Security Ripcord


Windows Incident Response Script

I have taken some time to write an incident response script using only the resources provided by the Windows operating system. You can find out the why by reading the article I wrote titled Windows Incident Response With Only System Resources, or the how by reviewing the code I wrote. UPDATE: I broke the link when I did a bug fix, so this link may break again in the future; please refer to the complete article for the most recent version.

I hope that some of you find this useful and that it centralizes a lot of the information necessary to understand the abilities inherent to the Windows operating system. It is nothing groundbreaking, just a few things that can be done if you do not have, or are not allowed to obtain and use, the many very useful tools that are available online or through a vendor.

Go forth and do good things,

Don C. Weber


5 Responses to “Windows Incident Response Script”

  1. Hey Don,

    Just noticed that when I tried to run it I had an error at line 252. It was complaining about “Cannot use parentheses when calling a sub”. I found by adding the “call” statement in front of the BackupLogFiles(objTextFile, deBugging) call it would work. For example:
    call BackupLogFiles(objTextFile, deBugging) '* Backup Log Files

    Unsure if this is related to my particular version of cscript (on my VM cscript version is 5.6).

    Nice work btw :)

    Regards,

    Christian

  2. Ah, sorry about the double post – also noticed (and I should’ve been paying attention perhaps) that the /out option has to specify an absolute path, not a relative path. For example, I created a local “output” folder, and then provided the /out:output option. Due to how the script calls other functions, I found the bulk of the output in C:\Windows\system32\output\.

    User error. My bad.

    Regards,

    Christian

  3. Christian,

    First Bug!!! Excellent. Thank you very much. That is what I get for making changes and not testing them. I had that function disabled and I enabled it right before uploading thinking all was well.

    The scope of the variables extends into the function. So, I didn’t need to pass them at all. I had commented out that function for testing and forgot to go back and update the function call after I learned more about variable scope in VBScript.

    Of course, I do not explicitly define my variables and that will be bad later and needs to be updated.

    Thanks again. I have added you to my Blogroll as a prize. Sorry it is not better.

    Go forth and do good things,
    Don C. Weber

  4. Haha, no worries Don. I like the concept and simplicity of the script, and you’ve done something which I’m sure heaps of people have thought about before.

    Again, nice work.

    Regards,
    Christian

  5. [...] This was actually posted last month by Don Weber, but I just came across it and thought it worth pointing out. He has written and provided to us all an incident response information collection script that uses only built-in Windows operating systems resources. Nifty! [...]
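The three issues raised in the comments above (the "Cannot use parentheses when calling a Sub" error, the /out path ending up under C:\Windows\system32 when given relatively, and the lack of explicit variable declarations) are all easy to avoid up front. The following is an added example written for this page, not Don's script or any part of it: a minimal cscript skeleton that declares everything under Option Explicit, resolves the output directory to an absolute path once before any collection runs, and calls a multi-argument Sub in the two forms VBScript accepts. The Sub name CollectCommand, the /out and /debug switches, and the file names are placeholders chosen for the illustration.

```vbscript
' Added example, not the original script: a skeleton that avoids the three
' pitfalls raised in the comments. CollectCommand, /out, /debug and
' collection.log are placeholder names chosen for this illustration.
Option Explicit                 ' must be the first statement; forces Dim for every variable

Dim fso, shell, outDir, logFile, deBugging
Set fso   = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")
deBugging = WScript.Arguments.Named.Exists("debug")

' Resolve /out:<dir> to an absolute path once, up front. GetAbsolutePathName
' resolves against the working directory of the cscript process (wherever it
' was launched from, e.g. C:\Windows\system32 from an elevated prompt), not
' the script's own folder, so every later write uses outDir, never a
' relative name.
If WScript.Arguments.Named.Exists("out") Then
    outDir = fso.GetAbsolutePathName(WScript.Arguments.Named("out"))
Else
    outDir = fso.GetAbsolutePathName("output")
End If
If Not fso.FolderExists(outDir) Then fso.CreateFolder outDir

Set logFile = fso.CreateTextFile(fso.BuildPath(outDir, "collection.log"), True)

' A Sub with two or more arguments cannot be invoked as Name(a, b); VBScript
' raises error 800A0414 "Cannot use parentheses when calling a Sub".
' Either of the following forms is valid:
Call CollectCommand("systeminfo", "systeminfo.txt")
CollectCommand "ipconfig /all", "ipconfig.txt"
' CollectCommand("netstat -ano", "netstat.txt")   ' <- fails with 800A0414

logFile.Close
WScript.Echo "Output written to " & outDir

' Script-level variables (fso, shell, outDir, logFile, deBugging) are visible
' inside the Sub without being passed in; only cmd and fileName are parameters.
Sub CollectCommand(cmd, fileName)
    Dim dest
    dest = fso.BuildPath(outDir, fileName)
    ' cmd /c runs the built-in tool and redirects its output to the absolute
    ' path; 0 = hidden window, True = wait for the command to finish.
    shell.Run "cmd /c " & cmd & " > """ & dest & """ 2>&1", 0, True
    If fso.FileExists(dest) Then
        logFile.WriteLine "collected " & cmd & " -> " & dest
    ElseIf deBugging Then
        logFile.WriteLine "no output for " & cmd
    End If
End Sub
```

Run it as `cscript //nologo collect.vbs /out:output /debug` from any directory; because outDir is made absolute before the first CollectCommand call, the results land next to where you launched it rather than wherever the process working directory happens to be when a later function runs. Note that the single-argument form `Name(a)` is still accepted by VBScript, since the parentheses are parsed as an expression around the one argument, which is why this error only appears once a Sub gains a second parameter.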
