
IOCScanner

    IOCScanner
    PowerShell Incident Response Framework 
    Eslam Elkobia | eng.baher@hotmail.com
    v0.1 - January 2017

[About IOCScanner]

IOCScanner searches remote Windows hosts over PowerShell Remoting for a pre-defined list of IOCs, identifies compromised machines, generates an HTML report with the IOC details for each remote host, and can quarantine compromised hosts if required.

[How to use]

1. Prepare a text file that lists the hosts to be scanned, one host per line

2. Populate the IOCs.csv file with the IOCs, each IOC type in its own column

3. Enable PSRemoting on all remote hosts using one of the following options

A- Run Enable-PSRemoting on each host with PsExec (-h runs it with the elevated token, -d returns without waiting for the remote process to finish):

PS C:\> PsExec.exe \\192.168.0.10 -u [admin account] -p [password] -h -d powershell.exe "Enable-PSRemoting -Force"

Download PsExec from https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Repeat the command for each remote host, or use a script to automate it.

B- Deploy Enable-PSRemoting as a PowerShell start-up script (for example through Group Policy). This needs no per-host action, but you have to wait until every host has picked up the next update.

4. Run IOCScanner

PS .\IOCScanner.ps1 -targets servers.txt -IOCList iocs.csv -UserName DomainName\UserName -Password password123 -Block

PS Get-Help .\IOCScanner.ps1 -Examples

Note that -Password takes the password in plain text on the command line, so it ends up in the PowerShell command history and is visible to anyone who can read the process command line while the scan runs. Run the scan from a dedicated admin session and clear the history afterwards.
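Step 3A says to script the PsExec roll-out rather than repeating it by hand. The snippet below is an added example written for this README and is not part of IOCScanner. It reads the same one-host-per-line servers.txt from step 1, runs Enable-PSRemoting on each host through PsExec, checks that WinRM actually answers with Test-WSMan, and writes only the responding hosts to servers-ready.txt (a file name chosen for this example) so that IOCScanner is not pointed at hosts it cannot reach. It assumes PsExec.exe is on the PATH and that the supplied account has local admin rights on every host.

```powershell
# Added example (not IOCScanner code): bulk-enable PSRemoting with PsExec and
# verify WinRM before scanning. Assumes PsExec.exe is on the PATH.
param(
    [string]$HostList = '.\servers.txt',
    [string]$ReadyList = '.\servers-ready.txt',
    # Prompting for a credential keeps the password out of the command history;
    # PsExec still receives it on its own command line via -p.
    [Parameter(Mandatory)][pscredential]$Credential
)

$hosts = Get-Content $HostList | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
$user  = $Credential.UserName
$pass  = $Credential.GetNetworkCredential().Password

$results = foreach ($h in $hosts) {
    # -h: run with the elevated token. -d is deliberately omitted here so that
    # PsExec waits and $LASTEXITCODE is the exit code of the remote powershell.exe.
    & PsExec.exe "\\$h" -u $user -p $pass -h powershell.exe "Enable-PSRemoting -Force" 2>$null
    $exit = $LASTEXITCODE

    # Confirm the WinRM listener answers; Test-WSMan throws if it does not.
    $winrmOk = $false
    try {
        Test-WSMan -ComputerName $h -ErrorAction Stop | Out-Null
        $winrmOk = $true
    } catch {
        Write-Warning "WinRM not reachable on $h : $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Host       = $h
        PsExecExit = $exit
        WinRMReady = $winrmOk
    }
}

$results | Format-Table -AutoSize

# Hand only the hosts that really answer on WinRM to IOCScanner (-targets).
$results | Where-Object WinRMReady | Select-Object -ExpandProperty Host | Set-Content $ReadyList
```

Run it as `.\Enable-Remoting.ps1 -Credential (Get-Credential)` and then pass `servers-ready.txt` to IOCScanner's -targets parameter. The WinRM check matters because a PsExec exit code of 0 only tells you Enable-PSRemoting ran; a host firewall that blocks TCP 5985 will still make the later Invoke-Command fail.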

[Parameters]

 -target   :  a txt file listing the remote hosts to scan for IOCs, one host per line
 -IOCList  :  CSV list of IOCs in a specific format; use the template provided
 -UserName :  Domain account with local admin privileges on all remote hosts
 -Password :  Domain account password
 -Block    :  Quarantine the compromised hosts

[Report]

An HTML report is generated automatically in the report folder. It lists the IOCs found on each remote host and includes a statistics dashboard.

[License]

Copyright 2017, Eslam Elkobia, CyberInsight360.com

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.