Fulco edited this page May 21, 2024 · 4 revisions

Blue Windows Triage Wiki

Overview

The BlueWindowsTriage script is a PowerShell tool designed to perform rapid initial data collection on a potentially breached Windows system. It automates the process of gathering crucial information during the early stages of an incident response process, focusing on security, efficiency, and speed.

Script Functionality

The script performs the following steps to collect relevant data from the targeted system:

  1. System Information: Collects basic system details such as hostname, OS version, uptime, installed software, running processes, and network configuration.

    • Incident Response Use: Provides a baseline understanding of the compromised system, helping responders identify anomalies or suspicious activities. It aids in determining the scope and impact of the incident.
  2. User and Group Information: Gathers information about local user accounts, user groups, and recently created user accounts.

    • Incident Response Use: Helps identify unauthorized or suspicious user accounts that may have been created by attackers, enabling responders to investigate and mitigate potential insider threats or compromised accounts.
  3. Event Logs: Retrieves relevant event logs (Security, System, Application) from the last 24 hours and exports them to CSV files.

    • Incident Response Use: Crucial for reconstructing the timeline of the incident and identifying key events such as successful/failed login attempts, system changes, and suspicious activities.
  4. Network Connections: Captures active network connections and their details, including local and remote addresses, ports, and owning processes.

    • Incident Response Use: Helps identify suspicious or unauthorized communication channels, detecting data exfiltration attempts, command-and-control (C2) communication, and lateral movement within the network.
  5. Registry Analysis: Analyzes critical registry keys related to autostart locations and exports their values to JSON files.

    • Incident Response Use: Identifies malicious entries or modifications made by the attacker to ensure persistence on the system, allowing responders to detect and remove unauthorized autostart programs or scripts.
  6. File System Analysis: Performs a recursive search for recently modified files in critical system directories and collects file metadata and hashes.

    • Incident Response Use: Enables responders to identify suspicious or recently modified files, detecting malware, backdoors, or other malicious artifacts dropped by the attacker.
  7. Artifact Collection: Collects additional artifacts such as PowerShell console history and browser history.

    • Incident Response Use: Provides insights into user activities and potentially malicious commands executed on the system, helping reconstruct the attacker's actions and identify malicious scripts or commands.
  8. Startup Items: Collects startup items using Get-CimInstance to identify suspicious programs or scripts configured to run automatically at system startup.

    • Incident Response Use: Identifies malicious programs or scripts configured to run at startup, a common way for the attacker to maintain persistence, and allows responders to disable or remove these items.
  9. Browser Extension Collection: Collects information about installed Firefox and Google Chrome extensions by searching user profiles and parsing manifest files.

    • Incident Response Use: Detects malicious or suspicious extensions installed by the attacker, which may be used for data exfiltration, credential stealing, or other unauthorized activities.
  10. Browser History Collection: Collects browser history files from Chrome, Firefox, and Microsoft Edge.

    • Incident Response Use: Provides insights into the user's browsing activities, identifying suspicious or malicious websites visited, and aiding in determining the initial attack vector.
  11. Password File Search: Searches for files containing the word "password" using Get-ChildItem to identify potentially sensitive files that may contain login credentials.

    • Incident Response Use: Identifies sensitive login credentials, which attackers often search for to gain unauthorized access or escalate privileges.
  12. PowerShell History: Collects user PowerShell history by searching for ConsoleHost_history.txt files in user profiles.

    • Incident Response Use: Identifies malicious or suspicious PowerShell commands executed by the attacker, providing valuable information about the attacker's tactics, techniques, and procedures (TTPs).
  13. Shimcache Data: Collects Shimcache data by exporting the Shimcache registry key to a .reg file.

    • Incident Response Use: Identifies recently executed programs, including malicious executables, and provides a historical record of executed files.
  14. Prefetch Files: Collects Prefetch files from C:\Windows\Prefetch.

    • Incident Response Use: Identifies recently executed programs, including malware or suspicious executables, and provides insights into the attacker's activities.
  15. Jump Lists: Collects Jump Lists from user profiles.

    • Incident Response Use: Tracks user activities and identifies recently accessed files and directories, revealing files or folders accessed by the attacker.
  16. Windows Timeline: Collects Windows Timeline data by exporting the relevant registry key and copying the ActivitiesCache.db files.

    • Incident Response Use: Reconstructs user activities and actions, providing a chronological view of interactions and identifying suspicious activities.
  17. Scheduled Tasks: Collects information about scheduled tasks including their names, paths, states, and actions.

    • Incident Response Use: Identifies malicious or unauthorized tasks scheduled to run at specified intervals, which can be leveraged by the attacker to maintain persistence.
  18. Service Information: Gathers detailed information about system services, including their status, start type, and configuration.

    • Incident Response Use: Pinpoints suspicious or unauthorized services that may have been introduced by the attacker.
  19. Browser Cookies: Collects browser cookies from Chrome, Firefox, and Microsoft Edge for further analysis.

    • Incident Response Use: Tracks user sessions and identifies malicious session hijacking or tracking.
  20. File Hashing: Calculates hash values (SHA-256) of collected files and stores them in a CSV file.

    • Incident Response Use: Verifies the integrity of collected files, allows them to be compared against known malware signatures, and aids malware analysis and threat intelligence sharing.
  21. Logging: Includes logging functionality to record the script's actions, timestamps, and any encountered errors.

    • Incident Response Use: Provides a detailed record of the script's execution, maintaining an audit trail of the data collection process and facilitating troubleshooting.
  22. Output Compression: Compresses the output directory into a ZIP file for easy transfer and removes the original directory to save space.

    • Incident Response Use: Packages collected data into a single, portable file for easy transfer to a secure analysis environment, maintaining the integrity and confidentiality of collected evidence.
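As an added illustration of the collection steps above (example code, not the BlueWindowsTriage project's own script), this PowerShell fragment builds the timestamped output directory, logs to script_log.txt, exports the Security, System and Application logs from the last 24 hours to CSV, dumps Run/RunOnce autostart keys to JSON, hashes the results to hashes.csv and zips the directory. The $OutputRoot and $Hours parameter names and the autostart key list are assumptions; run it from an elevated PowerShell session.

```powershell
param(
    [string]$OutputRoot = 'C:\IncidentResponse',   # assumed parameter names, not the real script's
    [int]$Hours = 24
)
$outputDir = Join-Path $OutputRoot (Get-Date -Format 'yyyyMMdd_HHmmss')
New-Item -ItemType Directory -Path $outputDir -Force | Out-Null
$logFile = Join-Path $outputDir 'script_log.txt'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format o) $Message" | Add-Content -Path $logFile
}

# 1. System baseline: OS details and running processes with their image paths
Write-Log 'Collecting system information'
Get-ComputerInfo | ConvertTo-Json -Depth 2 | Set-Content -Path (Join-Path $outputDir 'system_info.json')
Get-Process -IncludeUserName | Select-Object Id, ProcessName, Path, UserName |
    Export-Csv -Path (Join-Path $outputDir 'processes.csv') -NoTypeInformation

# 2. Event logs from the last $Hours hours, one CSV per log; a failing log is logged, not fatal
$since = (Get-Date).AddHours(-$Hours)
foreach ($log in 'Security', 'System', 'Application') {
    Write-Log "Collecting $log events since $since"
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction Stop |
            Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
            Export-Csv -Path (Join-Path $outputDir "eventlog_$log.csv") -NoTypeInformation
    } catch { Write-Log "ERROR collecting ${log}: $($_.Exception.Message)" }
}

# 3. Autostart registry keys (machine-wide and current-user Run/RunOnce) exported as JSON
$autostartKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$entries = foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |      # drop PSPath/PSProvider metadata
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
}
Write-Log "Collected $(@($entries).Count) autostart entries"
$entries | ConvertTo-Json | Set-Content -Path (Join-Path $outputDir 'autostart.json')

# 4. Hash everything collected (final log line written first so the log's hash is stable), then zip
Write-Log 'Collection complete; hashing output'
$files = Get-ChildItem -Path $outputDir -File -Recurse   # enumerate before hashes.csv exists
$files | Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $outputDir 'hashes.csv') -NoTypeInformation
Compress-Archive -Path $outputDir -DestinationPath "$outputDir.zip" -Force
if (Test-Path "$outputDir.zip") { Remove-Item -Path $outputDir -Recurse -Force }
```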

Output and Analysis

The script generates an output directory named C:\IncidentResponse\yyyyMMdd_HHmmss (timestamp-based) to store all the collected data. The data is saved in various formats such as JSON, CSV, and TXT files, depending on the type of information.

The collected data can be analyzed by incident responders to identify suspicious activities, malicious artifacts, and potential indicators of compromise. Some key areas to focus on during analysis include:

  • Unusual user accounts or group memberships
  • Suspicious processes or services running on the system
  • Anomalous network connections or communication patterns
  • Malicious entries in autostart locations or registry keys
  • Recently modified or created files in critical system directories
  • Suspicious PowerShell or browser history
  • Unauthorized browser extensions
  • Sensitive files containing passwords or login credentials

The script also generates a log file named script_log.txt in the output directory, which records the script's actions, timestamps, and any encountered errors. This log file can be helpful for troubleshooting and auditing purposes.

After the script finishes execution, the output directory is compressed into a ZIP file with the same name as the directory. This ZIP file can be easily transferred to a secure location for further analysis and investigation.

Preparation and Usage Tips

  1. Preparation:

    • Ensure you have administrative privileges before running the script.
    • Verify that PowerShell's execution policy allows script execution or sign the script with a trusted certificate.
    • Familiarize yourself with the file and folder paths used by the script. Modify paths as needed for custom environments.
  2. Execution:

    • Run the script from an elevated Command Prompt:
        powershell -ExecutionPolicy Bypass .\BlueWindowsTriage.ps1
    • Monitor the script's progress and check the log files for any errors or issues encountered during execution.
    • Be prepared for potential large data volumes, which may require significant disk space and extended execution time.
  3. Post-Execution:

    • Review the compressed ZIP file and analyze the collected data methodically.
    • Focus on identifying key indicators of compromise, such as unauthorized user accounts, suspicious processes, and anomalous network connections.
    • Leverage the file hashes to compare against known malware signatures and share findings with threat intelligence platforms.
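An added post-execution check for the steps above (example code, not part of the project): it records the SHA-256 of the received ZIP for the custody log, extracts it, re-hashes every file against the hashes.csv manifest written at collection time, and flags anything missing, changed in transit, or matching a known-bad list. The $ZipPath and $WorkDir parameters, the verification.csv output and the $knownBad table are assumptions; the table holds a constructed placeholder hash, not a real indicator.

```powershell
param(
    [Parameter(Mandatory)][string]$ZipPath,
    [string]$WorkDir = (Join-Path $env:TEMP 'triage_review')   # assumed parameter names
)
# Constructed placeholder entry, not a real indicator: replace with your threat-intel hash set
$knownBad = @{ '0000000000000000000000000000000000000000000000000000000000000000' = 'sample-entry' }
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Hash the archive itself before touching it, so the custody record covers what was received
$zipHash = (Get-FileHash -Path $ZipPath -Algorithm SHA256).Hash
"$(Get-Date -Format o) received $ZipPath SHA256=$zipHash" |
    Add-Content -Path (Join-Path $WorkDir 'custody_log.txt')

# 2. Extract and locate the hash manifest the collector wrote (Path, Hash columns)
Expand-Archive -Path $ZipPath -DestinationPath $WorkDir -Force
$manifest = Get-ChildItem -Path $WorkDir -Recurse -Filter 'hashes.csv' | Select-Object -First 1
if (-not $manifest) { throw "hashes.csv not found in $ZipPath" }
$root = $manifest.Directory.FullName
$dirName = $manifest.Directory.Name   # the yyyyMMdd_HHmmss collection folder

# 3. Re-hash every listed file; manifest paths are absolute, so map them onto the extracted copy
$results = foreach ($row in Import-Csv -Path $manifest.FullName) {
    $idx = $row.Path.IndexOf("\$dirName\")
    $local = if ($idx -ge 0) { Join-Path $root ($row.Path.Substring($idx + $dirName.Length + 2)) }
    $status = if (-not $local -or -not (Test-Path $local)) { 'MISSING' }
              elseif ((Get-FileHash -Path $local -Algorithm SHA256).Hash -ne $row.Hash) { 'MISMATCH' }
              elseif ($knownBad.ContainsKey($row.Hash)) { 'KNOWN-BAD' }
              else { 'OK' }
    [pscustomobject]@{ Path = $row.Path; Hash = $row.Hash; Status = $status }
}
$results | Export-Csv -Path (Join-Path $WorkDir 'verification.csv') -NoTypeInformation
$results | Where-Object Status -ne 'OK' | Format-Table -AutoSize
'{0} files checked, {1} not OK' -f @($results).Count, @($results | Where-Object Status -ne 'OK').Count
```

The manifest itself hashes only the other files, so a MISMATCH on anything except hashes.csv means the evidence changed after collection and the archive should not be trusted for analysis.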

Conclusion

The BlueWindowsTriage script is a powerful tool for rapid initial data collection during incident response. By automating the process of gathering crucial system information, the script enables incident responders to quickly assess the situation and identify potential indicators of compromise. The collected data provides a solid foundation for further analysis and investigation, helping organizations respond effectively to security incidents.

It is important to note that while the script automates the data collection process, it should be used by trained professionals who can interpret the results and perform in-depth analysis. The script is not a replacement for a comprehensive incident response plan but rather a tool to aid in the initial stages of the process.

As with any incident response tool, it is crucial to regularly update the script to address new security threats, system changes, and best practices. Organizations should also ensure that the script aligns with their security policies and legal requirements for handling sensitive data.

By leveraging the BlueWindowsTriage script, incident responders can streamline their initial data collection efforts, saving valuable time and resources during critical incidents. The script's modular design allows for easy customization and extension to fit specific organizational needs and requirements. Below are additional considerations and best practices for maximizing the effectiveness of the BlueWindowsTriage script:

Customization and Extension

  1. Adjust Output Directory:

    • Customize the output directory path and naming convention in the $outputDir variable to align with your organization's naming standards and storage policies.
  2. Extend Event Log Collection:

    • Modify the event log collection to include additional logs or change the time range as required by your incident response procedures.
  3. Expand Registry Analysis:

    • Add or remove specific registry keys to analyze based on your requirements, focusing on areas commonly leveraged by malware for persistence or configuration changes.
  4. File System Analysis Enhancements:

    • Customize the file system analysis to include additional directories or modify the search criteria to better match the systems you're protecting.
  5. Artifact Collection:

    • Extend the artifact collection to include other relevant files or locations specific to your environment, such as custom application logs or additional browser artifacts.
  6. Scheduled Tasks and Services:

    • Modify the script to capture detailed information about scheduled tasks and services that have non-standard configurations or are critical to your environment.
  7. Browser Data and Extensions:

    • Ensure browser data paths are correctly specified for all user profiles and browsers used within your organization. Adjust paths for non-default installations as needed.
  8. Password File Search Criteria:

    • Refine the search criteria for identifying sensitive files to reduce false positives and focus on likely locations or file types where credentials might be stored.

Legal and Ethical Considerations

  1. Compliance with Legal Requirements:

    • Ensure that data collection and analysis are performed in compliance with legal requirements, including data protection and privacy laws applicable in your jurisdiction.
  2. Authorization and Consent:

    • Obtain necessary authorizations and consents before collecting and analyzing user data to ensure that your actions are legally and ethically sound.
  3. Data Handling Policies:

    • Handle collected data securely, protect it during transfer and storage, and restrict access to authorized personnel only to maintain confidentiality and integrity.

Script Maintenance

  1. Regular Updates:

    • Periodically review and update the script to address new security threats, system changes, and best practices in incident response.
  2. Compatibility Checks:

    • Ensure compatibility with the latest versions of operating systems, browsers, and other relevant software by testing the script in a lab environment.
  3. Documentation and Training:

    • Maintain up-to-date documentation for the script and provide training for incident responders to ensure effective use and interpretation of the collected data.

Summary

Thoroughly testing the BlueWindowsTriage script in a controlled environment, such as a lab or test system, is essential before deploying it on production systems. This helps identify potential issues, errors, or compatibility problems specific to the target environment. Additionally, ensure that the script is executed by trained professionals who can interpret the collected data, handle any exceptions or errors, and follow appropriate incident response procedures.

By leveraging the BlueWindowsTriage script, incident responders can streamline their initial data collection efforts, saving valuable time and resources during critical incidents. The script's modular design allows for easy customization and extension, making it a versatile tool for a wide range of incident response scenarios.

Remember to handle the collected data securely, protect it during transfer and storage, and ensure that access to the data is restricted to authorized personnel only.