Collection Modules
Collection modules are used to query data from target systems. They typically target a single data source. Most of the default modules that can parse file paths will capture an MD5 hash of the file, the file owner, and PE security details along with the information relevant to the data source.
All collection modules are automatically loaded from the windows\modules\collection folder and run against systems with an established PowerShell Remoting session. You can add your own modules there and they will be run automatically.
By default, all collection modules will be run. To run a subset of the collection modules, simply remove the modules you don't want to run from the folder.
Module Template
Below is an example of a collection module. They can be fairly freeform and don't use any standardized variables the way analysis modules do. Each module emits one object per result, and PowerHunt captures whatever the module writes to the pipeline.

```powershell
# Script : Invoke-PowerHunt
# Module : collect-environmental-paths
# Version: 1.0
# Author : Scott Sutherland
# Summary: This script is part of the PowerHunt framework and collects environmental path information.
# License: 3-clause BSD

# Get list of environmental paths
$Env:Path | foreach {
    # Split the PATH string into individual entries and skip empty ones
    # (a trailing ";" would otherwise hand an empty string to Test-Path)
    $EnvPath = $_.split(",;") | Where-Object { $_ -ne "" }
    $EnvPath | Foreach {
        # Verify folder exists
        $PathExists = Test-Path "$_"
        if($PathExists -eq $true){
            # Get folder info
            $FileInfo = Get-Item "$_"
            $FileOwner = $FileInfo.GetAccessControl().Owner
            $FileCreationTime = $FileInfo.CreationTime
            $FileLastWriteTime = $FileInfo.LastWriteTime
            $FileLastAccessTime = $FileInfo.LastAccessTime
        } else {
            # Reset so a missing path does not report the previous entry's details
            $FileOwner = $null
            $FileCreationTime = $null
            $FileLastWriteTime = $null
            $FileLastAccessTime = $null
        }

        # Create new object
        $Object = New-Object PSObject
        $Object | add-member EnvPath $_
        $Object | add-member PathExists $PathExists
        $Object | add-member FileOwner $FileOwner
        $Object | add-member FileCreationTime $FileCreationTime
        $Object | add-member FileLastWriteTime $FileLastWriteTime
        $Object | add-member FileLastAccessTime $FileLastAccessTime
        $Object
    }
}
```
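As an added example that is not part of the PowerHunt project, the module below follows the same freeform pattern for the registry run keys and adds the file-detail enrichment (MD5 hash, file owner, Authenticode status) that the default path-parsing modules capture. The helper names Get-PowerHuntFileDetail and Get-CommandExecutable are hypothetical, not framework functions.

```powershell
# Added example module (not from the PowerHunt project): enriches Run/RunOnce
# values with the MD5, owner and signature details of the executable they launch.

function Get-PowerHuntFileDetail {
    # Hypothetical helper: returns hash, owner and Authenticode details for one path.
    param([string]$Path)
    $Detail = @{ FilePath = $Path; FileExists = $false; FileMD5 = $null
                 FileOwner = $null; SigStatus = $null; SigSigner = $null }
    if (-not [string]::IsNullOrWhiteSpace($Path) -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $Detail.FileExists = $true
        $Detail.FileMD5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        $Detail.FileOwner  = (Get-Acl -LiteralPath $Path).Owner
        $Sig = Get-AuthenticodeSignature -FilePath $Path
        $Detail.SigStatus  = $Sig.Status.ToString()          # Valid / NotSigned / HashMismatch ...
        if ($Sig.SignerCertificate) { $Detail.SigSigner = $Sig.SignerCertificate.Subject }
    }
    return $Detail
}

function Get-CommandExecutable {
    # Hypothetical helper: pull the executable path out of a run-key command line,
    # handling both quoted ("C:\Program Files\x.exe" /arg) and bare (C:\x.exe /arg) forms.
    param([string]$CommandLine)
    $Trim = $CommandLine.Trim()
    if ($Trim.StartsWith('"')) { return ($Trim -split '"')[1] }
    return [Environment]::ExpandEnvironmentVariables(($Trim -split '\s+')[0])
}

$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    # Skip the PS* metadata properties Get-ItemProperty adds to every result
    foreach ($Prop in ($Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $Cmd = [string]$Prop.Value
        $Row = [ordered]@{ RegistryKey = $Key; ValueName = $Prop.Name; Command = $Cmd }
        # Flatten the file details into the same record so the output stays one object per value
        foreach ($Pair in (Get-PowerHuntFileDetail (Get-CommandExecutable $Cmd)).GetEnumerator()) {
            $Row[$Pair.Key] = $Pair.Value
        }
        [PSCustomObject]$Row
    }
}
```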
Below is a summary of the currently supported collection modules.
Module Name | Mitre ATT&CK ID | Module Description | Collection Method |
---|---|---|---|
collect-tasks | T1053.002 | Collect Windows scheduled task information. | Get-ScheduledTask |
collect-services | T1569.002 | Collect Windows service information. | Get-WmiObject -Class win32_service |
collect-wmi-providers | T1047 | Collect WMI provider information. | Get-WmiObject -Class __Win32Provider |
collect-wmi-bindings | T1546.003 | Collect WMI binding information. | Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding |
collect-wmi-filters | T1546.003 | Collect WMI filter information. | Get-WmiObject -Namespace root/subscription -Class __EventFilter |
collect-wmi-consumers | T1546.003 | Collect WMI consumer information. | Get-WmiObject -Namespace root/subscription -Class __EventConsumer |
collect-startup-files-allusers | T1547.001 | Collect information from user startup folders. | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\<br>C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup |
collect-startup-registry-run | T1547.001 | Collect information from registry run keys. | HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<br>HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\<br>HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<br>HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ |
collect-installed-software | T1505 | Collect installed software list. | Get-Software |
collect-named-pipes | T1570 | Collect information from named pipes. | Get-ChildItem \\.\pipe\ |
collect-events-4732 | T1136.001 | Event 4732: Member added to security group. | Get-WinEvent -FilterHashtable @{logname="security"; id="4732"} |
collect-events-1102 | T1070.001 | Event 1102: Audit log cleared. | Get-WinEvent -FilterHashtable @{logname="security"; id="1102"} |
collect-processes | T1057 | Collect list of running processes. | Get-WMIObject Win32_Process |
collect-connections | T1571 | Collect connection and associated process information. | Get-NetTCPConnection<br>Get-WMIObject Win32_Process |
collect-environmental-variables | T1574.007 | Collect environmental variables. | Get-ChildItem env: |
collect-environmental-paths | T1574.007 | Collect environmental paths. | $Env:Path |
collect-users | T1136.001 | Collect local users. | Get-LocalUser |
collect-groups | T1136.001 | Collect local groups. | Get-LocalGroup |
collect-group-members | T1136.001 | Collect local group members. | Get-LocalGroupMember |
collect-mapped-drives | T1039 | Collect mapped drives. | Get-WmiObject -ClassName Win32_MappedLogicalDisk |
collect-network-interfaces | T1090 | Collect network interfaces. | Get-NetAdapter<br>Get-NetIPAddress<br>Get-NetConnectionProfile |