@taco-shellcode
Created October 2, 2018 19:21
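#PowerShell Triage Script
# Pulls a remote endpoint's volatile state (PowerShell/OS version, TCP
# connections, processes, services, autorun registry values), then finds the
# process(es) talking to a suspicious IP and hashes their executables.
# Fill in $suspicious_ip and $hostname before running. Needs PowerShell
# remoting enabled on the target; Get-NetTCPConnection and $using: need
# PS 3.0+ there, Get-FileHash needs PS 4.0+.

Set-StrictMode -Version Latest   # an undefined variable becomes an error instead of silently matching nothing

$suspicious_ip = ''   # remote address to hunt for; -like wildcards work, e.g. '203.0.113.*'
$hostname = ''        # endpoint to triage

if ([string]::IsNullOrWhiteSpace($hostname) -or [string]::IsNullOrWhiteSpace($suspicious_ip)) {
    throw 'Set $hostname and $suspicious_ip before running this script.'
}

# One session for every query: a single authentication, and every snapshot
# below comes from the same host at (roughly) the same moment.
$session = New-PSSession -ComputerName $hostname -ErrorAction Stop
try {
    $endpoint_information = @{
        remote_powershell_version = Invoke-Command -Session $session -ScriptBlock { ($PSVersionTable).PSVersion.ToString() }
        os_version = Invoke-Command -Session $session -ScriptBlock { (Get-WmiObject -Class Win32_OperatingSystem).Version }
        network_connections = Invoke-Command -Session $session -ScriptBlock { Get-NetTCPConnection }
        running_processes = Invoke-Command -Session $session -ScriptBlock {
            Get-WmiObject -Class Win32_Process -Property CommandLine, CreationDate, ExecutablePath, ProcessId, ParentProcessId, ProcessName
        }
        # Win32_Service carries the binary path and the account each service runs
        # as, which is what a persistence review needs. The previous
        # 'Get-Service -DependentServices -RequiredServices' returned each
        # service's dependencies rather than the services themselves.
        services = Invoke-Command -Session $session -ScriptBlock {
            Get-WmiObject -Class Win32_Service -Property Name, DisplayName, State, StartMode, StartName, PathName, ProcessId
        }
        persistence_reg_values = $null   # filled in below
    }

    $persistence_reg_keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # The local pipeline variable $_ does not exist inside the remote script
    # block, so the key list is passed in explicitly and read in one round trip.
    # Note that HKCU: in the remote session is the hive of the account the
    # session runs as, not that of whoever is logged on interactively.
    $endpoint_information.persistence_reg_values = Invoke-Command -Session $session -ScriptBlock {
        param([string[]] $keys)
        foreach ($key in $keys) {
            Get-ItemProperty -Path $key -ErrorAction 'SilentlyContinue'
        }
    } -ArgumentList (, $persistence_reg_keys)

    # Filter the connection list already collected above (the original referenced
    # an undefined $network_connections). -like is kept so a wildcard IP works.
    $suspicious_connections = @($endpoint_information.network_connections |
        Where-Object { $_.RemoteAddress -like $suspicious_ip })

    $suspicious_pids = @()
    if ($suspicious_connections.Count -gt 0) {
        $suspicious_pids = @($suspicious_connections | ForEach-Object { $_.OwningProcess } | Sort-Object -Unique)
    } else {
        Write-Warning "No TCP connection on $hostname has a remote address matching '$suspicious_ip'"
    }

    $process = @()
    $filehash = @()
    if ($suspicious_pids.Count -gt 0) {
        # $using: ships the local PID list into the remote block; plain local
        # variables are not visible on the remote side.
        # NOTE(review): with -FileVersionInfo and -Module together Get-Process
        # appears to emit version info per loaded module rather than Process
        # objects, so this is an inventory, not the process list — confirm.
        $process = Invoke-Command -Session $session -ScriptBlock {
            Get-Process -Id $using:suspicious_pids -FileVersionInfo -Module
        }
        # Hash each matching process by its own image path instead of trusting
        # the first module entry to be the main executable. Processes whose
        # path cannot be read (protected/system) are skipped rather than failing.
        $filehash = Invoke-Command -Session $session -ScriptBlock {
            Get-Process -Id $using:suspicious_pids |
                Where-Object { $_.Path } |
                ForEach-Object { Get-FileHash -Path $_.Path -Algorithm SHA256 }
        }
    }
} finally {
    Remove-PSSession -Session $session
}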