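<#
.SYNOPSIS
A PowerShell script to assist incident responders in hunting down suspicious network connections
.DESCRIPTION
Using network IOCs, huntBotNets searches the local host's active sockets (netstat -nao) for
connections whose local or remote address is exactly the supplied malicious IP address, and records
the owning process (PID, name, image path, start time, loaded modules) for each hit.
Output is appended to conncheck.txt in the output directory (created if it does not exist).
A run that finds nothing still writes a "no match" line, so a negative result is recorded too.
Must be invoked with an IP address to search for.
Can be invoked with a path to where you want the output file saved.

Responder notes:
 - The IOC is matched as a literal, exact address (not a regex and not a prefix), so 192.168.2.1
   does not also report 192.168.2.10 / 192.168.2.100 / 192x168x2x1.
 - Everything here comes from the host's own netstat and process table. A kernel-level implant can
   hide or falsify both, so treat hits as leads and corroborate with network-side telemetry.
 - Run from an elevated session where possible; image path, start time and module lists of
   processes owned by other users are often inaccessible otherwise and are logged as unavailable.
.PARAMETER BotNetIP
The IPv4 or IPv6 address from the IOC list to look for. Matched exactly against the host part of
each endpoint (port and IPv6 brackets are ignored).
.PARAMETER OutPath
Directory that receives conncheck.txt. Defaults to the current directory.
.EXAMPLE
huntBotNets.ps1 -BotNetIP 192.168.2.1
.EXAMPLE
huntBotNets.ps1 -BotNetIP 192.168.2.1 -OutPath C:\DFIRLOGS\
.LINK
https://github.com/TazWake/Powershell-Learning/blob/master/huntBotNets.ps1
#>
param(
    [Parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$BotNetIP,
    [string]$OutPath = ".\"
)

# Read one property of a process object without aborting the run. Getters such as Path,
# StartTime and Modules throw (access denied) for protected or other-user processes when the
# script is not elevated, and the process may also have exited since netstat ran ($Object is $null).
function Get-PropertySafe {
    param($Object, [string]$Name)
    if ($null -eq $Object) { return $null }
    try {
        return $Object.$Name
    } catch {
        return "<unavailable: $($_.Exception.Message)>"
    }
}

# Initial data for logging: who ran the hunt, where, and when - context for the case file.
$HostName = (Get-Item env:\Computername).Value
$DirPath  = (Get-Item env:\userprofile).Value
$UserName = (Get-Item env:\USERNAME).Value
$Date     = (Get-Date).ToString('dd.MM.yyyy')

# Build the log path once with Join-Path so a trailing backslash on -OutPath is harmless,
# and make sure the directory exists before the first write.
if (-not (Test-Path -LiteralPath $OutPath -PathType Container)) {
    New-Item -ItemType Directory -Path $OutPath -Force | Out-Null
}
$LogFile = Join-Path $OutPath 'conncheck.txt'

# Notify User
Write-Host "[+] Beginning Data Collection on $HostName"

# Write log header. UTF-8 throughout: the original mixed Add-Content (system code page) with
# Out-File -Encoding ascii, which turned non-ASCII characters in module paths into '?'.
Add-Content -Path $LogFile -Encoding utf8 -Value "------------------------"
Add-Content -Path $LogFile -Encoding utf8 -Value "- Checking for BotNets -"
Add-Content -Path $LogFile -Encoding utf8 -Value "------------------------"
Add-Content -Path $LogFile -Encoding utf8 -Value ("Hostname: " + $HostName)
Add-Content -Path $LogFile -Encoding utf8 -Value ("Path: " + $DirPath)
Add-Content -Path $LogFile -Encoding utf8 -Value ("User Name: " + $UserName)
Add-Content -Path $LogFile -Encoding utf8 -Value ("Date: " + $Date)
Add-Content -Path $LogFile -Encoding utf8 -Value ("IOC: " + $BotNetIP)
Add-Content -Path $LogFile -Encoding utf8 -Value "------------------------"

# Snapshot the process table once and index it by PID, instead of calling Get-Process four
# times for every matching connection.
$ProcessByPid = @{}
foreach ($p in Get-Process) {
    $ProcessByPid[[int]$p.Id] = $p
}

# -SimpleMatch: the IOC is a literal string, not a regex. Without it the dots in 192.168.2.1
# match any character. This is only a cheap pre-filter; the exact endpoint check is below.
$Candidates = netstat -nao | Select-String -SimpleMatch $BotNetIP
$HitCount = 0

foreach ($element in $Candidates) {
    # netstat -nao columns: Proto, Local Address, Foreign Address, [State], PID.
    $data = @(($element.Line -split '\s+') | Where-Object { $_ -ne '' })
    if ($data.Count -lt 4) { continue }   # header or malformed line

    $Proto = $data[0]
    # UDP rows have no State column, so the PID is the 4th field rather than the 5th.
    if ($Proto -like 'UDP*') {
        $State   = ''
        $ProcPid = $data[3]
    } else {
        $State   = $data[3]
        $ProcPid = $data[4]
    }

    # Compare the IOC against the host part of each endpoint ("host:port" or "[v6]:port") so a
    # substring hit such as 192.168.2.10 for IOC 192.168.2.1 is not reported.
    $Endpoints = @($data[1], $data[2]) | ForEach-Object {
        ($_ -replace ':[^:]*$', '').Trim('[', ']')
    }
    if ($Endpoints -notcontains $BotNetIP) { continue }
    $HitCount++

    $Proc = $null
    if ($ProcPid -match '^\d+$') {
        $Proc = $ProcessByPid[[int]$ProcPid]
    }

    # Module list is the field most likely to be denied; collect it separately so one failure
    # does not lose the rest of the record.
    $Modules = $null
    if ($null -ne $Proc) {
        try {
            $Modules = ($Proc.Modules | ForEach-Object { $_.FileName }) -join '; '
        } catch {
            $Modules = "<unavailable: $($_.Exception.Message)>"
        }
    }

    $ConnCheck = @{
        'Protocol'                 = $Proto
        'Local IP : Port#'         = $data[1]
        'Remote IP : Port#'        = $data[2]
        'State'                    = $State
        'Process ID'               = $ProcPid
        'Process Name'             = Get-PropertySafe $Proc 'Name'
        'Process File Path'        = Get-PropertySafe $Proc 'Path'
        'Process Start Time'       = Get-PropertySafe $Proc 'StartTime'
        'Associated DLLs and Path' = $Modules
    }
    # Select-Object fixes the column order; a plain hashtable would print the fields in
    # arbitrary order.
    New-Object -TypeName psobject -Property $ConnCheck |
        Select-Object 'Protocol', 'Local IP : Port#', 'Remote IP : Port#', 'State', 'Process ID',
                      'Process Name', 'Process File Path', 'Process Start Time',
                      'Associated DLLs and Path' |
        Out-File -Append -FilePath $LogFile -Encoding utf8
}

# Record a negative result explicitly - "nothing found" is evidence too.
if ($HitCount -eq 0) {
    Add-Content -Path $LogFile -Encoding utf8 -Value "No connections matched $BotNetIP"
}
Add-Content -Path $LogFile -Encoding utf8 -Value ("Matches: " + $HitCount)

# Notify User
Write-Host "[+] Collection Complete - $HitCount match(es) - Results in $LogFile"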