Get-Baseline is a wrapper PowerShell script around a number of functions that automates the initial collection tasks in an incident response scenario.

Prerequisites:
+ On Targets:
  – Accessible via WinRM, SMB, or WMI (WinRM preferred)
  – PowerShell 2.0+ (3.5+ preferred)
+ On Collection System:
  – PowerShell 5.0+
  – Domain joined
  – Logged in with Administrator rights (able to execute code remotely)
Get-Baseline is the primary function. It calls all of the Remote Access, Baseline Collection, and Event Log Collection functions listed below.
* Baseline Collection – collects ASEPs, live process and configuration data for systems in scope.
  + Get-BetterTasklist: collects currently running processes – TimeGenerated, Name, ProcessID, ParentProcessId, ExecutablePath, Hash, CommandLine
  + Get-DLLs: collects currently loaded DLLs – TimeGenerated, ModuleName, FileName, Hash, Size, Company, Description, FileVersion, Product, ProductVersion
  + Get-BetterNetstat: collects current netstat output – TimeGenerated, Protocols, LocalAddress, ForeignAddress, State, Name, ProcessId, ParentProcessId, ExecutablePath, Hash, CommandLine
  + Invoke-Autorunsc: downloads and executes autorunsc.exe with the following arguments: -accepteula -h -c -nobanner -a * -s
  + Invoke-Sigcheck: verifies signature integrity on the system based on Matt Graeber's "Subverting Trust in Windows", then downloads and executes sigcheck.exe -accepteula -c -u -e -s -r -nobanner against C:\Windows\System32 and C:\Windows\SysWOW64
  + Get-AuditOptions: checks the registry for additional auditing options – Process Creation Command Line, PowerShell Transcription, PowerShell Script Block Logging, PowerShell Module Logging, Windows Event Forwarding.
* Remote Access – enables PSRemoting for systems in scope.
  + Enable-RemoteAccess: enables PowerShell Remoting / WinRM via SMB (PsExec) or WMI (Invoke-WmiMethod)
  + Enable-WinRMPsExec: enables PowerShell Remoting / WinRM via SMB (PsExec)
  + Enable-WinRMWMI: enables PowerShell Remoting / WinRM via WMI (Invoke-WmiMethod)
* Event Log Collection – collects security-relevant event logs for input into a SIEM.
  + Get-HuntData: collects Windows Event Log data from the following logs:
    – Application
    – System
    – Security
    – Windows PowerShell
    – Microsoft-Windows-Windows Defender/Operational
    – Microsoft-Windows-AppLocker/EXE and DLL
    – Microsoft-Windows-AppLocker/MSI and Script
    – Microsoft-Windows-AppLocker/Packaged app-Execution
    – Microsoft-Windows-DeviceGuard/Operational
    – Microsoft-Windows-PowerShell/Operational
    – Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    – Microsoft-Windows-Sysmon/Operational
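As an added illustration of the Get-AuditOptions check described above (example code written for this page, not the Get-Baseline project's own implementation), the following reads the Group Policy registry values behind each of the five auditing options. The key paths are the standard policy-backed locations for these settings; a value that is absent is reported as not configured.

```powershell
# Added example, not part of Get-Baseline: report the registry-backed audit/logging
# policies that Get-AuditOptions enumerates. Value $null = policy not configured.
function Get-AuditOptionReport {
    # Friendly name, policy key, and the DWORD that turns the feature on (1 = enabled).
    $checks = @(
        @{ Name  = 'Process Creation Command Line'
           Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
           Value = 'ProcessCreationIncludeCmdLine_Enabled' },
        @{ Name  = 'PowerShell Transcription'
           Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
           Value = 'EnableTranscripting' },
        @{ Name  = 'PowerShell Script Block Logging'
           Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
           Value = 'EnableScriptBlockLogging' },
        @{ Name  = 'PowerShell Module Logging'
           Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
           Value = 'EnableModuleLogging' }
    )

    foreach ($c in $checks) {
        # Missing key or missing value both fall through as $null (not configured).
        $data = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $raw  = if ($data) { $data.($c.Value) } else { $null }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Setting      = $c.Name
            Enabled      = ($raw -eq 1)
            RawValue     = $raw
        }
    }

    # Windows Event Forwarding: SubscriptionManager holds one string value per collector,
    # named "1", "2", ... (e.g. "Server=http://<collector>:5985/wsman/SubscriptionManager/WEC").
    $wefPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $wef = Get-ItemProperty -Path $wefPath -ErrorAction SilentlyContinue
    $collectors = if ($wef) {
        $wef.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Setting      = 'Windows Event Forwarding'
        Enabled      = [bool]$collectors
        RawValue     = ($collectors -join '; ')
    }
}

# Local run, or fan out over WinRM to the same targets Get-Baseline takes:
Get-AuditOptionReport | Format-Table -AutoSize
# Invoke-Command -ComputerName dc01,srv01 -ScriptBlock ${function:Get-AuditOptionReport} | Format-Table -AutoSize
```

A row with Enabled = False and RawValue empty means the policy is simply not set, which is the gap to close before relying on the corresponding event logs during a hunt.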
Use and Download:
git clone https://github.com/zulu8/Get-Baseline && cd Get-Baseline
Get-Baseline -Targets dc01,srv01,srv02,pc02win10 -url "http://10.129.0.1:8080/"
Get-Baseline -Targets $(get-content <IP_list_file.txt>) -url "http://10.129.0.1:8080/" -SkipSigcheck
Source: https://github.com/zulu8