How PowerShell Can Fast-Track Your Security Incident Investigations
In cybersecurity, the ability to quickly identify deviations from a baseline is often the difference between stopping a threat in its tracks and allowing it to escalate. A simple yet powerful way to achieve this is by leveraging PowerShell to create baselines of your gold image (clean system) and comparing them against suspected compromised machines.
Let’s explore how this method can streamline your investigations and empower your incident response capabilities.
Building a Baseline with PowerShell
Your gold image is the clean, default state of your system—its services, scheduled tasks, user accounts, and running processes. Capturing this baseline ensures you have a reliable reference for comparison during investigations.
Here are key areas to baseline and the PowerShell commands to extract them:
Services:
Get-Service | Select-Object -ExpandProperty Name | Out-File -FilePath "C:\Baseline\Services.txt"
This captures the names of all installed services.
Scheduled Tasks:
Get-ScheduledTask | Select-Object -ExpandProperty TaskName | Out-File -FilePath "C:\Baseline\Tasks.txt"
Useful for identifying task names that could be used for persistence.
Users:
Get-LocalUser | Select-Object -ExpandProperty Name | Out-File -FilePath "C:\Baseline\Users.txt"
Tracks local user account names to detect additions or changes.
Processes:
Get-Process | Select-Object -ExpandProperty Name | Out-File -FilePath "C:\Baseline\Processes.txt"
Captures the names of running processes.
Store these text files in a secure, central location—such as a file share, SIEM, or cloud storage—for easy access during an investigation.
Investigating a Compromised Machine
When a machine is suspected of compromise, you can quickly gather the same metrics using the same PowerShell commands. Save the output from the compromised machine to a separate directory for analysis:
Get-Service | Select-Object -ExpandProperty Name | Out-File -FilePath "C:\Compromised\Services.txt"
Get-ScheduledTask | Select-Object -ExpandProperty TaskName | Out-File -FilePath "C:\Compromised\Tasks.txt"
Get-LocalUser | Select-Object -ExpandProperty Name | Out-File -FilePath "C:\Compromised\Users.txt"
Get-Process | Select-Object -ExpandProperty Name | Out-File -FilePath "C:\Compromised\Processes.txt"
Comparing the Baseline and Compromised System
The true power of this method comes from using PowerShell’s Compare-Object cmdlet to find differences between the baseline and the compromised machine.
Example: Comparing Services
$baseline = Get-Content "C:\Baseline\Services.txt"
$current = Get-Content "C:\Compromised\Services.txt"
Compare-Object -ReferenceObject $baseline -DifferenceObject $current
Sample Output:
InputObject SideIndicator
----------- -------------
AppXSvc =>
UnwantedService <=
NewService =>
How to Read It:
=>: Indicates the service exists on the compromised machine but not in the baseline.
<=: Indicates the service exists in the baseline but is missing from the compromised machine.
Example: Comparing Scheduled Tasks
$baselineTasks = Get-Content "C:\Baseline\Tasks.txt"
$currentTasks = Get-Content "C:\Compromised\Tasks.txt"
Compare-Object -ReferenceObject $baselineTasks -DifferenceObject $currentTasks
Sample Output:
InputObject SideIndicator
----------- -------------
MaliciousTask =>
RemovedTask <=
How to Read It:
=>: Indicates a new scheduled task present on the compromised machine.
<=: Indicates a task from the baseline that is missing on the compromised machine.
Example: Comparing Users
$baselineUsers = Get-Content "C:\Baseline\Users.txt"
$currentUsers = Get-Content "C:\Compromised\Users.txt"
Compare-Object -ReferenceObject $baselineUsers -DifferenceObject $currentUsers
Sample Output:
InputObject SideIndicator
----------- -------------
HackerUser =>
TestUser <=
How to Read It:
=>: Indicates a new user account created on the compromised machine.
<=: Indicates a user account from the baseline that is no longer present.
Full Example Workflow
Here’s a step-by-step example of how you can use this method during a real incident investigation:
Baseline Creation: Run the PowerShell commands on your gold image and store the text files securely:
C:\Baseline\Services.txt
C:\Baseline\Tasks.txt
C:\Baseline\Users.txt
C:\Baseline\Processes.txt
Data Collection from Suspect Machine: Run the same commands on the suspected machine and save the outputs to a separate directory:
C:\Compromised\Services.txt
C:\Compromised\Tasks.txt
C:\Compromised\Users.txt
C:\Compromised\Processes.txt
Comparison: Use Compare-Object to find differences:
Services: Compare-Object -ReferenceObject (Get-Content "C:\Baseline\Services.txt") -DifferenceObject (Get-Content "C:\Compromised\Services.txt")
Scheduled Tasks: Compare-Object -ReferenceObject (Get-Content "C:\Baseline\Tasks.txt") -DifferenceObject (Get-Content "C:\Compromised\Tasks.txt")
Users: Compare-Object -ReferenceObject (Get-Content "C:\Baseline\Users.txt") -DifferenceObject (Get-Content "C:\Compromised\Users.txt")
Analysis: Review the output for:
New or suspicious services.
Unauthorized scheduled tasks.
Unexpected user accounts.
Unknown or suspicious processes.
Why Baselines Matter
By maintaining baselines:
Faster Investigations: You reduce noise by focusing on deviations.
Contextual Awareness: You have a clear understanding of what is “normal” in your environment.
Better Detection: Quickly identify new persistence mechanisms or other indicators of compromise.
Do you keep baselines of your gold images? If not, what’s holding you back? Drop your thoughts below and let’s discuss how we can improve incident response workflows together!
Commentaires