Security Incident Response: Faster and Safer with PowerShell -J. Greg Mackinnon | Windows Technical Lead Windows Services | Information Technology Services Yale University

Security Incident! Security Incident! How to probe compromised systems securely? Remoting protocols like WMI and WinRM, when used with Kerberos Auth, avoids hazards of credential harvesting. How can we discover the extent of the compromise? Traditional forensic techniques involve cloning of machines. Slow!!! WinRM is faster than WMI, and easier to access though firewalls. For the win... The code is Github Enterprise, and shared with the ISO They can pull it down on their own “walled garden” systems. They can modify the code: (add scanning modules, or update regex strings in existing modules.) An early use case... We won’t get into the code here, but a link to a fork project called “Spool-FTLDrive” can be found in the footnotes. DevOps tools like “Ansible” enable rapid data collection over WinRM …but Ansible gets mixed results on the Windows platform. PowerShell remoting can be fast, too… it’s a “simple matter of programming”. Supports multi-threading in the form of “Jobs”

Start-FTLDrive Inspired by Ansible: Faster-than-Light! (Props to “Battlestar” for the PowerShell-friendly name) Rides on WinRM, PowerShell remoting, and PS Jobs Modules are just PowerShell: No C#, YAML, or T-SQL required. Most modules configured to run against PowerShell 2.0 or later (ability to scan legacy Server 2003 hosts from modern systems) Features: Queue management function Modular action scripts Dead-host detection Discovery running against 800 hosts can complete in about 15 minutes (Previous single-threaded processing took in excess of 8 hours.)

Where Can I Get It? How Can I Help? https://github.com/jgregmac/Start-FTLDrive