Where Irregulars are part of the Game
Just in time for the 2022 Magnet User Summit and my presentation on FREE Tools for DFIR Triage Collections, an updated release (v3.1) of CSIRT-Collect. Special thanks to Kevin Pagano for contributing.
You can register for my talk Free Tools for DFIR Triage Collections here.
We’re often using PowerShell within the Incident Response team. I’m a big practitioner of spending 5 hours coding something to automate a 5 minute job. At first the math may not compute, but when that 5 minute job may be requested hundreds of times – and with it scripted it takes 30 seconds… that’s where it pays off. It also enforces consistency and removes some of the possibility for human error.
We have a collection of internal scripts that we use frequently. As more scripts (or scriptlets) are added to the frequently used, I wanted a means to expose all the scripts to the team and to put some organization to it. I also wanted to easily support changes or additions to the referenced scripts. What I wound up building was a simple PowerShell menu structure.
Each individual script is referenced by a 2 letter code in the menu. Right now in our environment there’s 38 scripts in the menu. Many of those are proprietary (can’t share), however I gathered a handful to share here to illustrate the concept of the menu process.
https://github.com/dwmetz/PSHero
Once you’ve downloaded and unzipped the repository, you’ll want to edit the PSHero.ps1 file to ensure that the paths for the scripts reflect where you’ve got them saved to.
To add or remove scripts from the menu, there are 2 modifications:
In the top section is the menu listing
Write-Host "EX: MX Header Analysis"
Which pairs with
'EX' {
D:\PowerShell\PSHero\Parse-EmailHeader.ps1
}
in the lower section. Use the other scripts as examples and add what you like. Just watch your brackets.
The scripts included in this demo menu include:
Have a favorite PS script you use? Post a recommendation in the comments below.
Baker Street Forensics 