for f in $home/.*_history; do | |
| count=0 | |
| while read line | |
| do | |
| echo $f $count $line |output $INSTANCE_ID/$user'-shellhistory.txt' | |
| echo $f $count $line |output $INSTANCE_ID/$user'-shellhistory.txt' | |
| count=$(( $count + 1 )) | |
| done < $f | |
| done | |
| # user contabs | |
| echo -e "\n Get users crontabs..." | |
| crontab -u $user -l |output $INSTANCE_ID/$user'-crontab.txt' | |
| # ssh known hosts | |
| echo -e "\n Get ssh known hosts..." | |
| cat $home/.ssh/known_hosts |output $INSTANCE_ID/$user'-ssh_known_hosts.txt' | |
| # ssh config | |
| echo -e "\n Get ssh config..." | |
| cat $home/.ssh/config |output $INSTANCE_ID/$user'-ssh_config.txt' | |
| done < /etc/passwd | |
| # user accounts | |
| echo -e '\n Get user accounts...' | |
| cat /etc/passwd |output $INSTANCE_ID/$user'-passwd.txt' | |
| # user groups | |
| echo -e '\n Get user groups...' | |
| cat /etc/group |output $INSTANCE_ID/$user'-group.txt' | |
| # user accounts | |
| { | |
| echo -e "\n Get user shadows..." | |
| while read line | |
| do | |
| user=`echo "$line" | cut -d':' -f1` | |
| pw=`echo "$line" | cut -d':' -f2` | |
| # ignore the salt and hash, but capture the hashing method | |
| hsh_method=`echo "$pw" | cut -d'$' -f2` | |
| rest=`echo "$line" | cut -d':' -f3,4,5,6,7,8,9` | |
| echo "$user:$hsh_method:$rest" | |
| done < /etc/shadow | |
| } | output $INSTANCE_ID/$user'-shadow.txt' | |
| } | |
| get_systeminfo(){ | |
| # version information | |
| echo -e "\n Get version infomation... to version.txt" | |
| { | |
| echo -n "kernel_name="; uname -s; | |
| echo -n "nodename="; uname -n; | |
| echo -n "kernel_release="; uname -r; | |
| echo -n "kernel_version="; uname -v; | |
| echo -n "machine="; uname -m; | |
| echo -n "processor="; uname -p; | |
| echo -n "hardware_platform="; uname -i; | |
| echo -n "os="; uname -o; | |
| } | output $INSTANCE_ID/'version.txt' | |
| # kernel modules | |
| echo -e "\n Get kernel modules..." | |
| TMP=$(lsmod | sed 1d) | |
| while read module size usedby | |
| do | |
| { | |
| echo -e $module'\t'$size'\t'$usedby; | |
| modprobe --show-depends $module; | |
| modinfo $module; | |
| echo ""; | |
| } | output $INSTANCE_ID/'-modules.txt' | |
| done < $TMP | |
| # list of PCI devices | |
| echo -e "\n Get PCI devices list..." | |
| if [ -x /sbin/lspci ] | |
| then | |
| # rhel5 | |
| LSPCI=/sbin/lspci | |
| else | |
| LSPCI=`which ifconfig` | |
| fi | |
| $LSPCI | output $INSTANCE_ID/'-lspci.txt' | |
| # locale information | |
| echo -e "\n Get locale info..." | |
| locale | output $INSTANCE_ID/'-locale.txt' | |
| # installed packages with version information - ubuntu | |
| echo -e "\n Get installed packages on ubuntu..." | |
| if dpkg-query -W &> /dev/null; then | |
| dpkg-query -W -f='${PackageSpec}\t${Version}\n' | output $INSTANCE_ID/'os-packages.txt' | |
| fi | |
| # installed packages with version information - redhat/centos/amazon linux | |
| echo -e "\n Get installed packages on redhat/centos/amazon linux..." | |
| if /bin/rpm -qa --queryformat "%{NAME}\t%{VERSION}\n" &> /dev/null; then | |
| /bin/rpm -qa --queryformat '%{NAME}\t%{VERSION}\n' | output $INSTANCE_ID/'os-packages.txt' | |
| fi | |
| # kernel ring buffer messages | |
| echo -e "\n Get kernel ring buffer message [dmesg]..." | |
| { | |
| if dmesg -T &> /dev/null | |
| then | |
| dmesg -T | |
| else | |
| dmesg | |
| fi | |
| } | output $INSTANCE_ID/'dmesg.txt' | |
| # network interfaces | |
| echo -e "\n Get network interfaces [ifconfig]..." | |
| if [ -x /sbin/ifconfig ] | |
| then | |
| # rhel5 | |
| IFCONFIG=/sbin/ifconfig | |
| else | |
| IFCONFIG=`which ifconfig` | |
| fi | |
| $IFCONFIG -a | output $INSTANCE_ID/'ifconfig.txt' | |
| # mounted devices | |
| echo -e "\n Get information about currently mounted devices..." | |
| mount | output $INSTANCE_ID/'mounted_devices.txt' | |
| } | |
| get_activity(){ | |
| # running processes | |
| echo -e "\n Get running process [ps]..." | |
| { | |
| PS_FORMAT=user,pid,ppid,vsz,rss,tname,stat,stime,time,args | |
| if ps axwwSo $PS_FORMAT &> /dev/null; then | |
| # bsd | |
| ps axwwSo $PS_FORMAT | |
| elif ps -eF &> /dev/null; then | |
| # gnu | |
| ps -eF | |
| else | |
| # bsd without ppid | |
| ps axuSww | |
| fi | |
| } | output $INSTANCE_ID/'ps.txt' | |
| # active network connections | |
| echo -e "\n Get network conections [netstat]..." | |
| netstat -pWanoee | output $INSTANCE_ID/'netstat.txt' | |
| # active network infomation | |
| echo -e "\n Get network information [interface|ifconfig|ip|route|lsof|hosts]..." | |
| { | |
| if cat /etc/network/interfaces &> /dev/null; then | |
| echo -e "\n</etc/network/interfaces>";cat /etc/network/interfaces | |
| fi | |
| echo -e "\n<ifconfig -a>";ifconfig -a | |
| echo -e "\n<ip addr>"; ip addr | |
| echo -e "\n<ip link>";ip link | |
| echo -e "\n<netstat -lnput>;"netstat -lnput | |
| echo -e "\n<lsof -i -n -P>";lsof -i -n -P | |
| echo -e "\n<ss -ap>";ss -ap | |
| echo -e "\n<route -n>";route -n # "netstat -nr"; "ip route" | |
| echo -e "\n<ip neigh>";ip neigh | |
| echo -e "\n<cat /etc/hosts>";cat /etc/hosts | |
| echo -e "\n<cat /etc/hosts.allow>";cat /etc/hosts.allow | |
| echo -e "\n<cat /etc/hosts.deny>";cat /etc/hosts.deny | |
| } | output $INSTANCE_ID/'-netinfo.txt' | |
| # current logged in users | |
| echo -e "\n[Debug][activity] get current logged in users ... to who.txt(\$who), who.bin(\$utmp)" | |
| if who -a &> /dev/null | |
| then | |
| who -a | output $CASE_ID'-who.txt' | |
| else | |
| cat /var/run/utmp | output $CASE_ID'-who.bin' | |
| fi | |
| # last logged in users | |
| echo -e "\n[Debug][activity] get last logged in users ... to last.txt" | |
| if last -Fwx -f /var/log/wtmp* &> /dev/null | |
| then | |
| last -Fwx -f /var/log/wtmp* | output $CASE_ID'-last.txt' | |
| else | |
| cat /var/log/wtmp* | output $CASE_ID'-last.bin' | |
| fi | |
| } | |
| echo -e "\n[Debug] Collect triage data..." | |
| get_userprofile 2>&1 | |
| get_systeminfo 2>&1 | |
| get_activity 2>&1 | |
| # get_fileinfo 2>&1 | |
| # get_servicereg 2>&1 | |
| # get_logs 2>&1 | |
| # get_srvconf 2>&1 | |
| # get_srvcontents 2>&1 | |
| # scan_virus 2>&1 | |
| # get_hash 2>&1 | |
| # # basic triage | |
| # date | output date-${CASE_ID}.txt | |
| # uname -a | output uname-${CASE_ID}.txt | |
| # ifconfig -a | output ifconfig-${CASE_ID}.txt | |
| # netstat -anp | output netstat-${CASE_ID}.txt | |
| # lsof -V | output lsof-${CASE_ID}.txt | |
| # ps -ef | output ps-${CASE_ID}.txt | |
| # netstat -rn | output netstat-${CASE_ID}.txt | |
| # route | output route-${CASE_ID}.txt | |
| # lsmod | output lsmod-${CASE_ID}.txt | |
| # df | output df-${CASE_ID}.txt | |
| # mount | output mount-${CASE_ID}.txt | |
| # w | output w-${CASE_ID}.txt | |
| # last | output last-${CASE_ID}.txt | |
| # lastb | output lastb-${CASE_ID}.txt | |
| # cat /etc/passwd | output etc-passwd-${CASE_ID}.txt | |
| # cat /etc/shadow | output etc-shadow-${CASE_ID}.txt | |
| # | |
| # # 1. Acquire a full memory dump. | |
| # log "# Starting LiME to dump system memory..." | |
| # memfile="$saveto/memdump-$(hostname)-linux-$(uname -m).lime" | |
| # log "insmod $bin/lime.ko \"path='$memfile' format=lime\"" | |
| # insmod "$bin/lime.ko" "path=\"$memfile\" format=lime" | |
| # log "rmmod lime" | |
| # rmmod lime | |
| # log "# LiME finished." | |
| # | |
| # | |
| # # Histories | |
| # find /home -type f -regextype posix-extended -regex "home/[a-zA-Z\.]+(/\.bash_history)" -exec awk '{ print "{};" $0}' {} \; | output histories-${CASE_ID}.csv | |
| # find /root -type f -regextype posix-extended -regex "root(/\.bash_history)" -exec awk '{ print "{};" $0}' {} \; | output history-root-${CASE_ID}.csv | |
| # | |
| # # Logs | |
| # aws s3 cp /var/log s3://$BUCKET/$PREFIX/ --recursive | |
| # find /var/log -type f -xdev -exec sha1sum -b {} \; | output logfiles-sha1sum-${CASE_ID}.txt | |
| # end timestamp | |
| date '+%Y-%m-%d %H:%M:%S %Z %:z' | output $CASE_ID'triage-date-time.txt' | |
| # MD5 to all files acquired | |
| # ETag is the MD5 checksum of every key. Create a list with all files checksum | |
| if [[ $OUTPUT == "local" ]]; then | |
| find $PREFIX -type f -exec md5sum {} \; | output $CASE_ID-list-checksum-md5.txt | |
| else | |
| aws s3api list-objects --bucket $BUCKET --prefix $PREFIX --output text --query Contents[*].[Key,ETag] | output $CASE_ID-list-checksum-md5.txt | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment