Scripts Executed on Forensics

Following is the list of data that is collected from Windows Agent 5.1.30 and above for Forensics data collection:

Event Log	Persistence
User Accounts	Network
Process Files	Prefetch Files

Event Log

• System Information- Collects system information.
• System Critical- Collects critical system logs.
• Application Critical- Collects critical application logs.
• Security- Collects security event logs. 
• Windows Defender- Collects Windows Defender logs.
• Windows Powershell- Collects Windows Powershell logs.
• Windows Sysmon- Collects Windows Sysmon logs.

Persistence

• Services- List all services running on the system.
• ScheduledTasks- List all scheduled tasks on the system.
• Registry key data- Collects the data from the following registry keys :

  • hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • hklm\SOFTWARE\Classes\Protocols\Filter 

  • hklm\SOFTWARE\Classes\Protocols\Handler

  • hklm\Software\Classes*\ShellEx\ContextMenuHandlers

  • hklm\Software\Classes\Drive\ShellEx\ContextMenuHandlers

  • hklm\Software\Classes*\ShellEx\PropertySheetHandlers

  • hklm\Software\Classes\Directory\ShellEx\ContextMenuHandlers

  • hklm\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers

  • hklm\Software\Classes\Folder\ShellEx\ContextMenuHandler

  • hklm\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

  • hklm\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

  • hklm\Software\Microsoft\InternetExplorer\Extensions

  • hklm\Software\Wow6432Node\Microsoft\InternetExplorer\Extensions

  • hklm\Software\Google\Chrome\Extensions                   

  • hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • hklm\System\CurrentControlSet\Services

  • hklm\Software\Microsoft\WindowsNT\CurrentVersion\Drivers32

  • hklm\Software\Wow6432Node\Microsoft\WindowsNT\CurrentVersion\Drivers32

  • hklm\Software\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Startup

  • hklm\Software\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Shutdown

  • hkcu\Software\Microsoft\Windows\CurrentVersion\Run

  • hklm\SOFTWARE\Microsoft\ActiveSetup\InstalledComponents

  • hklm\SOFTWARE\Wow6432Node\Microsoft\ActiveSetup\InstalledComponents

  • hkcu\Software\Classes\All\ShellEx\ContextMenuHandlers

  • hklm\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

  • hklm\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

  • hklm\SOFTWARE\Classes\Htmlfile\Shell\Open\Command

  • hklm\SYSTEM\CurrentControlSet\Control\Print\Monitors

  • hklm\Software\Microsoft\Office\Outlook\Addins

  • hkcu\Software\Microsoft\Office\Outlook\Addins

  • hklm\Software\Microsoft\Office\Excel\Addins

  • hklm\Software\Microsoft\Office\PowerPoint\Addins

  • hklm\Software\Wow6432Node\Microsoft\Office\PowerPoint\Addins

  • hkcu\Software\Microsoft\Office\Word\Addin

  • hkcu\software\microsoft\Windows\CurrentVersion\runonc

  • hklm\Software\Wow6432Node\Microsoft\Office\Excel\Addin

  • hkcu\Software\Microsoft\Office\PowerPoint\Addin

  • hklm\SYSTEM\CurrentControlSet\Control\Session\Manager\AppCompatCache

  • hklm\Wow6432Node\Windows\NT\CurrentVersion\ImageFileExecutionOptions

  • hklm\System\Controlset\00x_Services_Bam

User Accounts

• Query user- Collects information about user sessions on a Remote Desktop Session Host server.
• Local groups- Collects local groups on the system.
• Local users- Collects local users on the system.
• Created users- Collects recently created users on the system.
• Locked accounts- Collects locked accounts on the system.
• Password reset- Collects recent password reset accounts on the system.
• Deleted users- Collects recently deleted users on the system.

Network

• Active net connections- Collects all active network connections on the system.
• Address resolution cache- Collects address resolution cache from the system.
• DNS cache- Collects DNS cache from the system.
• IPConfig- Collects the ipconfig command data.
• SMB inbound sessions- Collects all the SMB inbound sessions from the system.
• SMB outbound sessions- Collects all the SMB outbound sessions from the system.
• Firewall log- Collects the firewall logs from the system.

Process Files

• Process list- Collects all running processes from the system.
  • ProcessFiles\TempDirFiles
  • ProcessFiles\UserInstalledPrograms
• WMIC Installed programs- Collects all the installed programs from the system.
• Installed Programs- Collects the following registry keys:

  • hklm\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

  • hklm\Software\Microsoft\Windows\CurrentVersion\Uninstall

  • hkcu\Software\Microsoft\Windows\Explorer\RunMRU

Prefetch Files

On a Windows operating system, when a program is executed, the Prefetch file allows you to access the program quickly. It contains the name of the program when it was executed alongwith other information. The prefetch files are located at `%systemroot%\Prefetch`. 

This file acts as an evidence that proves a malicious program was executed on the system along with the timestamp at which it was executed. The prefetch parser script lists the following fields in its output:

• Version

• File Size

• Application name

• File path hash (Decimal)

• Application run count

• Last execution time (UTC)

• Other Execution times (UTC)

• Prefetch file creation time(First run of application)

• Prefetch modified time (UTC)

• Prefetch accessed time (UTC)

• Dependency count

• Dependency files