Repository layout:

```text
├── images
│   ├── Magnet.png
│   ├── screenshot.png
│   └── Defender_RESPONSE.png
├── Magnet_RESPONSE_CLI_Guide.pdf
├── LICENSE
├── Defender_RESPONSE.ps1
├── MagnetResponsePowerShell.ps1
└── README.md
```

/images/Magnet.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MagnetForensics/Magnet-RESPONSE-PowerShell/HEAD/images/Magnet.png

/images/screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MagnetForensics/Magnet-RESPONSE-PowerShell/HEAD/images/screenshot.png

/Magnet_RESPONSE_CLI_Guide.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MagnetForensics/Magnet-RESPONSE-PowerShell/HEAD/Magnet_RESPONSE_CLI_Guide.pdf

/images/Defender_RESPONSE.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MagnetForensics/Magnet-RESPONSE-PowerShell/HEAD/images/Defender_RESPONSE.png

/LICENSE:
--------------------------------------------------------------------------------

```text
MIT License

Copyright (c) 2023 Doug Metz

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
```

/Defender_RESPONSE.ps1:
--------------------------------------------------------------------------------

```powershell
<#
.NOTES
Defender_RESPONSE.ps1
doug.metz@magnetforensics.com
v1.1

.SYNOPSIS
This script can be used to leverage Magnet RESPONSE and the Microsoft Defender for Endpoint Live Response console to capture triage collections on remote endpoints.

Prerequisites:
- Defender Live Response Console - upload MagnetRESPONSE.exe to the Library
- Defender Live Response Console - upload Defender_RESPONSE.ps1 to the Library

Operation:
1. 'connect' to endpoint in Live Response // establish connection with the endpoint
2. 'put MagnetRESPONSE.exe' // copies the exe to the target system
3. 'run Defender_RESPONSE.ps1' // where the magic happens

Retrieving the Data:

Once the script has finished running, the zipped output will be saved at the location "C:\Temp\RESPONSE" on the remote machine.

* Navigate to the output folder using the command: cd c:\Temp\RESPONSE
* List files using the "dir" command
* Copy the zip filename <filename.zip>
* After the output filename is copied, collect the output by downloading it from the remote machine to your local system using the "Download" command: Download <filename.zip> &

#>
Write-Host ""
Write-Host "Magnet RESPONSE v1.7
$([char]0x00A9)2021-2023 Magnet Forensics, LLC
"
# Endpoint details for the console transcript. The script runs on the endpoint itself,
# so the local Win32_OperatingSystem instance is queried (no -ComputerName is needed).
$OSInfo = Get-CimInstance -ClassName Win32_OperatingSystem
$OS     = ($OSInfo.Name).Split('|')[0]   # Name is "<product>|<system root>|<boot device>"
$arch   = $OSInfo.OSArchitecture
$name   = $OSInfo.CSName
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
Write-Host "
Hostname: $name
Operating System: $OS
Architecture: $arch
"
./MagnetRESPONSE.exe /accepteula /unattended /output:C:\temp\RESPONSE /caseref:DefenderRESPONSE /capturevolatile /capturesystemfiles
# To include RAM capture, comment out (#) the above line and un-comment the line below
# ./MagnetRESPONSE.exe /accepteula /unattended /output:C:\temp\RESPONSE /caseref:DefenderRESPONSE /capturevolatile /capturesystemfiles /captureram
Write-Host "[Collecting Artifacts]"
# Block until MagnetRESPONSE.exe has finished; SilentlyContinue covers the case
# where the process has already exited before Wait-Process looks for it.
Wait-Process -Name "MagnetRESPONSE" -ErrorAction SilentlyContinue
$stopwatch.Stop()
$Minutes = $stopwatch.Elapsed.Minutes
$Seconds = $stopwatch.Elapsed.Seconds
Write-Host "** Acquisition Completed in $Minutes minutes and $Seconds seconds.**"
```

/MagnetResponsePowerShell.ps1:
--------------------------------------------------------------------------------

```powershell
<#

Magnet RESPONSE PowerShell Enterprise
doug.metz@magnetforensics.com
ver 1.7

The script first checks if it is running with administrative permissions and exits if not.
The script will then download Magnet RESPONSE from a web server, extract it, and run with the specified options.

The $outputpath parameter can be used to write to a local directory `C:\Temp`, `D:\Output` or network `\\Server\Share`.

Finally, the script removes the downloaded Magnet RESPONSE files and prints the time taken for the collection
and transfer to complete.

#>
param ([switch]$Elevated)

# Magnet RESPONSE needs administrative rights; bail out early if we do not have them.
function Test-Admin {
    $currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())
    $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}
if (-not (Test-Admin)) {
    if (-not $Elevated) {
        Write-Host ""
        Write-Host "Magnet RESPONSE requires Admin permissions.
Exiting.
"
    }
    exit
}

### VARIABLE SETUP
$caseID     = "INC-8675309"    # no spaces
$outputpath = "\\server\share" # Update to reflect output destination: C:\Temp, R:\Output or \\Server\Share
$server     = "192.168.1.10"   # "192.168.1.10" resolves to http://192.168.1.10/MagnetRESPONSE.zip

### COLLECTION PROFILE - Uncomment the collection type to be used (only one profile active at a time):

#### Quick Sweep
<#
$profileName = "QUICK SWEEP"
$arguments = "/capturevolatile /captureextendedprocessinfo"
#>
#### Capture Volatile  (active profile: its <# ... #> wrapper has been removed)
$profileName = "CAPTURE VOLATILE"
$arguments = "/capturevolatile"
#### Capture Volatile & RAM
<#
$profileName = "CAPTURE VOLATILE & RAM"
$arguments = "/captureram /capturevolatile"
#>
#### Extended Process Capture
<#
$profileName = "EXTENDED PROCESS CAPTURE"
$arguments = "/capturevolatile /captureextendedprocessinfo /saveprocfiles"
#>
#### System Files
<#
$profileName = "SYSTEM FILES"
$arguments = "/capturesystemfiles"
#>
#### Just RAM
<#
$profileName = "CAPTURE RAM"
$arguments = "/captureram"
#>
#### Magnet TRIAGE
<#
$profileName = "Magnet TRIAGE"
$arguments = "/captureram /capturevolatile /capturesystemfiles /captureextendedprocessinfo"
#>
#### Full Capture
<#
$profileName = "FULL CAPTURE"
$arguments = "/captureram /capturepagefile /capturevolatile /capturesystemfiles /captureextendedprocessinfo /saveprocfiles"
#>
#### Kitchen Sink
<#
$profileName = "KITCHEN SINK"
$arguments = "/captureram /capturepagefile /capturevolatile /capturesystemfiles /captureextendedprocessinfo /saveprocfiles /capturefiles:.ps1,.vbs,confidential /skipsystemfolders /maxsize:500  /captureransomnotes"
#>
#### End of Collection Profiles

Clear-Host
Write-Host ""
$tstamp = (Get-Date -Format "yyyyMMddHHmm")
$global:progressPreference = 'silentlyContinue'   # suppresses the Invoke-WebRequest progress bar
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
[console]::ForegroundColor = "DarkCyan"
Write-Host "Downloading Magnet RESPONSE"
Invoke-WebRequest -Uri "http://$server/MagnetRESPONSE.zip" -OutFile .\MagnetRESPONSE.zip
Expand-Archive -Path .\MagnetRESPONSE.zip -DestinationPath .\MagnetRESPONSE -Force
Remove-Item .\MagnetRESPONSE.zip
Clear-Host
Write-Host ""
Write-Host "Magnet RESPONSE v1.7
$([char]0x00A9)2021-2023 Magnet Forensics Inc
"
# Endpoint details for the console output. The script runs on the endpoint itself,
# so the local Win32_OperatingSystem instance is queried (no -ComputerName is needed).
$OSInfo = Get-CimInstance -ClassName Win32_OperatingSystem
$OS     = ($OSInfo.Name).Split('|')[0]   # Name is "<product>|<system root>|<boot device>"
$arch   = $OSInfo.OSArchitecture
$name   = $OSInfo.CSName
Write-Host "
Selected Profile: $profileName"
if (Test-Path -Path $outputpath) {
    Write-Host "Output directory: $outputpath"
} else {
    Write-Host "Specified output path does not exist.
"
    exit
}
Write-Host "
Hostname: $name
Operating System: $OS
Architecture: $arch
"
# Split the profile string so each switch reaches MagnetRESPONSE.exe as its own argument;
# a single string containing spaces would otherwise be passed as one quoted argument.
$profileArgs = $arguments -split '\s+' | Where-Object { $_ }
# Output is organised per host: <outputpath>\<caseID>-<hostname>-<timestamp>
MagnetRESPONSE\MagnetRESPONSE.exe /accepteula /unattended "/output:$outputpath\$caseID-$env:ComputerName-$tstamp" /caseref:$caseID $profileArgs
Write-Host "[Collecting Artifacts]"
# Block until MagnetRESPONSE.exe has finished; SilentlyContinue covers the case
# where the process has already exited before Wait-Process looks for it.
Wait-Process -Name "MagnetRESPONSE" -ErrorAction SilentlyContinue
$stopwatch.Stop()
$Minutes = $stopwatch.Elapsed.Minutes
$Seconds = $stopwatch.Elapsed.Seconds
Write-Host "** Acquisition Completed in $Minutes minutes and $Seconds seconds.**
"
Remove-Item "MagnetRESPONSE\" -Recurse -Confirm:$false -Force
Write-Host "Operations Complete.
"
```

/README.md:
--------------------------------------------------------------------------------
PowerShell scripts to run the **Magnet RESPONSE** forensic collection tool in large enterprises.

----------------------------

#### Magnet RESPONSE PowerShell
v1.7

Functions:

- :computer: Capture specified triage artifacts using profiles with Magnet RESPONSE,
- :ram: Capture a memory image with DumpIt for Windows,
- :floppy_disk: Save all artifacts, output, and audit logs to a network drive.

Prerequisites:

>- [Magnet RESPONSE](https://www.magnetforensics.com/resources/magnet-response/)
>- Web server where you can host MagnetRESPONSE.zip that's accessible to endpoints.
>- File server repository to save the file collections to.

**Please note this is not a Magnet supported product. This script is open source. If you have comments, updates, or suggestions - please do so here on GitHub via discussion or pull request.**

----------------------------

[Magnet RESPONSE](https://www.magnetforensics.com/resources/magnet-response/) is a free tool from Magnet Forensics that lets investigators and non-technical users easily collect and preserve critical data relevant to incident response investigations from local endpoints. Pre-set collection profiles let you target a comprehensive set of files and data relevant to incident response investigations, including RAM.

***What happens when you need to collect from dozens of endpoints? That's where the CLI (Command Line Interface) functionality of Magnet RESPONSE comes into play.***

There are two areas of the script for you to customize.
>- The ***Variable Setup*** contains the case identification, file server and web server locations.
>- The second section, ***Collection Profiles***, defines which artifact groups you want to collect. You can see all the options available in the [Magnet RESPONSE CLI Guide](/Magnet_RESPONSE_CLI_Guide.pdf).

### VARIABLE SETUP

`$caseID = "demo-161" # no spaces`

`$outputpath = "\\Server\Share" # Update to reflect output destination.`

`$server = "192.168.4.187" # "192.168.1.10" resolves to http://192.168.1.10/MagnetRESPONSE.zip`

### COLLECTION PROFILES
Within the script at least one set of collection arguments must be defined. In this case I've built multiple profiles, each wrapped in a block comment; un-commenting a profile marks it as active. Only one profile should be enabled at a time. You can design your own collection profiles using any of the available CLI options; just follow the format below.

`#### Extended Process Capture`

`$profileName = "EXTENDED PROCESS CAPTURE"`

`$arguments = "/capturevolatile /captureextendedprocessinfo /saveprocfiles"`

### Execution

Once your environment and collection variables are defined, go ahead and run the script on your endpoints.
Every host that executes the script will download RESPONSE from the web server, run the specified collection profile, and then transfer the output to the file server.
All data defined in the collection profile will be collected and organized by hostname in the central collection location. The returned files can be examined manually, using open source tools, or with products like Magnet AXIOM Cyber.

----------------------------

### Defender_RESPONSE.ps1

v1.1

**SYNOPSIS**
>This script can be used to leverage Magnet RESPONSE and the Microsoft Defender for Endpoint Live Response console to capture triage collections on remote endpoints.

**PREREQUISITES:**
>- Upload `MagnetRESPONSE.exe` to the Defender Live Response Console Library
>- Upload `Defender_RESPONSE.ps1` to the Defender Live Response Console Library

**OPERATION:**
>1. `connect` to endpoint in Live Response // establish connection with the endpoint
>2. `put MagnetRESPONSE.exe` // copies the exe to the target system
>3. `run Defender_RESPONSE.ps1` // where the magic happens

**RETRIEVING THE COLLECTION:**

>Once the script has finished running, the zipped output will be saved at the location `C:\Temp\RESPONSE` on the remote machine.
>
>* Navigate to the output folder: `cd c:\Temp\RESPONSE`
>* List files using the `dir` command
>* Copy the zip filename `<filename.zip>`
>* After the output filename is copied, collect the output by downloading it from the remote machine to your local system using the "Download" command: `Download <filename.zip> &`

**COLLECTION SIZE LIMITATIONS:**

>Collections over 3GB cannot be copied across the Defender console directly. See [Ginsu](http://github.com/dwmetz/ginsu).
--------------------------------------------------------------------------------
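The Execution section above describes the flow each endpoint goes through: download MagnetRESPONSE.zip from the web server, run the active profile, and write the output to a per-host folder on the file server. The following is an added example, not a script from the Magnet-RESPONSE-PowerShell repository, showing that flow with one safeguard the scripts omit: because the archive is fetched over plain HTTP and then run as administrator, its SHA-256 is checked against the value recorded when the zip was staged, so a swapped or tampered archive is rejected before it executes. The `$expectedSha256` placeholder, the server and share values, and the `Get-VerifiedResponseZip` and `New-CollectionTarget` function names are assumptions made for this example.

```powershell
# Added example, not the repository's own script: hardened download-and-run flow.
# Placeholders to replace: $expectedSha256 (hash recorded when the zip was staged),
# $server (web server) and $outputpath (collection share).
$ErrorActionPreference = 'Stop'
$caseID         = 'INC-8675309'
$outputpath     = '\\server\share'
$server         = '192.168.1.10'
$expectedSha256 = 'PLACEHOLDER_SHA256_OF_STAGED_MagnetRESPONSE_ZIP'

# Profiles from MagnetResponsePowerShell.ps1, selected by name instead of by
# uncommenting blocks, so exactly one profile is active.
$profiles = @{
    'QUICK SWEEP'      = '/capturevolatile /captureextendedprocessinfo'
    'CAPTURE VOLATILE' = '/capturevolatile'
    'SYSTEM FILES'     = '/capturesystemfiles'
}
$profileName = 'CAPTURE VOLATILE'

function Get-VerifiedResponseZip {
    # Download the archive and refuse to use it unless its SHA-256 matches the staged value.
    param([string]$Uri, [string]$Destination, [string]$Sha256)
    Invoke-WebRequest -Uri $Uri -OutFile $Destination
    $actual = (Get-FileHash -LiteralPath $Destination -Algorithm SHA256).Hash
    if ($actual -ne $Sha256.ToUpperInvariant()) {
        Remove-Item -LiteralPath $Destination -Force
        throw "SHA-256 mismatch for $Uri (expected $Sha256, got $actual); not running it"
    }
}

function New-CollectionTarget {
    # Per-host output folder: <share>\<case>-<hostname>-<timestamp>, as the script names it.
    param([string]$Root, [string]$CaseID)
    if (-not (Test-Path -LiteralPath $Root)) { throw "Output path '$Root' does not exist" }
    $tstamp = Get-Date -Format 'yyyyMMddHHmm'
    Join-Path -Path $Root -ChildPath "$CaseID-$env:COMPUTERNAME-$tstamp"
}

Get-VerifiedResponseZip -Uri "http://$server/MagnetRESPONSE.zip" -Destination '.\MagnetRESPONSE.zip' -Sha256 $expectedSha256
Expand-Archive -LiteralPath '.\MagnetRESPONSE.zip' -DestinationPath '.\MagnetRESPONSE' -Force
$target = New-CollectionTarget -Root $outputpath -CaseID $caseID
# Split the profile string so every switch reaches the exe as its own argument.
$profileArgs = $profiles[$profileName] -split '\s+' | Where-Object { $_ }
$sw = [System.Diagnostics.Stopwatch]::StartNew()
& '.\MagnetRESPONSE\MagnetRESPONSE.exe' /accepteula /unattended "/output:$target" "/caseref:$caseID" $profileArgs
Wait-Process -Name 'MagnetRESPONSE' -ErrorAction SilentlyContinue
$sw.Stop()
Write-Host ("Profile '{0}' completed in {1} min {2} s; output in {3}" -f $profileName, $sw.Elapsed.Minutes, $sw.Elapsed.Seconds, $target)
Remove-Item -LiteralPath '.\MagnetRESPONSE', '.\MagnetRESPONSE.zip' -Recurse -Force
```

Record the hash with `Get-FileHash -Algorithm SHA256` at the moment you stage MagnetRESPONSE.zip on the web server; with the placeholder left in place the function deliberately throws on the mismatch.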