Live response collection script
This page gives a simple example of what a GRR live response collection script built on PowerGRR could look like. The script collects a predefined set of artifacts and starts a few standard flows against the target client, so that instead of starting multiple flows by hand, one command runs them all. Note that GRR still requires a valid client approval before any flow can be started: if none exists, the script requests one (when -NotifiedUsers and -Reason are given) and returns, and it has to be run again once the approval has been granted.
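PS> ipmo PowerGRR # See https://github.com/swisscom/PowerGRR#import
PS> $GRRcredential = Microsoft.PowerShell.Security\get-credential
PS> # Load the function below first (e.g. dot-source the script file it is saved in).
PS> $target = "host01"   # hostname of the GRR client to collect from
PS> Invoke-GRRWindowsLiveResponse $target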
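function Invoke-GRRWindowsLiveResponse
{
    <#
    .SYNOPSIS
        Runs a predefined live response collection against one GRR Windows client.

    .DESCRIPTION
        First checks that the client can be accessed with Get-GRRClientInfo. If that
        call fails and both -NotifiedUsers and -Reason were supplied, a new GRR client
        approval is requested and the function returns so it can be re-run once the
        approval has been granted; without those parameters the failure is re-thrown.
        After a successful check a ListProcesses flow and an ArtifactCollectorFlow for
        the given artifact list are started on the client.

        Flows are only started, not awaited; check their state with the PowerGRR flow
        cmdlets or in the GRR UI.

    .PARAMETER ComputerName
        Hostname of the GRR client to collect from.

    .PARAMETER NotifiedUsers
        GRR users to notify of a new approval request (passed through to
        New-GRRClientApproval). Only used when the client cannot be accessed yet.

    .PARAMETER Reason
        Justification for the approval request (passed through to
        New-GRRClientApproval). Only used when the client cannot be accessed yet.

    .PARAMETER Artifacts
        GRR artifact names to collect with the ArtifactCollectorFlow. Defaults to the
        standard Windows triage set used by this script (proxy PAC URL, DNS settings,
        Security/Application/System event logs, registry files and transaction logs,
        NTFS MFT, hosts files, prefetch files).

    .EXAMPLE
        Invoke-GRRWindowsLiveResponse -ComputerName host01 -NotifiedUsers analyst -Reason "IR-1234"

    .NOTES
        Requires the PowerGRR module to be imported and $GRRcredential to be set
        (https://github.com/swisscom/PowerGRR#import).
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)]
        [string]
        $ComputerName,
        [string]
        $NotifiedUsers,
        [string]
        $Reason,
        [string[]]
        $Artifacts = @(
            "WindowsProxyPACAutoConfigURL",
            "WindowsDNSSettings",
            "WindowsXMLEventLogSecurity",
            "WindowsXMLEventLogApplication",
            "WindowsXMLEventLogSystem",
            "WindowsRegistryFilesAndTransactionLogs",
            "NTFSMFTFiles",
            "WindowsHostsFiles",
            "WindowsPrefetchFiles"
        )
    )

    try
    {
        Write-Host "[*]"
        Write-Host "[*] Get GRR client info for $ComputerName"
        Write-Host "[*]"
        # Used as the access check: this is expected to fail when the caller has no
        # valid client approval. NOTE(review): only terminating errors end up in the
        # catch block below; confirm Get-GRRClientInfo throws in that case.
        Get-GRRClientInfo -ComputerName $ComputerName
    }
    catch
    {
        if ($NotifiedUsers -and $Reason)
        {
            Write-Host "[X]"
            # Surface the real error, so an auth or connectivity problem is not
            # mistaken for a missing approval.
            Write-Host "[X] Get-GRRClientInfo failed: $_"
            Write-Host "[X] Create new GRR client approval - wait until approval gets valid and restart command."
            Write-Host "[X]"
            New-GRRClientApproval -ComputerName $ComputerName -NotifiedUsers $NotifiedUsers -Reason $Reason
            # 'return' rather than 'Exit': Exit would terminate the calling script
            # or the interactive session the function was dot-sourced into.
            return
        }
        else
        {
            throw "Create a GRR client approval request or provide -NotifiedUsers and -Reason when calling Invoke-GRRWindowsLiveResponse. Underlying error: $_"
        }
    }

    Write-Host "[*]"
    Write-Host "[*] Invoke GRR ListProcesses on $ComputerName."
    Write-Host "[*]"
    Invoke-GRRFlow -ComputerName $ComputerName -Flow ListProcesses

    Write-Host "[*]"
    # "$Artifacts" inside a string joins the array elements with spaces.
    Write-Host "[*] Invoke GRR ArtifactCollectorFlow for artifacts: $Artifacts on $ComputerName."
    Write-Host "[*]"
    # -UseTsk is passed through to the flow; presumably GRR's use_tsk option for
    # reading locked files (registry hives, $MFT) via the raw device - verify.
    Invoke-GRRFlow -ComputerName $ComputerName -Flow ArtifactCollectorFlow -ArtifactList $Artifacts -UseTsk
}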