Collection Modules

Scott Sutherland edited this page Mar 29, 2022 · 23 revisions

Collection modules are used to query data from target systems. Each module typically targets a single data source. Most of the default modules that parse file paths also capture an MD5 hash of the file, the file owner, and the file's PE security details alongside the information from the data source itself.

Adding New Collection Modules

All collection modules are automatically loaded from the windows\modules\collection folder and run against the established PowerShell Remoting sessions. You can add your own modules there and they will be run automatically.

By default, all collection modules are run. To run only a subset of them, remove the modules you don't want to run from that folder.

Module Template

Below is an example of a collection module. Collection modules are basically freeform PowerShell and don't use any standardized variables the way analysis modules do.

```powershell
# Script : Invoke-PowerHunt
# Module : collect-environmental-paths
# Version: 1.0
# Author : Scott Sutherland
# Summary: This script is part of the PowerHunt framework and collects environmental path information.
# License: 3-clause BSD

# Walk each directory listed in the PATH environment variable (';'-separated on Windows).
# Empty entries left by a trailing ';' are skipped so Test-Path is never handed an empty string.
$Env:Path -split ';' | Where-Object { $_.Trim() } | ForEach-Object {

    $Path = $_.Trim()

    # Reset the per-entry values so a missing folder does not inherit the previous folder's details
    $FileOwner = $FileCreationTime = $FileLastWriteTime = $FileLastAccessTime = $null

    # Verify folder exists
    $PathExists = Test-Path -LiteralPath $Path

    if ($PathExists) {

        # Get folder info (Get-Acl rather than GetAccessControl() so the module also runs on PowerShell 7)
        $FileInfo           = Get-Item -LiteralPath $Path
        $FileOwner          = (Get-Acl -LiteralPath $Path).Owner
        $FileCreationTime   = $FileInfo.CreationTime
        $FileLastWriteTime  = $FileInfo.LastWriteTime
        $FileLastAccessTime = $FileInfo.LastAccessTime
    }

    # Emit one object per PATH entry; PowerHunt collects whatever the module writes to the pipeline
    [PSCustomObject]@{
        EnvPath            = $Path
        PathExists         = $PathExists
        FileOwner          = $FileOwner
        FileCreationTime   = $FileCreationTime
        FileLastWriteTime  = $FileLastWriteTime
        FileLastAccessTime = $FileLastAccessTime
    }
}
```
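As an added example that is not one of PowerHunt's own modules, the block below shows how a file-path-parsing collection module can capture the MD5 hash, file owner and PE security (Authenticode) details mentioned above. It walks the Run/RunOnce keys listed in the module table; the `Get-ImagePath` helper is an assumption introduced here to pull the executable path out of a Run value.

```powershell
# Added example module (not from the PowerHunt repository): enumerate registry Run keys and
# enrich each entry with hash, owner and signature details of the referenced executable.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: extract the image path from a Run value such as
#   "C:\Program Files\Tool\tool.exe" /silent    or    C:\Tool Dir\tool.exe -x
function Get-ImagePath {
    param([string]$Command)
    $Expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($Expanded -match '^"([^"]+)"') { return $Matches[1] }   # quoted path
    $Tokens = $Expanded -split ' '
    for ($i = 0; $i -lt $Tokens.Count; $i++) {                   # unquoted path with spaces
        $Candidate = $Tokens[0..$i] -join ' '
        if ($Candidate -match '\.exe$' -and (Test-Path -LiteralPath $Candidate)) { return $Candidate }
    }
    return $Tokens[0]
}

foreach ($Key in $RunKeys) {
    if (-not (Test-Path -Path $Key)) { continue }
    $RegKey = Get-Item -Path $Key
    foreach ($Name in $RegKey.GetValueNames()) {
        $Command    = [string]$RegKey.GetValue($Name)
        $ImagePath  = Get-ImagePath -Command $Command
        $FileExists = Test-Path -LiteralPath $ImagePath -PathType Leaf
        $Md5 = $Owner = $SigStatus = $Signer = $null
        if ($FileExists) {
            $Md5       = (Get-FileHash -LiteralPath $ImagePath -Algorithm MD5).Hash
            $Owner     = (Get-Acl -LiteralPath $ImagePath).Owner
            $Sig       = Get-AuthenticodeSignature -LiteralPath $ImagePath
            $SigStatus = $Sig.Status.ToString()        # Valid, NotSigned, HashMismatch, ...
            $Signer    = $Sig.SignerCertificate.Subject
        }
        # One object per Run entry; a missing file or unsigned/mismatched image stands out in analysis
        [PSCustomObject]@{
            RegistryKey = $Key
            ValueName   = $Name
            Command     = $Command
            ImagePath   = $ImagePath
            FileExists  = $FileExists
            FileMd5     = $Md5
            FileOwner   = $Owner
            SigStatus   = $SigStatus
            Signer      = $Signer
        }
    }
}
```

Entries whose image no longer exists, is unsigned, or fails signature validation are the ones worth triaging first when reviewing the collected output.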

Current Modules

Below is a summary of the currently supported collection modules.

| Module Name | MITRE ATT&CK ID | Module Description | Collection Method |
|---|---|---|---|
| collect-tasks | T1053.002 | Collect Windows scheduled task information. | `Get-ScheduledTask` |
| collect-services | T1569.002 | Collect Windows service information. | `Get-WmiObject -Class win32_service` |
| collect-wmi-providers | T1047 | Collect WMI provider information. | `Get-WmiObject -Class __Win32Provider` |
| collect-wmi-bindings | T1546.003 | Collect WMI binding information. | `Get-WmiObject -Namespace root/subscription -Class __FilterToConsumerBinding` |
| collect-wmi-filters | T1546.003 | Collect WMI filter information. | `Get-WmiObject -Namespace root/subscription -Class __EventFilter` |
| collect-wmi-consumers | T1546.003 | Collect WMI consumer information. | `Get-WmiObject -Namespace root/subscription -Class __EventConsumer` |
| collect-startup-files-allusers | T1547.001 | Collect information from user startup folders. | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\`<br>`C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup` |
| collect-startup-registry-run | T1547.001 | Collect information from registry run keys. | `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\`<br>`HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\`<br>`HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\`<br>`HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\` |
| collect-installed-software | T1505 | Collect installed software list. | `Get-Software` |
| collect-named-pipes | T1570 | Collect information from named pipes. | `Get-ChildItem \\.\pipe\` |
| collect-events-4732 | T1136.001 | Event 4732: Member added to security group. | `Get-WinEvent -FilterHashtable @{logname="security"; id="4732"}` |
| collect-events-1102 | T1070.001 | Event 1102: Audit log cleared. | `Get-WinEvent -FilterHashtable @{logname="security"; id="1102"}` |
| collect-processes | T1057 | Collect list of running processes. | `Get-WMIObject Win32_Process` |
| collect-connections | T1571 | Collect connection and associated process information. | `Get-NetTCPConnection`<br>`Get-WMIObject Win32_Process` |
| collect-environmental-variables | T1574.007 | Collect environmental variables. | `Get-ChildItem env:` |
| collect-environmental-paths | T1574.007 | Collect environmental paths. | `$Env:Path` |
| collect-users | T1136.001 | Collect local users. | `Get-LocalUser` |
| collect-groups | T1136.001 | Collect local groups. | `Get-LocalGroup` |
| collect-group-members | T1136.001 | Collect local group members. | `Get-LocalGroupMember` |
| collect-mapped-drives | T1039 | Collect mapped drives. | `Get-WmiObject -ClassName Win32_MappedLogicalDisk` |
| collect-network-interfaces | T1090 | Collect network interfaces. | `Get-NetAdapter`<br>`Get-NetIPAddress`<br>`Get-NetConnectionProfile` |