DailyThreatHunting.ps1

DailyThreatHunting.ps1

<#
  .SYNOPSIS
  Daily Threat Hunting script.

  .DESCRIPTION
  The DailyThreatHunting.ps1 script prints out:
    - commandline history, 
    - newly installed softwares, 
    - newly installed services,
    - processes creating network connections,
    - auto start events and processes.

  .PARAMETER DAYS_BACK
  How far back do you want to look at event logs. 
  Have to be negative, because it's relative to now.

  .PARAMETER DIFFERENCE_CHECK
  Run a diff from last time you ran this command. Input is either 1 or 0, true or false.
  When this is true, the last output will be compared to current output and the change will be printed out instead.

  .INPUTS
  None. You cannot pipe objects to DailyThreatHunting.ps1.

  .EXAMPLE
  PS> .\DailyThreatHunting.ps1

  .EXAMPLE
  PS> .\DailyThreatHunting.ps1 -DAYS_BACK -7

  .EXAMPLE
  PS> .\DailyThreatHunting.ps1 -DIFFERENCE_CHECK 0

  .LINK
  https://cyberspacehunter.com/2-minutes-threat-hunt/

#>
param(
 [int]$DAYS_BACK = -2,
 [bool]$DIFFERENCE_CHECK = $true
)

$HISTORY_FILE = ".\DailyThreatHunting_history.txt"
$SOFTWARE_FILE = ".\DailyThreatHunting_software.xml"
$NETWORK_FILE = ".\DailyThreatHunting_network.xml"
$SERVICE_FILE = ".\DailyThreatHunting_service.xml"
$AUTOSTART_FILE = ".\DailyThreatHunting_autostart.xml"

Write-Host "Daily Threat Hunting" -ForegroundColor Green
Write-Host "Hunt initiated..." -ForegroundColor DarkGreen
Write-Host ""

## HISTORY Check ##
if (!(Test-Path -Path $HISTORY_FILE) -or !($DIFFERENCE_CHECK)){
    Write-Host "COMMAND LINE HISTORY::" -ForegroundColor DarkGreen
    cat (Get-PSReadLineOption | select -ExpandProperty HistorySavePath) > $HISTORY_FILE
    cat (Get-PSReadLineOption | select -ExpandProperty HistorySavePath) | select -Last 20
}
else {
    Write-Host "COMMAND LINE HISTORY - difference from last run::" -ForegroundColor DarkGreen
    Compare-Object (Get-Content (Get-PSReadLineOption | select -ExpandProperty HistorySavePath)) (Get-Content $HISTORY_FILE) | ft inputobject -HideTableHeaders
}
cat (Get-PSReadLineOption | select -ExpandProperty HistorySavePath) > $HISTORY_FILE
Write-Host "----------------------------" -ForegroundColor DarkGreen

## Software ##
$installed_software = Get-WinEvent -FilterHashtable @{LogName='Application'; ID=11707;StartTime=$(Get-Date).AddDays($DAYS_BACK)} -ErrorAction SilentlyContinue
if (!(Test-Path -Path $SOFTWARE_FILE) -or !($DIFFERENCE_CHECK)){
    Write-Host "INSTALLED SOFTWARE::" -ForegroundColor DarkGreen
    $installed_software | ft timecreated, @{Label="User"; Expression={(New-Object System.Security.Principal.SecurityIdentifier($_.userid)).Translate([System.Security.Principal.NTAccount]).value}}, message
    Export-Clixml -InputObject $installed_software -Path $SOFTWARE_FILE
}
else {
    Write-Host "INSTALLED SOFTWARE - difference from last run::" -ForegroundColor DarkGreen
    $installed_software_saved = Import-Clixml -Path $SOFTWARE_FILE
    Compare-Object $installed_software_saved.message $installed_software.message | ft inputobject -HideTableHeaders
}
Export-Clixml -InputObject $installed_software -Path $SOFTWARE_FILE
Write-Host "----------------------------" -ForegroundColor DarkGreen

## Network ##
if (!(Get-Module "Getnetstat")){
Install-Module -Name GetNetStat -Scope CurrentUser
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
}
$network_connections = Get-Netstat
if (!(Test-Path -Path $NETWORK_FILE) -or !($DIFFERENCE_CHECK)){
    Write-Host "NETWORK CONNECTIONS::" -ForegroundColor DarkGreen
    $network_connections | sort pidname -u | sort remoteip
    Export-Clixml -InputObject $network_connections -Path $NETWORK_FILE
}
else {
    Write-Host "NETWORK CONNECTIONS - difference from last run::" -ForegroundColor DarkGreen
    $network_connections_saved = Import-Clixml -Path $NETWORK_FILE
    Compare-Object ($network_connections_saved|sort pidname -u).pidname ($network_connections | sort pidname -u).pidname | ft inputobject -HideTableHeaders 
}
Export-Clixml -InputObject $network_connections -Path $NETWORK_FILE
Write-Host "----------------------------" -ForegroundColor DarkGreen

## Service ##
$installed_services = Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045;StartTime=$(Get-Date).AddDays($DAYS_BACK)}
if (!(Test-Path -Path $SERVICE_FILE) -or !($DIFFERENCE_CHECK)){
    Write-Host "INSTALLED SERVICES::" -ForegroundColor DarkGreen
    $installed_services | ft -wrap
    Export-Clixml -InputObject $installed_services -Path $SERVICE_FILE
}
else {
    Write-Host "INSTALLED SERVICES - difference from last run::" -ForegroundColor DarkGreen
    $installed_services_saved = Import-Clixml -Path $SERVICE_FILE
    Compare-Object $installed_services_saved.message $installed_services.message | ft inputobject -HideTableHeaders -wrap
}
Export-Clixml -InputObject $installed_services -Path $SERVICE_FILE
Write-Host "----------------------------" -ForegroundColor DarkGreen

## Auto Start ##
$WMIEvents = New-Object pscustomobject @{}
$WMIEvents.Filters = Get-WMIObject -Namespace root\Subscription -Class __EventFilter
$WMIEvents.Consumers = Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
#$WMIEvents.Bindings = Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

if (!(Test-Path -Path $AUTOSTART_FILE) -or !($DIFFERENCE_CHECK)){
    Write-Host "WMI EVENTS::" -ForegroundColor DarkGreen
    $WMIEvents.Values.Name
    Export-Clixml -InputObject $installed_services -Path $AUTOSTART_FILE
}
else {
    Write-Host "WMI EVENTS - difference from last run::" -ForegroundColor DarkGreen
    $WMIEvents_saved = Import-Clixml -Path $AUTOSTART_FILE
    Compare-Object $WMIEvents_saved.Values.Name $WMIEvents.Values.Name | ft inputobject -HideTableHeaders
}
Export-Clixml -InputObject $WMIEvents -Path $AUTOSTART_FILE
Write-Host "----------------------------" -ForegroundColor DarkGreen