Network Unisolation Queries: Advanced Incident Response Guide#

This comprehensive guide provides detailed queries and techniques for conducting network unisolation analysis during incident response activities. Learn advanced forensic methodologies, threat hunting procedures, and malware analysis techniques for effective security investigations.

Table of Contents#

Understanding Network Unisolation#

What is Network Unisolation?#

Network unisolation refers to the process of restoring network connectivity that was previously isolated or restricted due to security incidents. During incident response, systems are often isolated to contain threats, and unisolation queries help analysts understand:

Isolation Timeline: When and why systems were isolated
Network Dependencies: What services and connections were affected
Communication Patterns: Normal vs. anomalous network behavior
Threat Indicators: Evidence of malicious network activity
Recovery Requirements: What needs to be restored for normal operations

Common Isolation Scenarios#

Malware Infections: Systems isolated to prevent lateral movement
Data Breaches: Network segments isolated to stop exfiltration
Ransomware Attacks: Critical systems isolated to prevent encryption spread
APT Incidents: Compromised hosts isolated during investigation
Policy Violations: Systems isolated for compliance investigations

Windows Network Forensics Queries#

Registry-Based Network Configuration Analysis#

1
# Network-Configuration-Analysis.ps1 - Registry-based network forensics
2

3
# Function to analyze network adapter configurations
4
function Get-NetworkAdapterForensics {
5
    param(
6
        [string]$ComputerName = $env:COMPUTERNAME,
7
        [datetime]$StartTime = (Get-Date).AddDays(-30),
8
        [datetime]$EndTime = (Get-Date)
9
    )
10

11
    Write-Host "=== Network Adapter Forensic Analysis ===" -ForegroundColor Yellow
12
    Write-Host "Computer: $ComputerName" -ForegroundColor Cyan
13
    Write-Host "Time Range: $StartTime to $EndTime" -ForegroundColor Cyan
14

15
    # Get network adapter registry information
16
    $networkAdapters = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\*" -ErrorAction SilentlyContinue |
17
        Where-Object { $_.DriverDesc -ne $null }
18

19
    $results = @()
20

21
    foreach ($adapter in $networkAdapters) {
22
        $adapterInfo = @{
23
            DriverDescription = $adapter.DriverDesc
24
            DriverVersion = $adapter.DriverVersion
25
            DriverDate = $adapter.DriverDate
26
            ProviderName = $adapter.ProviderName
27
            RegistryPath = $adapter.PSPath
28
            NetCfgInstanceId = $adapter.NetCfgInstanceId
29
            ComponentId = $adapter.ComponentId
30
            LastModified = (Get-Item $adapter.PSPath.Replace('Microsoft.PowerShell.Core\Registry::', '')).LastWriteTime
31
        }
32

33
        # Check for suspicious network adapters
34
        $suspiciousIndicators = @()
35

36
        if ($adapter.DriverDesc -match "TAP|VPN|Virtual|Tunnel") {
37
            $suspiciousIndicators += "Virtual/VPN adapter detected"
38
        }
39

40
        if ($adapter.ProviderName -match "Unknown|Unsigned") {
41
            $suspiciousIndicators += "Unsigned or unknown provider"
42
        }
43

44
        if ($suspiciousIndicators.Count -gt 0) {
45
            $adapterInfo.SuspiciousIndicators = $suspiciousIndicators
46
        }
47

48
        $results += New-Object PSObject -Property $adapterInfo
49
    }
50

51
    return $results
52
}
53

54
# Function to analyze network isolation events
55
function Get-NetworkIsolationEvents {
56
    param(
57
        [string]$ComputerName = $env:COMPUTERNAME,
58
        [datetime]$StartTime = (Get-Date).AddDays(-7),
59
        [datetime]$EndTime = (Get-Date)
60
    )
61

62
    Write-Host "=== Network Isolation Event Analysis ===" -ForegroundColor Yellow
63

64
    # Security event IDs related to network isolation
65
    $isolationEventIDs = @(
66
        4624,  # Successful logon
67
        4625,  # Failed logon
68
        4648,  # Logon using explicit credentials
69
        4776,  # Domain controller attempted to validate credentials
70
        5156,  # Windows Filtering Platform allowed connection
71
        5157,  # Windows Filtering Platform blocked connection
72
        5447,  # Windows Filtering Platform filter change
73
        5448,  # Windows Filtering Platform provider change
74
        5152,  # Windows Filtering Platform blocked packet
75
        5154   # Windows Filtering Platform permitted application to listen
76
    )
77

78
    $events = @()
79

80
    foreach ($eventID in $isolationEventIDs) {
81
        try {
82
            $eventLogs = Get-WinEvent -FilterHashtable @{
83
                LogName = 'Security'
84
                ID = $eventID
85
                StartTime = $StartTime
86
                EndTime = $EndTime
87
            } -ComputerName $ComputerName -ErrorAction SilentlyContinue
88

89
            foreach ($event in $eventLogs) {
90
                $eventData = @{
91
                    TimeCreated = $event.TimeCreated
92
                    EventID = $event.Id
93
                    LevelDisplayName = $event.LevelDisplayName
94
                    Message = $event.Message
95
                    Computer = $event.MachineName
96
                    UserID = $event.UserId
97
                    ProcessID = $event.ProcessId
98
                    ThreadID = $event.ThreadId
99
                }
100

101
                # Parse specific event details
102
                switch ($event.Id) {
103
                    5156 {
104
                        # Parse WFP allowed connection
105
                        if ($event.Message -match "Source Address:\s+([^\r\n]+)") {
106
                            $eventData.SourceAddress = $matches[1].Trim()
107
                        }
108
                        if ($event.Message -match "Destination Address:\s+([^\r\n]+)") {
109
                            $eventData.DestinationAddress = $matches[1].Trim()
110
                        }
111
                        if ($event.Message -match "Source Port:\s+([^\r\n]+)") {
112
                            $eventData.SourcePort = $matches[1].Trim()
113
                        }
114
                        if ($event.Message -match "Destination Port:\s+([^\r\n]+)") {
115
                            $eventData.DestinationPort = $matches[1].Trim()
116
                        }
117
                    }
118
                    5157 {
119
                        # Parse WFP blocked connection
120
                        if ($event.Message -match "Source Address:\s+([^\r\n]+)") {
121
                            $eventData.SourceAddress = $matches[1].Trim()
122
                        }
123
                        if ($event.Message -match "Destination Address:\s+([^\r\n]+)") {
124
                            $eventData.DestinationAddress = $matches[1].Trim()
125
                        }
126
                        if ($event.Message -match "Source Port:\s+([^\r\n]+)") {
127
                            $eventData.SourcePort = $matches[1].Trim()
128
                        }
129
                        if ($event.Message -match "Destination Port:\s+([^\r\n]+)") {
130
                            $eventData.DestinationPort = $matches[1].Trim()
131
                        }
132
                    }
133
                }
134

135
                $events += New-Object PSObject -Property $eventData
136
            }
137
        }
138
        catch {
139
            Write-Warning "Could not retrieve events for ID $eventID`: $($_.Exception.Message)"
140
        }
141
    }
142

143
    return $events | Sort-Object TimeCreated
144
}
145

146
# Function to analyze firewall rule changes
147
function Get-FirewallRuleChanges {
148
    param(
149
        [string]$ComputerName = $env:COMPUTERNAME,
150
        [datetime]$StartTime = (Get-Date).AddDays(-7),
151
        [datetime]$EndTime = (Get-Date)
152
    )
153

154
    Write-Host "=== Firewall Rule Change Analysis ===" -ForegroundColor Yellow
155

156
    # Get firewall rule change events
157
    $firewallEvents = Get-WinEvent -FilterHashtable @{
158
        LogName = 'Security'
159
        ID = @(5447, 5448, 5449)  # WFP filter/provider changes
160
        StartTime = $StartTime
161
        EndTime = $EndTime
162
    } -ComputerName $ComputerName -ErrorAction SilentlyContinue
163

164
    $ruleChanges = @()
165

166
    foreach ($event in $firewallEvents) {
167
        $ruleChange = @{
168
            TimeCreated = $event.TimeCreated
169
            EventID = $event.Id
170
            Computer = $event.MachineName
171
            UserSID = $event.UserId
172
            ProcessID = $event.ProcessId
173
            Message = $event.Message
174
        }
175

176
        # Extract rule details
177
        if ($event.Message -match "Filter Name:\s+([^\r\n]+)") {
178
            $ruleChange.FilterName = $matches[1].Trim()
179
        }
180
        if ($event.Message -match "Provider Name:\s+([^\r\n]+)") {
181
            $ruleChange.ProviderName = $matches[1].Trim()
182
        }
183
        if ($event.Message -match "Change Type:\s+([^\r\n]+)") {
184
            $ruleChange.ChangeType = $matches[1].Trim()
185
        }
186

187
        $ruleChanges += New-Object PSObject -Property $ruleChange
188
    }
189

190
    return $ruleChanges
191
}
192

193
# Function to get current firewall status and rules
194
function Get-FirewallConfiguration {
195
    Write-Host "=== Current Firewall Configuration ===" -ForegroundColor Yellow
196

197
    # Get firewall profiles
198
    $profiles = @()
199
    foreach ($profile in @('Domain', 'Private', 'Public')) {
200
        $profileInfo = netsh advfirewall show $profile.ToLower() state
201
        $enabled = if ($profileInfo -match "State\s+ON") { $true } else { $false }
202

203
        $profiles += @{
204
            Profile = $profile
205
            Enabled = $enabled
206
            Details = $profileInfo
207
        }
208
    }
209

210
    # Get active firewall rules
211
    $firewallRules = Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' } | ForEach-Object {
212
        $rule = $_
213
        $addressFilter = $rule | Get-NetFirewallAddressFilter
214
        $portFilter = $rule | Get-NetFirewallPortFilter
215
        $applicationFilter = $rule | Get-NetFirewallApplicationFilter
216

217
        @{
218
            DisplayName = $rule.DisplayName
219
            Direction = $rule.Direction
220
            Action = $rule.Action
221
            Enabled = $rule.Enabled
222
            Profile = $rule.Profile
223
            LocalAddress = $addressFilter.LocalAddress
224
            RemoteAddress = $addressFilter.RemoteAddress
225
            Protocol = $portFilter.Protocol
226
            LocalPort = $portFilter.LocalPort
227
            RemotePort = $portFilter.RemotePort
228
            Program = $applicationFilter.Program
229
            CreationDate = $rule.CreationDate
230
        }
231
    }
232

233
    return @{
234
        Profiles = $profiles
235
        Rules = $firewallRules
236
    }
237
}
238

239
# Main execution example
240
$adapterAnalysis = Get-NetworkAdapterForensics
241
$isolationEvents = Get-NetworkIsolationEvents
242
$firewallChanges = Get-FirewallRuleChanges
243
$firewallConfig = Get-FirewallConfiguration
244

245
# Display suspicious adapters
246
$suspiciousAdapters = $adapterAnalysis | Where-Object { $_.SuspiciousIndicators -ne $null }
247
if ($suspiciousAdapters) {
248
    Write-Host "=== SUSPICIOUS NETWORK ADAPTERS DETECTED ===" -ForegroundColor Red
249
    $suspiciousAdapters | Format-Table DriverDescription, ProviderName, SuspiciousIndicators -AutoSize
250
}
251

252
# Display recent isolation events
253
Write-Host "=== RECENT NETWORK ISOLATION EVENTS ===" -ForegroundColor Yellow
254
$isolationEvents | Select-Object TimeCreated, EventID, SourceAddress, DestinationAddress, DestinationPort |
255
    Sort-Object TimeCreated -Descending | Select-Object -First 20 | Format-Table -AutoSize
256

257
# Display firewall rule changes
258
if ($firewallChanges) {
259
    Write-Host "=== FIREWALL RULE CHANGES ===" -ForegroundColor Yellow
260
    $firewallChanges | Select-Object TimeCreated, ChangeType, FilterName, ProviderName |
261
        Sort-Object TimeCreated -Descending | Format-Table -AutoSize
262
}

Network Connection Analysis#

1
# Network-Connection-Analysis.ps1 - Comprehensive network connection forensics
2

3
# Function to analyze active network connections
4
function Get-NetworkConnectionForensics {
5
    param(
6
        [string]$ProcessName = "*",
7
        [string]$RemoteAddress = "*",
8
        [int]$Port = 0
9
    )
10

11
    Write-Host "=== Active Network Connection Analysis ===" -ForegroundColor Yellow
12

13
    # Get active connections with process information
14
    $connections = Get-NetTCPConnection | ForEach-Object {
15
        $conn = $_
16
        $process = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
17

18
        $connectionInfo = @{
19
            LocalAddress = $conn.LocalAddress
20
            LocalPort = $conn.LocalPort
21
            RemoteAddress = $conn.RemoteAddress
22
            RemotePort = $conn.RemotePort
23
            State = $conn.State
24
            ProcessId = $conn.OwningProcess
25
            ProcessName = if ($process) { $process.ProcessName } else { "Unknown" }
26
            ProcessPath = if ($process) { $process.Path } else { "Unknown" }
27
            ProcessStartTime = if ($process) { $process.StartTime } else { $null }
28
            CreationTime = $conn.CreationTime
29
        }
30

31
        # Add risk assessment
32
        $riskFactors = @()
33

34
        # Check for suspicious remote addresses
35
        if ($conn.RemoteAddress -match "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)") {
36
            # Internal network - lower risk
37
        } elseif ($conn.RemoteAddress -notmatch "^(127\.|::1|0\.0\.0\.0)") {
38
            $riskFactors += "External connection"
39
        }
40

41
        # Check for suspicious ports
42
        $suspiciousPorts = @(4444, 5555, 6666, 8080, 9999, 31337, 12345)
43
        if ($conn.RemotePort -in $suspiciousPorts -or $conn.LocalPort -in $suspiciousPorts) {
44
            $riskFactors += "Suspicious port"
45
        }
46

47
        # Check for suspicious processes
48
        $suspiciousProcesses = @("cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe")
49
        if ($process -and $process.ProcessName -in $suspiciousProcesses) {
50
            $riskFactors += "Suspicious process"
51
        }
52

53
        if ($riskFactors.Count -gt 0) {
54
            $connectionInfo.RiskFactors = $riskFactors
55
            $connectionInfo.RiskLevel = if ($riskFactors.Count -gt 2) { "High" } elseif ($riskFactors.Count -gt 1) { "Medium" } else { "Low" }
56
        }
57

58
        New-Object PSObject -Property $connectionInfo
59
    }
60

61
    # Filter results
62
    $filteredConnections = $connections
63

64
    if ($ProcessName -ne "*") {
65
        $filteredConnections = $filteredConnections | Where-Object { $_.ProcessName -like "*$ProcessName*" }
66
    }
67

68
    if ($RemoteAddress -ne "*") {
69
        $filteredConnections = $filteredConnections | Where-Object { $_.RemoteAddress -like "*$RemoteAddress*" }
70
    }
71

72
    if ($Port -gt 0) {
73
        $filteredConnections = $filteredConnections | Where-Object { $_.LocalPort -eq $Port -or $_.RemotePort -eq $Port }
74
    }
75

76
    return $filteredConnections
77
}
78

79
# Function to analyze historical network connections
80
function Get-HistoricalNetworkConnections {
81
    param(
82
        [datetime]$StartTime = (Get-Date).AddDays(-1),
83
        [datetime]$EndTime = (Get-Date)
84
    )
85

86
    Write-Host "=== Historical Network Connection Analysis ===" -ForegroundColor Yellow
87

88
    # Parse network-related events from event logs
89
    $networkEvents = @()
90

91
    # Get Sysmon network connection events (Event ID 3)
92
    try {
93
        $sysmonEvents = Get-WinEvent -FilterHashtable @{
94
            LogName = 'Microsoft-Windows-Sysmon/Operational'
95
            ID = 3
96
            StartTime = $StartTime
97
            EndTime = $EndTime
98
        } -ErrorAction SilentlyContinue
99

100
        foreach ($event in $sysmonEvents) {
101
            $xml = [xml]$event.ToXml()
102
            $eventData = $xml.Event.EventData.Data
103

104
            $networkEvent = @{
105
                TimeCreated = $event.TimeCreated
106
                EventID = $event.Id
107
                ProcessId = ($eventData | Where-Object {$_.Name -eq 'ProcessId'}).'#text'
108
                Image = ($eventData | Where-Object {$_.Name -eq 'Image'}).'#text'
109
                User = ($eventData | Where-Object {$_.Name -eq 'User'}).'#text'
110
                Protocol = ($eventData | Where-Object {$_.Name -eq 'Protocol'}).'#text'
111
                SourceIp = ($eventData | Where-Object {$_.Name -eq 'SourceIp'}).'#text'
112
                SourcePort = ($eventData | Where-Object {$_.Name -eq 'SourcePort'}).'#text'
113
                DestinationIp = ($eventData | Where-Object {$_.Name -eq 'DestinationIp'}).'#text'
114
                DestinationPort = ($eventData | Where-Object {$_.Name -eq 'DestinationPort'}).'#text'
115
                Initiated = ($eventData | Where-Object {$_.Name -eq 'Initiated'}).'#text'
116
            }
117

118
            $networkEvents += New-Object PSObject -Property $networkEvent
119
        }
120
    }
121
    catch {
122
        Write-Warning "Could not retrieve Sysmon events: $($_.Exception.Message)"
123
    }
124

125
    # Get Windows Filtering Platform events
126
    try {
127
        $wfpEvents = Get-WinEvent -FilterHashtable @{
128
            LogName = 'Security'
129
            ID = @(5156, 5157)  # WFP allowed/blocked connections
130
            StartTime = $StartTime
131
            EndTime = $EndTime
132
        } -ErrorAction SilentlyContinue
133

134
        foreach ($event in $wfpEvents) {
135
            $wfpEvent = @{
136
                TimeCreated = $event.TimeCreated
137
                EventID = $event.Id
138
                Action = if ($event.Id -eq 5156) { "Allowed" } else { "Blocked" }
139
                Computer = $event.MachineName
140
                ProcessID = $event.ProcessId
141
                Message = $event.Message
142
            }
143

144
            # Parse message for network details
145
            if ($event.Message -match "Source Address:\s+([^\r\n]+)") {
146
                $wfpEvent.SourceAddress = $matches[1].Trim()
147
            }
148
            if ($event.Message -match "Destination Address:\s+([^\r\n]+)") {
149
                $wfpEvent.DestinationAddress = $matches[1].Trim()
150
            }
151
            if ($event.Message -match "Source Port:\s+([^\r\n]+)") {
152
                $wfpEvent.SourcePort = $matches[1].Trim()
153
            }
154
            if ($event.Message -match "Destination Port:\s+([^\r\n]+)") {
155
                $wfpEvent.DestinationPort = $matches[1].Trim()
156
            }
157
            if ($event.Message -match "Protocol:\s+([^\r\n]+)") {
158
                $wfpEvent.Protocol = $matches[1].Trim()
159
            }
160

161
            $networkEvents += New-Object PSObject -Property $wfpEvent
162
        }
163
    }
164
    catch {
165
        Write-Warning "Could not retrieve WFP events: $($_.Exception.Message)"
166
    }
167

168
    return $networkEvents | Sort-Object TimeCreated
169
}
170

171
# Function to analyze DNS queries
172
function Get-DNSQueryAnalysis {
173
    param(
174
        [datetime]$StartTime = (Get-Date).AddDays(-1),
175
        [datetime]$EndTime = (Get-Date)
176
    )
177

178
    Write-Host "=== DNS Query Analysis ===" -ForegroundColor Yellow
179

180
    $dnsQueries = @()
181

182
    # Get Sysmon DNS query events (Event ID 22)
183
    try {
184
        $sysmonDNSEvents = Get-WinEvent -FilterHashtable @{
185
            LogName = 'Microsoft-Windows-Sysmon/Operational'
186
            ID = 22
187
            StartTime = $StartTime
188
            EndTime = $EndTime
189
        } -ErrorAction SilentlyContinue
190

191
        foreach ($event in $sysmonDNSEvents) {
192
            $xml = [xml]$event.ToXml()
193
            $eventData = $xml.Event.EventData.Data
194

195
            $dnsQuery = @{
196
                TimeCreated = $event.TimeCreated
197
                ProcessId = ($eventData | Where-Object {$_.Name -eq 'ProcessId'}).'#text'
198
                Image = ($eventData | Where-Object {$_.Name -eq 'Image'}).'#text'
199
                QueryName = ($eventData | Where-Object {$_.Name -eq 'QueryName'}).'#text'
200
                QueryStatus = ($eventData | Where-Object {$_.Name -eq 'QueryStatus'}).'#text'
201
                QueryResults = ($eventData | Where-Object {$_.Name -eq 'QueryResults'}).'#text'
202
            }
203

204
            # Analyze for suspicious domains
205
            $suspiciousDomains = @(
206
                "bit.ly", "tinyurl.com", "pastebin.com", "hastebin.com",
207
                "githubusercontent.com", "raw.githubusercontent.com",
208
                "ngrok.io", "duckdns.org", "no-ip.com"
209
            )
210

211
            $riskFactors = @()
212
            foreach ($domain in $suspiciousDomains) {
213
                if ($dnsQuery.QueryName -like "*$domain*") {
214
                    $riskFactors += "Suspicious domain: $domain"
215
                }
216
            }
217

218
            # Check for DGA-like domains
219
            if ($dnsQuery.QueryName -match "^[a-z]{10,}\.(com|net|org)$") {
220
                $riskFactors += "Possible DGA domain"
221
            }
222

223
            # Check for recently registered domains (would need external API)
224
            # This is a placeholder for demonstration
225
            if ($dnsQuery.QueryName -match "\.(tk|ml|ga|cf)$") {
226
                $riskFactors += "Free TLD (potentially suspicious)"
227
            }
228

229
            if ($riskFactors.Count -gt 0) {
230
                $dnsQuery.RiskFactors = $riskFactors
231
            }
232

233
            $dnsQueries += New-Object PSObject -Property $dnsQuery
234
        }
235
    }
236
    catch {
237
        Write-Warning "Could not retrieve Sysmon DNS events: $($_.Exception.Message)"
238
    }
239

240
    # Get DNS Client events
241
    try {
242
        $dnsClientEvents = Get-WinEvent -FilterHashtable @{
243
            LogName = 'Microsoft-Windows-DNS-Client/Operational'
244
            StartTime = $StartTime
245
            EndTime = $EndTime
246
        } -ErrorAction SilentlyContinue
247

248
        # Process DNS client events for additional context
249
        foreach ($event in $dnsClientEvents) {
250
            if ($event.Message -match "DNS query") {
251
                # Parse DNS client events for additional intelligence
252
                # Implementation depends on specific event structure
253
            }
254
        }
255
    }
256
    catch {
257
        Write-Warning "Could not retrieve DNS Client events: $($_.Exception.Message)"
258
    }
259

260
    return $dnsQueries | Sort-Object TimeCreated
261
}
262

263
# Usage examples
264
Write-Host "Starting Network Connection Forensic Analysis..." -ForegroundColor Green
265

266
# Analyze current connections
267
$currentConnections = Get-NetworkConnectionForensics
268
$riskyConnections = $currentConnections | Where-Object { $_.RiskLevel -ne $null }
269

270
if ($riskyConnections) {
271
    Write-Host "=== HIGH-RISK CONNECTIONS DETECTED ===" -ForegroundColor Red
272
    $riskyConnections | Format-Table ProcessName, RemoteAddress, RemotePort, RiskLevel, RiskFactors -AutoSize
273
}
274

275
# Analyze historical connections
276
$historicalConnections = Get-HistoricalNetworkConnections -StartTime (Get-Date).AddHours(-24)
277
$externalConnections = $historicalConnections | Where-Object {
278
    $_.DestinationIp -and $_.DestinationIp -notmatch "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1)"
279
}
280

281
Write-Host "=== EXTERNAL CONNECTIONS (Last 24 Hours) ===" -ForegroundColor Yellow
282
$externalConnections | Select-Object TimeCreated, Image, DestinationIp, DestinationPort |
283
    Sort-Object TimeCreated -Descending | Select-Object -First 20 | Format-Table -AutoSize
284

285
# Analyze DNS queries
286
$dnsAnalysis = Get-DNSQueryAnalysis -StartTime (Get-Date).AddHours(-24)
287
$suspiciousDNS = $dnsAnalysis | Where-Object { $_.RiskFactors -ne $null }
288

289
if ($suspiciousDNS) {
290
    Write-Host "=== SUSPICIOUS DNS QUERIES ===" -ForegroundColor Red
291
    $suspiciousDNS | Select-Object TimeCreated, Image, QueryName, RiskFactors | Format-Table -AutoSize
292
}

Advanced Threat Hunting Queries#

Lateral Movement Detection#

1
# Lateral-Movement-Detection.ps1 - Advanced lateral movement analysis
2

3
# Function to detect lateral movement patterns
4
function Detect-LateralMovement {
5
    param(
6
        [datetime]$StartTime = (Get-Date).AddDays(-7),
7
        [datetime]$EndTime = (Get-Date),
8
        [string[]]$TargetComputers = @()
9
    )
10

11
    Write-Host "=== Lateral Movement Detection Analysis ===" -ForegroundColor Yellow
12

13
    $lateralMovementIndicators = @()
14

15
    # 1. Detect Pass-the-Hash attacks
16
    Write-Host "Analyzing Pass-the-Hash indicators..." -ForegroundColor Cyan
17

18
    $pthEvents = Get-WinEvent -FilterHashtable @{
19
        LogName = 'Security'
20
        ID = 4624  # Successful logon
21
        StartTime = $StartTime
22
        EndTime = $EndTime
23
    } -ErrorAction SilentlyContinue | ForEach-Object {
24
        $event = $_
25
        $xml = [xml]$event.ToXml()
26
        $eventData = $xml.Event.EventData.Data
27

28
        $logonType = ($eventData | Where-Object {$_.Name -eq 'LogonType'}).'#text'
29
        $authPackage = ($eventData | Where-Object {$_.Name -eq 'AuthenticationPackageName'}).'#text'
30
        $logonProcess = ($eventData | Where-Object {$_.Name -eq 'LogonProcessName'}).'#text'
31
        $workstationName = ($eventData | Where-Object {$_.Name -eq 'WorkstationName'}).'#text'
32
        $sourceIP = ($eventData | Where-Object {$_.Name -eq 'IpAddress'}).'#text'
33
        $targetUser = ($eventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
34

35
        # PTH indicators: Type 3 logon with NTLM auth and no password (LM hash blank)
36
        if ($logonType -eq '3' -and $authPackage -eq 'NTLM' -and $logonProcess -eq 'NtLmSsp') {
37
            @{
38
                TimeCreated = $event.TimeCreated
39
                EventType = "Potential Pass-the-Hash"
40
                TargetUser = $targetUser
41
                SourceIP = $sourceIP
42
                WorkstationName = $workstationName
43
                LogonType = $logonType
44
                AuthPackage = $authPackage
45
                Severity = "High"
46
                Description = "Type 3 NTLM logon detected - possible PTH attack"
47
            }
48
        }
49
    }
50

51
    $lateralMovementIndicators += $pthEvents
52

53
    # 2. Detect WMI-based lateral movement
54
    Write-Host "Analyzing WMI lateral movement..." -ForegroundColor Cyan
55

56
    $wmiEvents = Get-WinEvent -FilterHashtable @{
57
        LogName = 'Microsoft-Windows-WMI-Activity/Operational'
58
        ID = 5857  # WMI connection
59
        StartTime = $StartTime
60
        EndTime = $EndTime
61
    } -ErrorAction SilentlyContinue | ForEach-Object {
62
        $event = $_
63
        if ($event.Message -match "ClientMachine = ([^;]+)") {
64
            $clientMachine = $matches[1]
65
            if ($clientMachine -ne $env:COMPUTERNAME -and $clientMachine -ne "127.0.0.1") {
66
                @{
67
                    TimeCreated = $event.TimeCreated
68
                    EventType = "WMI Remote Connection"
69
                    SourceComputer = $clientMachine
70
                    TargetComputer = $env:COMPUTERNAME
71
                    Severity = "Medium"
72
                    Description = "Remote WMI connection detected"
73
                }
74
            }
75
        }
76
    }
77

78
    $lateralMovementIndicators += $wmiEvents
79

80
    # 3. Detect PSExec-style service creation
81
    Write-Host "Analyzing service-based lateral movement..." -ForegroundColor Cyan
82

83
    $serviceEvents = Get-WinEvent -FilterHashtable @{
84
        LogName = 'System'
85
        ID = 7045  # Service installation
86
        StartTime = $StartTime
87
        EndTime = $EndTime
88
    } -ErrorAction SilentlyContinue | ForEach-Object {
89
        $event = $_
90
        if ($event.Message -match "PSEXE|ADMIN\$|psexec|paexec|winexe") {
91
            @{
92
                TimeCreated = $event.TimeCreated
93
                EventType = "Suspicious Service Creation"
94
                ServiceName = if ($event.Message -match "Service Name:\s+([^\r\n]+)") { $matches[1] } else { "Unknown" }
95
                ServicePath = if ($event.Message -match "Service File Name:\s+([^\r\n]+)") { $matches[1] } else { "Unknown" }
96
                Severity = "High"
97
                Description = "PSExec-style service creation detected"
98
            }
99
        }
100
    }
101

102
    $lateralMovementIndicators += $serviceEvents
103

104
    # 4. Detect RDP lateral movement
105
    Write-Host "Analyzing RDP lateral movement..." -ForegroundColor Cyan
106

107
    $rdpEvents = Get-WinEvent -FilterHashtable @{
108
        LogName = 'Security'
109
        ID = 4624  # Successful logon
110
        StartTime = $StartTime
111
        EndTime = $EndTime
112
    } -ErrorAction SilentlyContinue | ForEach-Object {
113
        $event = $_
114
        $xml = [xml]$event.ToXml()
115
        $eventData = $xml.Event.EventData.Data
116

117
        $logonType = ($eventData | Where-Object {$_.Name -eq 'LogonType'}).'#text'
118
        $sourceIP = ($eventData | Where-Object {$_.Name -eq 'IpAddress'}).'#text'
119
        $targetUser = ($eventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
120

121
        # RDP logons (Type 10)
122
        if ($logonType -eq '10' -and $sourceIP -ne '-' -and $sourceIP -ne '127.0.0.1') {
123
            @{
124
                TimeCreated = $event.TimeCreated
125
                EventType = "RDP Logon"
126
                TargetUser = $targetUser
127
                SourceIP = $sourceIP
128
                LogonType = $logonType
129
                Severity = "Medium"
130
                Description = "Remote RDP logon detected"
131
            }
132
        }
133
    }
134

135
    $lateralMovementIndicators += $rdpEvents
136

137
    # 5. Detect PowerShell remoting
138
    Write-Host "Analyzing PowerShell remoting..." -ForegroundColor Cyan
139

140
    $psRemotingEvents = Get-WinEvent -FilterHashtable @{
141
        LogName = 'Microsoft-Windows-PowerShell/Operational'
142
        ID = 4103  # Module logging
143
        StartTime = $StartTime
144
        EndTime = $EndTime
145
    } -ErrorAction SilentlyContinue | ForEach-Object {
146
        $event = $_
147
        if ($event.Message -match "Invoke-Command|Enter-PSSession|New-PSSession") {
148
            @{
149
                TimeCreated = $event.TimeCreated
150
                EventType = "PowerShell Remoting"
151
                Command = if ($event.Message -match "CommandName=([^\r\n]+)") { $matches[1] } else { "Unknown" }
152
                Severity = "Medium"
153
                Description = "PowerShell remoting activity detected"
154
            }
155
        }
156
    }
157

158
    $lateralMovementIndicators += $psRemotingEvents
159

160
    return $lateralMovementIndicators | Sort-Object TimeCreated
161
}
162

163
# Function to detect credential dumping activities
164
function Detect-CredentialDumping {
165
    param(
166
        [datetime]$StartTime = (Get-Date).AddDays(-7),
167
        [datetime]$EndTime = (Get-Date)
168
    )
169

170
    Write-Host "=== Credential Dumping Detection ===" -ForegroundColor Yellow
171

172
    $credentialDumpingIndicators = @()
173

174
    # 1. Detect LSASS access
175
    Write-Host "Analyzing LSASS process access..." -ForegroundColor Cyan
176

177
    $lsassEvents = Get-WinEvent -FilterHashtable @{
178
        LogName = 'Security'
179
        ID = 4656  # Handle to object requested
180
        StartTime = $StartTime
181
        EndTime = $EndTime
182
    } -ErrorAction SilentlyContinue | ForEach-Object {
183
        $event = $_
184
        if ($event.Message -match "lsass.exe" -and $event.Message -match "Process Terminate") {
185
            $xml = [xml]$event.ToXml()
186
            $eventData = $xml.Event.EventData.Data
187

188
            @{
189
                TimeCreated = $event.TimeCreated
190
                EventType = "LSASS Access"
191
                ProcessName = ($eventData | Where-Object {$_.Name -eq 'ProcessName'}).'#text'
192
                SubjectUserName = ($eventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
193
                Severity = "High"
194
                Description = "Access to LSASS process detected - possible credential dumping"
195
            }
196
        }
197
    }
198

199
    $credentialDumpingIndicators += $lsassEvents
200

201
    # 2. Detect Mimikatz usage via Sysmon
202
    Write-Host "Analyzing potential Mimikatz usage..." -ForegroundColor Cyan
203

204
    $mimikatzEvents = Get-WinEvent -FilterHashtable @{
205
        LogName = 'Microsoft-Windows-Sysmon/Operational'
206
        ID = 1  # Process creation
207
        StartTime = $StartTime
208
        EndTime = $EndTime
209
    } -ErrorAction SilentlyContinue | ForEach-Object {
210
        $event = $_
211
        if ($event.Message -match "mimikatz|sekurlsa|logonpasswords|lsadump") {
212
            $xml = [xml]$event.ToXml()
213
            $eventData = $xml.Event.EventData.Data
214

215
            @{
216
                TimeCreated = $event.TimeCreated
217
                EventType = "Mimikatz Activity"
218
                Image = ($eventData | Where-Object {$_.Name -eq 'Image'}).'#text'
219
                CommandLine = ($eventData | Where-Object {$_.Name -eq 'CommandLine'}).'#text'
220
                User = ($eventData | Where-Object {$_.Name -eq 'User'}).'#text'
221
                Severity = "Critical"
222
                Description = "Mimikatz-related activity detected"
223
            }
224
        }
225
    }
226

227
    $credentialDumpingIndicators += $mimikatzEvents
228

229
    # 3. Detect procdump usage on LSASS
230
    Write-Host "Analyzing procdump usage..." -ForegroundColor Cyan
231

232
    $procdumpEvents = Get-WinEvent -FilterHashtable @{
233
        LogName = 'Microsoft-Windows-Sysmon/Operational'
234
        ID = 1  # Process creation
235
        StartTime = $StartTime
236
        EndTime = $EndTime
237
    } -ErrorAction SilentlyContinue | ForEach-Object {
238
        $event = $_
239
        if ($event.Message -match "procdump.*lsass" -or $event.Message -match "procdump.*-ma.*lsass") {
240
            $xml = [xml]$event.ToXml()
241
            $eventData = $xml.Event.EventData.Data
242

243
            @{
244
                TimeCreated = $event.TimeCreated
245
                EventType = "Procdump LSASS"
246
                Image = ($eventData | Where-Object {$_.Name -eq 'Image'}).'#text'
247
                CommandLine = ($eventData | Where-Object {$_.Name -eq 'CommandLine'}).'#text'
248
                User = ($eventData | Where-Object {$_.Name -eq 'User'}).'#text'
249
                Severity = "High"
250
                Description = "Procdump used against LSASS process"
251
            }
252
        }
253
    }
254

255
    $credentialDumpingIndicators += $procdumpEvents
256

257
    return $credentialDumpingIndicators | Sort-Object TimeCreated
258
}
259

260
# Function to detect persistence mechanisms
261
function Detect-PersistenceMechanisms {
262
    param(
263
        [datetime]$StartTime = (Get-Date).AddDays(-7),
264
        [datetime]$EndTime = (Get-Date)
265
    )
266

267
    Write-Host "=== Persistence Mechanism Detection ===" -ForegroundColor Yellow
268

269
    $persistenceIndicators = @()
270

271
    # 1. Detect registry autorun modifications
272
    Write-Host "Analyzing registry autorun changes..." -ForegroundColor Cyan
273

274
    $registryEvents = Get-WinEvent -FilterHashtable @{
275
        LogName = 'Security'
276
        ID = 4657  # Registry value modified
277
        StartTime = $StartTime
278
        EndTime = $EndTime
279
    } -ErrorAction SilentlyContinue | ForEach-Object {
280
        $event = $_
281
        $autorunKeys = @(
282
            "Run", "RunOnce", "RunServices", "RunServicesOnce",
283
            "Winlogon", "Explorer", "Shell", "Userinit"
284
        )
285

286
        foreach ($key in $autorunKeys) {
287
            if ($event.Message -match $key) {
288
                $xml = [xml]$event.ToXml()
289
                $eventData = $xml.Event.EventData.Data
290

291
                @{
292
                    TimeCreated = $event.TimeCreated
293
                    EventType = "Registry Autorun Modification"
294
                    ObjectName = ($eventData | Where-Object {$_.Name -eq 'ObjectName'}).'#text'
295
                    ProcessName = ($eventData | Where-Object {$_.Name -eq 'ProcessName'}).'#text'
296
                    SubjectUserName = ($eventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
297
                    Severity = "Medium"
298
                    Description = "Autorun registry key modified"
299
                }
300
                break
301
            }
302
        }
303
    }
304

305
    $persistenceIndicators += $registryEvents
306

307
    # 2. Detect scheduled task creation
308
    Write-Host "Analyzing scheduled task creation..." -ForegroundColor Cyan
309

310
    $taskEvents = Get-WinEvent -FilterHashtable @{
311
        LogName = 'Security'
312
        ID = 4698  # Scheduled task created
313
        StartTime = $StartTime
314
        EndTime = $EndTime
315
    } -ErrorAction SilentlyContinue | ForEach-Object {
316
        $event = $_
317
        $xml = [xml]$event.ToXml()
318
        $eventData = $xml.Event.EventData.Data
319

320
        @{
321
            TimeCreated = $event.TimeCreated
322
            EventType = "Scheduled Task Created"
323
            TaskName = ($eventData | Where-Object {$_.Name -eq 'TaskName'}).'#text'
324
            SubjectUserName = ($eventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
325
            TaskContent = ($eventData | Where-Object {$_.Name -eq 'TaskContent'}).'#text'
326
            Severity = "Medium"
327
            Description = "New scheduled task created"
328
        }
329
    }
330

331
    $persistenceIndicators += $taskEvents
332

333
    # 3. Detect service creation
334
    Write-Host "Analyzing service creation..." -ForegroundColor Cyan
335

336
    $serviceCreationEvents = Get-WinEvent -FilterHashtable @{
337
        LogName = 'System'
338
        ID = 7045  # Service installation
339
        StartTime = $StartTime
340
        EndTime = $EndTime
341
    } -ErrorAction SilentlyContinue | ForEach-Object {
342
        $event = $_
343
        @{
344
            TimeCreated = $event.TimeCreated
345
            EventType = "Service Installation"
346
            ServiceName = if ($event.Message -match "Service Name:\s+([^\r\n]+)") { $matches[1] } else { "Unknown" }
347
            ServicePath = if ($event.Message -match "Service File Name:\s+([^\r\n]+)") { $matches[1] } else { "Unknown" }
348
            StartType = if ($event.Message -match "Service Start Type:\s+([^\r\n]+)") { $matches[1] } else { "Unknown" }
349
            Severity = "Medium"
350
            Description = "New service installed"
351
        }
352
    }
353

354
    $persistenceIndicators += $serviceCreationEvents
355

356
    return $persistenceIndicators | Sort-Object TimeCreated
357
}
358

359
# Main execution
360
Write-Host "Starting Advanced Threat Hunting Analysis..." -ForegroundColor Green
361

362
# Detect lateral movement
363
$lateralMovement = Detect-LateralMovement -StartTime (Get-Date).AddDays(-7)
364
$criticalLateralMovement = $lateralMovement | Where-Object { $_.Severity -eq "Critical" -or $_.Severity -eq "High" }
365

366
if ($criticalLateralMovement) {
367
    Write-Host "=== CRITICAL LATERAL MOVEMENT DETECTED ===" -ForegroundColor Red
368
    $criticalLateralMovement | Format-Table TimeCreated, EventType, TargetUser, SourceIP, Description -AutoSize
369
}
370

371
# Detect credential dumping
372
$credentialDumping = Detect-CredentialDumping -StartTime (Get-Date).AddDays(-7)
373
if ($credentialDumping) {
374
    Write-Host "=== CREDENTIAL DUMPING ACTIVITIES ===" -ForegroundColor Red
375
    $credentialDumping | Format-Table TimeCreated, EventType, ProcessName, SubjectUserName, Description -AutoSize
376
}
377

378
# Detect persistence
379
$persistence = Detect-PersistenceMechanisms -StartTime (Get-Date).AddDays(-7)
380
$suspiciousPersistence = $persistence | Where-Object {
381
    $_.TaskName -match "Update|Microsoft|System" -or
382
    $_.ServiceName -match "Update|Microsoft|System" -or
383
    $_.ObjectName -match "HKEY_LOCAL_MACHINE.*Run"
384
}
385

386
if ($suspiciousPersistence) {
387
    Write-Host "=== SUSPICIOUS PERSISTENCE MECHANISMS ===" -ForegroundColor Yellow
388
    $suspiciousPersistence | Format-Table TimeCreated, EventType, TaskName, ServiceName, Description -AutoSize
389
}

Timeline Analysis and Correlation#

Incident Timeline Reconstruction#

1
# Timeline-Analysis.ps1 - Comprehensive incident timeline reconstruction
2

3
# Function to create comprehensive incident timeline
4
function Build-IncidentTimeline {
5
    param(
6
        [datetime]$IncidentStart,
7
        [datetime]$IncidentEnd,
8
        [string[]]$EventSources = @(
9
            'Security', 'System', 'Application',
10
            'Microsoft-Windows-Sysmon/Operational',
11
            'Microsoft-Windows-PowerShell/Operational',
12
            'Microsoft-Windows-WMI-Activity/Operational'
13
        ),
14
        [string[]]$Keywords = @()
15
    )
16

17
    Write-Host "=== Building Incident Timeline ===" -ForegroundColor Yellow
18
    Write-Host "Period: $IncidentStart to $IncidentEnd" -ForegroundColor Cyan
19

20
    $timelineEvents = @()
21

22
    foreach ($logName in $EventSources) {
23
        Write-Host "Processing log: $logName" -ForegroundColor Cyan
24

25
        try {
26
            $events = Get-WinEvent -FilterHashtable @{
27
                LogName = $logName
28
                StartTime = $IncidentStart
29
                EndTime = $IncidentEnd
30
            } -ErrorAction SilentlyContinue
31

32
            foreach ($event in $events) {
33
                $shouldInclude = $false
34

35
                # Include event if no keywords specified or if keywords match
36
                if ($Keywords.Count -eq 0) {
37
                    $shouldInclude = $true
38
                } else {
39
                    foreach ($keyword in $Keywords) {
40
                        if ($event.Message -match $keyword) {
41
                            $shouldInclude = $true
42
                            break
43
                        }
44
                    }
45
                }
46

47
                if ($shouldInclude) {
48
                    $timelineEvent = @{
49
                        TimeCreated = $event.TimeCreated
50
                        LogName = $event.LogName
51
                        EventID = $event.Id
52
                        Level = $event.LevelDisplayName
53
                        Computer = $event.MachineName
54
                        ProcessID = $event.ProcessId
55
                        ThreadID = $event.ThreadId
56
                        Message = $event.Message.Substring(0, [Math]::Min(200, $event.Message.Length))
57
                        FullMessage = $event.Message
58
                    }
59

60
                    # Add event-specific parsing
61
                    switch ($event.Id) {
62
                        1 {  # Sysmon Process Creation
63
                            if ($event.LogName -eq 'Microsoft-Windows-Sysmon/Operational') {
64
                                $xml = [xml]$event.ToXml()
65
                                $eventData = $xml.Event.EventData.Data
66
                                $timelineEvent.EventType = "Process Created"
67
                                $timelineEvent.Image = ($eventData | Where-Object {$_.Name -eq 'Image'}).'#text'
68
                                $timelineEvent.CommandLine = ($eventData | Where-Object {$_.Name -eq 'CommandLine'}).'#text'
69
                                $timelineEvent.ParentImage = ($eventData | Where-Object {$_.Name -eq 'ParentImage'}).'#text'
70
                                $timelineEvent.User = ($eventData | Where-Object {$_.Name -eq 'User'}).'#text'
71
                            }
72
                        }
73
                        3 {  # Sysmon Network Connection
74
                            if ($event.LogName -eq 'Microsoft-Windows-Sysmon/Operational') {
75
                                $xml = [xml]$event.ToXml()
76
                                $eventData = $xml.Event.EventData.Data
77
                                $timelineEvent.EventType = "Network Connection"
78
                                $timelineEvent.Image = ($eventData | Where-Object {$_.Name -eq 'Image'}).'#text'
79
                                $timelineEvent.DestinationIp = ($eventData | Where-Object {$_.Name -eq 'DestinationIp'}).'#text'
80
                                $timelineEvent.DestinationPort = ($eventData | Where-Object {$_.Name -eq 'DestinationPort'}).'#text'
81
                            }
82
                        }
83
                        4624 {  # Successful Logon
84
                            $xml = [xml]$event.ToXml()
85
                            $eventData = $xml.Event.EventData.Data
86
                            $timelineEvent.EventType = "Successful Logon"
87
                            $timelineEvent.TargetUserName = ($eventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
88
                            $timelineEvent.LogonType = ($eventData | Where-Object {$_.Name -eq 'LogonType'}).'#text'
89
                            $timelineEvent.IpAddress = ($eventData | Where-Object {$_.Name -eq 'IpAddress'}).'#text'
90
                        }
91
                        4625 {  # Failed Logon
92
                            $xml = [xml]$event.ToXml()
93
                            $eventData = $xml.Event.EventData.Data
94
                            $timelineEvent.EventType = "Failed Logon"
95
                            $timelineEvent.TargetUserName = ($eventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
96
                            $timelineEvent.FailureReason = ($eventData | Where-Object {$_.Name -eq 'FailureReason'}).'#text'
97
                            $timelineEvent.IpAddress = ($eventData | Where-Object {$_.Name -eq 'IpAddress'}).'#text'
98
                        }
99
                        4698 {  # Scheduled Task Created
100
                            $xml = [xml]$event.ToXml()
101
                            $eventData = $xml.Event.EventData.Data
102
                            $timelineEvent.EventType = "Scheduled Task Created"
103
                            $timelineEvent.TaskName = ($eventData | Where-Object {$_.Name -eq 'TaskName'}).'#text'
104
                            $timelineEvent.SubjectUserName = ($eventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
105
                        }
106
                        7045 {  # Service Installation
107
                            $timelineEvent.EventType = "Service Installation"
108
                            if ($event.Message -match "Service Name:\s+([^\r\n]+)") {
109
                                $timelineEvent.ServiceName = $matches[1]
110
                            }
111
                            if ($event.Message -match "Service File Name:\s+([^\r\n]+)") {
112
                                $timelineEvent.ServicePath = $matches[1]
113
                            }
114
                        }
115
                        default {
116
                            $timelineEvent.EventType = "Other"
117
                        }
118
                    }
119

120
                    $timelineEvents += New-Object PSObject -Property $timelineEvent
121
                }
122
            }
123
        }
124
        catch {
125
            Write-Warning "Error processing log $logName`: $($_.Exception.Message)"
126
        }
127
    }
128

129
    return $timelineEvents | Sort-Object TimeCreated
130
}
131

132
# Function to correlate events and identify patterns
133
function Correlate-IncidentEvents {
134
    param(
135
        [array]$TimelineEvents,
136
        [int]$CorrelationWindowMinutes = 5
137
    )
138

139
    Write-Host "=== Correlating Incident Events ===" -ForegroundColor Yellow
140

141
    $correlatedEvents = @()
142
    $correlationWindow = New-TimeSpan -Minutes $CorrelationWindowMinutes
143

144
    # Group events by time windows
145
    $eventGroups = $TimelineEvents | Group-Object {
146
        [int]($_.TimeCreated.Ticks / $correlationWindow.Ticks)
147
    }
148

149
    foreach ($group in $eventGroups) {
150
        $groupEvents = $group.Group | Sort-Object TimeCreated
151
        $firstEvent = $groupEvents[0]
152
        $lastEvent = $groupEvents[-1]
153

154
        $correlation = @{
155
            TimeStart = $firstEvent.TimeCreated
156
            TimeEnd = $lastEvent.TimeCreated
157
            Duration = ($lastEvent.TimeCreated - $firstEvent.TimeCreated).TotalSeconds
158
            EventCount = $groupEvents.Count
159
            Events = $groupEvents
160
        }
161

162
        # Analyze patterns within the group
163
        $patterns = @()
164

165
        # Pattern 1: Process creation followed by network connection
166
        $processCreations = $groupEvents | Where-Object { $_.EventType -eq "Process Created" }
167
        $networkConnections = $groupEvents | Where-Object { $_.EventType -eq "Network Connection" }
168

169
        foreach ($proc in $processCreations) {
170
            $relatedConnections = $networkConnections | Where-Object {
171
                $_.Image -eq $proc.Image -and
172
                [Math]::Abs(($_.TimeCreated - $proc.TimeCreated).TotalSeconds) -lt 30
173
            }
174

175
            if ($relatedConnections) {
176
                $patterns += "Process-to-Network: $($proc.Image) -> $($relatedConnections[0].DestinationIp):$($relatedConnections[0].DestinationPort)"
177
            }
178
        }
179

180
        # Pattern 2: Failed logons followed by successful logon
181
        $failedLogons = $groupEvents | Where-Object { $_.EventType -eq "Failed Logon" }
182
        $successfulLogons = $groupEvents | Where-Object { $_.EventType -eq "Successful Logon" }
183

184
        if ($failedLogons -and $successfulLogons) {
185
            $patterns += "Brute Force Pattern: $($failedLogons.Count) failed attempts, then successful logon"
186
        }
187

188
        # Pattern 3: Service installation followed by process creation
189
        $serviceInstalls = $groupEvents | Where-Object { $_.EventType -eq "Service Installation" }
190
        if ($serviceInstalls -and $processCreations) {
191
            $patterns += "Service-to-Process: Service installation followed by process execution"
192
        }
193

194
        if ($patterns.Count -gt 0) {
195
            $correlation.Patterns = $patterns
196
            $correlation.RiskLevel = switch ($patterns.Count) {
197
                { $_ -ge 3 } { "High" }
198
                { $_ -eq 2 } { "Medium" }
199
                default { "Low" }
200
            }
201
        }
202

203
        $correlatedEvents += New-Object PSObject -Property $correlation
204
    }
205

206
    return $correlatedEvents | Sort-Object TimeStart
207
}
208

209
# Function to generate incident summary report
210
function Generate-IncidentSummary {
211
    param(
212
        [array]$TimelineEvents,
213
        [array]$CorrelatedEvents
214
    )
215

216
    Write-Host "=== Generating Incident Summary Report ===" -ForegroundColor Yellow
217

218
    $report = @{
219
        AnalysisTime = Get-Date
220
        TotalEvents = $TimelineEvents.Count
221
        TimeRange = @{
222
            Start = ($TimelineEvents | Sort-Object TimeCreated)[0].TimeCreated
223
            End = ($TimelineEvents | Sort-Object TimeCreated)[-1].TimeCreated
224
        }
225
        EventBreakdown = @{}
226
        HighRiskCorrelations = @()
227
        KeyFindings = @()
228
        Recommendations = @()
229
    }
230

231
    # Event breakdown by type
232
    $eventTypes = $TimelineEvents | Group-Object EventType
233
    foreach ($type in $eventTypes) {
234
        $report.EventBreakdown[$type.Name] = $type.Count
235
    }
236

237
    # High-risk correlations
238
    $report.HighRiskCorrelations = $CorrelatedEvents | Where-Object { $_.RiskLevel -eq "High" }
239

240
    # Key findings analysis
241
    $findings = @()
242

243
    # Check for potential malware execution
244
    $suspiciousProcesses = $TimelineEvents | Where-Object {
245
        $_.EventType -eq "Process Created" -and
246
        ($_.Image -match "temp|appdata|users.*desktop" -or
247
         $_.CommandLine -match "powershell.*-enc|-w hidden|-nop|-exec bypass")
248
    }
249

250
    if ($suspiciousProcesses) {
251
        $findings += "Suspicious process executions detected: $($suspiciousProcesses.Count) instances"
252
    }
253

254
    # Check for lateral movement
255
    $networkConnections = $TimelineEvents | Where-Object {
256
        $_.EventType -eq "Network Connection" -and
257
        $_.DestinationIp -match "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"
258
    }
259

260
    if ($networkConnections.Count -gt 10) {
261
        $findings += "High volume of internal network connections: $($networkConnections.Count) connections"
262
    }
263

264
    # Check for privilege escalation
265
    $privilegeEscalation = $TimelineEvents | Where-Object {
266
        $_.EventType -eq "Successful Logon" -and
267
        $_.TargetUserName -match "admin|root|system"
268
    }
269

270
    if ($privilegeEscalation) {
271
        $findings += "Privileged account logons detected: $($privilegeEscalation.Count) instances"
272
    }
273

274
    # Check for persistence mechanisms
275
    $persistence = $TimelineEvents | Where-Object {
276
        $_.EventType -in @("Scheduled Task Created", "Service Installation") -or
277
        ($_.Message -match "Run.*Registry" -and $_.EventID -eq 4657)
278
    }
279

280
    if ($persistence) {
281
        $findings += "Persistence mechanisms detected: $($persistence.Count) instances"
282
    }
283

284
    $report.KeyFindings = $findings
285

286
    # Generate recommendations
287
    $recommendations = @()
288

289
    if ($suspiciousProcesses) {
290
        $recommendations += "Immediately quarantine systems with suspicious process executions"
291
        $recommendations += "Perform full antimalware scan on affected systems"
292
    }
293

294
    if ($networkConnections.Count -gt 20) {
295
        $recommendations += "Review network segmentation and implement additional monitoring"
296
        $recommendations += "Consider network isolation for affected systems"
297
    }
298

299
    if ($privilegeEscalation) {
300
        $recommendations += "Reset passwords for all privileged accounts"
301
        $recommendations += "Review and audit privileged account usage"
302
    }
303

304
    if ($persistence) {
305
        $recommendations += "Review and validate all scheduled tasks and services"
306
        $recommendations += "Implement stricter controls on task/service creation"
307
    }
308

309
    $recommendations += "Continue monitoring for 48-72 hours post-incident"
310
    $recommendations += "Update detection rules based on observed TTPs"
311

312
    $report.Recommendations = $recommendations
313

314
    return $report
315
}
316

317
# Usage example
318
$incidentStart = Get-Date "2025-01-10 08:00:00"
319
$incidentEnd = Get-Date "2025-01-10 18:00:00"
320

321
Write-Host "Starting Comprehensive Incident Timeline Analysis..." -ForegroundColor Green
322

323
# Build timeline
324
$timeline = Build-IncidentTimeline -IncidentStart $incidentStart -IncidentEnd $incidentEnd
325

326
# Correlate events
327
$correlations = Correlate-IncidentEvents -TimelineEvents $timeline -CorrelationWindowMinutes 5
328

329
# Generate summary
330
$summary = Generate-IncidentSummary -TimelineEvents $timeline -CorrelatedEvents $correlations
331

332
# Display results
333
Write-Host "=== INCIDENT ANALYSIS SUMMARY ===" -ForegroundColor Yellow
334
Write-Host "Analysis Time: $($summary.AnalysisTime)" -ForegroundColor Cyan
335
Write-Host "Total Events Analyzed: $($summary.TotalEvents)" -ForegroundColor Cyan
336
Write-Host "Time Range: $($summary.TimeRange.Start) to $($summary.TimeRange.End)" -ForegroundColor Cyan
337

338
Write-Host "`n=== EVENT BREAKDOWN ===" -ForegroundColor Yellow
339
$summary.EventBreakdown.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
340
    Write-Host "$($_.Key): $($_.Value)" -ForegroundColor White
341
}
342

343
if ($summary.HighRiskCorrelations) {
344
    Write-Host "`n=== HIGH-RISK CORRELATIONS ===" -ForegroundColor Red
345
    foreach ($correlation in $summary.HighRiskCorrelations) {
346
        Write-Host "Time: $($correlation.TimeStart) - Duration: $($correlation.Duration)s - Events: $($correlation.EventCount)" -ForegroundColor White
347
        foreach ($pattern in $correlation.Patterns) {
348
            Write-Host "  - $pattern" -ForegroundColor Yellow
349
        }
350
    }
351
}
352

353
Write-Host "`n=== KEY FINDINGS ===" -ForegroundColor Yellow
354
foreach ($finding in $summary.KeyFindings) {
355
    Write-Host "• $finding" -ForegroundColor White
356
}
357

358
Write-Host "`n=== RECOMMENDATIONS ===" -ForegroundColor Cyan
359
foreach ($recommendation in $summary.Recommendations) {
360
    Write-Host "• $recommendation" -ForegroundColor White
361
}

Malware Analysis Queries#

File and Process Analysis#

1
# Malware-Analysis-Queries.ps1 - Advanced malware detection and analysis
2

3
# Function to analyze suspicious file activities
4
function Analyze-SuspiciousFileActivity {
5
    param(
6
        [datetime]$StartTime = (Get-Date).AddDays(-7),
7
        [datetime]$EndTime = (Get-Date),
8
        [string[]]$SuspiciousExtensions = @('.exe', '.bat', '.cmd', '.ps1', '.vbs', '.scr', '.com', '.pif'),
9
        [string[]]$SuspiciousPaths = @('temp', 'appdata', 'desktop', 'downloads', 'public')
10
    )
11

12
    Write-Host "=== Analyzing Suspicious File Activities ===" -ForegroundColor Yellow
13

14
    $suspiciousFiles = @()
15

16
    # Get Sysmon file creation events (Event ID 11)
17
    try {
18
        $fileEvents = Get-WinEvent -FilterHashtable @{
19
            LogName = 'Microsoft-Windows-Sysmon/Operational'
20
            ID = 11  # File created
21
            StartTime = $StartTime
22
            EndTime = $EndTime
23
        } -ErrorAction SilentlyContinue
24

25
        foreach ($event in $fileEvents) {
26
            $xml = [xml]$event.ToXml()
27
            $eventData = $xml.Event.EventData.Data
28

29
            $fileName = ($eventData | Where-Object {$_.Name -eq 'TargetFilename'}).'#text'
30
            $processName = ($eventData | Where-Object {$_.Name -eq 'Image'}).'#text'
31
            $processId = ($eventData | Where-Object {$_.Name -eq 'ProcessId'}).'#text'
32

33
            # Check for suspicious characteristics
34
            $riskFactors = @()
35

36
            # Check file extension
37
            foreach ($ext in $SuspiciousExtensions) {
38
                if ($fileName -like "*$ext") {
39
                    $riskFactors += "Executable file type: $ext"
40
                    break
41
                }
42
            }
43

44
            # Check file path
45
            foreach ($path in $SuspiciousPaths) {
46
                if ($fileName -match $path) {
47
                    $riskFactors += "Suspicious location: $path"
48
                    break
49
                }
50
            }
51

52
            # Check for temporary or random names
53
            if ($fileName -match "\\(tmp|temp|~)[a-fA-F0-9]{6,}") {
54
                $riskFactors += "Temporary/random filename"
55
            }
56

57
            # Check for common malware patterns
58
            if ($fileName -match "(svchost|winlogon|explorer|lsass)\.exe$" -and
59
                $fileName -notmatch "\\(system32|syswow64)\\") {
60
                $riskFactors += "System process name in non-system location"
61
            }
62

63
            # Check for double extensions
64
            if ($fileName -match "\.[a-zA-Z]{2,4}\.[a-zA-Z]{2,4}$") {
65
                $riskFactors += "Double file extension"
66
            }
67

68
            if ($riskFactors.Count -gt 0) {
69
                $fileAnalysis = @{
70
                    TimeCreated = $event.TimeCreated
71
                    FileName = $fileName
72
                    ProcessName = $processName
73
                    ProcessId = $processId
74
                    RiskFactors = $riskFactors
75
                    RiskLevel = if ($riskFactors.Count -gt 2) { "High" } elseif ($riskFactors.Count -gt 1) { "Medium" } else { "Low" }
76
                }
77

78
                $suspiciousFiles += New-Object PSObject -Property $fileAnalysis
79
            }
80
        }
81
    }
82
    catch {
83
        Write-Warning "Could not retrieve Sysmon file events: $($_.Exception.Message)"
84
    }
85

86
    return $suspiciousFiles | Sort-Object TimeCreated -Descending
87
}
88

89
# Function to analyze process injection techniques
90
function Analyze-ProcessInjection {
91
    param(
92
        [datetime]$StartTime = (Get-Date).AddDays(-7),
93
        [datetime]$EndTime = (Get-Date)
94
    )
95

96
    Write-Host "=== Analyzing Process Injection Techniques ===" -ForegroundColor Yellow
97

98
    $injectionEvents = @()
99

100
    # Get Sysmon process access events (Event ID 10)
101
    try {
102
        $processAccessEvents = Get-WinEvent -FilterHashtable @{
103
            LogName = 'Microsoft-Windows-Sysmon/Operational'
104
            ID = 10  # Process accessed
105
            StartTime = $StartTime
106
            EndTime = $EndTime
107
        } -ErrorAction SilentlyContinue
108

109
        foreach ($event in $processAccessEvents) {
110
            $xml = [xml]$event.ToXml()
111
            $eventData = $xml.Event.EventData.Data
112

113
            $sourceImage = ($eventData | Where-Object {$_.Name -eq 'SourceImage'}).'#text'
114
            $targetImage = ($eventData | Where-Object {$_.Name -eq 'TargetImage'}).'#text'
115
            $grantedAccess = ($eventData | Where-Object {$_.Name -eq 'GrantedAccess'}).'#text'
116
            $callTrace = ($eventData | Where-Object {$_.Name -eq 'CallTrace'}).'#text'
117

118
            # Check for suspicious access patterns
119
            $suspiciousAccess = @(
120
                '0x1010',   # PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION
121
                '0x1410',   # PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
122
                '0x143a',   # Multiple access rights including VM_WRITE
123
                '0x1f0fff', # PROCESS_ALL_ACCESS
124
                '0x1f1fff', # PROCESS_ALL_ACCESS
125
                '0x1f2fff', # PROCESS_ALL_ACCESS
126
                '0x1f3fff'  # PROCESS_ALL_ACCESS
127
            )
128

129
            if ($grantedAccess -in $suspiciousAccess) {
130
                $injectionAnalysis = @{
131
                    TimeCreated = $event.TimeCreated
132
                    SourceImage = $sourceImage
133
                    TargetImage = $targetImage
134
                    GrantedAccess = $grantedAccess
135
                    CallTrace = $callTrace
136
                    InjectionTechnique = "Unknown"
137
                    Severity = "Medium"
138
                }
139

140
                # Identify specific injection techniques
141
                if ($callTrace -match "ntdll\.dll.*VirtualAllocEx") {
142
                    $injectionAnalysis.InjectionTechnique = "VirtualAllocEx Injection"
143
                    $injectionAnalysis.Severity = "High"
144
                } elseif ($callTrace -match "ntdll\.dll.*WriteProcessMemory") {
145
                    $injectionAnalysis.InjectionTechnique = "WriteProcessMemory Injection"
146
                    $injectionAnalysis.Severity = "High"
147
                } elseif ($callTrace -match "ntdll\.dll.*CreateRemoteThread") {
148
                    $injectionAnalysis.InjectionTechnique = "CreateRemoteThread Injection"
149
                    $injectionAnalysis.Severity = "High"
150
                } elseif ($callTrace -match "kernel32\.dll.*SetThreadContext") {
151
                    $injectionAnalysis.InjectionTechnique = "Thread Context Hijacking"
152
                    $injectionAnalysis.Severity = "Critical"
153
                } elseif ($grantedAccess -eq '0x1010' -and $targetImage -match "(lsass|csrss|winlogon)\.exe") {
154
                    $injectionAnalysis.InjectionTechnique = "Potential Credential Dumping"
155
                    $injectionAnalysis.Severity = "Critical"
156
                }
157

158
                $injectionEvents += New-Object PSObject -Property $injectionAnalysis
159
            }
160
        }
161
    }
162
    catch {
163
        Write-Warning "Could not retrieve Sysmon process access events: $($_.Exception.Message)"
164
    }
165

166
    # Get Sysmon CreateRemoteThread events (Event ID 8)
167
    try {
168
        $remoteThreadEvents = Get-WinEvent -FilterHashtable @{
169
            LogName = 'Microsoft-Windows-Sysmon/Operational'
170
            ID = 8  # CreateRemoteThread
171
            StartTime = $StartTime
172
            EndTime = $EndTime
173
        } -ErrorAction SilentlyContinue
174

175
        foreach ($event in $remoteThreadEvents) {
176
            $xml = [xml]$event.ToXml()
177
            $eventData = $xml.Event.EventData.Data
178

179
            $sourceImage = ($eventData | Where-Object {$_.Name -eq 'SourceImage'}).'#text'
180
            $targetImage = ($eventData | Where-Object {$_.Name -eq 'TargetImage'}).'#text'
181
            $startAddress = ($eventData | Where-Object {$_.Name -eq 'StartAddress'}).'#text'
182
            $startModule = ($eventData | Where-Object {$_.Name -eq 'StartModule'}).'#text'
183
            $startFunction = ($eventData | Where-Object {$_.Name -eq 'StartFunction'}).'#text'
184

185
            $remoteThreadAnalysis = @{
186
                TimeCreated = $event.TimeCreated
187
                SourceImage = $sourceImage
188
                TargetImage = $targetImage
189
                StartAddress = $startAddress
190
                StartModule = $startModule
191
                StartFunction = $startFunction
192
                InjectionTechnique = "CreateRemoteThread"
193
                Severity = "High"
194
            }
195

196
            # Check for specific malicious patterns
197
            if ($startModule -eq "ntdll.dll" -and $startFunction -match "Ldr.*LoadDll") {
198
                $remoteThreadAnalysis.InjectionTechnique = "Manual DLL Loading"
199
                $remoteThreadAnalysis.Severity = "Critical"
200
            } elseif ($startAddress -match "^0x[0-9a-fA-F]{16}$" -and $startModule -eq "") {
201
                $remoteThreadAnalysis.InjectionTechnique = "Reflective DLL Injection"
202
                $remoteThreadAnalysis.Severity = "Critical"
203
            }
204

205
            $injectionEvents += New-Object PSObject -Property $remoteThreadAnalysis
206
        }
207
    }
208
    catch {
209
        Write-Warning "Could not retrieve Sysmon CreateRemoteThread events: $($_.Exception.Message)"
210
    }
211

212
    return $injectionEvents | Sort-Object TimeCreated -Descending
213
}
214

215
# Function to analyze image/DLL loading patterns
216
function Analyze-ImageLoading {
217
    param(
218
        [datetime]$StartTime = (Get-Date).AddDays(-7),
219
        [datetime]$EndTime = (Get-Date)
220
    )
221

222
    Write-Host "=== Analyzing Suspicious Image/DLL Loading ===" -ForegroundColor Yellow
223

224
    $suspiciousLoads = @()
225

226
    # Get Sysmon image load events (Event ID 7)
227
    try {
228
        $imageLoadEvents = Get-WinEvent -FilterHashtable @{
229
            LogName = 'Microsoft-Windows-Sysmon/Operational'
230
            ID = 7  # Image loaded
231
            StartTime = $StartTime
232
            EndTime = $EndTime
233
        } -ErrorAction SilentlyContinue
234

235
        foreach ($event in $imageLoadEvents) {
236
            $xml = [xml]$event.ToXml()
237
            $eventData = $xml.Event.EventData.Data
238

239
            $processName = ($eventData | Where-Object {$_.Name -eq 'Image'}).'#text'
240
            $imageLoaded = ($eventData | Where-Object {$_.Name -eq 'ImageLoaded'}).'#text'
241
            $signed = ($eventData | Where-Object {$_.Name -eq 'Signed'}).'#text'
242
            $signature = ($eventData | Where-Object {$_.Name -eq 'Signature'}).'#text'
243
            $signatureStatus = ($eventData | Where-Object {$_.Name -eq 'SignatureStatus'}).'#text'
244

245
            $riskFactors = @()
246

247
            # Check for unsigned or invalid signatures
248
            if ($signed -eq 'false' -or $signatureStatus -ne 'Valid') {
249
                $riskFactors += "Unsigned or invalid signature"
250
            }
251

252
            # Check for loading from suspicious locations
253
            $suspiciousImagePaths = @('temp', 'appdata', 'programdata', 'users.*desktop', 'downloads')
254
            foreach ($path in $suspiciousImagePaths) {
255
                if ($imageLoaded -match $path) {
256
                    $riskFactors += "Suspicious load location: $path"
257
                    break
258
                }
259
            }
260

261
            # Check for known malicious DLLs
262
            $maliciousDLLNames = @(
263
                'payload\.dll', 'shell\.dll', 'backdoor\.dll', 'rat\.dll',
264
                'inject\.dll', 'hook\.dll', 'keylog\.dll'
265
            )
266
            foreach ($dllName in $maliciousDLLNames) {
267
                if ($imageLoaded -match $dllName) {
268
                    $riskFactors += "Suspicious DLL name: $dllName"
269
                    break
270
                }
271
            }
272

273
            # Check for reflective DLL loading (no file on disk)
274
            if ($imageLoaded -match "^0x[0-9a-fA-F]{16}$") {
275
                $riskFactors += "Reflective DLL loading"
276
            }
277

278
            # Check for hollowing indicators
279
            if ($processName -match "(svchost|explorer|winlogon)\.exe" -and
280
                $imageLoaded -notmatch "\\(system32|syswow64|program files)" -and
281
                $signed -eq 'false') {
282
                $riskFactors += "Possible process hollowing"
283
            }
284

285
            if ($riskFactors.Count -gt 0) {
286
                $loadAnalysis = @{
287
                    TimeCreated = $event.TimeCreated
288
                    ProcessName = $processName
289
                    ImageLoaded = $imageLoaded
290
                    Signed = $signed
291
                    Signature = $signature
292
                    SignatureStatus = $signatureStatus
293
                    RiskFactors = $riskFactors
294
                    RiskLevel = if ($riskFactors.Count -gt 2) { "High" } elseif ($riskFactors.Count -gt 1) { "Medium" } else { "Low" }
295
                }
296

297
                $suspiciousLoads += New-Object PSObject -Property $loadAnalysis
298
            }
299
        }
300
    }
301
    catch {
302
        Write-Warning "Could not retrieve Sysmon image load events: $($_.Exception.Message)"
303
    }
304

305
    return $suspiciousLoads | Sort-Object TimeCreated -Descending
306
}
307

308
# Function to analyze registry modifications for malware persistence
309
function Analyze-MalwarePersistence {
310
    param(
311
        [datetime]$StartTime = (Get-Date).AddDays(-7),
312
        [datetime]$EndTime = (Get-Date)
313
    )
314

315
    Write-Host "=== Analyzing Malware Persistence Mechanisms ===" -ForegroundColor Yellow
316

317
    $persistenceEvents = @()
318

319
    # Get Sysmon registry events (Event ID 13)
320
    try {
321
        $registryEvents = Get-WinEvent -FilterHashtable @{
322
            LogName = 'Microsoft-Windows-Sysmon/Operational'
323
            ID = 13  # Registry value set
324
            StartTime = $StartTime
325
            EndTime = $EndTime
326
        } -ErrorAction SilentlyContinue
327

328
        # Define persistence registry keys
329
        $persistenceKeys = @(
330
            'HKLM.*\\Run',
331
            'HKLM.*\\RunOnce',
332
            'HKCU.*\\Run',
333
            'HKCU.*\\RunOnce',
334
            'HKLM.*\\Winlogon\\Shell',
335
            'HKLM.*\\Winlogon\\Userinit',
336
            'HKLM.*\\Image File Execution Options',
337
            'HKLM.*\\CurrentVersion\\Windows\\Load',
338
            'HKLM.*\\CurrentVersion\\Windows\\Run',
339
            'HKLM.*\\Services\\.*\\ImagePath',
340
            'HKLM.*\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs'
341
        )
342

343
        foreach ($event in $registryEvents) {
344
            $xml = [xml]$event.ToXml()
345
            $eventData = $xml.Event.EventData.Data
346

347
            $targetObject = ($eventData | Where-Object {$_.Name -eq 'TargetObject'}).'#text'
348
            $details = ($eventData | Where-Object {$_.Name -eq 'Details'}).'#text'
349
            $processName = ($eventData | Where-Object {$_.Name -eq 'Image'}).'#text'
350

351
            foreach ($key in $persistenceKeys) {
352
                if ($targetObject -match $key) {
353
                    $persistenceType = switch -Regex ($targetObject) {
354
                        'Run.*' { "Autorun Registry" }
355
                        'Winlogon' { "Winlogon Persistence" }
356
                        'Image File Execution Options' { "IFEO Persistence" }
357
                        'Services' { "Service Persistence" }
358
                        'AppInit_DLLs' { "AppInit DLL Persistence" }
359
                        default { "Unknown Persistence" }
360
                    }
361

362
                    $riskFactors = @()
363

364
                    # Check for suspicious values
365
                    if ($details -match '(temp|appdata|programdata).*\.(exe|bat|cmd|ps1)') {
366
                        $riskFactors += "Suspicious file location in persistence value"
367
                    }
368

369
                    if ($details -match '(powershell|cmd).*-enc|-w hidden|-nop|-exec bypass') {
370
                        $riskFactors += "Suspicious PowerShell/command line arguments"
371
                    }
372

373
                    if ($details -match 'rundll32.*,.*#[0-9]+') {
374
                        $riskFactors += "Suspicious rundll32 usage"
375
                    }
376

377
                    $persistenceAnalysis = @{
378
                        TimeCreated = $event.TimeCreated
379
                        ProcessName = $processName
380
                        TargetObject = $targetObject
381
                        Details = $details
382
                        PersistenceType = $persistenceType
383
                        RiskFactors = $riskFactors
384
                        RiskLevel = if ($riskFactors.Count -gt 1) { "High" } elseif ($riskFactors.Count -eq 1) { "Medium" } else { "Low" }
385
                    }
386

387
                    $persistenceEvents += New-Object PSObject -Property $persistenceAnalysis
388
                    break
389
                }
390
            }
391
        }
392
    }
393
    catch {
394
        Write-Warning "Could not retrieve Sysmon registry events: $($_.Exception.Message)"
395
    }
396

397
    return $persistenceEvents | Sort-Object TimeCreated -Descending
398
}
399

400
# Main execution
401
Write-Host "Starting Comprehensive Malware Analysis..." -ForegroundColor Green
402

403
# Analyze suspicious files
404
$suspiciousFiles = Analyze-SuspiciousFileActivity -StartTime (Get-Date).AddDays(-7)
405
$highRiskFiles = $suspiciousFiles | Where-Object { $_.RiskLevel -eq "High" }
406

407
if ($highRiskFiles) {
408
    Write-Host "=== HIGH-RISK FILE ACTIVITIES ===" -ForegroundColor Red
409
    $highRiskFiles | Select-Object TimeCreated, FileName, ProcessName, RiskFactors |
410
        Sort-Object TimeCreated -Descending | Format-Table -AutoSize
411
}
412

413
# Analyze process injection
414
$injectionEvents = Analyze-ProcessInjection -StartTime (Get-Date).AddDays(-7)
415
$criticalInjections = $injectionEvents | Where-Object { $_.Severity -eq "Critical" }
416

417
if ($criticalInjections) {
418
    Write-Host "=== CRITICAL PROCESS INJECTION EVENTS ===" -ForegroundColor Red
419
    $criticalInjections | Select-Object TimeCreated, SourceImage, TargetImage, InjectionTechnique |
420
        Sort-Object TimeCreated -Descending | Format-Table -AutoSize
421
}
422

423
# Analyze image loading
424
$suspiciousLoads = Analyze-ImageLoading -StartTime (Get-Date).AddDays(-7)
425
$highRiskLoads = $suspiciousLoads | Where-Object { $_.RiskLevel -eq "High" }
426

427
if ($highRiskLoads) {
428
    Write-Host "=== HIGH-RISK IMAGE LOADING ===" -ForegroundColor Red
429
    $highRiskLoads | Select-Object TimeCreated, ProcessName, ImageLoaded, RiskFactors |
430
        Sort-Object TimeCreated -Descending | Format-Table -AutoSize
431
}
432

433
# Analyze persistence mechanisms
434
$persistenceEvents = Analyze-MalwarePersistence -StartTime (Get-Date).AddDays(-7)
435
$highRiskPersistence = $persistenceEvents | Where-Object { $_.RiskLevel -eq "High" }
436

437
if ($highRiskPersistence) {
438
    Write-Host "=== HIGH-RISK PERSISTENCE MECHANISMS ===" -ForegroundColor Red
439
    $highRiskPersistence | Select-Object TimeCreated, PersistenceType, TargetObject, RiskFactors |
440
        Sort-Object TimeCreated -Descending | Format-Table -AutoSize
441
}
442

443
# Generate summary statistics
444
Write-Host "=== MALWARE ANALYSIS SUMMARY ===" -ForegroundColor Yellow
445
Write-Host "Suspicious Files: $($suspiciousFiles.Count) (High Risk: $($highRiskFiles.Count))" -ForegroundColor Cyan
446
Write-Host "Injection Events: $($injectionEvents.Count) (Critical: $($criticalInjections.Count))" -ForegroundColor Cyan
447
Write-Host "Suspicious Loads: $($suspiciousLoads.Count) (High Risk: $($highRiskLoads.Count))" -ForegroundColor Cyan
448
Write-Host "Persistence Events: $($persistenceEvents.Count) (High Risk: $($highRiskPersistence.Count))" -ForegroundColor Cyan

Best Practices and Recommendations#

Query Optimization and Performance#

Time Range Optimization
- Use specific time ranges to reduce query load
- Implement sliding window analysis for real-time monitoring
- Archive old logs to maintain performance
Event Filtering
- Use targeted event IDs to reduce noise
- Implement whitelist filtering for known-good activities
- Correlate multiple event sources for better context
Resource Management
- Monitor system performance during query execution
- Implement query result caching for repeated analyses
- Use background jobs for long-running queries

Incident Response Integration#

Automated Analysis
- Create scheduled tasks for regular threat hunting
- Implement alerting for high-risk findings
- Integrate with SIEM platforms for centralized analysis
Documentation Standards
- Maintain query libraries for common scenarios
- Document findings with timestamps and evidence
- Create playbooks for different incident types
Team Collaboration
- Share query results in standardized formats
- Maintain centralized knowledge base
- Conduct regular training on query techniques

Conclusion#

Network unisolation queries provide powerful capabilities for incident response and forensic analysis. This guide demonstrates:

Comprehensive Analysis: Multi-layered approach to network forensics
Advanced Detection: Sophisticated threat hunting methodologies
Timeline Reconstruction: Detailed incident analysis capabilities
Malware Detection: Advanced techniques for identifying malicious activities
Correlation Analysis: Pattern recognition and event correlation

Key benefits of these query approaches:

Deep Visibility: Comprehensive view of network and system activities
Threat Detection: Advanced capabilities for identifying sophisticated attacks
Incident Response: Structured approach to investigation and analysis
Evidence Collection: Detailed forensic evidence for legal proceedings
Continuous Improvement: Iterative enhancement of detection capabilities

By implementing these query techniques, security teams can significantly improve their incident response capabilities and enhance their overall security posture through proactive threat hunting and comprehensive forensic analysis.

These queries should be tested in lab environments before production use and regularly updated based on emerging threats and attack techniques.