├── Hosts.txt
├── Recon
│   ├── _Read_Me_1st.txt
│   ├── Recon_List_of_MAC_OS_Versions.ps1
│   ├── Recon_List_of_WS_OS_Versions.ps1
│   └── Recon-Ping_Alive.ps1
├── Modules
│   ├── LOG-MD-Tasks
│   │   ├── _Read_Me_1st_LOG-MD-Tasks.txt
│   │   ├── Get-Log-MD-Free_Task_z_Cleanup_All.ps1
│   │   ├── Get-Log-MD_Task_Logs_Daily.ps1
│   │   ├── Get-Log-MD_Task_AutoRuns_Hourly.ps1
│   │   ├── Get-Log-MD_Task_Running_Processes_Hourly.ps1
│   │   └── Get-Log-MD_Task_Large_Keys_Daily.ps1
│   ├── Kansa_Legacy
│   │   ├── _Read_Me_1st_Legacy_Kansa.txt
│   │   ├── Net
│   │   │   ├── Get-DNS-Cache.ps1
│   │   │   ├── Get-Arp.ps1
│   │   │   ├── Get-Net-IP-Interface.ps1
│   │   │   └── Get-Netstat.ps1
│   │   ├── Config
│   │   │   ├── Get-Hotfix_Patches.ps1
│   │   │   ├── Get-Local_Accounts.ps1
│   │   │   ├── Get-Local_Admin_Accounts.ps1
│   │   │   ├── Get-Anti-MW-HealthStatus.ps1
│   │   │   └── Get-Anti-MW-InfectionStatus.ps1
│   │   ├── Log
│   │   │   ├── Get-CBS_Log.ps1
│   │   │   └── Get-AppCompatCache.ps1
│   │   └── Disk
│   │       └── Get-Temp_Dir_Listing.ps1
│   ├── Cleanup
│   │   ├── _Read_Me_1st_Cleanup.txt
│   │   └── Get-Delete_ARTHIR_Folders.ps1
│   ├── Info
│   │   ├── _Read_Me_1st_Info.txt
│   │   ├── Get-OS_Version_Details.ps1
│   │   └── Get-PS_Version_Logging_Details.ps1
│   ├── bin
│   │   └── _Read_Me_1st_Configs.txt
│   ├── Templates
│   │   ├── _Read_Me_1st_Templates.txt
│   │   ├── Get-Script-Template.ps1
│   │   ├── Get-Zip-Template.ps1
│   │   ├── Get-Binary-Template.ps1
│   │   ├── Get-Task-Template-Daily.ps1
│   │   └── Get-Task-Template-Hourly.ps1
│   ├── LOG-MD
│   │   ├── _READ_Me_1st_LOG-MD.txt
│   │   ├── Get-Log-MD_z_Cleanup_Reports.ps1
│   │   ├── Get-Log-MD_z_Cleanup_All.ps1
│   │   ├── Get-LOG-MD_1_Configs.ps1
│   │   ├── Get-LOG-MD_3_Configs_Hash.ps1
│   │   ├── Get-LOG-MD_2_Configs_Registry.ps1
│   │   ├── Get-Log-MD_Logs_3_Days.ps1
│   │   ├── Get-Log-MD_Logs_4_Days.ps1
│   │   ├── Get-Log-MD_Logs_5_Days.ps1
│   │   ├── Get-Log-MD_Logs_6_Days.ps1
│   │   ├── Get-Log-MD_Logs_7_Days.ps1
│   │   ├── Get-Log-MD_Logs_1_Day.ps1
│   │   ├── Get-Log-MD_Logs_2_Days.ps1
│   │   ├── Get-Log-MD_Running_Processes.ps1
│   │   ├── Get-Log-MD_Settings.ps1
│   │   ├── Get-Log-MD_Reg_Large_Keys.ps1
│   │   ├── Get-Log-MD_AutoRuns.ps1
│   │   └── Get-Log-MD_Settings_Audit.ps1
│   └── Sysinternals
│       ├── Get-SigCheck64.ps1
│       └── Get-Handle64.ps1
├── Documentation
│   ├── Configuring WinRM_Guide v1.pdf
│   └── _README_1st_Documentation.txt
├── ATT&CK
│   ├── Windows Attack Matrix_Template_Example.xlsx
│   ├── Windows_LOG-MD_ATT&CK_Cheat_Sheet_ver_Sept_2018.pdf
│   └── Windows ATT&CK_Logging Cheat Sheet_ver_Sept_2018.pdf
├── Known_3rd_Party_Modules
│   ├── 3rd_Party_Providers_of_Modules.txt
│   ├── LOG-MD-Free-Edition.txt
│   └── LOG-MD-Professional.txt
├── z_Credits.txt
└── README.md

/Hosts.txt:
--------------------------------------------------------------------------------
ALICE-LT
BOBS-PC
SERVER
--------------------------------------------------------------------------------
/Recon/_Read_Me_1st.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MalwareArchaeology/ARTHIR/HEAD/Recon/_Read_Me_1st.txt
--------------------------------------------------------------------------------
/Modules/LOG-MD-Tasks/_Read_Me_1st_LOG-MD-Tasks.txt:
--------------------------------------------------------------------------------
These are tasks used to create LOG-MD Scheduled Tasks on a remote system.
--------------------------------------------------------------------------------
/Documentation/Configuring WinRM_Guide v1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MalwareArchaeology/ARTHIR/HEAD/Documentation/Configuring WinRM_Guide v1.pdf
--------------------------------------------------------------------------------
/ATT&CK/Windows Attack Matrix_Template_Example.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MalwareArchaeology/ARTHIR/HEAD/ATT&CK/Windows Attack Matrix_Template_Example.xlsx
--------------------------------------------------------------------------------
/ATT&CK/Windows_LOG-MD_ATT&CK_Cheat_Sheet_ver_Sept_2018.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MalwareArchaeology/ARTHIR/HEAD/ATT&CK/Windows_LOG-MD_ATT&CK_Cheat_Sheet_ver_Sept_2018.pdf
--------------------------------------------------------------------------------
/ATT&CK/Windows ATT&CK_Logging Cheat Sheet_ver_Sept_2018.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MalwareArchaeology/ARTHIR/HEAD/ATT&CK/Windows ATT&CK_Logging Cheat Sheet_ver_Sept_2018.pdf
--------------------------------------------------------------------------------
/Known_3rd_Party_Modules/3rd_Party_Providers_of_Modules.txt:
--------------------------------------------------------------------------------
This folder contains known modules from 3rd party tools that have created ARTHIR modules.

Each file will contain information on where to get the modules.
--------------------------------------------------------------------------------
/Recon/Recon_List_of_MAC_OS_Versions.ps1:
--------------------------------------------------------------------------------
# Requires the ActiveDirectory module (RSAT). Lists AD computer objects whose OperatingSystem
# attribute contains "MAC". LastLogonTimestamp is exported as the raw FILETIME value stored in AD.
Get-ADComputer -Filter { OperatingSystem -Like '*MAC*' } -Properties OperatingSystem, LastLogonTimestamp |
    Select-Object Name, OperatingSystem, LastLogonTimestamp |
    Export-Csv -Path "MAC_Systems.csv"
--------------------------------------------------------------------------------
/Modules/Kansa_Legacy/_Read_Me_1st_Legacy_Kansa.txt:
--------------------------------------------------------------------------------
This is where converted Kansa modules will reside.

Just create the same structure as Kansa used and add your converted modules.

This is used to designate older converted Kansa modules.
- \Kansa_Legacy\
--------------------------------------------------------------------------------
/Recon/Recon_List_of_WS_OS_Versions.ps1:
--------------------------------------------------------------------------------
# Requires the ActiveDirectory module (RSAT). Lists AD computer objects whose OperatingSystem
# attribute contains "WINDOWS"; LastLogonTimestamp is converted from FILETIME to a DateTime.
Get-ADComputer -Filter { OperatingSystem -Like '*WINDOWS*' } -Properties OperatingSystem, LastLogonTimestamp |
    Select-Object Name, OperatingSystem, @{N='LastLogonTimestamp'; E={[DateTime]::FromFileTime($_.LastLogonTimestamp)}} |
    Export-Csv -Path "Win_Systems.csv"
--------------------------------------------------------------------------------
/Modules/Cleanup/_Read_Me_1st_Cleanup.txt:
--------------------------------------------------------------------------------
This cleanup file is designed for script based modules stored in a directory named:
- \ARTHIR

Generally data scripts could be stored separate from your binary modules, as they can
be maintained and deleted differently than your binary jobs.
--------------------------------------------------------------------------------
/Modules/Info/_Read_Me_1st_Info.txt:
--------------------------------------------------------------------------------
These modules are designed to collect information from a system such as:
- Operating System
- Versions of software

Generally nothing remains on the system after the module is run using the cleanup module:
- Get-Delete_ARTHIR_Folders.ps1
--------------------------------------------------------------------------------
/z_Credits.txt:
--------------------------------------------------------------------------------
Shout outs to those that helped with this project:
--------------------------------------------------

Michael Gough - @Hacker Hurricane - Malware Archaeology & IMF Security
Olaf Hartong - @OlafHartong
Josh Rickard - @MSAdministrator of http://letsautomate.it

Want to contribute?

Send us an email - info@IMFSecurity.com
--------------------------------------------------------------------------------
/Modules/bin/_Read_Me_1st_Configs.txt:
--------------------------------------------------------------------------------
This folder is where you store any binaries and/or Zip files that you want to push to the remote system(s).
Use the -Pushbin option when using binaries that will be pushed from this directory.

LOG-MD is available at:
- www.LOG-MD.com

Sysinternals tools are available at:
- https://docs.microsoft.com/en-us/sysinternals/

##############################################################################################################
--------------------------------------------------------------------------------
/Modules/Templates/_Read_Me_1st_Templates.txt:
--------------------------------------------------------------------------------
Use these templates to create NEW ARTHIR modules or convert older Kansa modules.

The following templates are provided:
- Get-Binary-Template.ps1        Used to create a module that uses a binary utility or tool
- Get-Script-Template.ps1        Used to create a module that uses a script like the older Kansa modules
- Get-Task-Template-Daily.ps1    Used to create a module that creates a Daily Scheduled Task on the system
- Get-Task-Template-Hourly.ps1   Used to create a module that creates an Hourly Scheduled Task on the system
- Get-Zip-Template.ps1           Used to create a module that unzips a file on the system
--------------------------------------------------------------------------------
/Modules/LOG-MD/_READ_Me_1st_LOG-MD.txt:
--------------------------------------------------------------------------------
These are the LOG-MD Free Edition modules for ARTHIR.

They are broken down into one module per feature of LOG-MD. Since ARTHIR runs modules
from the modules.conf file, you can just select all the features you want and run
as many or as few as needed.

ARTHIR prints a TIME STARTED and TIME COMPLETED in the console output so you can determine
which modules take the longest. The general rule of thumb is the longer a module takes,
the lower in the modules.conf it should be placed.

Each LOG-MD module lists the MITRE ATT&CK Techniques that it covers. Some are grouped into
a special Technique Group ID to combine many Technique IDs into one grouping ID for ease of
recording.
--------------------------------------------------------------------------------
/Known_3rd_Party_Modules/LOG-MD-Free-Edition.txt:
--------------------------------------------------------------------------------
LOG-MD Free Edition ARTHIR modules
Updated - March 2019

Function: LOG-MD is a Log Harvesting, Threat Hunting, and Incident Response tool.

Website: LOG-MD.com

How to get modules: Modules are available with ARTHIR and at LOG-MD.com\arthir

Tool: LOG-MD Free Edition. Download it from the website above and place the binary in \bin

Options: To push LOG-MD configuration files, create a zip file and push them out with the Get-LOG-MD-Free_Configs.module

---------------------------------------------------------------------------------------------------------------------------

Several LOG-MD Free Edition modules are included with ARTHIR. The following are included:

- Get-LOG-MD-Free_AutoRuns.ps1
- Get-LOG-MD-1-Day_Logs.ps1
- Get-LOG-MD-Free_Sched_AutoRuns.ps1
--------------------------------------------------------------------------------
/Modules/Cleanup/Get-Delete_ARTHIR_Folders.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Delete_ARTHIR_Folders.ps1 deletes the folder created by your scripts. Just add the folder(s)
you want to delete below to clean up after your modules. Add multiple folders if you use them.
The DOWNLOAD directive is not used in this module unless you want to create a status report.
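The template and LOG-MD readmes above describe the conventions every ARTHIR script module follows: a variable block at the top, a report prefixed with the system name under $ARTHIR_OutputDir, a DOWNLOAD directive in the comment header so ARTHIR.ps1 knows what to copy back, and an Application event-log entry when the module ran. The following is an added example written to those conventions; it is not one of the project's templates or modules. It records the PowerShell engine version and whether Script Block Logging is enabled by policy, so hosts where that logging is off can be found during a hunt. The module name, the report name and the registry path it reads are assumptions made for the example (the ScriptBlockLogging policy key is the one PowerShell 5 and later consult, but it is not on this page).

```powershell
<#
.SYNOPSIS
Get-PS_ScriptBlockLogging_Example.ps1 - added example module (hypothetical name, not part of ARTHIR).
Records the PowerShell engine version and the Script Block Logging policy state.

MITRE ATT&CK Technique IDs: TBD

Adjust the variables to what you want to do with each item:
  $ARTHIR_OutputDir    Directory where the report is written for harvesting
  $ARTHIR_ReportName   Report file name; match this to DOWNLOAD
  $SysName             Prefix for the report, defaults to the computer name
  $WriteEventLogEntry  'Yes' or 'No' - write an Application log event when the module ran
  $EventSource         Event source name (default ARTHIR)
  $Event_ID            Event ID for the log entry

.NOTES
DOWNLOAD C:\Program Files\ARTHIR\*Report_PS_ScriptBlockLogging.txt
#>
$ARTHIR_OutputDir   = "C:\Program Files\ARTHIR"
$ARTHIR_ReportName  = "Report_PS_ScriptBlockLogging.txt"
$SysName            = $env:COMPUTERNAME
$WriteEventLogEntry = "Yes"
$EventSource        = "ARTHIR"
$Event_ID           = "1337"
$ReportPath         = Join-Path $ARTHIR_OutputDir "$SysName-$ARTHIR_ReportName"

# Create the report folder if it does not exist (Out-File does not create directories)
if (-not (Test-Path $ARTHIR_OutputDir)) {
    New-Item -Path $ARTHIR_OutputDir -ItemType Directory | Out-Null
}

# Policy key consulted by PowerShell 5+ for Script Block Logging (assumed for this example)
$SblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$SblEnabled = 'Not configured'
if (Test-Path $SblKey) {
    $value = (Get-ItemProperty -Path $SblKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    if ($null -ne $value) {
        $SblEnabled = if ($value -eq 1) { 'Enabled' } else { 'Disabled' }
    }
}

# Write the report in the same plain-text style as the other ARTHIR reports
$report = @(
    "PowerShell logging settings on - $SysName"
    "-----------------------------------------"
    "Collected (UTC)      : $((Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss'))"
    "PowerShell version   : $($PSVersionTable.PSVersion)"
    "Script Block Logging : $SblEnabled"
)
$report | Out-File -FilePath $ReportPath

# Write log entry; register the event source first if it does not exist yet
if ($WriteEventLogEntry -eq 'Yes') {
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource `
        -Message "PowerShell logging settings queried by ARTHIR, report $ReportPath"
}
```

The source-registration step is folded into one branch instead of the duplicated Write-EventLog call, and Join-Path is used so the report path is quoted correctly even when $ARTHIR_OutputDir contains spaces, as "C:\Program Files\ARTHIR" does.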

Adjust the variables to what you want to do with each item:
  $ARTHIR_OutputDir    Set to the directory whose module results you want removed
  $WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
  $EventSource         The source name the event will be written under in the Application log (default is ARTHIR)
  $Event_ID            What event ID to use in the log entry

.NOTES
The following DIRECTIVE lines are needed by ARTHIR.ps1 to determine how to handle output
from this script.
#>
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR"
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for and delete the folder specified above. Add more entries if you are using multiple folders
#
if (Test-Path $ARTHIR_OutputDir) {
    Remove-Item -Path $ARTHIR_OutputDir -Recurse
} else {
    # Write-Error takes a single message string, so the path is expanded inside it
    Write-Error "ARTHIR folder not found at $ARTHIR_OutputDir"
}
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'ARTHIR folder deleted'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'ARTHIR folder deleted'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD/Get-Log-MD_z_Cleanup_Reports.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-LOG-MD_z_Cleanup_Reports.ps1 is designed to remove all items and reports
that were generated by LOG-MD under the directory in the variable:
* $ARTHIR_OutputDir

MITRE ATT&CK Technique IDs: none

Make sure that this is the LAST module in the modules.conf so it runs last,
after all results are copied back to the host system launching ARTHIR.

This module removes only the reports. To also remove the binary from remote systems after it
has run, use the Get-Log-MD_z_Cleanup_All.ps1 module, which removes all files via its $DeleteAll variable.

Adjust the variables to what you want to do with each item:
  $ARTHIR_Dir          The directory where the LOG-MD tool was pushed
  $ARTHIR_OutputDir    The directory where the module results were stored for harvesting
  $RenameReports       Yes/No - Rename the reports to include the system name or what you specify with the $SysName variable
  $SysName             What you want each report to be pre-pended with, such as "computername"
  $WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
  $EventSource         The source name the event will be written under in the Application log (default is ARTHIR)
  $Event_ID            What event ID to use in the log entry
  $DeleteReports       Yes/No - Deletes all the reports after the module has completed

.NOTES
This is a script, no download or binary needed
#>
$Tool_Name = "LOG-MD.exe"
$ARTHIR_Dir = "C:\Program Files\LMD"
$ARTHIR_OutputDir = "C:\Program Files\LMD\Results"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
$DeleteReports = "Yes"
#
# Cleanup/Delete if specified
#
If ($DeleteReports -eq 'No') {
    Write-Output "Reports not being deleted"
}
else {
    Remove-Item -Path $ARTHIR_OutputDir -Recurse -Force
}
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD Cleanup completed deleting all reports executed by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD Cleanup completed deleting all reports executed by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD/Get-Log-MD_z_Cleanup_All.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-LOG-MD_z_Cleanup_All.ps1 is designed to remove all items and reports
that were generated by LOG-MD under the directory in the variable:
* $ARTHIR_Dir

MITRE ATT&CK Technique IDs: none

Make sure that this is the LAST module in the modules.conf so it runs last,
after all results are copied back to the host system launching ARTHIR.

If you want to remove the binary from remote systems after it has run, use this cleanup module
with the $DeleteAll variable set to Yes to remove all files.

Adjust the variables to what you want to do with each item:
  $ARTHIR_Dir          The directory where the LOG-MD tool and its results were stored
  $ARTHIR_OutputDir    The directory where the module results were stored for harvesting
  $RenameReports       Yes/No - Rename the reports to include the system name or what you specify with the $SysName variable
  $SysName             What you want each report to be pre-pended with, such as "computername"
  $WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
  $EventSource         The source name the event will be written under in the Application log (default is ARTHIR)
  $Event_ID            What event ID to use in the log entry
  $DeleteAll           Yes/No - Deletes all the reports, the tool and the directory after the module has completed

.NOTES
This is a script, no download or binary needed
#>
$Tool_Name = "LOG-MD.exe"
$ARTHIR_Dir = "C:\Program Files\LMD"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
$DeleteAll = "Yes"
#
# Cleanup/Delete if specified
#
If ($DeleteAll -eq 'No') {
    Write-Output "Tool and reports not being deleted"
}
else {
    # Get-Process matches on the process name without the .exe extension, so strip it from $Tool_Name
    Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($Tool_Name)) -ErrorAction SilentlyContinue | Stop-Process -PassThru
    # Leave the tool directory so the current location does not block the delete
    Set-Location "$env:SystemDrive\"
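Both cleanup modules above run Remove-Item -Recurse -Force on whatever path the variable block holds, and Cleanup_All first stops the tool by name. A mistyped $ARTHIR_Dir (a drive root, or a shared directory such as Program Files) would be deleted just as readily. The helper below is an added example, not part of ARTHIR: it refuses to recurse-delete anything that is not a dedicated tool directory, stops only processes running from inside that directory, leaves the directory before removing it, and supports -WhatIf so the cleanup can be rehearsed. The function name, the allow-list of leaf names and the forbidden-path list are assumptions made for the example.

```powershell
function Remove-ArthirDirectory {
    <#
    .SYNOPSIS
    Added example helper (hypothetical, not part of ARTHIR): delete a module's working directory
    only when the path is clearly a dedicated tool directory, stopping the tool process first.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ToolName,                                            # e.g. "LOG-MD.exe"; optional
        [string[]] $AllowedLeafNames = @('ARTHIR', 'LMD', 'Results')   # constructed allow-list
    )

    # Normalise the target and refuse obviously dangerous ones: drive roots, Windows, Program Files, profiles
    $full = [IO.Path]::GetFullPath($Path).TrimEnd('\')
    $root = [IO.Path]::GetPathRoot($full)
    $forbidden = @($root, $env:SystemRoot, $env:ProgramFiles, $env:USERPROFILE) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
    if ($forbidden -contains $full) {
        throw "Refusing to delete '$full': not a dedicated tool directory"
    }
    if ($AllowedLeafNames -notcontains (Split-Path $full -Leaf)) {
        throw "Refusing to delete '$full': leaf name is not one of $($AllowedLeafNames -join ', ')"
    }
    if (-not (Test-Path -LiteralPath $full -PathType Container)) {
        Write-Verbose "Nothing to do, '$full' does not exist"
        return $false
    }

    # Get-Process matches on the image name without ".exe"; only stop instances running from $full
    if ($ToolName) {
        $procName = [IO.Path]::GetFileNameWithoutExtension($ToolName)
        Get-Process -Name $procName -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -and $_.Path.StartsWith($full, [StringComparison]::OrdinalIgnoreCase) } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess("$($_.Name) (PID $($_.Id))", 'Stop-Process')) {
                    Stop-Process -Id $_.Id -Force
                }
            }
    }

    # Leave the directory before removing it so this session does not hold it open
    if ((Get-Location).Path.StartsWith($full, [StringComparison]::OrdinalIgnoreCase)) {
        Set-Location "$env:SystemDrive\"
    }

    if ($PSCmdlet.ShouldProcess($full, 'Remove-Item -Recurse -Force')) {
        Remove-Item -LiteralPath $full -Recurse -Force
    }
    return $true
}

# Usage as a cleanup module would call it: rehearse with -WhatIf, then run for real
# Remove-ArthirDirectory -Path 'C:\Program Files\LMD' -ToolName 'LOG-MD.exe' -WhatIf
# Remove-ArthirDirectory -Path 'C:\Program Files\LMD' -ToolName 'LOG-MD.exe' -Verbose
```

Because the module is pushed to and run on every host in hosts.txt, a guard like this is cheap insurance against one wrong variable value being applied fleet-wide.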
    Remove-Item -Path $ARTHIR_Dir -Recurse -Force
}
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD Cleanup completed deleting all files and reports executed by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD Cleanup completed deleting all files and reports executed by Arthir'
}
--------------------------------------------------------------------------------
/Recon/Recon-Ping_Alive.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Recon-Ping_Alive.ps1 pings each system listed in ..\hosts.txt (the Hosts.txt file next to the Recon
folder) and writes the name of each host to one of two reports:
* Report_Ping_Alive.txt    hosts that answered
* Report_Ping_Offline.txt  hosts that did not answer

This recon script runs on the host launching ARTHIR, not on the remote systems, so it has no
DOWNLOAD directive. The other Recon scripts (Recon_List_of_*_OS_Versions.ps1) need the RSAT tools
installed on that host to access Active Directory.

RSAT can be obtained here:
Win10 - https://www.microsoft.com/en-us/download/details.aspx?id=45520
Win 7 - https://www.microsoft.com/en-us/download/details.aspx?id=7887

Adjust the variables to what you want to do with each item:
  $ARTHIR_OutputDir    Set to the directory where the two reports are written
  $ARTHIR_ReportName1  Name of the report listing hosts that are online
  $ARTHIR_ReportName2  Name of the report listing hosts that are offline
  $WriteEventLogEntry  Create an event log entry that this script ran: 'Yes' or 'No'
  $EventSource         The source name the event will be written under in the Application log (default is ARTHIR)
  $Event_ID            What event ID to use in the log entry
#>

$ARTHIR_OutputDir = "D:\ARTHIR\Recon"
$ARTHIR_ReportName1 = "Report_Ping_Alive.txt"
$ARTHIR_ReportName2 = "Report_Ping_Offline.txt"
$WriteEventLogEntry = "No"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Create the report folder if it does not exist (Out-File does not create it)
#
if (-not (Test-Path $ARTHIR_OutputDir)) {
    New-Item $ARTHIR_OutputDir -ItemType Directory | Out-Null
}
#
# Get system ONLINE information; blank lines in hosts.txt are skipped
#
$ComputerName = Get-Content "..\hosts.txt" | Where-Object { $_.Trim() }

foreach ($System in $ComputerName) {
    if (Test-Connection -ComputerName $System -Count 2 -Quiet) {
        "$System, is online" | Out-File -Append -FilePath "$ARTHIR_OutputDir\$ARTHIR_ReportName1"
    } else {
        "$System, not online" | Out-File -Append -FilePath "$ARTHIR_OutputDir\$ARTHIR_ReportName2"
    }
}

#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Ping alive check completed by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Ping alive check completed by Arthir'
}
--------------------------------------------------------------------------------
/Modules/Kansa_Legacy/Net/Get-DNS-Cache.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-DNS-Cache.ps1 - This will collect the DNS resolver cache (ipconfig /displaydns).

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

Adjust the variables to what you want to do with each item:
  $ARTHIR_OutputDir    Set to a directory you want the results of the modules to be stored for harvesting
  $ARTHIR_ReportName   What to name the report, used for error checking. Match this to DOWNLOAD
  $SysName             What you want each report to be pre-pended with, such as "computername"
  $WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
  $EventSource         The source name the event will be written under in the Application log (default is ARTHIR)
  $Event_ID            What event ID to use in the log entry

DOWNLOAD The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The DOWNLOAD directive is needed by ARTHIR.ps1 to determine how to handle
output from this script. Use the wildcard * to capture the systemname in the report.
- Example: C:\Program Files\LMD\Results\*Report_PS_LOG-MD-API-Settings.txt

DOWNLOAD C:\Program Files\ARTHIR\*Report_DNS-Cache.txt
#>
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR"
$ARTHIR_ReportName = "Report_DNS-Cache.txt"
$SysName = $env:computername
# Create event in Application log
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output $ARTHIR_OutputDir "already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Dump the DNS resolver cache
#
Write-Output "DNS cache on - $SysName" | Out-File -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
Write-Output "-------------------------------------------------------" | Out-File -Append -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
ipconfig /displaydns | Where-Object { $_ -and $_ -notmatch "command completed successfully" } |
    Out-File -Append -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'DNS cache queried by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'DNS cache queried by Arthir'
}
--------------------------------------------------------------------------------
/Modules/Kansa_Legacy/Config/Get-Hotfix_Patches.ps1:
--------------------------------------------------------------------------------
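The DNS cache module above writes the raw text of ipconfig /displaydns into the report, which is fine for harvesting but leaves the analyst to eyeball blocks of dotted field names. The following is an added example, not part of the Kansa or ARTHIR modules: a parser that turns that text into one object per cached record, run here over a constructed sample of the command's output so it works offline, followed by a filter that pulls out A records resolving outside RFC 1918 space for review. The function name and the sample output are assumptions made for the example. On Windows 8 / Server 2012 and later the Get-DnsClientCache cmdlet returns the same data as objects directly; the parser is for the text the module actually collects.

```powershell
# Constructed sample of "ipconfig /displaydns" output (not captured from a real host)
$SampleDisplayDns = @'
Windows IP Configuration

    example.test
    ----------------------------------------
    Record Name . . . . . : example.test
    Record Type . . . . . : 1
    Time To Live  . . . . : 1234
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.10


    updates.vendor.test
    ----------------------------------------
    No records of type AAAA


    cdn.vendor.test
    ----------------------------------------
    Record Name . . . . . : cdn.vendor.test
    Record Type . . . . . : 5
    Time To Live  . . . . : 300
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : edge.cdn.test
'@ -split "`r?`n"

function ConvertFrom-DisplayDns {
    <#
    .SYNOPSIS
    Added example (hypothetical helper, not part of ARTHIR): turn the text of "ipconfig /displaydns"
    into objects with one row per cached record. Entries that only say "No records of type X" are skipped.
    #>
    param([Parameter(Mandatory)] [string[]] $Lines)

    $typeNames = @{ 1 = 'A'; 5 = 'CNAME'; 12 = 'PTR'; 28 = 'AAAA' }   # DNS RR type numbers
    $current = $null
    foreach ($line in $Lines) {
        # Field lines look like "Record Name . . . . . : value"; strip the dot leaders from the key
        if ($line -match '^\s*(?<key>.+?)[\s.]*:\s*(?<val>.*)$') {
            $key = $Matches.key
            $val = $Matches.val.Trim()
            switch ($key) {
                'Record Name'  { $current = [ordered]@{ Name = $val; Type = $null; TTL = $null; Section = $null; Data = $null } }
                'Record Type'  { if ($current) { $n = [int]$val; $current.Type = if ($typeNames.ContainsKey($n)) { $typeNames[$n] } else { "TYPE$n" } } }
                'Time To Live' { if ($current) { $current.TTL = [int]$val } }
                'Section'      { if ($current) { $current.Section = $val } }
                'Data Length'  { }
                # Any other field ("A (Host) Record", "CNAME Record", ...) carries the record data and ends the entry
                default        { if ($current) { $current.Data = $val; [pscustomobject]$current; $current = $null } }
            }
        }
    }
}

# Parse the sample, show it, then flag A records that resolve outside RFC 1918 private ranges
$records = ConvertFrom-DisplayDns -Lines $SampleDisplayDns
$records | Format-Table -AutoSize
$records | Where-Object { $_.Type -eq 'A' -and $_.Data -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' }

# On a live host: ConvertFrom-DisplayDns -Lines (ipconfig /displaydns) | Export-Csv -NoTypeInformation dns-cache.csv
```

With the sample above the last filter returns the example.test entry (203.0.113.10); the CNAME for cdn.vendor.test is kept in $records but not flagged, and the AAAA negative-cache entry produces no row.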
<#
.SYNOPSIS
Get-Hotfix_Patches.ps1 - This returns the installed Hotfixes and Patches (KBXXXXXX).
Originally contributed by Mike Fanning for Kansa
- Shows configuration information for the Hotfixes and Patches

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

Adjust the variables to what you want to do with each item:
  $ARTHIR_OutputDir    Set to a directory you want the results of the modules to be stored for harvesting
  $ARTHIR_ReportName   What to name the report, used for error checking. Match this to DOWNLOAD
  $SysName             What you want each report to be pre-pended with, such as "computername"
  $WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
  $EventSource         The source name the event will be written under in the Application log (default is ARTHIR)
  $Event_ID            What event ID to use in the log entry

DOWNLOAD The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The DOWNLOAD directive is needed by ARTHIR.ps1 to determine how to handle
output from this script. Use the wildcard * to capture the systemname in the report.
- Example: C:\Program Files\LMD\Results\*Report_PS_LOG-MD-API-Settings.txt

DOWNLOAD C:\Program Files\ARTHIR\*Report_Hotfixes_Patches*
#>
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR"
$ARTHIR_ReportName = "Report_Hotfixes_Patches.txt"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output $ARTHIR_OutputDir "already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Get a list of Hotfixes
#
Write-Output "Get list of Hotfixes" | Out-File -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
Write-Output "-------------------------------------------------------------------------" | Out-File -Append -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
Get-HotFix | Select-Object HotfixID, Caption, Description, InstalledBy | Out-File -Append -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Hotfixes and Patches queried by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Hotfixes and Patches queried by Arthir'
}
--------------------------------------------------------------------------------
/Modules/Kansa_Legacy/Config/Get-Local_Accounts.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Local_Accounts.ps1 - This will collect all local accounts.
- Looks for Enabled Accounts
- Looks for Disabled Accounts

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

Adjust the variables to what you want to do with each item:
  $ARTHIR_OutputDir    Set to a directory you want the results of the modules to be stored for harvesting
  $ARTHIR_ReportName   What to name the report, used for error checking. Match this to DOWNLOAD
  $SysName             What you want each report to be pre-pended with, such as "computername"
  $WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
  $EventSource         The source name the event will be written under in the Application log (default is ARTHIR)
  $Event_ID            What event ID to use in the log entry

DOWNLOAD The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The DOWNLOAD directive is needed by ARTHIR.ps1 to determine how to handle
output from this script. Use the wildcard * to capture the systemname in the report.
- Example: C:\Program Files\LMD\Results\*Report_PS_LOG-MD-API-Settings.txt

DOWNLOAD C:\Program Files\ARTHIR\*Report_Local_Accounts.txt
#>
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR"
$ARTHIR_ReportName = "Report_Local_Accounts.txt"
$SysName = $env:computername
# Create event in Application log
$WriteEventLogEntry = "No"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output $ARTHIR_OutputDir "already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Get a list of all local accounts
#
Write-Output "Looking for Local Accounts on $SysName" | Out-File -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
Write-Output "------------------------------------------" | Out-File -Append -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
# The LocalAccount filter keeps Win32_UserAccount from enumerating the whole domain on a domain-joined host
Get-CimInstance Win32_UserAccount -Filter "LocalAccount = True" |
    Select-Object Name, Description, Status, Disabled | Sort-Object Status |
    Format-Table -GroupBy Status -Property Name, Description, Disabled |
    Out-File -Append -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Local Accounts queried by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Local Accounts queried by Arthir'
}
--------------------------------------------------------------------------------
/Modules/Kansa_Legacy/Config/Get-Local_Admin_Accounts.ps1:
--------------------------------------------------------------------------------
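The local account and local administrator modules dump raw listings for the analyst to read; the administrator module in particular relies on net localgroup output and a fixed "select -skip 4" to drop the header. The following is an added example, not part of the Kansa or ARTHIR modules: it parses the member list by finding the dashed rule that precedes it (so a changed header does not shift the list), then compares the members against an approved baseline for the host and reports the unexpected ones, which is the question a hunt usually asks of this data. The function names, the sample command output and the baseline list are constructed for the example. On PowerShell 5.1 and later, Get-LocalGroupMember returns the same members as objects; the parser is for the text the module collects.

```powershell
# Constructed sample of "net localgroup administrators" output (not captured from a real host)
$SampleNetOutput = @'
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\helpdesk-svc
localbackup
The command completed successfully.
'@ -split "`r?`n"

function Get-MembersFromNetLocalGroup {
    # Added example (hypothetical helper, not part of ARTHIR): return only the member lines of
    # "net localgroup <group>" output, located by the dashed rule rather than a fixed line count
    param([Parameter(Mandatory)] [string[]] $Lines)
    $inMembers = $false
    foreach ($line in $Lines) {
        if (-not $inMembers) {
            if ($line -match '^-{10,}$') { $inMembers = $true }
            continue
        }
        if ($line -match '^\s*$' -or $line -match 'command completed successfully') { continue }
        $line.Trim()
    }
}

function Compare-LocalAdmins {
    # Added example: mark each current member as approved or not against a per-host baseline
    param(
        [Parameter(Mandatory)] [string[]] $Current,
        [Parameter(Mandatory)] [string[]] $Baseline
    )
    foreach ($m in $Current) {
        # -contains compares strings case-insensitively, matching how Windows treats account names
        [pscustomobject]@{ Member = $m; Approved = ($Baseline -contains $m) }
    }
}

$baseline = @('Administrator', 'CORP\Domain Admins')   # constructed approved list for this host
$members  = Get-MembersFromNetLocalGroup -Lines $SampleNetOutput
$findings = Compare-LocalAdmins -Current $members -Baseline $baseline
$findings | Where-Object { -not $_.Approved }          # CORP\helpdesk-svc and localbackup

# On a live host: Get-MembersFromNetLocalGroup -Lines (net localgroup administrators)
```

Writing the findings rather than the raw listing into the report turns the module's output into something that can be diffed across the hosts in hosts.txt, and an unexpected member such as the constructed localbackup account stands out without reading every report.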
<#
.SYNOPSIS
Get-Local_Admin_Accounts.ps1 - This will collect all local administrator accounts (members of the local Administrators group).

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

Adjust the variables to what you want to do with each item:
  $ARTHIR_OutputDir    Set to a directory you want the results of the modules to be stored for harvesting
  $ARTHIR_ReportName   What to name the report, used for error checking. Match this to DOWNLOAD
  $SysName             What you want each report to be pre-pended with, such as "computername"
  $WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
  $EventSource         The source name the event will be written under in the Application log (default is ARTHIR)
  $Event_ID            What event ID to use in the log entry

DOWNLOAD The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The DOWNLOAD directive is needed by ARTHIR.ps1 to determine how to handle
output from this script. Use the wildcard * to capture the systemname in the report.
- Example: C:\Program Files\LMD\Results\*Report_PS_LOG-MD-API-Settings.txt

DOWNLOAD C:\Program Files\ARTHIR\*Report_Local_Admin_Accounts.txt
#>
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR"
$ARTHIR_ReportName = "Report_Local_Admin_Accounts.txt"
$SysName = $env:computername
# Create event in Application log
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output $ARTHIR_OutputDir "already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Get a list of all local administrator accounts
#
Write-Output "List of Local Administrator accounts on - $SysName" | Out-File -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
Write-Output "-------------------------------------------------------" | Out-File -Append -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
# After blank lines are dropped, the first four lines of "net localgroup" output are the header
# (Alias name, Comment, Members, dashed rule); the member names follow
net localgroup administrators | Where-Object { $_ -and $_ -notmatch "command completed successfully" } |
    Select-Object -Skip 4 | Out-File -Append -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Local Admin Accounts queried by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Local Admin Accounts queried by Arthir'
}
--------------------------------------------------------------------------------
/Modules/Kansa_Legacy/Net/Get-Arp.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Arp.ps1 - This will list the ARP table.

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

Adjust the variables to what you want to do with each item:
  $ARTHIR_OutputDir    Set to a directory you want the results of the modules to be stored for harvesting
  $ARTHIR_ReportName   What to name the report, used for error checking. Match this to DOWNLOAD
  $SysName             What you want each report to be pre-pended with, such as "computername"
  $WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
  $EventSource         The source name the event will be written under in the Application log (default is ARTHIR)
  $Event_ID            What event ID to use in the log entry

DOWNLOAD The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The DOWNLOAD directive is needed by ARTHIR.ps1 to determine how to handle
output from this script. Use the wildcard * to capture the systemname in the report.
23 | - Example: C:\Program Files\LMD\Results\*Report_PS_LOG-MD-API-Settings.txt 24 | 25 | DOWNLOAD C:\Program Files\ARTHIR\*Report_ARP.txt 26 | #> 27 | $ARTHIR_OutputDir = "C:\Program Files\ARTHIR" 28 | $ARTHIR_ReportName = "Report_ARP.txt" 29 | $SysName = $env:computername 30 | # Create event in Application log 31 | $WriteEventLogEntry = "Yes" 32 | $EventSource = "ARTHIR" 33 | $Event_ID = "1337" 34 | # 35 | # Check for report folder existing, or create it 36 | # 37 | if (Test-Path $ARTHIR_OutputDir) { 38 | Write-Output $ARTHIR_OutputDir "already exists" 39 | } else { 40 | new-item $ARTHIR_OutputDir -itemtype directory 41 | } 42 | # 43 | # List the ARP table 44 | # 45 | Write-Output "List ARP table on - $SysName" | Out-File -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName 46 | Write-Output "-------------------------------------------------------" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName 47 | if (Get-Command Get-NetNeighbor -ErrorAction SilentlyContinue) { 48 | Get-NetNeighbor | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName 49 | } else { 50 | Invoke-Command { 51 | Arp -av | where {$_ -AND $_ -notmatch "command completed successfully"} | 52 | Select -Skip 0 | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName 53 | } 54 | } 55 | # 56 | # Write log entry 57 | # 58 | If ($WriteEventLogEntry -eq 'No') { 59 | Break 60 | } 61 | elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) { 62 | New-EventLog -LogName Application -Source $EventSource 63 | Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Local Admin Accounts queried by Arthir' 64 | } 65 | else { 66 | Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Local Admin Accounts queried by Arthir' 67 | } 68 | -------------------------------------------------------------------------------- 
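The Get-Local_Admin_Accounts module above scrapes the text output of net.exe, which loses the SID of each member and cannot tell a domain group from a local account or from an orphaned SID left behind by a deleted principal. The following is an added example written for this page, not ARTHIR's own code: it keeps the ARTHIR report and event-log conventions but enumerates the Administrators group by its well-known SID through Get-LocalGroupMember, falls back to the ADSI WinNT provider on hosts that lack the LocalAccounts module, and writes a CSV with SID and source per member. The function names Get-LocalAdminMembers and Write-ArthirEvent, the report name and the -UseAdsi switch are assumptions for this example.

```powershell
<#
.SYNOPSIS
Added example for this page (not part of ARTHIR): list local Administrators with SIDs.

DOWNLOAD C:\Program Files\ARTHIR\*Report_Local_Admin_Members.csv
#>
$ARTHIR_OutputDir   = "C:\Program Files\ARTHIR"
$ARTHIR_ReportName  = "Report_Local_Admin_Members.csv"   # assumed report name
$SysName            = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource        = "ARTHIR"
$Event_ID           = 1337

function Get-LocalAdminMembers {
    param([switch]$UseAdsi)   # force the ADSI path (e.g. if Get-LocalGroupMember fails on an orphaned SID)
    # Resolve the group by its well-known SID so a renamed Administrators group is still found
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    if (-not $UseAdsi -and (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue)) {
        # Windows 10 / Server 2016 and later ship Microsoft.PowerShell.LocalAccounts
        Get-LocalGroupMember -SID $adminSid | ForEach-Object {
            [pscustomobject]@{
                Member = $_.Name
                SID    = $_.SID.Value
                Class  = $_.ObjectClass
                Source = [string]$_.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            }
        }
    } else {
        # Fallback for older hosts: walk the group through the ADSI WinNT provider
        $groupName = ($adminSid.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1]
        $group = [ADSI]"WinNT://$env:computername/$groupName,group"
        foreach ($m in @($group.psbase.Invoke('Members'))) {
            $path = $m.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
            $name = $m.GetType().InvokeMember('Name',      'GetProperty', $null, $m, $null)
            $cls  = $m.GetType().InvokeMember('Class',     'GetProperty', $null, $m, $null)
            $raw  = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            $sid  = (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
            # WinNT://<thishost>/<name> is a local principal; anything else came from a domain
            $src  = if ($path -match "WinNT://$([regex]::Escape($env:computername))/") { 'Local' } else { 'Domain' }
            [pscustomobject]@{ Member = $name; SID = $sid; Class = $cls; Source = $src }
        }
    }
}

function Write-ArthirEvent {
    param([string]$Message)
    # Register the source only once; New-EventLog throws if the source already exists
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message $Message
}

if (-not (Test-Path $ARTHIR_OutputDir)) { New-Item $ARTHIR_OutputDir -ItemType Directory | Out-Null }

$members = @(Get-LocalAdminMembers)
$members | Export-Csv -NoTypeInformation -Path "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"

# Members that only resolve to a raw SID (deleted or foreign principals) deserve a second
# look in triage, so the count goes into the event message as well as the report
$unresolved = @($members | Where-Object { $_.Member -match '^S-1-5-' }).Count
if ($WriteEventLogEntry -eq 'Yes') {
    Write-ArthirEvent "Local Administrators queried by Arthir: $($members.Count) members, $unresolved unresolved SIDs"
}
```

The CSV keeps one row per member with Member, SID, Class and Source, so the harvested reports from many hosts can be concatenated and sorted by SID to spot the same unexpected principal across the fleet, something the free-text net.exe output does not allow. Running it requires the same local administrator rights as the other Kansa_Legacy modules, since SourceExists and New-EventLog need them.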
/Modules/Templates/Get-Script-Template.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Script-Template.ps1 - This is a template for a PowerShell script.
    - Looks for X
    - Looks for Y

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

Adjust the variables to what you want to do with each item:
    $ARTHIR_Dir           Set to a directory you want the results of the modules to be stored for harvesting
    $ARTHIR_OutputDir     Set to a directory you want the results of the modules to be stored for harvesting
    $ARTHIR_ReportName    What to name the report used for error checking. Match this to DOWNLOAD
    $RenameReports        Yes/No - Rename the reports to include the systemname or what you specify with the $SysName variable
    $SysName              What you want each report to be pre-pended with such as "computername"
    $WriteEventLogEntry   Create an event log entry that this module ran 'Yes' or 'No'
    $EventSource          The name of the source the event will be written to the Application log (default is ARTHIR)
    $Event_ID             What event ID to use in the log entry

    DOWNLOAD              The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The DOWNLOAD directive is needed by ARTHIR.ps1 to determine how to handle
output from this script. Use the wildcard * to capture the systemname in the report.
    - Example: C:\Program Files\LMD\Results\*Report_PS_LOG-MD-API-Settings.txt

DOWNLOAD \*
#>
$ARTHIR_OutputDir = ""
$ARTHIR_ReportName = ""
$SysName = $env:computername
$MinPSVersion = 6
$WriteEventLogEntry = "No"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for minimal PowerShell version
#
If ($PSVersionTable.PSVersion.Major -ge $MinPSVersion) {
    Write-Output "System has PS $MinPSVersion or greater"
    Break
}
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output $ARTHIR_OutputDir "already exists"
} else {
    new-item $ARTHIR_OutputDir -itemtype directory
}
#
# Check Key XYZ for ...
#
Get-ItemProperty HKLM:SomeKey* | Select-Object Value1, Value2, Value3 | format-table -AutoSize -Wrap | out-file -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName

#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'XXXX Settings queried by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'XXXX Settings queried by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD/Get-LOG-MD_1_Configs.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-LOG-MD_1_Configs.ps1 - Pushes out a Zip file of config settings.

This module will allow you to send your LOG-MD configuration files to the remote system.
It includes:
    Whitelists
    Settings
    MasterDigest

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

When used with the -PushBin argument, copies LOG-MD-Config.zip from the Modules\bin\
path to each remote host and extracts it to C:\Windows or the ADMIN$ folder.
You may want to tweak this to target specific needs if you are after specific areas.

.NOTES
The next lines are required by ARTHIR for proper handling of the third-party binary.
The BINDEP directive below tells ARTHIR where to find the third-party code.

BINDEP .\Modules\bin\LOG-MD_Configs.zip
DOWNLOAD C:\Program Files\LMD\Results\*Report_Zip_Main_Configs.txt
#>
#
# Set folders where you want LOG-MD and Reports to reside
#
$Zip_File = "LOG-MD_Configs.zip"
$ARTHIR_Dir = "C:\Program Files\LMD"
$ARTHIR_OutputDir = "C:\Program Files\LMD\Results"
$ARTHIR_ReportName = "Report_Zip_Main_Configs.txt"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output $ARTHIR_OutputDir "already exists"
} else {
    new-item $ARTHIR_OutputDir -itemtype directory
}
#
# Move archive (dropped into ADMIN$ = %SystemRoot% by -PushBin) to $ARTHIR_Dir
#
Move-Item -Path "$env:SystemRoot\$Zip_File" -Destination $ARTHIR_Dir
#
# Test if Zip was properly copied
#
if (Test-Path $ARTHIR_Dir\$Zip_File) {
    Write-Output "$Zip_File copied successfully" | out-file -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
} else {
    Write-Error "$Zip_File not found in $ARTHIR_Dir."
    Exit
}
#
# Remove existing configs (no error if this is the first push and they do not exist yet)
#
Remove-Item $ARTHIR_Dir\Settings_*.txt -force -ErrorAction SilentlyContinue
Remove-Item $ARTHIR_Dir\Whitelist_*.txt -force -ErrorAction SilentlyContinue
Remove-Item $ARTHIR_Dir\MasterDigest.txt -force -ErrorAction SilentlyContinue
Start-Sleep -s 10
#
# Function to extract Zip file for all PS versions
#
Add-Type -AssemblyName System.IO.Compression.FileSystem
function UnZip_File {
    param( [string]$ziparchive, [string]$extractpath )
    [System.IO.Compression.ZipFile]::ExtractToDirectory( $ziparchive, $extractpath )
}
UnZip_File $ARTHIR_Dir\$Zip_File $ARTHIR_Dir
Start-Sleep -s 10
Remove-Item $ARTHIR_Dir\$Zip_File -Force
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD main configs pushed by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD main configs pushed by Arthir'
}
--------------------------------------------------------------------------------
/Modules/Info/Get-OS_Version_Details.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-OS_Version_Details.ps1 queries the local system for its operating system.
    * Computername
    * Operating System
    * OS Architecture

MITRE ATT&CK Technique IDs: none

If you want to remove the reports and directories from remote systems after it has run,
use the cleanup module Get-Delete_ARTHIR_Folders.ps1.

Adjust the variables to what you want to do with each item:
    $ARTHIR_OutputDir     Set to a directory you want the results of the modules to be stored for harvesting
    $ARTHIR_ReportName    What to name the report. Match this to DOWNLOAD
    $SysName              What you want each report to be pre-pended with, such as "computername"
    $WriteEventLogEntry   Create an event log entry that this module ran 'Yes' or 'No'
    $EventSource          The name of the source the event will be written to the Application log (default is ARTHIR)
    $Event_ID             What event ID to use in the log entry

    DOWNLOAD              The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The following DIRECTIVE lines are needed by ARTHIR.ps1 to determine how to handle output
from this script.

DOWNLOAD C:\Program Files\ARTHIR\Results\*Report_System_Info.txt

#>
$ARTHIR_Dir = "C:\Program Files\ARTHIR"
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR\Results"
$ARTHIR_ReportName = "Report_System_Info.txt"
$SysName = $env:computername
$MinPSVersion = 6
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for minimal PowerShell version
# (Get-WmiObject, used below, is not available in PowerShell 6+, so stop there)
#
If ($PSVersionTable.PSVersion.Major -ge $MinPSVersion) {
    Write-Output "System has PS $MinPSVersion or greater"
    Break
}
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output $ARTHIR_OutputDir "already exists"
} else {
    new-item $ARTHIR_OutputDir -itemtype directory
}
#
# Get OS details
#
Write-Output $SysName | out-file -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
$wmiOS = Get-WmiObject -ComputerName $env:computername -Class Win32_OperatingSystem
$OS = $wmiOS.caption
$OS | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
(Get-WmiObject win32_operatingsystem).osarchitecture | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
Write-Output "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Operating System info gathered by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Operating System info gathered by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD-Tasks/Get-Log-MD-Free_Task_z_Cleanup_All.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Log-MD-Free_Task_z_Cleanup_All.ps1 deletes all LOG-MD Scheduled Tasks

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: none

Scheduled Task:
---------------
This module will delete all LOG-MD scheduled tasks.

Adjust the variables to what you want to do with each item:
    $Tool_Name            Name of the tool that you will use
    $ARTHIR_OutputDir     Set to a directory you want the results of the modules to be stored for harvesting
    $ARTHIR_ReportName    What to name the report. Match this to DOWNLOAD
    $TaskName             Name of the Task
    $TaskDescr            Description of the Scheduled Task
    $TaskStartTime        When you want the task to start ("2018-03-03T14:55:00")
    $WriteEventLogEntry   Create an event log entry that this module ran 'Yes' or 'No'
    $EventSource          The name of the source the event will be written to the Application log (default is ARTHIR)
    $Event_ID             What event ID to use in the log entry

.NOTES
The following lines are required by ARTHIR.ps1. They are directives that
tell ARTHIR how to treat the output of this script and where to find the
binary that this script depends on.

DOWNLOAD C:\Program Files\LMD\Results\*Report_Task_Deleted.txt
#>
# You must use the 8.3 directory name for logmdOutputDir for a Scheduled Task if you use a folder with a space in it
#
# Edit the following variables to match what names and locations you want to use to store LOG-MD
#
# Where LOG-MD resides
$ARTHIR_Dir = "C:\Progra~1\LMD"
# Where the results/reports will be stored
$ARTHIR_OutputDir = "C:\Progra~1\LMD\Results"
# Name of report that records the task deletions
$ARTHIR_ReportName = "Report_Task_Deleted.txt"
# Name of system to add to the report
$SysName = $env:computername
# Write a log entry to Application log
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Remove any existing LOG-MD Tasks
#
SchTasks.exe /Delete /TN "Test_LOG-MD-AutoRuns" /F | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
SchTasks.exe /Delete /TN "Test_LOG-MD-Large-Keys" /F | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
SchTasks.exe /Delete /TN "Test_LOG-MD_1-Day_of_Logs" /F | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
SchTasks.exe /Delete /TN "Test_LOG-MD-Running-Processes" /F | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD scheduled tasks deleted by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD scheduled tasks deleted by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD/Get-LOG-MD_3_Configs_Hash.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-LOG-MD_3_Configs_Hash.ps1 - Pushes out a Zip file of config settings for the hash modules.

This module will allow you to send your LOG-MD Hash configuration files to the remote system.
It includes:
    - Hash_Baseline.txt
    - Hash_Locked_Files.csv

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

When used with the -PushBin argument, copies LOG-MD_Configs_Hash.zip from the Modules\bin\
path to each remote host and extracts it to C:\Windows or the ADMIN$ folder.
You may want to tweak this to target specific needs if you are after specific areas.

.NOTES
The next lines are required by ARTHIR for proper handling of the third-party binary.
The BINDEP directive below tells ARTHIR where to find the third-party code.

BINDEP .\Modules\bin\LOG-MD_Configs_Hash.zip
DOWNLOAD C:\Program Files\LMD\Results\*Report_Zip_Hash_Configs.txt
#>
#
# Set folders where you want LOG-MD and Reports to reside
#
$Zip_File = "LOG-MD_Configs_Hash.zip"
$ARTHIR_Dir = "C:\Program Files\LMD"
$ARTHIR_OutputDir = "C:\Program Files\LMD\Results"
$ARTHIR_ReportName = "Report_Zip_Hash_Configs.txt"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output $ARTHIR_OutputDir "already exists"
} else {
    new-item $ARTHIR_OutputDir -itemtype directory
}
#
# Move archive (dropped into ADMIN$ = %SystemRoot% by -PushBin) to $ARTHIR_Dir
#
Move-Item -Path "$env:SystemRoot\$Zip_File" -Destination $ARTHIR_Dir
#
# Test if Zip was properly copied
#
if (Test-Path $ARTHIR_Dir\$Zip_File) {
    Write-Output "$Zip_File copied successfully" | out-file -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
} else {
    Write-Error "$Zip_File not found in $ARTHIR_Dir."
    Exit
}
#
# Remove existing configs (no error if this is the first push and they do not exist yet)
#
Remove-Item $ARTHIR_Dir\Hash_*.txt -force -ErrorAction SilentlyContinue
Start-Sleep -s 10
#
# Function to extract Zip file for all PS versions
#
Add-Type -AssemblyName System.IO.Compression.FileSystem
function UnZip_File {
    param( [string]$ziparchive, [string]$extractpath )
    [System.IO.Compression.ZipFile]::ExtractToDirectory( $ziparchive, $extractpath )
}
UnZip_File $ARTHIR_Dir\$Zip_File $ARTHIR_Dir
Start-Sleep -s 10
Remove-Item $ARTHIR_Dir\$Zip_File -Force
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD hash configs pushed by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD hash configs pushed by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD/Get-LOG-MD_2_Configs_Registry.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-LOG-MD_2_Configs_Registry.ps1 - Pushes out a Zip file of config settings for the Registry modules.

This module will allow you to send your LOG-MD Registry configuration files to the remote system.
It includes:
    - Registry_Baseline.txt

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

When used with the -PushBin argument, copies LOG-MD_Configs_Registry.zip from the Modules\bin\
path to each remote host and extracts it to C:\Windows or the ADMIN$ folder.
You may want to tweak this to target specific needs if you are after specific areas.

.NOTES
The next lines are required by ARTHIR for proper handling of the third-party binary.
The BINDEP directive below tells ARTHIR where to find the third-party code.

BINDEP .\Modules\bin\LOG-MD_Configs_Registry.zip
DOWNLOAD C:\Program Files\LMD\Results\*Report_Zip_Registry_Configs.txt
#>
#
# Set folders where you want LOG-MD and Reports to reside
#
$Zip_File = "LOG-MD_Configs_Registry.zip"
$ARTHIR_Dir = "C:\Program Files\LMD"
$ARTHIR_OutputDir = "C:\Program Files\LMD\Results"
$ARTHIR_ReportName = "Report_Zip_Registry_Configs.txt"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output $ARTHIR_OutputDir "already exists"
} else {
    new-item $ARTHIR_OutputDir -itemtype directory
}
#
# Move archive (dropped into ADMIN$ = %SystemRoot% by -PushBin) to $ARTHIR_Dir
#
Move-Item -Path "$env:SystemRoot\$Zip_File" -Destination $ARTHIR_Dir
#
# Test if Zip was properly copied
#
if (Test-Path $ARTHIR_Dir\$Zip_File) {
    Write-Output "$Zip_File copied successfully" | out-file -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
} else {
    Write-Error "$Zip_File not found in $ARTHIR_Dir."
    Exit
}
#
# Remove existing configs (no error if this is the first push and they do not exist yet)
#
Remove-Item $ARTHIR_Dir\Reg_Baseline.txt -force -ErrorAction SilentlyContinue
Start-Sleep -s 10
#
# Function to extract Zip file for all PS versions
#
Add-Type -AssemblyName System.IO.Compression.FileSystem
function UnZip_File {
    param( [string]$ziparchive, [string]$extractpath )
    [System.IO.Compression.ZipFile]::ExtractToDirectory( $ziparchive, $extractpath )
}
UnZip_File $ARTHIR_Dir\$Zip_File $ARTHIR_Dir
Start-Sleep -s 10
Remove-Item $ARTHIR_Dir\$Zip_File -Force
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD registry configs pushed by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD registry configs pushed by Arthir'
}
--------------------------------------------------------------------------------
/Modules/Kansa_Legacy/Log/Get-CBS_Log.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-CBS_Log.ps1 - This will collect the Windows CBS.Log file.
CBS.log is a file which include 4 | logs about components when they get installed or uninstalled during updates 5 | 6 | Use the following to record the modules applicability to the MITRE ATT&CK Framework 7 | 8 | MITRE ATT&CK Technique IDs: TBD 9 | 10 | Adjust the variables to what you want to do with each item: 11 | $ARTHIR_OutputDir Set to a directory you want the results of the modules to be stored for harvesting 12 | $ARTHIR_ReportName What to name the report used for error checking. Match this to DOWNLOAD 13 | $SysName What you want each report to be pre-pended with such as "computername" 14 | $WriteEventLogEntry Create an event log entry that this module ran 'Yes' or 'No' 15 | $EventSource The name of the source the event will be written to the Application log (default is ARTHIR) 16 | $Event_ID What event ID to use in the log entry 17 | 18 | DOWNLOAD The name of the report you will copy back to the host or launching system, wildcards are acceptable 19 | 20 | .NOTES 21 | The DOWNLOAD directive is needed by ARTHIR.ps1 to determine where how to handle 22 | output from this script. Use the wildcard * to capture the systemname in the report. 
23 | - Example: C:\Program Files\LMD\Results\*Report_PS_LOG-MD-API-Settings.txt 24 | 25 | DOWNLOAD C:\Program Files\ARTHIR\*Report_CBS_Log.txt 26 | #> 27 | $ARTHIR_OutputDir = "C:\Program Files\ARTHIR" 28 | $ARTHIR_ReportName = "Report_CBS_Log.txt" 29 | $SysName = $env:computername 30 | # Create event in Application log 31 | $WriteEventLogEntry = "No" 32 | $EventSource = "ARTHIR" 33 | $Event_ID = "1337" 34 | # 35 | # Check for report folder existing, or create it 36 | # 37 | if (Test-Path $ARTHIR_OutputDir) { 38 | Write-Output $ARTHIR_OutputDir "already exists" 39 | } else { 40 | new-item $ARTHIR_OutputDir -itemtype directory 41 | } 42 | # 43 | # Get the events from the CBS.Log 44 | # 45 | Write-Output "Collecting CBS Log events on $SysName" | Out-File -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName 46 | Write-Output "" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName 47 | Write-Output "Timestamp MessageType LogSource Message" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName 48 | Write-Output "-------------------------------------------------------------------" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName 49 | Get-Content $env:windir\logs\CBS\cbs.log | % { 50 | $_ -replace "\s\s+", "`t" 51 | } | % { 52 | $r = [regex]',' 53 | $r.replace($_, "`t", 1) 54 | } | % { 55 | $o = "" | Select-Object Timestamp, MessageType, LogSource, Message 56 | $o.Timestamp, $o.MessageType, $o.LogSource, $o.Message = ($_ -split "`t").Trim() 57 | ($o | Format-Table -Autosize -HideTableHeaders | Out-String).Trim() | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName 58 | } 59 | # 60 | # Write log entry 61 | # 62 | If ($WriteEventLogEntry -eq 'No') { 63 | Break 64 | } 65 | elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) { 66 | New-EventLog -LogName Application -Source $EventSource 67 | Write-EventLog -LogName Application -EntryType Information -EventId 
$Event_ID -Source $EventSource -Message 'CBS Log queried by Arthir' 68 | } 69 | else { 70 | Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'CBS Log queried by Arthir' 71 | } 72 | -------------------------------------------------------------------------------- /Modules/Templates/Get-Zip-Template.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Get-Zip-Template.ps1 This template is for pushing Zip files to remote system. This is how you get 4 | configurations, support files or other data you need. You may need to break up your data into multiple Zip files 5 | 6 | - WARNING: You are limited to 52MB for this file transfers due to limitations of WinRM. 7 | 8 | Use the following to record the modules applicability to the MITRE ATT&CK Framework 9 | 10 | MITRE ATT&CK Technique IDs: none 11 | 12 | When you run ARTHIR.ps1, if you add the -Pushbin switch at the command line, ARTHIR.ps1 13 | will attempt to copy the filename.zip to each remote target's ADMIN$ share and then move it 14 | to the folder you specify below. 15 | 16 | This module will allow you to send configuration files to the remote system. 17 | It includes: 18 | - Whatever is in your Zip file 19 | - Whatever else 20 | 21 | When used with -PushBin argument, copies Whatever.zip from the Modules\bin\ 22 | path to each remote host and extracts to C:\Windows or ADMIN$ folder. 23 | You may want to tweak this to target specific needs if you are after specific areas. 24 | 25 | .NOTES 26 | Next line is required by ARTHIR for proper handling of third-party binary. 27 | The BINDEP directive below tells ARTHIR where to find the third-party code. 

BINDEP .\Modules\bin\Whatever.zip
DOWNLOAD C:\Program Files\WhateverDir\Results\*Report_Zip_Status.txt

#>
#
# Set folders where you want the Zip contents and the report to reside
#
$Zip_File = "Whatever.zip"
$ARTHIR_Dir = "C:\Program Files\WhateverDir"
$ARTHIR_OutputDir = "C:\Program Files\WhateverDir\Results"
$ARTHIR_ReportName = "Report_Zip_Status.txt"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it.
# Creating the Results folder also creates $ARTHIR_Dir, which must exist before the
# Move-Item below: moving onto a folder path that does not exist renames the Zip to that name.
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Move archive from the ADMIN$ share (C:\Windows) to $ARTHIR_Dir
#
Move-Item -Path "$env:SystemRoot\$Zip_File" -Destination $ARTHIR_Dir -Force
#
# Test if Zip was properly copied
#
if (Test-Path $ARTHIR_Dir\$Zip_File) {
    Write-Output "$Zip_File copied successfully" | Out-File -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
} else {
    Write-Error "$Zip_File not found in $ARTHIR_Dir."
    Exit
}
#
# Remove existing configs: everything in $ARTHIR_Dir except the archive just moved there
# and the Results folder. (Removing $ARTHIR_Dir itself would delete the archive before it
# is extracted, and ExtractToDirectory fails if a file it wants to write already exists.)
#
Remove-Item $ARTHIR_Dir\* -Exclude $Zip_File, (Split-Path $ARTHIR_OutputDir -Leaf) -Recurse -Force
Start-Sleep -s 10
#
# Function to extract Zip file for all PS versions (Expand-Archive needs PS 5 or later)
#
Add-Type -AssemblyName System.IO.Compression.FileSystem
function UnZip_File {
    param( [string]$ziparchive, [string]$extractpath )
    [System.IO.Compression.ZipFile]::ExtractToDirectory( $ziparchive, $extractpath )
}
UnZip_File $ARTHIR_Dir\$Zip_File $ARTHIR_Dir
Start-Sleep -s 10
Remove-Item $ARTHIR_Dir\$Zip_File -Force
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Zip file pushed and extracted by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Zip file pushed and extracted by Arthir'
}
--------------------------------------------------------------------------------
/Modules/Kansa_Legacy/Config/Get-Anti-MW-HealthStatus.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Anti-MW-HealthStatus.ps1 - This reports Windows Defender health status (Win 10, Win 2016 and later).
Originally contributed by Mike Fanning for Kansa
- Shows health and configuration information for the Windows Defender / Endpoint Protection client

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

Adjust the variables to what you want to do with each item:
$ARTHIR_OutputDir     Set to a directory you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName    What to name the report used for error checking.
                      Match this to DOWNLOAD
$SysName              What you want each report to be pre-pended with such as "computername"
$WriteEventLogEntry   Create an event log entry that this module ran 'Yes' or 'No'
$EventSource          The name of the source the event will be written to the Application log (default is ARTHIR)
$Event_ID             What event ID to use in the log entry

DOWNLOAD              The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The DOWNLOAD directive is needed by ARTHIR.ps1 to determine how to handle
output from this script. Use the wildcard * to capture the system name in the report.
- Example: C:\Program Files\LMD\Results\*Report_PS_LOG-MD-API-Settings.txt

DOWNLOAD C:\Program Files\ARTHIR\*Report_Anti-MW-Health-Status.txt
#>
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR"
$ARTHIR_ReportName = "Report_Anti-MW-Health-Status.txt"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check if system is a supported OS (Win10, Server 2016, Server 2019).
# The patterns match the OS caption; newer releases (Windows 11, Server 2022) are
# rejected unless you add them to the list.
#
# Get OS details
#
$OS_Version = Get-CimInstance Win32_OperatingSystem | Select-Object -ExpandProperty Caption
#
If (($OS_Version -like "* Windows 10 *") -or ($OS_Version -like "* Server 2016 *") -or ($OS_Version -like "* Server 2019 *")) {
    Write-Output "Supported Windows version: $OS_Version"
} else {
    Write-Error "Unsupported version of Windows ($OS_Version), no Defender WMI class"
    Break
}
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Check Windows Anti-Malware Health Status.
# root\Microsoft\SecurityClient is the namespace used by the Security Essentials /
# System Center Endpoint Protection client. If it is absent on the target, Get-WmiObject
# reports "Invalid namespace" and the report contains only the header, so check the
# report size on the launching host before treating an empty file as "healthy".
#
Write-Output "Windows Anti-Malware Health Status" | Out-File -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
Write-Output "-------------------------------------------------------------------------" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
Get-WmiObject -Namespace root\Microsoft\SecurityClient -Class AntimalwareHealthStatus | Format-List | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Windows Anti-Malware Health Status queried by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Windows Anti-Malware Health Status queried by Arthir'
}
--------------------------------------------------------------------------------
/Modules/Kansa_Legacy/Net/Get-Net-IP-Interface.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Net-IP-Interface.ps1 - This will list the network IP interfaces.
- Looks for IP interfaces (Get-NetIPInterface where available, Win32_NetworkAdapterConfiguration otherwise)

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

Adjust the variables to what you want to do with each item:
$ARTHIR_OutputDir     Set to a directory you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName    What to name the report used for error checking.
                      Match this to DOWNLOAD
$SysName              What you want each report to be pre-pended with such as "computername"
$WriteEventLogEntry   Create an event log entry that this module ran 'Yes' or 'No'
$EventSource          The name of the source the event will be written to the Application log (default is ARTHIR)
$Event_ID             What event ID to use in the log entry

DOWNLOAD              The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The DOWNLOAD directive is needed by ARTHIR.ps1 to determine how to handle
output from this script. Use the wildcard * to capture the system name in the report.
- Example: C:\Program Files\LMD\Results\*Report_PS_LOG-MD-API-Settings.txt

DOWNLOAD C:\Program Files\ARTHIR\*Report_Net-IP-Interface.txt
#>
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR"
$ARTHIR_ReportName = "Report_Net-IP-Interface.txt"
$SysName = $env:computername
# Create event in Application log
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# List the network IP interfaces
#
Write-Output "List Network IP Interfaces on - $SysName" | Out-File -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
Write-Output "-------------------------------------------------------" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
if (Get-Command Get-NetIPInterface -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later ship the NetTCPIP module
    Get-NetIPInterface -AddressFamily IPv4 | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
    Write-Output "---------------------------------------------------------------------------" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
    Get-NetIPInterface -AddressFamily IPv6 | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
} else {
    # Older systems: fall back to WMI. WQL tests for NULL with "IS NOT NULL", not "!= null",
    # and the gateway property of this class is DefaultIPGateway.
    (Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "MACAddress IS NOT NULL" |
        Select-Object -Property DNSHostName, Index, IPAddress, IPEnabled, Description, Caption, DHCPEnabled, DNSServerSearchOrder, DefaultIPGateway, MACAddress) |
        Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
}
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Network IP interfaces queried by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Network IP interfaces queried by Arthir'
}
--------------------------------------------------------------------------------
/Modules/Kansa_Legacy/Config/Get-Anti-MW-InfectionStatus.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Anti-MW-InfectionStatus.ps1 - This returns any Windows Defender infections (Win 10, Win 2016 and later).
Originally contributed by Mike Fanning for Kansa
- Shows infections recorded by the Windows Defender / Endpoint Protection client

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

Adjust the variables to what you want to do with each item:
$ARTHIR_OutputDir     Set to a directory you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName    What to name the report used for error checking.
                      Match this to DOWNLOAD
$SysName              What you want each report to be pre-pended with such as "computername"
$WriteEventLogEntry   Create an event log entry that this module ran 'Yes' or 'No'
$EventSource          The name of the source the event will be written to the Application log (default is ARTHIR)
$Event_ID             What event ID to use in the log entry

DOWNLOAD              The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The DOWNLOAD directive is needed by ARTHIR.ps1 to determine how to handle
output from this script. Use the wildcard * to capture the system name in the report.
- Example: C:\Program Files\LMD\Results\*Report_PS_LOG-MD-API-Settings.txt

DOWNLOAD C:\Program Files\ARTHIR\*Report_Anti-MW-Infection-Status.txt
#>
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR"
$ARTHIR_ReportName = "Report_Anti-MW-Infection-Status.txt"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check if system is a supported OS (Win10, Server 2016, Server 2019).
# The patterns match the OS caption; newer releases (Windows 11, Server 2022) are
# rejected unless you add them to the list.
#
# Get OS details
#
$OS_Version = Get-CimInstance Win32_OperatingSystem | Select-Object -ExpandProperty Caption
#
If (($OS_Version -like "* Windows 10 *") -or ($OS_Version -like "* Server 2016 *") -or ($OS_Version -like "* Server 2019 *")) {
    Write-Output "Supported Windows version: $OS_Version"
} else {
    Write-Error "Unsupported version of Windows ($OS_Version), no Defender WMI class"
    Break
}
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Check Windows Anti-Malware Infection Status.
# An empty report means either no infections or a missing root\Microsoft\SecurityClient
# namespace ("Invalid namespace" from Get-WmiObject); compare with the health report
# from Get-Anti-MW-HealthStatus.ps1 before reading an empty file as "clean".
#
Write-Output "Windows Anti-Malware Infection Status" | Out-File -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
Write-Output "-------------------------------------------------------------------------" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
Get-WmiObject -Namespace root\Microsoft\SecurityClient -Class AntimalwareInfectionStatus | Format-List | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Windows Anti-Malware Infection Status queried by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Windows Anti-Malware Infection Status queried by Arthir'
}
--------------------------------------------------------------------------------
/Known_3rd_Party_Modules/LOG-MD-Professional.txt:
--------------------------------------------------------------------------------
LOG-MD Professional and Consulting ARTHIR modules
Updated - March 2019

Function: LOG-MD is a Log Harvesting, Threat Hunting, and Incident Response tool.

website: LOG-MD.com

How to get modules: Modules are included with the purchase of LOG-MD-Professional. A guide for
using LOG-MD-Professional with ARTHIR is included with the purchase of LOG-MD-Professional.

Options: To push LOG-MD configuration files, create a zip file and push them out with the Get-LOG-MD-Free_Configs module.

---------------------------------------------------------------------------------------------------------------------------

There are modules available for all LOG-MD-Professional and Consulting features.
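Both Kansa_Legacy Defender modules above (Get-Anti-MW-HealthStatus.ps1 and Get-Anti-MW-InfectionStatus.ps1) read the root\Microsoft\SecurityClient namespace and produce an empty report when it is absent. The block below is an added example, not part of ARTHIR or Kansa: it prefers the Defender PowerShell module cmdlets (Get-MpComputerStatus, Get-MpThreatDetection, present on Windows 10 / Server 2016 and later where Defender is installed), falls back to the legacy namespace only after confirming it exists, records which source answered, and distils the health object into one pass/fail answer for triage. The combined report name, the 7 day signature-age threshold and the legacy property names are assumptions.

```powershell
# Added example (not part of ARTHIR or Kansa): collect Defender health and detections
# from whichever interface the host offers, and say which one answered.
$ARTHIR_OutputDir  = "C:\Program Files\ARTHIR"
$ARTHIR_ReportName = "Report_Anti-MW-Status.txt"      # assumption: one combined report
$SysName           = $env:computername
$Report            = Join-Path $ARTHIR_OutputDir "$SysName-$ARTHIR_ReportName"

function Get-AntiMalwareStatus {
    # Returns a hashtable: Source ('Defender', 'SecurityClient' or 'none'), Health, Infections.
    $Result = @{ Source = 'none'; Health = $null; Infections = $null }

    # 1. Defender's own module (preferred on Win10 / Server 2016 and later).
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $Result.Source     = 'Defender'
        $Result.Health     = Get-MpComputerStatus
        $Result.Infections = Get-MpThreatDetection      # returns nothing when no detections were recorded
        return $Result
    }

    # 2. Legacy Security Essentials / SCEP namespace used by the Kansa modules,
    #    queried only if it is really there (no "Invalid namespace" error in the report).
    $LegacyNs = Get-WmiObject -Namespace root\Microsoft -Class __NAMESPACE -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -eq 'SecurityClient' }
    if ($LegacyNs) {
        $Result.Source     = 'SecurityClient'
        $Result.Health     = Get-WmiObject -Namespace root\Microsoft\SecurityClient -Class AntimalwareHealthStatus
        $Result.Infections = Get-WmiObject -Namespace root\Microsoft\SecurityClient -Class AntimalwareInfectionStatus
    }
    return $Result
}

function Test-DefenderHealthy {
    # One answer for triage: engine on, real-time protection on, signatures fresh.
    # Property names are those of Get-MpComputerStatus; the legacy class exposes
    # AntivirusEnabled instead of AMServiceEnabled (assumption), so both are tried.
    param($Health, [int]$MaxSignatureAgeDays = 7)        # assumption: 7 days is the local policy
    if ($null -eq $Health) { return $false }
    $EngineOn = if ($null -ne $Health.AMServiceEnabled) { $Health.AMServiceEnabled } else { $Health.AntivirusEnabled }
    $SigFresh = ($Health.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    return [bool]($EngineOn -and $Health.RealTimeProtectionEnabled -and $SigFresh)
}

# Write the report in the same layout the Kansa_Legacy modules use.
if (-not (Test-Path $ARTHIR_OutputDir)) { New-Item $ARTHIR_OutputDir -ItemType Directory | Out-Null }
$Status = Get-AntiMalwareStatus
"Windows Anti-Malware status on $SysName (source: $($Status.Source))" | Out-File -FilePath $Report
"Healthy: $(Test-DefenderHealthy -Health $Status.Health)"             | Out-File -Append -FilePath $Report
"--- Health ---"                                                       | Out-File -Append -FilePath $Report
$Status.Health     | Format-List                                       | Out-File -Append -FilePath $Report
"--- Detections ---"                                                   | Out-File -Append -FilePath $Report
$Status.Infections | Format-List                                       | Out-File -Append -FilePath $Report
```

The "source: none" line is the important one during a sweep: a host with neither interface has no Microsoft anti-malware client to query, which is a finding in itself rather than a clean result.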
Also available are modules to schedule tasks for many LOG-MD-Professional features.
The following modules are available:

RECON SCRIPTS - Get information you want to populate Hosts.txt with
-------------------------------------------------------------------

- Recon_List_of_MAC_OS_Versions.ps1      List of Apple OS systems from AD
- Recon_List_of_WS_OS_Versions.ps1       List of Windows systems from AD
- Recon-Ping_Alive.ps1                   Ping the systems in Hosts.txt to see which are online

INFO GATHERING SCRIPTS
----------------------
- Get-OS_Version_Details.ps1             Get system name, OS version and architecture
- Get-PS_Version_Logging_Details.ps1     Get PowerShell version and logging settings

LOG-MD-Professional MODULES
---------------------------
- Get-LOG-MD-API-Settings.ps1
- Get-LOG-MD-Pro_1_Configs.ps1
- Get-LOG-MD-Pro_2_Configs_Registry.ps1
- Get-LOG-MD-Pro_3_Configs_Hash.ps1
- Get-Log-MD-Pro_Settings.ps1
- Get-Log-MD-Pro_AutoRuns.ps1
- Get-Log-MD-Pro_AutoRuns_VirusTotal.ps1
- Get-Log-MD-Pro_AutoRuns_WMI.ps1
- Get-Log-MD-Pro_Hash_Baseline.ps1
- Get-Log-MD-Pro_Hash_Compare.ps1
- Get-Log-MD-Pro_Logs_1_Day.ps1
- Get-Log-MD-Pro_Logs_1_Day_WhoIS.ps1
- Get-Log-MD-Pro_Logs_2_Days.ps1
- Get-Log-MD-Pro_Logs_2_Days_WhoIS.ps1
- Get-Log-MD-Pro_Logs_3_Days.ps1
- Get-Log-MD-Pro_Logs_3_Days_WhoIS.ps1
- Get-Log-MD-Pro_Logs_4_Days.ps1
- Get-Log-MD-Pro_Logs_4_Days_WhoIS.ps1
- Get-Log-MD-Pro_Logs_5_Days.ps1
- Get-Log-MD-Pro_Logs_5_Days_WhoIS.ps1
- Get-Log-MD-Pro_Logs_6_Days.ps1
- Get-Log-MD-Pro_Logs_6_Days_WhoIS.ps1
- Get-Log-MD-Pro_Logs_7_Days.ps1
- Get-Log-MD-Pro_Logs_7_Days_WhoIS.ps1
- Get-Log-MD-Pro_Logs_99_Days.ps1
- Get-Log-MD-Pro_Logs_99_Days_WhoIS.ps1
- Get-Log-MD-Pro_PS_Logs_1_Day.ps1
- Get-Log-MD-Pro_PS_Logs_2_Days.ps1
- Get-Log-MD-Pro_PS_Logs_3_Days.ps1
- Get-Log-MD-Pro_PS_Logs_4_Days.ps1
- Get-Log-MD-Pro_PS_Logs_5_Days.ps1
- Get-Log-MD-Pro_PS_Logs_6_Days.ps1
- Get-Log-MD-Pro_PS_Logs_7_Days.ps1
- Get-Log-MD-Pro_PS_Logs_99_Days.ps1
- Get-Log-MD-Pro_Reg_Baseline.ps1
- Get-Log-MD-Pro_Reg_Compare.ps1
- Get-Log-MD-Pro_Reg_Large_Keys.ps1
- Get-Log-MD-Pro_Running_Processes.ps1
- Get-Log-MD-Pro_Running_Processes_VirusTotal.ps1
- Get-Log-MD-Pro_SRUM.ps1

LOG-MD SCHEDULE TASKS MODULES
-----------------------------
- Get-Log-MD-Pro_AutoRuns_Check_VT_Hourly_Task.ps1
- Get-Log-MD-Pro_AutoRuns_Hourly_Task.ps1
- Get-Log-MD-Pro_Large_Keys_Daily_Task.ps1
- Get-Log-MD-Pro_Logs_Daily_Task.ps1
- Get-Log-MD-Pro_PS_Logs_Daily_Task.ps1
- Get-Log-MD-Pro_Running_Processes_Check_VT_Hourly_Task.ps1
- Get-Log-MD-Pro_Running_Processes_Hourly_Task.ps1
- Get-Log-MD-Pro_WMI_Persistence_Daily_Task.ps1

CLEANUP LOG-MD MODULES
----------------------
- Get-Log-MD-Pro_z_Cleanup_All.ps1
- Get-Log-MD-Pro_z_Cleanup_Reports.ps1
--------------------------------------------------------------------------------
/Modules/Templates/Get-Binary-Template.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Binary-Template.ps1 - This is a template for a binary utility or tool.
- Looks for X
- Looks for Y

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

Adjust the variables to what you want to do with each item:
$ARTHIR_Dir           Set to a directory you want the tool to be stored
$ARTHIR_OutputDir     Set to a directory you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName    What to name the report used for error checking.
                      Match this to DOWNLOAD
$RenameReports        Yes/No - Rename the reports to include the system name or what you specify with the $SysName variable
$SysName              What you want each report to be pre-pended with such as "computername"
$WriteEventLogEntry   Create an event log entry that this module ran 'Yes' or 'No'
$EventSource          The name of the source the event will be written to the Application log (default is ARTHIR)
$Event_ID             What event ID to use in the log entry

BINDEP                The name of the binary/file you want to push to the remote systems
DOWNLOAD              The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The BINDEP and DOWNLOAD directives are needed by ARTHIR.ps1 to determine where to find
the binary to be used and how to handle output from this script.
Use the wildcard * to capture the system name in the report.
- Example: .\Modules\bin\.exe
- Example: C:\Program Files\LMD\Results\*Report_PS_LOG-MD-API-Settings.txt

BINDEP .\Modules\bin\.exe
DOWNLOAD 
#>
$Tool_Name = ""
$ARTHIR_Dir = ""
$ARTHIR_OutputDir = ""
$ARTHIR_ReportName = ""
$RenameReports = "Yes"
$SysName = $env:computername
$MinPSVersion = 6    # Not referenced below; compare with $PSVersionTable.PSVersion.Major if your tool needs a minimum (6 would exclude Windows PowerShell 5.1)
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Move uploaded tool to the destination directory from \Windows (the ADMIN$ share)
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Run Tool XYZ
#
if (Test-Path $ARTHIR_Dir\$Tool_Name) {
    Set-Location -Path $ARTHIR_Dir
    & $ARTHIR_Dir\$Tool_Name $ARTHIR_OutputDir
} else {
    Write-Error "$Tool_Name not found in $ARTHIR_Dir."
    Exit
}
#
# Check for output to exist
#
if (Test-Path $ARTHIR_OutputDir\$ARTHIR_ReportName) {
    Write-Output "$Tool_Name created $ARTHIR_ReportName"
} else {
    Write-Error "$Tool_Name failed to create $ARTHIR_ReportName"
}
#
# Rename files with $SysName. Change the Report_ prefix to whatever your tool names its
# output. The -replace pattern must not be empty: an empty pattern matches at every
# position and inserts the prefix between every character of the file name.
#
If ($RenameReports -eq 'No') {
    Write-Output "Reports not being renamed"
}
else {
    Remove-Item -Path $ARTHIR_OutputDir\$SysName-Report_* -Force -ErrorAction SilentlyContinue
    Get-ChildItem $ARTHIR_OutputDir\Report_* | Rename-Item -NewName { $_.Name -replace '^Report_', "$SysName-Report_" }
}
#
# Write log entry (fill in the message with what this module did)
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message ' by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message ' by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD/Get-Log-MD_Logs_3_Days.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-LOG-MD_Logs_3_Days.ps1 harvests 3 days of log events that LOG-MD
determines as security relevant.

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD - LOTS of them

This script does depend on IMF Security's LOG-MD.exe (see the BINDEP directive below), which is not
packaged with ARTHIR. You will have to download it from LOG-MD.com and
drop it in the .\Modules\bin\ directory.
When you run ARTHIR.ps1, if you
add the -PushBin switch at the command line, ARTHIR.ps1 will attempt to
copy the LOG-MD.exe binary to each remote target's ADMIN$ share (C:\Windows)
and this module then moves it to the directory specified with $ARTHIR_Dir.

If you want to remove the binary and/or reports from remote systems after it has run,
use the cleanup modules Get-Log-MD_z_Cleanup_Reports.ps1 and Get-Log-MD_z_Cleanup_All.ps1.

Adjust the variables to what you want to do with each item:
$ARTHIR_Dir           Set to a directory you want the tool to be stored
$ARTHIR_OutputDir     Set to a directory you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName    What to name the report. Match this to DOWNLOAD
$RenameReports        Yes/No - Rename the reports to include the system name or what you specify with the $SysName variable
$SysName              What you want each report to be pre-pended with such as "computername"
$WriteEventLogEntry   Create an event log entry that this module ran 'Yes' or 'No'
$EventSource          The name of the source the event will be written to the Application log (default is ARTHIR)
$Event_ID             What event ID to use in the log entry

BINDEP                The name of the binary/file you want to push to the remote systems
DOWNLOAD              The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The BINDEP and DOWNLOAD directives are needed by ARTHIR.ps1 to determine where to find
the binary to be used and how to handle output from this script.
Use the wildcard * to capture the system name in the report.
- Example: C:\Program Files\LMD\Results\*Report_*

BINDEP .\Modules\bin\Log-MD.exe
DOWNLOAD C:\Program Files\LMD\Results\*Report_*
#>
$Tool_Name = "LOG-MD.exe"
$ARTHIR_Dir = "C:\Program Files\LMD"
$ARTHIR_OutputDir = "C:\Program Files\LMD\Results"
$ARTHIR_ReportName = "Report_*.csv"
$RenameReports = "Yes"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Move uploaded tool to the destination directory from \Windows (the ADMIN$ share)
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Run LOG-MD (-3 = harvest 3 days of logs)
#
if (Test-Path $ARTHIR_Dir\$Tool_Name) {
    Set-Location -Path $ARTHIR_Dir
    & $ARTHIR_Dir\$Tool_Name -3
} else {
    Write-Error "$Tool_Name not found in $ARTHIR_Dir."
    Exit
}
#
# Check for output to exist
#
if (Test-Path $ARTHIR_OutputDir\$ARTHIR_ReportName) {
    Write-Output "LOG-MD created $ARTHIR_ReportName"
} else {
    Write-Error "LOG-MD failed to create $ARTHIR_ReportName"
}
#
# Rename files with $SysName
#
If ($RenameReports -eq 'No') {
    Write-Output "Reports not being renamed"
}
else {
    # Drop renamed reports left by an earlier run, then move any report LOG-MD wrote
    # next to the binary (the current directory) into the Results folder.
    Remove-Item -Path $ARTHIR_OutputDir\$SysName-Report* -Force
    Move-Item -Path Report* -Destination $ARTHIR_OutputDir
    Get-ChildItem $ARTHIR_OutputDir\Report_* | Rename-Item -NewName { $_.Name -replace 'Report_', "$SysName-Report_" }
    Rename-Item $ARTHIR_OutputDir\_Report_List.txt -NewName $SysName-Report_List.txt
    Rename-Item $ARTHIR_OutputDir\Report.csv -NewName $SysName-Report.csv
}
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD 3 day log harvest executed by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD 3 day log harvest executed by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD/Get-Log-MD_Logs_4_Days.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-LOG-MD_Logs_4_Days.ps1 harvests 4 days of log events that LOG-MD
determines as security relevant.

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD - LOTS of them

This script does depend on IMF Security's LOG-MD.exe (see the BINDEP directive below), which is not
packaged with ARTHIR.
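Each Get-Log-MD_Logs_*_Days module runs the same procedure: move the binary out of ADMIN$, execute it, check for output, prefix the reports with the host name, write an event. Whatever file is sitting in ADMIN$ under the name LOG-MD.exe is executed with the privileges of the WinRM session on every target, so a practitioner would gate the execution on the binary's Authenticode signature, optionally pinned to the SHA256 of the build that was tested. The block below is an added example, not ARTHIR's own code; the signer subject placeholder, the optional hash, the combined event message and the helper names are assumptions, while the -3 switch and the Report_ naming are those of the 3 day module above.

```powershell
# Added example (not ARTHIR's own code): the LOG-MD module procedure with a
# signature / hash gate before the pushed binary is run on the target.
$Tool_Name        = "LOG-MD.exe"
$ARTHIR_Dir       = "C:\Program Files\LMD"
$ARTHIR_OutputDir = "C:\Program Files\LMD\Results"
$SysName          = $env:computername
$EventSource      = "ARTHIR"
$Event_ID         = 1337
$ExpectedSigner   = "CN=Your Tool Publisher"   # assumption: copy the Subject shown by Get-AuthenticodeSignature on the launching host
$ExpectedSha256   = $null                      # assumption: set to pin one exact build; $null = signature check only

function Test-PushedBinary {
    # $true only if the file carries a valid Authenticode signature from the expected
    # publisher and, when a hash is given, matches it exactly.
    param([string]$Path, [string]$Signer, [string]$Sha256)
    if (-not (Test-Path $Path)) { return $false }
    $Sig = Get-AuthenticodeSignature -FilePath $Path
    if ($Sig.Status -ne 'Valid') { return $false }                       # unsigned, tampered or untrusted chain
    if ($Sig.SignerCertificate.Subject -notlike "*$Signer*") { return $false }
    if ($Sha256 -and ((Get-FileHash -Path $Path -Algorithm SHA256).Hash -ne $Sha256)) { return $false }
    return $true
}

function Rename-ReportsWithHost {
    # Prefix each LOG-MD report with the host name so results from many targets can
    # share one folder on the launching host. Returns the new file names.
    param([string]$Dir, [string]$Prefix)
    Get-ChildItem -Path (Join-Path $Dir 'Report_*') |
        Rename-Item -NewName { $_.Name -replace '^Report_', "$Prefix-Report_" } -PassThru |
        ForEach-Object { $_.Name }
}

function Write-ArthirEvent {
    # Same Application-log entry the modules write, including the refusal case.
    param([string]$Message)
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message $Message
}

# Procedure, as the module above performs it, with the gate added before execution.
if (-not (Test-Path $ARTHIR_OutputDir)) { New-Item $ARTHIR_OutputDir -ItemType Directory | Out-Null }
$Staged = Join-Path $env:SystemRoot $Tool_Name             # -PushBin drops the file in ADMIN$
if (-not (Test-PushedBinary -Path $Staged -Signer $ExpectedSigner -Sha256 $ExpectedSha256)) {
    Remove-Item $Staged -Force -ErrorAction SilentlyContinue
    Write-ArthirEvent "Refused to run $Tool_Name on $SysName - signature or hash check failed"
    Write-Error "$Tool_Name failed verification; not executed"
    Exit
}
Move-Item -Path $Staged -Destination $ARTHIR_Dir -Force
Set-Location -Path $ARTHIR_Dir
& (Join-Path $ARTHIR_Dir $Tool_Name) -3                      # 3 days of logs, as in the module above
Move-Item -Path (Join-Path $ARTHIR_Dir 'Report*') -Destination $ARTHIR_OutputDir -ErrorAction SilentlyContinue
$Renamed = Rename-ReportsWithHost -Dir $ARTHIR_OutputDir -Prefix $SysName
Write-ArthirEvent "LOG-MD 3 day log harvest executed by Arthir on $SysName; $(@($Renamed).Count) reports renamed"
```

Get-AuthenticodeSignature returns Valid only when the chain resolves to a root the target trusts, so an isolated host with a stale root store can report UnknownError for a genuine binary; check the Status on a reference host before relying on the gate across a fleet. The hash pin is the stricter of the two checks and is the one to use for an unsigned tool.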
You will have to download it from LOG-MD.com and
drop it in the .\Modules\bin\ directory. When you run ARTHIR.ps1, if you
add the -PushBin switch at the command line, ARTHIR.ps1 will attempt to
copy the LOG-MD.exe binary to each remote target's ADMIN$ share (C:\Windows)
and this module then moves it to the directory specified with $ARTHIR_Dir.

If you want to remove the binary and/or reports from remote systems after it has run,
use the cleanup modules Get-Log-MD_z_Cleanup_Reports.ps1 and Get-Log-MD_z_Cleanup_All.ps1.

Adjust the variables to what you want to do with each item:
$ARTHIR_Dir           Set to a directory you want the tool to be stored
$ARTHIR_OutputDir     Set to a directory you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName    What to name the report. Match this to DOWNLOAD
$RenameReports        Yes/No - Rename the reports to include the system name or what you specify with the $SysName variable
$SysName              What you want each report to be pre-pended with such as "computername"
$WriteEventLogEntry   Create an event log entry that this module ran 'Yes' or 'No'
$EventSource          The name of the source the event will be written to the Application log (default is ARTHIR)
$Event_ID             What event ID to use in the log entry

BINDEP                The name of the binary/file you want to push to the remote systems
DOWNLOAD              The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The BINDEP and DOWNLOAD directives are needed by ARTHIR.ps1 to determine where to find
the binary to be used and how to handle output from this script.
Use the wildcard * to capture the system name in the report.
- Example: C:\Program Files\LMD\Results\*Report_*

BINDEP .\Modules\bin\Log-MD.exe
DOWNLOAD C:\Program Files\LMD\Results\*Report_*
#>
$Tool_Name = "LOG-MD.exe"
$ARTHIR_Dir = "C:\Program Files\LMD"
$ARTHIR_OutputDir = "C:\Program Files\LMD\Results"
$ARTHIR_ReportName = "Report_*.csv"
$RenameReports = "Yes"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Move uploaded tool to the destination directory from \Windows (the ADMIN$ share)
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Run LOG-MD (-4 = harvest 4 days of logs)
#
if (Test-Path $ARTHIR_Dir\$Tool_Name) {
    Set-Location -Path $ARTHIR_Dir
    & $ARTHIR_Dir\$Tool_Name -4
} else {
    Write-Error "$Tool_Name not found in $ARTHIR_Dir."
    Exit
}
#
# Check for output to exist
#
if (Test-Path $ARTHIR_OutputDir\$ARTHIR_ReportName) {
    Write-Output "LOG-MD created $ARTHIR_ReportName"
} else {
    Write-Error "LOG-MD failed to create $ARTHIR_ReportName"
}
#
# Rename files with $SysName
#
If ($RenameReports -eq 'No') {
    Write-Output "Reports not being renamed"
}
else {
    # Drop renamed reports left by an earlier run, then move any report LOG-MD wrote
    # next to the binary (the current directory) into the Results folder.
    Remove-Item -Path $ARTHIR_OutputDir\$SysName-Report* -Force
    Move-Item -Path Report* -Destination $ARTHIR_OutputDir
    Get-ChildItem $ARTHIR_OutputDir\Report_* | Rename-Item -NewName { $_.Name -replace 'Report_', "$SysName-Report_" }
    Rename-Item $ARTHIR_OutputDir\_Report_List.txt -NewName $SysName-Report_List.txt
    Rename-Item $ARTHIR_OutputDir\Report.csv -NewName $SysName-Report.csv
}
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD 4 day log harvest executed by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD 4 day log harvest executed by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD/Get-Log-MD_Logs_5_Days.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-LOG-MD_Logs_5_Days.ps1 harvests 5 days of log events that LOG-MD
determines as security relevant.

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD - LOTS of them

This script does depend on IMF Security's LOG-MD.exe (see the BINDEP directive below), which is not
packaged with ARTHIR.
You will have to purchase and download it from LOG-MD.com and 12 | drop it in the .\Modules\bin\ directory. When you run ARTHIR.ps1, if you 13 | add the -Pushbin switch at the command line, ARTHIR.ps1 will attempt to 14 | copy the LOG-MD-Pro.exe binary to each remote target's ADMIN$ share (C:\Windows) 15 | and then move it to the directory specified with $ARTHIR_Dir. 16 | 17 | If you want to remove the binary and/or reports from remote systems after it has run 18 | use the cleanup module(s) or specify with the $DeleteReports and $DeleteAll variables. 19 | 20 | Adjust the variables to what you want to do with each item: 21 | $ARTHIR_Dir Set to a directory you want the tool to be stored 22 | $ARTHIR_OutputDir Set to a directory you want the results of the modules to be stored for harvesting 23 | $ARTHIR_ReportName What to name the report. Match this to DOWNLOAD 24 | $RenameReports Yes/No - Rename the reports to include the systemname or what you specify with $SysName variable 25 | $SysName What you want each report to be pre-pended with such as "computername" 26 | $WriteEventLogEntry Create an event log entry that this module ran 'Yes' or 'No' 27 | $EventSource The name of the source the event will be written to the Application log (default is ARTHIR) 28 | $Event_ID What event ID to use in the log entry 29 | 30 | BINDEP The name of the binary/file you want to push to the remote systems 31 | DOWNLOAD The name of the report you will copy back to the host or launching system, wildcards are acceptable 32 | 33 | .NOTES 34 | The BINDEP and DOWNLOAD directives are needed by ARTHIR.ps1 to determine where to find 35 | the binary to be used and how to handle output from this script. 36 | Use the wildcard * to capture the systemname in the report. 
37 | - Example: C:\Program Files\LMD\Results\*Report_AutoRuns* 38 | 39 | BINDEP .\Modules\bin\Log-MD.exe 40 | DOWNLOAD C:\Program Files\LMD\Results\*Report_* 41 | #> 42 | $Tool_Name = "LOG-MD.exe" 43 | $ARTHIR_Dir = "C:\Program Files\LMD" 44 | $ARTHIR_OutputDir = "C:\Program Files\LMD\Results" 45 | $ARTHIR_ReportName = "Report_*.csv" 46 | $RenameReports = "Yes" 47 | $SysName = $env:computername 48 | $WriteEventLogEntry = "Yes" 49 | $EventSource = "ARTHIR" 50 | $Event_ID = "1337" 51 | # 52 | # Check for report folder existing, or create it 53 | # 54 | if (Test-Path $ARTHIR_OutputDir) { 55 | Write-Output $ARTHIR_OutputDir "already exists" 56 | } else { 57 | new-item $ARTHIR_OutputDir -itemtype directory 58 | } 59 | # 60 | # Move uploaded tool to the destination directory from \Windows 61 | # 62 | Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force 63 | # 64 | # Run LOG-MD 65 | # 66 | if (Test-Path $ARTHIR_Dir\$Tool_Name) { 67 | Set-Location -Path $ARTHIR_Dir 68 | & $ARTHIR_Dir\$Tool_Name -5 69 | } else { 70 | Write-Error "$Tool_Name not found in $ARTHIR_Dir." 
    Exit
}
#
# Check for output to exist
#
if (Test-Path "$ARTHIR_OutputDir\$ARTHIR_ReportName") {
    Write-Output "LOG-MD Created $ARTHIR_ReportName"
} else {
    Write-Error "LOG-MD failed to create $ARTHIR_ReportName"
}
#
# Rename files with $SysName
#
If ($RenameReports -eq 'No') {
    Write-Output "Reports not being renamed"
}
else {
    Remove-Item -Path "$ARTHIR_OutputDir\$SysName-Report*" -Force
    Move-Item -Path Report* -Destination $ARTHIR_OutputDir
    Get-ChildItem "$ARTHIR_OutputDir\Report_*" | Rename-Item -NewName { $_.Name -Replace 'Report_',"$SysName-Report_" }
    Rename-Item "$ARTHIR_OutputDir\_Report_List.txt" -NewName "$SysName-Report_List.txt"
    Rename-Item "$ARTHIR_OutputDir\Report.csv" -NewName "$SysName-Report.csv"
}
#
# Write log entry (register the event source first if it does not exist yet)
#
If ($WriteEventLogEntry -ne 'No') {
    if ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD Logs 5 Days executed by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD/Get-Log-MD_Logs_6_Days.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-LOG-MD_Logs_6_Days.ps1 harvests 6 days of log events that LOG-MD
determines as security relevant.

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD - LOTS of them

This script does depend on IMF Security's LOG-MD-Pro.exe, which is not
packaged with ARTHIR. You will have to purchase and download it from LOG-MD.com and
drop it in the .\Modules\bin\ directory. When you run ARTHIR.ps1, if you
add the -Pushbin switch at the command line, ARTHIR.ps1 will attempt to
copy the LOG-MD-Pro.exe binary to each remote target's ADMIN$ share (C:\Windows)
and then move it to the directory specified with $ARTHIR_Dir.

If you want to remove the binary and/or reports from remote systems after it has run,
use the cleanup module(s) or specify with the $DeleteReports and $DeleteAll variables.

Adjust the variables to what you want to do with each item:
$ARTHIR_Dir          Set to the directory where you want the tool to be stored
$ARTHIR_OutputDir    Set to the directory where you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName   What to name the report. Match this to DOWNLOAD
$RenameReports       Yes/No - Rename the reports to include the system name or what you specify with the $SysName variable
$SysName             What you want each report to be prepended with, such as "computername"
$WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
$EventSource         The name of the source the event will be written under in the Application log (default is ARTHIR)
$Event_ID            What event ID to use in the log entry

BINDEP               The name of the binary/file you want to push to the remote systems
DOWNLOAD             The name of the report you will copy back to the host or launching system; wildcards are acceptable

.NOTES
The BINDEP and DOWNLOAD directives are needed by ARTHIR.ps1 to determine where to find
the binary to be used and how to handle output from this script.
Use the wildcard * to capture the system name in the report.
- Example: C:\Program Files\LMD\Results\*Report_AutoRuns*

BINDEP .\Modules\bin\Log-MD.exe
DOWNLOAD C:\Program Files\LMD\Results\*Report_*
#>
$Tool_Name = "LOG-MD.exe"
$ARTHIR_Dir = "C:\Program Files\LMD"
$ARTHIR_OutputDir = "C:\Program Files\LMD\Results"
$ARTHIR_ReportName = "Report_*.csv"
$RenameReports = "Yes"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Move uploaded tool to the destination directory from \Windows
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Run LOG-MD
#
if (Test-Path "$ARTHIR_Dir\$Tool_Name") {
    Set-Location -Path $ARTHIR_Dir
    & "$ARTHIR_Dir\$Tool_Name" -6
} else {
    Write-Error "$Tool_Name not found in $ARTHIR_Dir."
    Exit
}
#
# Check for output to exist
#
if (Test-Path "$ARTHIR_OutputDir\$ARTHIR_ReportName") {
    Write-Output "LOG-MD Created $ARTHIR_ReportName"
} else {
    Write-Error "LOG-MD failed to create $ARTHIR_ReportName"
}
#
# Rename files with $SysName
#
If ($RenameReports -eq 'No') {
    Write-Output "Reports not being renamed"
}
else {
    Remove-Item -Path "$ARTHIR_OutputDir\$SysName-Report*" -Force
    Move-Item -Path Report* -Destination $ARTHIR_OutputDir
    Get-ChildItem "$ARTHIR_OutputDir\Report_*" | Rename-Item -NewName { $_.Name -Replace 'Report_',"$SysName-Report_" }
    Rename-Item "$ARTHIR_OutputDir\_Report_List.txt" -NewName "$SysName-Report_List.txt"
    Rename-Item "$ARTHIR_OutputDir\Report.csv" -NewName "$SysName-Report.csv"
}
#
# Write log entry (register the event source first if it does not exist yet)
#
If ($WriteEventLogEntry -ne 'No') {
    if ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD Logs 6 Days executed by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD/Get-Log-MD_Logs_7_Days.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-LOG-MD_Logs_7_Days.ps1 harvests 7 days of log events that LOG-MD
determines as security relevant.

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD - LOTS of them

This script does depend on IMF Security's LOG-MD-Pro.exe, which is not
packaged with ARTHIR. You will have to purchase and download it from LOG-MD.com and
drop it in the .\Modules\bin\ directory. When you run ARTHIR.ps1, if you
add the -Pushbin switch at the command line, ARTHIR.ps1 will attempt to
copy the LOG-MD-Pro.exe binary to each remote target's ADMIN$ share (C:\Windows)
and then move it to the directory specified with $ARTHIR_Dir.

If you want to remove the binary and/or reports from remote systems after it has run,
use the cleanup module(s) or specify with the $DeleteReports and $DeleteAll variables.

Adjust the variables to what you want to do with each item:
$ARTHIR_Dir          Set to the directory where you want the tool to be stored
$ARTHIR_OutputDir    Set to the directory where you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName   What to name the report. Match this to DOWNLOAD
$RenameReports       Yes/No - Rename the reports to include the system name or what you specify with the $SysName variable
$SysName             What you want each report to be prepended with, such as "computername"
$WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
$EventSource         The name of the source the event will be written under in the Application log (default is ARTHIR)
$Event_ID            What event ID to use in the log entry

BINDEP               The name of the binary/file you want to push to the remote systems
DOWNLOAD             The name of the report you will copy back to the host or launching system; wildcards are acceptable

.NOTES
The BINDEP and DOWNLOAD directives are needed by ARTHIR.ps1 to determine where to find
the binary to be used and how to handle output from this script.
Use the wildcard * to capture the system name in the report.
- Example: C:\Program Files\LMD\Results\*Report_AutoRuns*

BINDEP .\Modules\bin\Log-MD.exe
DOWNLOAD C:\Program Files\LMD\Results\*Report_*
#>
$Tool_Name = "LOG-MD.exe"
$ARTHIR_Dir = "C:\Program Files\LMD"
$ARTHIR_OutputDir = "C:\Program Files\LMD\Results"
$ARTHIR_ReportName = "Report_*.csv"
$RenameReports = "Yes"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Move uploaded tool to the destination directory from \Windows
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Run LOG-MD
#
if (Test-Path "$ARTHIR_Dir\$Tool_Name") {
    Set-Location -Path $ARTHIR_Dir
    & "$ARTHIR_Dir\$Tool_Name" -7
} else {
    Write-Error "$Tool_Name not found in $ARTHIR_Dir."
    Exit
}
#
# Check for output to exist
#
if (Test-Path "$ARTHIR_OutputDir\$ARTHIR_ReportName") {
    Write-Output "LOG-MD Created $ARTHIR_ReportName"
} else {
    Write-Error "LOG-MD failed to create $ARTHIR_ReportName"
}
#
# Rename files with $SysName
#
If ($RenameReports -eq 'No') {
    Write-Output "Reports not being renamed"
}
else {
    Remove-Item -Path "$ARTHIR_OutputDir\$SysName-Report*" -Force
    Move-Item -Path Report* -Destination $ARTHIR_OutputDir
    Get-ChildItem "$ARTHIR_OutputDir\Report_*" | Rename-Item -NewName { $_.Name -Replace 'Report_',"$SysName-Report_" }
    Rename-Item "$ARTHIR_OutputDir\_Report_List.txt" -NewName "$SysName-Report_List.txt"
    Rename-Item "$ARTHIR_OutputDir\Report.csv" -NewName "$SysName-Report.csv"
}
#
# Write log entry (register the event source first if it does not exist yet)
#
If ($WriteEventLogEntry -ne 'No') {
    if ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD Logs 7 Days executed by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD/Get-Log-MD_Logs_1_Day.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-LOG-MD_Logs_1_Day.ps1 harvests 1 day of log events that LOG-MD
determines as security relevant.

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD - LOTS of them

This script does depend on IMF Security's LOG-MD-Pro.exe, which is not
packaged with ARTHIR. You will have to purchase and download it from LOG-MD.com and
drop it in the .\Modules\bin\ directory. When you run ARTHIR.ps1, if you
add the -Pushbin switch at the command line, ARTHIR.ps1 will attempt to
copy the LOG-MD-Pro.exe binary to each remote target's ADMIN$ share (C:\Windows)
and then move it to the directory specified with $ARTHIR_Dir.

If you want to remove the binary and/or reports from remote systems after it has run,
use the cleanup module(s) or specify with the $DeleteReports and $DeleteAll variables.

Adjust the variables to what you want to do with each item:
$ARTHIR_Dir          Set to the directory where you want the tool to be stored
$ARTHIR_OutputDir    Set to the directory where you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName   What to name the report. Match this to DOWNLOAD
$RenameReports       Yes/No - Rename the reports to include the system name or what you specify with the $SysName variable
$SysName             What you want each report to be prepended with, such as "computername"
$WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
$EventSource         The name of the source the event will be written under in the Application log (default is ARTHIR)
$Event_ID            What event ID to use in the log entry

BINDEP               The name of the binary/file you want to push to the remote systems
DOWNLOAD             The name of the report you will copy back to the host or launching system; wildcards are acceptable

.NOTES
The BINDEP and DOWNLOAD directives are needed by ARTHIR.ps1 to determine where to find
the binary to be used and how to handle output from this script.
Use the wildcard * to capture the system name in the report.
- Example: C:\Program Files\LMD\Results\*Report_AutoRuns*

BINDEP .\Modules\bin\Log-MD.exe
DOWNLOAD C:\Program Files\LMD\Results\*Report_*
#>
$Tool_Name = "LOG-MD.exe"
$ARTHIR_Dir = "C:\Program Files\LMD"
$ARTHIR_OutputDir = "C:\Program Files\LMD\Results"
$ARTHIR_ReportName = "Report_*.csv"
$RenameReports = "Yes"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"

#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Move uploaded tool to the destination directory from \Windows
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Run LOG-MD
#
if (Test-Path "$ARTHIR_Dir\$Tool_Name") {
    Set-Location -Path $ARTHIR_Dir
    & "$ARTHIR_Dir\$Tool_Name" -1
} else {
    Write-Error "$Tool_Name not found in $ARTHIR_Dir."
    Exit
}
#
# Check for output to exist
#
if (Test-Path "$ARTHIR_OutputDir\$ARTHIR_ReportName") {
    Write-Output "LOG-MD Created $ARTHIR_ReportName"
} else {
    Write-Error "LOG-MD failed to create $ARTHIR_ReportName"
}
#
# Rename files with $SysName
#
If ($RenameReports -eq 'No') {
    Write-Output "Reports not being renamed"
}
else {
    Remove-Item -Path "$ARTHIR_OutputDir\$SysName-Report*" -Force
    Move-Item -Path Report* -Destination $ARTHIR_OutputDir
    Get-ChildItem "$ARTHIR_OutputDir\Report_*" | Rename-Item -NewName { $_.Name -Replace 'Report_',"$SysName-Report_" }
    Rename-Item "$ARTHIR_OutputDir\_Report_List.txt" -NewName "$SysName-Report_List.txt"
    Rename-Item "$ARTHIR_OutputDir\Report.csv" -NewName "$SysName-Report.csv"
}
#
# Write log entry (register the event source first if it does not exist yet)
#
If ($WriteEventLogEntry -ne 'No') {
    if ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD Logs 1 Day executed by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD/Get-Log-MD_Logs_2_Days.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-LOG-MD_Logs_2_Days.ps1 harvests 2 days of log events that LOG-MD
determines as security relevant.

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD - LOTS of them

This script does depend on IMF Security's LOG-MD-Pro.exe, which is not
packaged with ARTHIR. You will have to purchase and download it from LOG-MD.com and
drop it in the .\Modules\bin\ directory. When you run ARTHIR.ps1, if you
add the -Pushbin switch at the command line, ARTHIR.ps1 will attempt to
copy the LOG-MD-Pro.exe binary to each remote target's ADMIN$ share (C:\Windows)
and then move it to the directory specified with $ARTHIR_Dir.

If you want to remove the binary and/or reports from remote systems after it has run,
use the cleanup module(s) or specify with the $DeleteReports and $DeleteAll variables.

Adjust the variables to what you want to do with each item:
$ARTHIR_Dir          Set to the directory where you want the tool to be stored
$ARTHIR_OutputDir    Set to the directory where you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName   What to name the report. Match this to DOWNLOAD
$RenameReports       Yes/No - Rename the reports to include the system name or what you specify with the $SysName variable
$SysName             What you want each report to be prepended with, such as "computername"
$WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
$EventSource         The name of the source the event will be written under in the Application log (default is ARTHIR)
$Event_ID            What event ID to use in the log entry

BINDEP               The name of the binary/file you want to push to the remote systems
DOWNLOAD             The name of the report you will copy back to the host or launching system; wildcards are acceptable

.NOTES
The BINDEP and DOWNLOAD directives are needed by ARTHIR.ps1 to determine where to find
the binary to be used and how to handle output from this script.
Use the wildcard * to capture the system name in the report.
- Example: C:\Program Files\LMD\Results\*Report_AutoRuns*

BINDEP .\Modules\bin\Log-MD.exe
DOWNLOAD C:\Program Files\LMD\Results\*Report_*
#>
$Tool_Name = "LOG-MD.exe"
$ARTHIR_Dir = "C:\Program Files\LMD"
$ARTHIR_OutputDir = "C:\Program Files\LMD\Results"
$ARTHIR_ReportName = "Report_*.csv"
$RenameReports = "Yes"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"

#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Move uploaded tool to the destination directory from \Windows
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Run LOG-MD
#
if (Test-Path "$ARTHIR_Dir\$Tool_Name") {
    Set-Location -Path $ARTHIR_Dir
    & "$ARTHIR_Dir\$Tool_Name" -2
} else {
    Write-Error "$Tool_Name not found in $ARTHIR_Dir."
    Exit
}
#
# Check for output to exist
#
if (Test-Path "$ARTHIR_OutputDir\$ARTHIR_ReportName") {
    Write-Output "LOG-MD Created $ARTHIR_ReportName"
} else {
    Write-Error "LOG-MD failed to create $ARTHIR_ReportName"
}
#
# Rename files with $SysName
#
If ($RenameReports -eq 'No') {
    Write-Output "Reports not being renamed"
}
else {
    Remove-Item -Path "$ARTHIR_OutputDir\$SysName-Report*" -Force
    Move-Item -Path Report* -Destination $ARTHIR_OutputDir
    Get-ChildItem "$ARTHIR_OutputDir\Report_*" | Rename-Item -NewName { $_.Name -Replace 'Report_',"$SysName-Report_" }
    Rename-Item "$ARTHIR_OutputDir\_Report_List.txt" -NewName "$SysName-Report_List.txt"
    Rename-Item "$ARTHIR_OutputDir\Report.csv" -NewName "$SysName-Report.csv"
}
#
# Write log entry (register the event source first if it does not exist yet)
#
If ($WriteEventLogEntry -ne 'No') {
    if ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD Logs 2 Days executed by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD/Get-Log-MD_Running_Processes.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-LOG-MD_Running_Processes.ps1 returns output from all running processes
and their modules to find malicious or unknown running processes.

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

This script does depend on IMF Security's LOG-MD.exe, which is not
packaged with ARTHIR. You will have to purchase and download it from LOG-MD.com and
drop it in the .\Modules\bin\ directory. When you run ARTHIR.ps1, if you
add the -Pushbin switch at the command line, ARTHIR.ps1 will attempt to
copy the LOG-MD.exe binary to each remote target's ADMIN$ share (C:\Windows)
and then move it to the directory specified with $ARTHIR_Dir.

If you want to remove the binary and/or reports from remote systems after it has run,
use the cleanup module(s) or specify with the $DeleteReports and $DeleteAll variables.

Adjust the variables to what you want to do with each item:
$ARTHIR_Dir          Set to the directory where you want the tool to be stored
$ARTHIR_OutputDir    Set to the directory where you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName   What to name the report. Match this to DOWNLOAD
$RenameReports       Yes/No - Rename the reports to include the system name or what you specify with the $SysName variable
$SysName             What you want each report to be prepended with, such as "computername"
$WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
$EventSource         The name of the source the event will be written under in the Application log (default is ARTHIR)
$Event_ID            What event ID to use in the log entry

BINDEP               The name of the binary/file you want to push to the remote systems
DOWNLOAD             The name of the report you will copy back to the host or launching system; wildcards are acceptable

.NOTES
The BINDEP and DOWNLOAD directives are needed by ARTHIR.ps1 to determine where to find
the binary to be used and how to handle output from this script.
Use the wildcard * to capture the system name in the report.
- Example: C:\Program Files\LMD\Results\*Report_AutoRuns*

BINDEP .\Modules\bin\Log-MD.exe
DOWNLOAD C:\Program Files\LMD\Results\*Report_Process_and_Modules_Running*
#>
$Tool_Name = "LOG-MD.exe"
$ARTHIR_Dir = "C:\Program Files\LMD"
$ARTHIR_OutputDir = "C:\Program Files\LMD\Results"
$ARTHIR_ReportName = "Report_Process_and_Modules_Running.csv"
$RenameReports = "Yes"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Move uploaded tool to the destination directory from \Windows
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Run LOG-MD
#
if (Test-Path "$ARTHIR_Dir\$Tool_Name") {
    Set-Location -Path $ARTHIR_Dir
    & "$ARTHIR_Dir\$Tool_Name" -proc -o $ARTHIR_OutputDir
} else {
    Write-Error "$Tool_Name not found in $ARTHIR_Dir."
    Exit
}
#
# Check for output to exist
#
if (Test-Path "$ARTHIR_OutputDir\$ARTHIR_ReportName") {
    Write-Output "LOG-MD Created $ARTHIR_ReportName"
} else {
    Write-Error "LOG-MD failed to create $ARTHIR_ReportName"
}
#
# Rename files with $SysName
#
If ($RenameReports -eq 'No') {
    Write-Output "Reports not being renamed"
}
else {
    Remove-Item -Path "$ARTHIR_OutputDir\$SysName-Report*" -Force
    Move-Item -Path Report_Process_and_Modules*.csv -Destination $ARTHIR_OutputDir
    Get-ChildItem "$ARTHIR_OutputDir\Report_Process_and_Modules*" | Rename-Item -NewName { $_.Name -Replace 'Report_Process_and_Modules',"$SysName-Report_Process_and_Modules" }
}

#
# Write log entry (register the event source first if it does not exist yet)
#
If ($WriteEventLogEntry -ne 'No') {
    if ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD Running Processes executed by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD/Get-Log-MD_Settings.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-LOG-MD_Settings.ps1 returns output of the LOG-MD configurations from:
- Whitelists_.txt
- Settings_PowerShell.txt

This will help you assess the configuration LOG-MD is using and whether there are any issues
with your settings or whitelists.

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: none

This script does depend on IMF Security's LOG-MD.exe, which is not
packaged with ARTHIR. You will have to purchase and download it from LOG-MD.com and
drop it in the .\Modules\bin\ directory. When you run ARTHIR.ps1, if you
add the -Pushbin switch at the command line, ARTHIR.ps1 will attempt to
copy the LOG-MD.exe binary to each remote target's ADMIN$ share (C:\Windows)
and then move it to the directory specified with $ARTHIR_Dir.

If you want to remove the binary and/or reports from remote systems after it has run,
use the cleanup module(s) or specify with the $DeleteReports and $DeleteAll variables.

Adjust the variables to what you want to do with each item:
$ARTHIR_Dir          Set to the directory where you want the tool to be stored
$ARTHIR_OutputDir    Set to the directory where you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName   What to name the report. Match this to DOWNLOAD
$RenameReports       Yes/No - Rename the reports to include the system name or what you specify with the $SysName variable
$SysName             What you want each report to be prepended with, such as "computername"
$WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
$EventSource         The name of the source the event will be written under in the Application log (default is ARTHIR)
$Event_ID            What event ID to use in the log entry

BINDEP               The name of the binary/file you want to push to the remote systems
DOWNLOAD             The name of the report you will copy back to the host or launching system; wildcards are acceptable

.NOTES
The BINDEP and DOWNLOAD directives are needed by ARTHIR.ps1 to determine where to find
the binary to be used and how to handle output from this script.
Use the wildcard * to capture the system name in the report.
- Example: C:\Program Files\LMD\Results\*Report_AutoRuns*

BINDEP .\Modules\bin\Log-MD.exe
DOWNLOAD C:\Program Files\LMD\Results\*Report_Configuration*
#>
$Tool_Name = "LOG-MD.exe"
$ARTHIR_Dir = "C:\Program Files\LMD"
$ARTHIR_OutputDir = "C:\Program Files\LMD\Results"
$ARTHIR_ReportName = "Report_Configuration.txt"
$RenameReports = "Yes"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Move uploaded tool to the destination directory from \Windows
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Run LOG-MD (the configuration listing goes to stdout, so redirect it into the report file)
#
if (Test-Path "$ARTHIR_Dir\$Tool_Name") {
    Set-Location -Path $ARTHIR_Dir
    & "$ARTHIR_Dir\$Tool_Name" -c > "$ARTHIR_OutputDir\$ARTHIR_ReportName"
} else {
    Write-Error "$Tool_Name not found in $ARTHIR_Dir."
75 | } 76 | # 77 | # Check for output to exist 78 | # 79 | if (Test-Path $ARTHIR_OutputDir\$ARTHIR_ReportName) { 80 | & Write-Output "$Tool_Name Created $ARTHIR_ReportName" } 81 | else { 82 | Write-Error "$Tool_Name failed to create $ARTHIR_ReportName" } 83 | # 84 | # Rename files with $SysName 85 | # 86 | If ($RenameReports -eq 'No') { 87 | Write-Output "Reports not being renamed" 88 | } 89 | else { 90 | Remove-Item -path $ARTHIR_OutputDir\$SysName-Report_Configuration* -force 91 | Move-Item -Path Report_Configuration* -Destination $ARTHIR_OutputDir 92 | Get-ChildItem $ARTHIR_OutputDir\Report_Configuration* | Rename-Item -NewName { $_.name -Replace 'Report_Configuration',"$SysName-Report_Configuration" } 93 | } 94 | 95 | # 96 | # Write log entry 97 | # 98 | If ($WriteEventLogEntry -eq 'No') { 99 | Break 100 | } 101 | elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) { 102 | New-EventLog -LogName Application -Source $EventSource 103 | Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD AutoRuns executed by Arthir' 104 | } 105 | else { 106 | Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD AutoRuns executed by Arthir' 107 | } 108 | -------------------------------------------------------------------------------- /Modules/LOG-MD/Get-Log-MD_Reg_Large_Keys.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Get-LOG-MD_Reg_Large_Keys.ps1 looks for large data within values in a registry keys 4 | to help find malicious registry behavior where scripts and binaries can be stored. 5 | 6 | NOTE: 20k is the default, you can adjust the $RegSize variable based on what you want to look for. 7 | The smaller you go, the more entries there will be. 

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

This script does depend on IMF Security's LOG-MD.exe, which is not
packaged with ARTHIR. You will have to purchase and download it from LOG-MD.com and
drop it in the .\Modules\bin\ directory. When you run ARTHIR.ps1, if you
add the -Pushbin switch at the command line, ARTHIR.ps1 will attempt to
copy the LOG-MD.exe binary to each remote target's ADMIN$ share (C:\Windows)
and then move it to the directory specified with $ARTHIR_Dir.

If you want to remove the binary and/or reports from remote systems after it has run
use the cleanup module(s) or specify with the $DeleteReports and $DeleteAll variables.

Adjust the variables to what you want to do with each item:
$ARTHIR_Dir Set to a directory you want the tool to be stored
$ARTHIR_OutputDir Set to a directory you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName What to name the report. Match this to DOWNLOAD
$RenameReports Yes/No - Rename the reports to include the systemname or what you specify with $SysName variable
$SysName What you want each report to be pre-pended with such as "computername"
$KeySize Value size threshold passed to LOG-MD as -rs (20 = the 20k default)
$WriteEventLogEntry Create an event log entry that this module ran 'Yes' or 'No'
$EventSource The name of the source the event will be written to the Application log (default is ARTHIR)
$Event_ID What event ID to use in the log entry

BINDEP The name of the binary/file you want to push to the remote systems
DOWNLOAD The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The BINDEP and DOWNLOAD directives are needed by ARTHIR.ps1 to determine where to find
the binary to be used and how to handle output from this script.
Use the wildcard * to capture the systemname in the report.
- Example: C:\Program Files\LMD\Results\*Reg_Keys_Large*

BINDEP .\Modules\bin\Log-MD.exe
DOWNLOAD C:\Program Files\LMD\Results\*Reg_Keys_Large*
#>
$Tool_Name = "LOG-MD.exe"
$ARTHIR_Dir = "C:\Program Files\LMD"
$ARTHIR_OutputDir = "C:\Program Files\LMD\Results"
$ARTHIR_ReportName = "Reg_Keys_Large.csv"
$RenameReports = "Yes"
$SysName = $env:computername
$KeySize = 20
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"

#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Move uploaded tool to the destination directory from \Windows
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Run LOG-MD
#
if (Test-Path $ARTHIR_Dir\$Tool_Name) {
    Set-Location -Path $ARTHIR_Dir
    & $ARTHIR_Dir\$Tool_Name -rs $KeySize -o $ARTHIR_OutputDir
} else {
    Write-Error "$Tool_Name not found in $ARTHIR_Dir."
    Exit
}
#
# Check for output to exist (next to the binary, or in the output folder passed with -o)
#
if ((Test-Path $ARTHIR_Dir\$ARTHIR_ReportName) -or (Test-Path $ARTHIR_OutputDir\$ARTHIR_ReportName)) {
    Write-Output "LOG-MD Created $ARTHIR_ReportName"
} else {
    Write-Error "LOG-MD failed to create $ARTHIR_ReportName"
}
#
# Rename files with $SysName
#
If ($RenameReports -eq 'No') {
    Write-Output "Reports not being renamed"
} else {
    # Only clear this module's previous report. A broader "$SysName-Report*" pattern would
    # also delete the AutoRuns, Configuration and other reports waiting in the same folder.
    Remove-Item -Path $ARTHIR_OutputDir\$SysName-Reg_Keys_Large* -Force -ErrorAction SilentlyContinue
    Move-Item -Path Reg_Keys_Large* -Destination $ARTHIR_OutputDir -ErrorAction SilentlyContinue
    Get-ChildItem $ARTHIR_OutputDir\Reg_Keys_Large* | Rename-Item -NewName { $_.Name -Replace 'Reg_Keys_Large',"$SysName-Reg_Keys_Large" }
}
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    return
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD Large Registry Keys executed by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD Large Registry Keys executed by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD/Get-Log-MD_AutoRuns.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-LOG-MD_AutoRuns.ps1 returns output from AutoRuns (ASEP)
compared to the MasterDigest to find malicious or unknown autoruns.
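Once ARTHIR has copied each host's renamed AutoRuns report back to the launching system, the useful question is which entries are rare across the fleet. The following is an added example, not code from ARTHIR or LOG-MD: it stacks every `<HOSTNAME>-Report_AutoRuns*.csv` in a folder (the naming this module produces when $RenameReports is "Yes") and returns the entries seen on no more than -MaxHosts hosts. The column names "Image Path" and "MD5" are assumptions, since the page does not show LOG-MD's CSV layout; pass -KeyColumns to match your reports. The sample CSVs at the bottom are constructed for the demo.

```powershell
# Added example (not part of ARTHIR or LOG-MD): least-frequency stacking of the
# per-host AutoRuns reports harvested by ARTHIR.
# ASSUMPTIONS: reports are named "<HOSTNAME>-Report_AutoRuns*.csv" and contain the
# columns named in -KeyColumns (defaults "Image Path" and "MD5" are hypothetical).

function Get-RareAutoRuns {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ReportDir,
        [string[]] $KeyColumns = @('Image Path', 'MD5'),
        [int] $MaxHosts = 1
    )
    $rows = foreach ($file in Get-ChildItem -Path $ReportDir -Filter '*-Report_AutoRuns*.csv') {
        # The host name is the prefix this module prepends when it renames the report
        $hostName = $file.Name -replace '-Report_AutoRuns.*$', ''
        foreach ($r in Import-Csv -Path $file.FullName) {
            $key = ($KeyColumns | ForEach-Object { $r.$_ }) -join '|'
            [pscustomobject]@{ Host = $hostName; Key = $key }
        }
    }
    $total = @($rows | Select-Object -ExpandProperty Host -Unique).Count
    $rows | Group-Object -Property Key | ForEach-Object {
        $hosts = @($_.Group | Select-Object -ExpandProperty Host -Unique)
        if ($hosts.Count -le $MaxHosts) {
            [pscustomobject]@{
                Key       = $_.Name
                HostCount = $hosts.Count
                OfHosts   = $total
                Hosts     = ($hosts -join ',')
            }
        }
    } | Sort-Object HostCount, Key
}

# Constructed sample reports for three hosts (demo data, not real LOG-MD output)
$demo = Join-Path $env:TEMP 'arthir-stack-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$common = @(
    '"Image Path","MD5"'
    '"C:\Windows\System32\svchost.exe","aaaa"'
    '"C:\Program Files\Agent\agent.exe","bbbb"'
)
Set-Content -Path (Join-Path $demo 'HOST01-Report_AutoRuns.csv') -Value $common
Set-Content -Path (Join-Path $demo 'HOST02-Report_AutoRuns.csv') -Value $common
Set-Content -Path (Join-Path $demo 'HOST03-Report_AutoRuns.csv') -Value ($common + '"C:\Users\bob\AppData\Roaming\updater.exe","cccc"')

Get-RareAutoRuns -ReportDir $demo -MaxHosts 1 | Format-Table -AutoSize
```

With the demo data the only row returned is the updater.exe entry, present on 1 of 3 hosts (HOST03); the two entries common to every host are suppressed. Run it against the real harvest folder with -MaxHosts raised to a few percent of the fleet.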

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: T1015 (Accessibility Features), T1182 (AppCert Dlls), T1103 (AppInit Dlls)
T1131 (Auth Package), T1122 (COM Hijack), T1183 (Image File Exec Options injection)
T1177 (Lsass Driver), T1031 (Modify Existing Service), T1050 (New Service),
T1013 (Port Monitors), T1060 (Reg Run/Startup folder), T1053 (Schedule Task),
T1084 (WMI Event Subscription)
ATT&CK TechID Grouping ID: TGxxxxx

This script does depend on IMF Security's LOG-MD.exe, which is not
packaged with ARTHIR. You will have to purchase and download it from LOG-MD.com and
drop it in the .\Modules\bin\ directory. When you run ARTHIR.ps1, if you
add the -Pushbin switch at the command line, ARTHIR.ps1 will attempt to
copy the LOG-MD.exe binary to each remote target's ADMIN$ share (C:\Windows)
and then move it to the directory specified with $ARTHIR_Dir.

If you want to remove the binary and/or reports from remote systems after it has run
use the cleanup module(s) or specify with the $DeleteReports and $DeleteAll variables.

Adjust the variables to what you want to do with each item:
$ARTHIR_Dir Set to a directory you want the tool to be stored
$ARTHIR_OutputDir Set to a directory you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName What to name the report. Match this to DOWNLOAD
$RenameReports Yes/No - Rename the reports to include the systemname or what you specify with $SysName variable
$SysName What you want each report to be pre-pended with such as "computername"
$WriteEventLogEntry Create an event log entry that this module ran 'Yes' or 'No'
$EventSource The name of the source the event will be written to the Application log (default is ARTHIR)
$Event_ID What event ID to use in the log entry

BINDEP The name of the binary/file you want to push to the remote systems
DOWNLOAD The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The BINDEP and DOWNLOAD directives are needed by ARTHIR.ps1 to determine where to find
the binary to be used and how to handle output from this script.
Use the wildcard * to capture the systemname in the report.
- Example: C:\Program Files\LMD\Results\*Report_AutoRuns*

BINDEP .\Modules\bin\Log-MD.exe
DOWNLOAD C:\Program Files\LMD\Results\*Report_AutoRuns*
#>
$Tool_Name = "LOG-MD.exe"
$ARTHIR_Dir = "C:\Program Files\LMD"
$ARTHIR_OutputDir = "C:\Program Files\LMD\Results"
$ARTHIR_ReportName = "Report_AutoRuns.csv"
$RenameReports = "Yes"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"

#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Move uploaded tool to the destination directory from \Windows
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Run LOG-MD
#
if (Test-Path $ARTHIR_Dir\$Tool_Name) {
    Set-Location -Path $ARTHIR_Dir
    & $ARTHIR_Dir\$Tool_Name -ar
} else {
    Write-Error "$Tool_Name not found in $ARTHIR_Dir."
    Exit
}
#
# Check for output to exist (the AutoRuns CSV is written next to the binary)
#
if (Test-Path $ARTHIR_Dir\$ARTHIR_ReportName) {
    Write-Output "$Tool_Name Created $ARTHIR_ReportName"
} else {
    Write-Error "$Tool_Name failed to create $ARTHIR_ReportName"
}
#
# Rename files with $SysName
#
If ($RenameReports -eq 'No') {
    Write-Output "Reports not being renamed"
} else {
    Remove-Item -Path $ARTHIR_OutputDir\$SysName-Report_AutoRuns* -Force -ErrorAction SilentlyContinue
    Move-Item -Path Report_AutoRuns*.csv -Destination $ARTHIR_OutputDir
    Get-ChildItem $ARTHIR_OutputDir\Report_AutoRuns* | Rename-Item -NewName { $_.Name -Replace 'Report_AutoRuns',"$SysName-Report_AutoRuns" }
}
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    return
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD AutoRuns executed by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD AutoRuns executed by Arthir'
}
--------------------------------------------------------------------------------
/Modules/Sysinternals/Get-SigCheck64.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Sigcheck64.ps1 - This tool looks at details of files. Run Sigcheck64 /? for all
features. Note that Sigcheck cannot create CSV output when -i is used.

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

Adjust the variables to what you want to do with each item:
$Tool_Name Name of the binary utility used
$Check_Folder Folder (wildcards allowed) that Sigcheck scans recursively
$ARTHIR_Dir Set to a directory you want the tool to be stored
$ARTHIR_OutputDir Set to a directory you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName What to name the report used for error checking. Match this to DOWNLOAD
$RenameReports Yes/No - Rename the reports to include the systemname or what you specify with $SysName variable
$SysName What you want each report to be pre-pended with such as "computername"
$WriteEventLogEntry Create an event log entry that this module ran 'Yes' or 'No'
$EventSource The name of the source the event will be written to the Application log (default is ARTHIR)
$Event_ID What event ID to use in the log entry

BINDEP The name of the binary/file you want to push to the remote systems
DOWNLOAD The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The BINDEP and DOWNLOAD directives are needed by ARTHIR.ps1 to determine where to find
the binary to be used and how to handle output from this script.
Use the wildcard * to capture the systemname in the report.
- Example: .\Modules\bin\Sigcheck64.exe
- Example: C:\Program Files\ARTHIR\*Report_Sigcheck*

BINDEP .\Modules\bin\SigCheck64.exe
DOWNLOAD C:\Program Files\ARTHIR\*Report_Sigcheck*
#>
$Tool_Name = "Sigcheck64.exe"
$Check_Folder = "c:\users\*.*"
$ARTHIR_Dir = "C:\Program Files\ARTHIR"
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR"
$ARTHIR_ReportName = "Report_Sigcheck.txt"
$RenameReports = "Yes"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it. This has to come first: the status
# file below is written into $ARTHIR_OutputDir.
#
if (Test-Path $ARTHIR_OutputDir) {
    $DirStatus = "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory | Out-Null
    $DirStatus = "$ARTHIR_OutputDir created"
}
#
# Remove existing report and start a fresh status file
#
Remove-Item -Path $ARTHIR_OutputDir\$SysName-Report_Sigcheck* -Force -ErrorAction SilentlyContinue | Out-Null
Write-Output "Running Sigcheck" | Out-File -FilePath $ARTHIR_OutputDir\$SysName-Report_Sigcheck_Status.txt
Write-Output $DirStatus | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-Report_Sigcheck_Status.txt
#
# Move uploaded tool to the destination directory from \Windows
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Check and run Sigcheck. -w writes the report to a full path so the module still works
# when $ARTHIR_OutputDir is not the same folder as $ARTHIR_Dir.
#
if (Test-Path $ARTHIR_Dir\$Tool_Name) {
    Set-Location -Path $ARTHIR_Dir
    & .\$Tool_Name /accepteula -nobanner -a -e -i -h -s -w "$ARTHIR_OutputDir\$ARTHIR_ReportName" $Check_Folder | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-Report_Sigcheck_Status.txt
} else {
    Write-Error "$Tool_Name not found in $ARTHIR_Dir."
    Exit
}
#
# Check for output to exist. Sigcheck runs synchronously, so the report is either there
# or it is not; wait a short, bounded time for the file to appear rather than looping forever.
#
Write-Output "Waiting for Sigcheck report to be created..." | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-Report_Sigcheck_Status.txt
$Waited = 0
while (!(Test-Path $ARTHIR_OutputDir\$ARTHIR_ReportName) -and $Waited -lt 60) {
    Start-Sleep -s 10
    $Waited += 10
}
if (!(Test-Path $ARTHIR_OutputDir\$ARTHIR_ReportName)) {
    Write-Output "$Tool_Name failed to create $ARTHIR_ReportName" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-Report_Sigcheck_Status.txt
    Write-Error "$Tool_Name failed to create $ARTHIR_ReportName"
    Exit
}
#
# Wait 5 seconds to allow closing of files
#
Start-Sleep -s 5
#
# Rename files with $SysName
#
If ($RenameReports -eq 'No') {
    Write-Output "Reports not being renamed" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-Report_Sigcheck_Status.txt
} else {
    Rename-Item -Path $ARTHIR_OutputDir\$ARTHIR_ReportName -NewName "$SysName-$ARTHIR_ReportName"
}
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    return
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Sigcheck executed by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Sigcheck executed by Arthir'
}
Write-Output "Running Sigcheck complete" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-Report_Sigcheck_Status.txt
--------------------------------------------------------------------------------
/Modules/Kansa_Legacy/Log/Get-AppCompatCache.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-AppCompatCache.ps1 - This tool looks at Application Compatibility Cache details using
Eric Zimmerman's AppCompatCacheParser utility available at:
- https://github.com/EricZimmerman/AppCompatCacheParser/releases

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs:
TBD

Adjust the variables to what you want to do with each item:
$Tool_Name Name of the binary utility used
$ARTHIR_Dir Set to a directory you want the tool to be stored
$ARTHIR_OutputDir Set to a directory you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName Wildcard that matches the CSV the parser writes, used for error checking. Match this to DOWNLOAD
$RenameReports Yes/No - Rename the reports to include the systemname or what you specify with $SysName variable
$SysName What you want each report to be pre-pended with such as "computername"
$WriteEventLogEntry Create an event log entry that this module ran 'Yes' or 'No'
$EventSource The name of the source the event will be written to the Application log (default is ARTHIR)
$Event_ID What event ID to use in the log entry

BINDEP The name of the binary/file you want to push to the remote systems
DOWNLOAD The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The BINDEP and DOWNLOAD directives are needed by ARTHIR.ps1 to determine where to find
the binary to be used and how to handle output from this script.
Use the wildcard * to capture the systemname in the report.
- Example: .\Modules\bin\AppCompatCacheParser.exe
- Example: C:\Program Files\ARTHIR\*Report_AppCompatCache*

BINDEP .\Modules\bin\AppCompatCacheParser.exe
DOWNLOAD C:\Program Files\ARTHIR\*Report_AppCompatCache*
#>
$Tool_Name = "AppCompatCacheParser.exe"
$ARTHIR_Dir = "C:\Program Files\ARTHIR"
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR"
$ARTHIR_ReportName = "*_AppCompatCache.csv"
$RenameReports = "Yes"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it. This has to come first: the status
# file below is written into $ARTHIR_OutputDir.
#
if (Test-Path $ARTHIR_OutputDir) {
    $DirStatus = "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory | Out-Null
    $DirStatus = "$ARTHIR_OutputDir created"
}
#
# Remove existing report and start a fresh status file
#
Remove-Item -Path $ARTHIR_OutputDir\$SysName-Report_AppCompatCache* -Force -ErrorAction SilentlyContinue | Out-Null
Write-Output "Running AppCompatCacheParser" | Out-File -FilePath $ARTHIR_OutputDir\$SysName-Report_AppCompatCache_Status.txt
Write-Output $DirStatus | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-Report_AppCompatCache_Status.txt
#
# Move uploaded tool to the destination directory from \Windows
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Check and run AppCompatCacheParser
#
if (Test-Path $ARTHIR_Dir\$Tool_Name) {
    Set-Location -Path $ARTHIR_Dir
    & .\$Tool_Name -t --csv $ARTHIR_OutputDir | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-Report_AppCompatCache_Status.txt
} else {
    Write-Error "$Tool_Name not found in $ARTHIR_Dir."
    Exit
}
#
# Check for output to exist. The parser runs synchronously, so wait a short, bounded
# time for the CSV rather than looping forever if it failed to write one.
#
Write-Output "Waiting for AppCompatCache report to be created..." | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-Report_AppCompatCache_Status.txt
$Waited = 0
while (!(Test-Path $ARTHIR_OutputDir\$ARTHIR_ReportName) -and $Waited -lt 60) {
    Start-Sleep -s 10
    $Waited += 10
}
if (!(Test-Path $ARTHIR_OutputDir\$ARTHIR_ReportName)) {
    Write-Output "$Tool_Name failed to create $ARTHIR_ReportName" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-Report_AppCompatCache_Status.txt
    Write-Error "$Tool_Name failed to create $ARTHIR_ReportName"
    Exit
}
#
# Wait 5 seconds to allow closing of files
#
Start-Sleep -s 5
#
# Rename files with $SysName. The parser prefixes its CSV with a timestamp, so several
# may exist from earlier runs; copy only the newest one to the name DOWNLOAD expects.
#
If ($RenameReports -eq 'No') {
    Write-Output "Reports not being renamed" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-Report_AppCompatCache_Status.txt
} else {
    $Compat_Report = Get-ChildItem -Path $ARTHIR_OutputDir\$ARTHIR_ReportName | Sort-Object LastWriteTime | Select-Object -Last 1
    Copy-Item -Path $Compat_Report.FullName -Destination $ARTHIR_OutputDir\$SysName-Report_AppCompatCache.csv -Force
}
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    return
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'AppCompatCache executed by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'AppCompatCache executed by Arthir'
}
Write-Output "Running AppCompatCacheParser complete" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-Report_AppCompatCache_Status.txt
--------------------------------------------------------------------------------
/Modules/LOG-MD/Get-Log-MD_Settings_Audit.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-LOG-MD_Settings_Audit.ps1 returns output from the Windows Advanced Audit Policy check.
It checks for a PASS or FAIL condition.

This will help you assess the Advanced Audit Policy settings on the system you
run this module on.
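This module relies on LOG-MD to grade the Advanced Audit Policy and only looks for its "Score = PASS" line. The following is an added example, not code from ARTHIR or LOG-MD, and it uses a different technique: it grades the policy natively from the CSV that `auditpol /get /category:* /r` prints, so the same PASS/FAIL idea can be checked without the binary. The required subcategories in -Required are an illustrative subset chosen here; the full list belongs to the Windows Logging Cheat Sheet shipped in .\ATT&CK\. The sample lines at the bottom are constructed in auditpol's /r format, not captured from a real host.

```powershell
# Added example (not part of ARTHIR or LOG-MD): PASS/FAIL grading of the Advanced
# Audit Policy from "auditpol /get /category:* /r" output.
# ASSUMPTION: the default -Required table is an illustrative subset, not a full baseline.

function Test-AuditPolicy {
    [CmdletBinding()]
    param(
        # Lines in the format produced by: auditpol /get /category:* /r
        [Parameter(Mandatory)] [string[]] $AuditPolCsv,
        # Subcategory -> required Inclusion Setting
        [hashtable] $Required = @{
            'Process Creation'          = 'Success'
            'Logon'                     = 'Success and Failure'
            'Logoff'                    = 'Success'
            'Security Group Management' = 'Success'
            'Audit Policy Change'       = 'Success and Failure'
            'Special Logon'             = 'Success'
        }
    )
    # /r columns: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $policy = @{}
    foreach ($row in ($AuditPolCsv | Where-Object { $_.Trim() } | ConvertFrom-Csv)) {
        $policy[$row.Subcategory] = $row.'Inclusion Setting'
    }
    $failures = foreach ($sub in ($Required.Keys | Sort-Object)) {
        $actual = if ($policy.ContainsKey($sub)) { $policy[$sub] } else { 'Not Present' }
        # "Success and Failure" satisfies a requirement for either half on its own
        $ok = ($actual -eq $Required[$sub]) -or
              ($actual -eq 'Success and Failure' -and ($Required[$sub] -in @('Success', 'Failure')))
        if (-not $ok) {
            [pscustomobject]@{ Subcategory = $sub; Required = $Required[$sub]; Actual = $actual }
        }
    }
    [pscustomobject]@{
        Score    = if ($failures) { 'FAIL' } else { 'PASS' }
        Failures = @($failures)
    }
}

# Constructed sample in auditpol /r format (demo data, not output from a real system)
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'HOST01,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},Success and Failure,'
    'HOST01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,'
    'HOST01,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success,'
    'HOST01,System,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},No Auditing,'
    'HOST01,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},Success,'
    'HOST01,System,Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030},Success,'
)
$result = Test-AuditPolicy -AuditPolCsv $sample
"Score = $($result.Score)"
$result.Failures | Format-Table -AutoSize

# Live check of the local system (elevated prompt required):
# Test-AuditPolicy -AuditPolCsv (auditpol /get /category:* /r)
```

The sample grades FAIL with two findings: Security Group Management is not audited at all, and Audit Policy Change only logs Success where both halves are required. Everything else passes because "Success and Failure" covers a "Success" requirement.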

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

This script does depend on IMF Security's LOG-MD.exe, which is not
packaged with ARTHIR. You will have to purchase and download it from LOG-MD.com and
drop it in the .\Modules\bin\ directory. When you run ARTHIR.ps1, if you
add the -Pushbin switch at the command line, ARTHIR.ps1 will attempt to
copy the LOG-MD.exe binary to each remote target's ADMIN$ share (C:\Windows)
and then move it to the directory specified with $ARTHIR_Dir.

If you want to remove the binary and/or reports from remote systems after it has run
use the cleanup module(s) or specify with the $DeleteReports and $DeleteAll variables.

Adjust the variables to what you want to do with each item:
$ARTHIR_Dir Set to a directory you want the tool to be stored
$ARTHIR_OutputDir Set to a directory you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName What to name the report. Match this to DOWNLOAD
$RenameReports Yes/No - Rename the reports to include the systemname or what you specify with $SysName variable
$DeletePassReport Yes/No - Delete the report when the system scored PASS, so only failing systems are harvested
$TextString The line LOG-MD writes when the system passed (default "Score = PASS")
$SysName What you want each report to be pre-pended with such as "computername"
$WriteEventLogEntry Create an event log entry that this module ran 'Yes' or 'No'
$EventSource The name of the source the event will be written to the Application log (default is ARTHIR)
$Event_ID What event ID to use in the log entry

BINDEP The name of the binary/file you want to push to the remote systems
DOWNLOAD The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The BINDEP and DOWNLOAD directives are needed by ARTHIR.ps1 to determine where to find
the binary to be used and how to handle output from this script.
Use the wildcard * to capture the systemname in the report.
- Example: C:\Program Files\LMD\Results\*Report_Audit_Score*

BINDEP and $Tool_Name must name the same file: ARTHIR pushes the BINDEP file to ADMIN$
and this script then moves $Tool_Name out of \Windows.

BINDEP .\Modules\bin\Log-MD.exe
DOWNLOAD C:\Program Files\LMD\Results\*Report_Audit_Score*
#>
$Tool_Name = "LOG-MD.exe"
$ARTHIR_Dir = "C:\Program Files\LMD"
$ARTHIR_OutputDir = "C:\Program Files\LMD\Results"
$ARTHIR_ReportName = "Report_Audit_Score.txt"
$RenameReports = "Yes"
$DeletePassReport = "No"
$TextString = "Score = PASS"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"

#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Move uploaded tool to the destination directory from \Windows
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Run LOG-MD
#
if (Test-Path $ARTHIR_Dir\$Tool_Name) {
    Set-Location -Path $ARTHIR_Dir
    & $ARTHIR_Dir\$Tool_Name -a > $ARTHIR_OutputDir\$ARTHIR_ReportName
} else {
    Write-Error "$Tool_Name not found in $ARTHIR_Dir."
    Exit
}
#
# Report PASS or FAIL. Only when the system passed AND $DeletePassReport is Yes is the
# report removed, so that only failing systems are harvested.
#
$Passed = [bool](Select-String -Path $ARTHIR_OutputDir\$ARTHIR_ReportName -Pattern $TextString -SimpleMatch -Quiet -ErrorAction SilentlyContinue)
if ($Passed) {
    Write-Output "You passed your Advanced Audit Policy Check"
    If ($DeletePassReport -eq 'Yes') {
        Remove-Item -Path $ARTHIR_OutputDir\$ARTHIR_ReportName -Force
    }
} else {
    Write-Output "You did not pass your Advanced Audit Policy Check"
}
#
# Check for output to exist
#
if (Test-Path $ARTHIR_OutputDir\$ARTHIR_ReportName) {
    Write-Output "$Tool_Name Created $ARTHIR_ReportName"
} else {
    Write-Output "No report to harvest: either the system passed and `$DeletePassReport is Yes, or $Tool_Name failed to create $ARTHIR_ReportName"
}
#
# Rename files with $SysName
#
If ($RenameReports -eq 'No') {
    Write-Output "Reports not being renamed"
} else {
    Remove-Item -Path $ARTHIR_OutputDir\$SysName-Report_Audit_Score* -Force -ErrorAction SilentlyContinue
    Get-ChildItem $ARTHIR_OutputDir\Report_Audit_Score.txt* -ErrorAction SilentlyContinue | Rename-Item -NewName { $_.Name -Replace 'Report_Audit_Score',"$SysName-Report_Audit_Score" }
}

#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    return
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD Audit Score executed by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'LOG-MD Audit Score executed by Arthir'
}
--------------------------------------------------------------------------------
/Modules/Templates/Get-Task-Template-Daily.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Task-Template-Daily.ps1 This template creates a Daily task.
- Runs Whatever.exe and places output in $ARTHIR_OutputDir

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

Scheduled Task:
---------------
This module will create a schedule task at the date and time you want it to begin
and then once each day at that time it will run, placing the Report files into the
output folder you specify below.

CLEANUP:
--------
Use a cleanup module "Get-Whatever_Cleanup_Tasks_All.ps1" to remove all
the scheduled tasks that you specify in that module.
MITRE ATT&CK Technique IDs: none

Adjust the variables to what you want to do with each item:
$Tool_Name Name of the tool that you will use
$ARTHIR_Dir Directory the tool is stored in and runs from (use the 8.3 form if the path contains spaces)
$ARTHIR_OutputDir Set to a directory you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName What to name the report. Match this to DOWNLOAD
$TaskName Name of the Task
$TaskDescr Description of the Scheduled Task
$TaskStartTime When you want the task to start ("2018-03-03T14:55:00")
$WriteEventLogEntry Create an event log entry that this module ran 'Yes' or 'No'
$EventSource The name of the source the event will be written to the Application log (default is ARTHIR)
$Event_ID What event ID to use in the log entry

.NOTES
The following lines are required by ARTHIR.ps1. They are directives that
tell ARTHIR how to treat the output of this script and where to find the
binary that this script depends on.

BINDEP .\Modules\bin\Whatever.exe
DOWNLOAD C:\Program Files\Wherever\Results\*Report_Task_Created.txt
#>
# You must use the 8.3 directory name for $ARTHIR_Dir and $ARTHIR_OutputDir in a Scheduled Task if you use a folder with a space in it
#
# Edit the following variables to match what names and locations you want to use to store the tool
#
# Tool Name
$Tool_Name = "Whatever.exe"
# Where the tool resides
$ARTHIR_Dir = "C:\Progra~1\Wherever"
# Where the results/reports will be stored
$ARTHIR_OutputDir = "C:\Progra~1\Wherever\Results"
# Name of report that contains task created successfully
$ARTHIR_ReportName = "Report_Task_Created.txt"
# Name of system to add to the report
$SysName = $env:computername
# The name of the scheduled task
$TaskName = "My Kewl Daily Task"
# Description of the scheduled task
$TaskDescr = "Create a Daily Check for Something Task"
# The date and time you want the task to first run; it then runs daily at that time (e.g 2pm or 14:00:00)
$TaskStartTime = "2019-03-03T14:15:00"
# Full path of the tool, so the task does not depend on PATH or the working directory
$TaskCommand = "$ARTHIR_Dir\$Tool_Name"
# The Task Action command argument
$TaskArg = "Tools arguments -o $ARTHIR_OutputDir"
# Write a log entry to Application log
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Remove any existing $TaskName Task (quote the name, it contains spaces)
#
SchTasks.exe /Delete /TN "$TaskName" /F
#
# Create Schedule Task to run Something
#
# attach the Task Scheduler com object
$service = New-Object -ComObject("Schedule.Service")
$service.Connect()
$rootFolder = $service.GetFolder("\")

$TaskDefinition = $service.NewTask(0)
$TaskDefinition.RegistrationInfo.Description = "$TaskDescr"
$TaskDefinition.Settings.Enabled = $true
$TaskDefinition.Settings.AllowDemandStart = $true
# 1 = TASK_RUNLEVEL_HIGHEST
$TaskDefinition.Principal.RunLevel = 1
$TaskDefinition.Settings.ExecutionTimeLimit = 'PT1H'

$triggers = $TaskDefinition.Triggers

# 2 = TASK_TRIGGER_DAILY; Repetition is left unset so the task runs once a day
$trigger = $triggers.Create(2)
#$trigger.Repetition.Interval = 'PT60M'
$trigger.StartBoundary = $TaskStartTime
$trigger.Enabled = $true
$trigger.ExecutionTimeLimit = 'PT1H'

# 0 = TASK_ACTION_EXEC
$Action = $TaskDefinition.Actions.Create(0)
$Action.Path = "$TaskCommand"
$Action.Arguments = "$TaskArg"
$Action.WorkingDirectory = $ARTHIR_Dir

# 6 = TASK_CREATE_OR_UPDATE, 5 = TASK_LOGON_SERVICE_ACCOUNT (the task runs as SYSTEM, so
# $ARTHIR_Dir must not be writable by non-administrators)
$rootFolder.RegisterTaskDefinition("$TaskName",$TaskDefinition,6,"System",$null,5)
#
# Move $Tool_Name to directory
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Printout Task completed
#
Schtasks /query /FO TABLE /TN "$TaskName" | Out-File -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    return
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message "Added Daily Task '$TaskName' by Arthir"
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message "Added Daily Task '$TaskName' by Arthir"
}
--------------------------------------------------------------------------------
/Modules/Templates/Get-Task-Template-Hourly.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Task-Template-Hourly.ps1 This template creates a Daily task that repeats Hourly.
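Both task templates register a task that runs as SYSTEM at the highest run level, and both hard-code an 8.3 path because Task Scheduler arguments with spaces are awkward. The following is an added example, not code from ARTHIR: Get-ShortPath looks the 8.3 name up instead of assuming "Progra~1" (8.3 name generation can be disabled per volume), and Test-ArthirTask reads back what was actually registered and checks whether the directory the executable lives in grants write rights to low-privilege principals, which would let any local user replace the binary that SYSTEM runs at the next trigger. It uses the ScheduledTasks module (Windows 8 / Server 2012 and later) and assumes the template's default task and folder names; the list of low-privilege principals is a reasonable default, not exhaustive.

```powershell
# Added example (not part of ARTHIR): helpers for the scheduled-task templates.
# ASSUMPTIONS: ScheduledTasks module present; task/folder names are the template defaults.

function Get-ShortPath {
    # Resolve the 8.3 form of an existing folder, e.g. C:\PROGRA~1\Wherever\Results
    param([Parameter(Mandatory)] [string] $Path)
    $fso = New-Object -ComObject Scripting.FileSystemObject
    $fso.GetFolder($Path).ShortPath
}

function Test-ArthirTask {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TaskName,
        # Principals that must never hold write rights on a folder SYSTEM executes from
        [string[]] $LowPrivPrincipals = @(
            'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
            'Everyone', 'NT AUTHORITY\INTERACTIVE'
        )
    )
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
    $exe  = $task.Actions[0].Execute
    # A bare file name is resolved from the action's working directory, as the template sets it
    $dir  = if ([IO.Path]::IsPathRooted($exe)) { Split-Path -Parent $exe } else { $task.Actions[0].WorkingDirectory }
    # Normalise an 8.3 path back to its long form before reading the ACL
    $dir  = (Get-Item -LiteralPath $dir).FullName

    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    $weakAces = @((Get-Acl -LiteralPath $dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0) -and
        ($LowPrivPrincipals -contains $_.IdentityReference.Value)
    })

    [pscustomobject]@{
        TaskName      = $task.TaskName
        RunsAs        = $task.Principal.UserId
        RunLevel      = $task.Principal.RunLevel
        Execute       = $exe
        Arguments     = $task.Actions[0].Arguments
        Directory     = $dir
        WritableByLow = ($weakAces.Count -gt 0)
        WeakAces      = @($weakAces | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
    }
}

# Usage, run elevated on a target after the template has registered its task:
#   $ARTHIR_OutputDir = Get-ShortPath 'C:\Program Files\Wherever\Results'
#   Test-ArthirTask -TaskName 'My Kewl Daily Task' | Format-List
```

A result with RunsAs = SYSTEM and WritableByLow = True is the combination to fix before the first trigger fires: either tighten the folder ACL to Administrators and SYSTEM, or move the tool under a directory that already has that ACL. The same check applies to the hourly template, where the window between trigger runs is much shorter.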
4 | - Runs Whatever.exe and places output in $ARTHIR_OutputDir 5 | 6 | Use the following to record the modules applicability to the MITRE ATT&CK Framework 7 | 8 | MITRE ATT&CK Technique IDs: TBD 9 | 10 | Scheduled Task: 11 | --------------- 12 | This module will create a schedule task at the date and time you want it to begin 13 | and then each hour, every day it will run placing the Report files into the 14 | output folder you specify below. 15 | 16 | CLEANUP: 17 | -------- 18 | Use a cleanup module "Get-Whatever_z_Cleanup_Tasks_All.ps1" to remove all 19 | the scheduled tasks that you specify in that module. (LOG-MD has a sample task cleanup) 20 | 21 | MITRE ATT&CK Technique IDs: none 22 | 23 | Adjust the variables to what you want to do with each item: 24 | $Tool_Name Name of the tool that you will use 25 | $ARTHIR_OutputDir Set to a directory you want the results of the modules to be stored for harvesting 26 | $ARTHIR_ReportName What to name the report. Match this to DOWNLOAD 27 | $TaskName Name of the Task 28 | $TaskDescr Description fo the Scheduled Task 29 | $TaskStartTime When you want the task to start ("2018-03-03T14:55:00") 30 | $WriteEventLogEntry Create an event log entry that this module ran 'Yes' or 'No' 31 | $EventSource The name of the source the event will be written to the Application log (default is ARTHIR) 32 | $Event_ID What event ID to use in the log entry 33 | 34 | .NOTES 35 | The following lines are required by ARTHIR.ps1. They are directives that 36 | tell ARTHIR how to treat the output of this script and where to find the 37 | binary that this script depends on. 

BINDEP .\Modules\bin\Whatever.exe
DOWNLOAD C:\Program Files\Wherever\Results\*Report_Task_Created.txt
#>
# You must use the 8.3 directory name for $ARTHIR_Dir and $ARTHIR_OutputDir in a Scheduled Task if the folder name contains a space
#
# Edit the following variables to match what names and locations you want to use to store the tool
#
# Tool Name
$Tool_Name = "Whatever.exe"
# Where the tool resides
$ARTHIR_Dir = "C:\Progra~1\Wherever"
# Where the results/reports will be stored
$ARTHIR_OutputDir = "C:\Progra~1\Wherever\Results"
# Name of report that confirms the task was created successfully
$ARTHIR_ReportName = "Report_Task_Created.txt"
# Name of system to add to the report
$SysName = $env:COMPUTERNAME
# The name of the scheduled task
$TaskName = "My Kewl Task"
# Description of the scheduled task
$TaskDescr = "Create a Hourly Check for Something checks Task"
# The date and time you want the task to start to run each day and hour (e.g. 2 pm or 14:00:00)
$TaskStartTime = "2019-03-03T14:15:00"
# Name of your tool
$TaskCommand = "$Tool_Name"
# The Task Action command argument
$TaskArg = "Whatever arguments you have -o $ARTHIR_OutputDir"

# Write a log entry to Application log
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item -Path $ARTHIR_OutputDir -ItemType Directory
}
#
# Remove any existing $Tool_Name Task
#
SchTasks.exe /Delete /TN $TaskName /F
#
# Create Schedule Task to run Something
#
# attach the Task Scheduler com object
$service = New-Object -ComObject "Schedule.Service"
$service.Connect()
$rootFolder = $service.GetFolder("\")

$TaskDefinition = $service.NewTask(0)
$TaskDefinition.RegistrationInfo.Description = "$TaskDescr"
$TaskDefinition.Settings.Enabled = $true
$TaskDefinition.Settings.AllowDemandStart = $true
# RunLevel 1 = TASK_RUNLEVEL_HIGHEST
$TaskDefinition.Principal.RunLevel = 1
$TaskDefinition.Settings.ExecutionTimeLimit = 'PT1H'

$triggers = $TaskDefinition.Triggers

# Trigger type 2 = TASK_TRIGGER_DAILY
$trigger = $triggers.Create(2)
# Repeat the daily trigger every 60 minutes
$trigger.Repetition.Interval = 'PT60M'
$trigger.StartBoundary = $TaskStartTime
$trigger.Enabled = $true
$trigger.ExecutionTimeLimit = 'PT1H'

# Action type 0 = TASK_ACTION_EXEC
$Action = $TaskDefinition.Actions.Create(0)
$Action.Path = "$TaskCommand"
$Action.Arguments = "$TaskArg"
$Action.WorkingDirectory = $ARTHIR_Dir

# 6 = TASK_CREATE_OR_UPDATE, 5 = TASK_LOGON_SERVICE_ACCOUNT (runs as SYSTEM, no stored password)
$rootFolder.RegisterTaskDefinition("$TaskName", $TaskDefinition, 6, "System", $null, 5)
#
# Move $Tool_Name to directory
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Printout Task completed
#
SchTasks.exe /Query /FO TABLE /TN $TaskName | Out-File -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
#
# Write log entry
#
if ($WriteEventLogEntry -ne 'No') {
    # Write-EventLog fails if the source has never been registered, so create it on first use
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Added Task AutoRuns VT Hourly by Arthir'
}
--------------------------------------------------------------------------------
/Modules/Kansa_Legacy/Disk/Get-Temp_Dir_Listing.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Temp_Dir_Listing.ps1 - This returns a list of files in User Temp directories.

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

Adjust the variables to what you want to do with each item:
$ARTHIR_OutputDir    Set to a directory you want the results of the modules to be stored in for harvesting
$ARTHIR_ReportName   What to name the report used for error checking. Match this to DOWNLOAD
$SysName             What you want each report to be prepended with, such as "computername"
$WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
$EventSource         The name of the source the event will be written to in the Application log (default is ARTHIR)
$Event_ID            What event ID to use in the log entry

DOWNLOAD             The name of the report you will copy back to the host or launching system; wildcards are acceptable

.NOTES
The DOWNLOAD directive is needed by ARTHIR.ps1 to determine how to handle
output from this script. Use the wildcard * to capture the system name in the report.
- Example: C:\Program Files\LMD\Results\*Report_PS_LOG-MD-API-Settings.txt

DOWNLOAD C:\Program Files\ARTHIR\*Report_Temp_Dir_Listing*
#>
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR"
$ARTHIR_ReportName = "Report_Temp_Dir_Listing.txt"
$SysName = $env:COMPUTERNAME
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
# Full path of the report this module writes
$ReportPath = "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item -Path $ARTHIR_OutputDir -ItemType Directory
}
#
# Get a list of Files in the Users Temp Directory
#
# Per-profile report sections, in report order: the label printed in the report, then the file pattern
$Sections = @(
    @('EXE', '*.exe'),
    @('BAT', '*.bat'),
    @('CMD', '*.cmd'),
    @('Cmdline', '*.cmdline'),
    @('PS1', '*.ps1')
)
$Separator = "-------------------------------------------------------------------------"
$Columns = @('CreationTimeUtc', 'LastAccessTimeUtc', 'LastWriteTimeUtc', 'FullName')
Write-Output "List of all files in Temp directories" | Out-File -FilePath $ReportPath
Write-Output $Separator | Out-File -Append -FilePath $ReportPath
foreach ($userpath in (Get-WmiObject Win32_UserProfile | Select-Object -ExpandProperty LocalPath)) {
    $tempDir = Join-Path $userpath "AppData\Local\Temp"
    if (Test-Path $tempDir) {
        # Everything in the profile's Temp folder (-Force includes hidden and system files)
        Get-ChildItem -Force "$tempDir\*" | Format-Table -Wrap -AutoSize -Property $Columns | Out-File -Append -FilePath $ReportPath
        # Then one section per script/executable type
        foreach ($section in $Sections) {
            $label = $section[0]
            $pattern = $section[1]
            Write-Output "List of $label files in Temp directories" | Out-File -Append -FilePath $ReportPath
            Write-Output $Separator | Out-File -Append -FilePath $ReportPath
            Get-ChildItem -Force "$tempDir\$pattern" | Format-Table -Wrap -AutoSize -Property $Columns | Out-File -Append -FilePath $ReportPath
        }
    }
}
#
# Write log entry
#
if ($WriteEventLogEntry -ne 'No') {
    # Write-EventLog fails if the source has never been registered, so create it on first use
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'List files in Users Temp Dir queried by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD-Tasks/Get-Log-MD_Task_Logs_Daily.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Log-MD_Task_Logs_Daily.ps1 creates a daily task to run the LOG-MD -1 log harvest.
- Runs LOG-MD -1 -o $ARTHIR_OutputDir

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs:

This script depends on IMF Security's LOG-MD.exe, which is not
packaged with ARTHIR. You will have to purchase and download it from LOG-MD.com and
drop it in the .\Modules\bin\ directory. When you run ARTHIR.ps1, if you
add the -Pushbin switch at the command line, ARTHIR.ps1 will attempt to
copy the LOG-MD.exe binary to each remote target's ADMIN$ share and then move it
to the folder you specify below.

Scheduled Task:
---------------
This module will create a scheduled task at the date and time you want it to begin,
and then once a day it will run, placing the Report files into the
output folder you specify below.

CLEANUP:
--------
Use the cleanup module "Get-Log-MD-Pro_z_Cleanup_Tasks_All.ps1" to remove all
the LOG-MD scheduled tasks that you specify in that module.

MITRE ATT&CK Technique IDs: none

Adjust the variables to what you want to do with each item:
$Tool_Name           Name of the tool that you will use
$ARTHIR_OutputDir    Set to a directory you want the results of the modules to be stored in for harvesting
$ARTHIR_ReportName   What to name the report. Match this to DOWNLOAD
$TaskName            Name of the Task
$TaskDescr           Description of the Scheduled Task
$TaskStartTime       When you want the task to start ("2018-03-03T14:55:00")
$WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
$EventSource         The name of the source the event will be written to in the Application log (default is ARTHIR)
$Event_ID            What event ID to use in the log entry

.NOTES
The following lines are required by ARTHIR.ps1. They are directives that
tell ARTHIR how to treat the output of this script and where to find the
binary that this script depends on.

BINDEP .\Modules\bin\Log-MD.exe
DOWNLOAD C:\Program Files\LMD\Results\*Report_Task_Created.txt
#>
# You must use the 8.3 directory name for $ARTHIR_Dir and $ARTHIR_OutputDir in a Scheduled Task if the folder name contains a space
#
# Edit the following variables to match what names and locations you want to use to store LOG-MD
#
# Tool Name
$Tool_Name = "LOG-MD.exe"
# Where LOG-MD resides
$ARTHIR_Dir = "C:\Progra~1\LMD"
# Where the results/reports will be stored
$ARTHIR_OutputDir = "C:\Progra~1\LMD\Results"
# Name of report that confirms the task was created successfully
$ARTHIR_ReportName = "Report_Task_Created.txt"
# Name of system to add to the report
$SysName = $env:COMPUTERNAME
# The name of the scheduled task
$TaskName = "Test_LOG-MD_1-Day_of_Logs"
# Description of the scheduled task
$TaskDescr = "Create a LOG-MD Daily Check for 1 Day of Logs"
# The date and time you want the task to start to run each day (e.g. 2 pm or 14:00:00)
$TaskStartTime = "2019-03-03T14:55:00"
# Name of Tool used
$TaskCommand = "$Tool_Name"
# The Task Action command argument
$TaskArg = "-1"
# Write a log entry to Application log
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item -Path $ARTHIR_OutputDir -ItemType Directory
}
#
# Remove any existing $Tool_Name Task
#
$schedule = New-Object -ComObject "Schedule.Service"
$schedule.Connect()
$tasks = $schedule.GetFolder("\").GetTasks(0)
#
if ($tasks | Where-Object { $_.Name -eq $TaskName }) {
    SchTasks.exe /Delete /TN $TaskName /F | Out-File -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
} else {
    Write-Output "$TaskName does not already exist on the system" | Out-File -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
}
#
# Create Schedule Task to run Daily 1 Day of Logs
#
# attach the Task Scheduler com object
$service = New-Object -ComObject "Schedule.Service"
$service.Connect()
$rootFolder = $service.GetFolder("\")

$TaskDefinition = $service.NewTask(0)
$TaskDefinition.RegistrationInfo.Description = "$TaskDescr"
$TaskDefinition.Settings.Enabled = $true
$TaskDefinition.Settings.AllowDemandStart = $true
# RunLevel 1 = TASK_RUNLEVEL_HIGHEST
$TaskDefinition.Principal.RunLevel = 1
$TaskDefinition.Settings.ExecutionTimeLimit = 'PT1H'

$triggers = $TaskDefinition.Triggers

# Trigger type 2 = TASK_TRIGGER_DAILY
$trigger = $triggers.Create(2)
# Daily task: no repetition (the hourly LOG-MD tasks enable this line to repeat every 60 minutes)
#$trigger.Repetition.Interval = 'PT60M'
$trigger.StartBoundary = $TaskStartTime
$trigger.Enabled = $true
$trigger.ExecutionTimeLimit = 'PT1H'

# Action type 0 = TASK_ACTION_EXEC
$Action = $TaskDefinition.Actions.Create(0)
$Action.Path = "$TaskCommand"
$Action.Arguments = "$TaskArg"
$Action.WorkingDirectory = $ARTHIR_Dir

# 6 = TASK_CREATE_OR_UPDATE, 5 = TASK_LOGON_SERVICE_ACCOUNT (runs as SYSTEM, no stored password)
$rootFolder.RegisterTaskDefinition("$TaskName", $TaskDefinition, 6, "System", $null, 5)
#
# Move $Tool_Name to directory
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Printout Task completed
#
SchTasks.exe /Query /FO TABLE /TN $TaskName | Out-File -Append -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
#
# Write log entry
#
if ($WriteEventLogEntry -ne 'No') {
    # Write-EventLog fails if the source has never been registered, so create it on first use
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Added Task Logs Daily by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD-Tasks/Get-Log-MD_Task_AutoRuns_Hourly.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Log-MD_Task_AutoRuns_Hourly.ps1 creates an hourly task to run the LOG-MD AutoRuns feature.
- Runs LOG-MD -ar -o $ARTHIR_OutputDir

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs:

This script depends on IMF Security's LOG-MD.exe, which is not
packaged with ARTHIR. You will have to purchase and download it from LOG-MD.com and
drop it in the .\Modules\bin\ directory. When you run ARTHIR.ps1, if you
add the -Pushbin switch at the command line, ARTHIR.ps1 will attempt to
copy the LOG-MD.exe binary to each remote target's ADMIN$ share and then move it
to the folder you specify below.

Scheduled Task:
---------------
This module will create a scheduled task at the date and time you want it to begin,
and then each hour, every day, it will run, placing the Report files into the
output folder you specify below.

CLEANUP:
--------
Use the cleanup module "Get-Log-MD_z_Cleanup_Tasks_All.ps1" to remove all
the LOG-MD scheduled tasks that you specify in that module.

MITRE ATT&CK Technique IDs: none

Adjust the variables to what you want to do with each item:
$Tool_Name           Name of the tool that you will use
$ARTHIR_OutputDir    Set to a directory you want the results of the modules to be stored in for harvesting
$ARTHIR_ReportName   What to name the report. Match this to DOWNLOAD
$TaskName            Name of the Task
$TaskDescr           Description of the Scheduled Task
$TaskStartTime       When you want the task to start ("2018-03-03T14:55:00")
$WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
$EventSource         The name of the source the event will be written to in the Application log (default is ARTHIR)
$Event_ID            What event ID to use in the log entry

.NOTES
The following lines are required by ARTHIR.ps1. They are directives that
tell ARTHIR how to treat the output of this script and where to find the
binary that this script depends on.

BINDEP .\Modules\bin\Log-MD.exe
DOWNLOAD C:\Program Files\LMD\Results\*Report_Task_Created.txt
#>
# You must use the 8.3 directory name for $ARTHIR_Dir and $ARTHIR_OutputDir in a Scheduled Task if the folder name contains a space
#
# Edit the following variables to match what names and locations you want to use to store LOG-MD
#
# Tool Name
$Tool_Name = "LOG-MD.exe"
# Where LOG-MD resides
$ARTHIR_Dir = "C:\Progra~1\LMD"
# Where the results/reports will be stored
$ARTHIR_OutputDir = "C:\Progra~1\LMD\Results"
# Name of report that confirms the task was created successfully
$ARTHIR_ReportName = "Report_Task_Created.txt"
# Name of system to add to the report
$SysName = $env:COMPUTERNAME
# The name of the scheduled task
$TaskName = "Test_LOG-MD-AutoRuns Hourly"
# Description of the scheduled task
$TaskDescr = "Create a LOG-MD Hourly Check for Autoruns Task"
# The date and time you want the task to start to run each day and hour (e.g. 2 pm or 14:00:00)
$TaskStartTime = "2019-03-03T14:55:00"
# Name of Tool used
$TaskCommand = "$Tool_Name"
# The Task Action command argument
$TaskArg = "-ar"
# Write a log entry to Application log
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item -Path $ARTHIR_OutputDir -ItemType Directory
}
#
# Move $Tool_Name to directory
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Remove any existing $Tool_Name Task
#
$schedule = New-Object -ComObject "Schedule.Service"
$schedule.Connect()
$tasks = $schedule.GetFolder("\").GetTasks(0)
#
if ($tasks | Where-Object { $_.Name -eq $TaskName }) {
    SchTasks.exe /Delete /TN $TaskName /F | Out-File -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
} else {
    Write-Output "$TaskName does not already exist on the system" | Out-File -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
}
#
# Create Schedule Task to run Autoruns Hourly
#
# attach the Task Scheduler com object
$service = New-Object -ComObject "Schedule.Service"
$service.Connect()
$rootFolder = $service.GetFolder("\")

$TaskDefinition = $service.NewTask(0)
$TaskDefinition.RegistrationInfo.Description = "$TaskDescr"
$TaskDefinition.Settings.Enabled = $true
$TaskDefinition.Settings.AllowDemandStart = $true
# RunLevel 1 = TASK_RUNLEVEL_HIGHEST
$TaskDefinition.Principal.RunLevel = 1
$TaskDefinition.Settings.ExecutionTimeLimit = 'PT2H'

$triggers = $TaskDefinition.Triggers

# Trigger type 2 = TASK_TRIGGER_DAILY
$trigger = $triggers.Create(2)
# Repeat the daily trigger every 60 minutes
$trigger.Repetition.Interval = 'PT60M'
$trigger.StartBoundary = $TaskStartTime
$trigger.Enabled = $true
$trigger.ExecutionTimeLimit = 'PT2H'

# Action type 0 = TASK_ACTION_EXEC
$Action = $TaskDefinition.Actions.Create(0)
$Action.Path = "$TaskCommand"
$Action.Arguments = "$TaskArg"
$Action.WorkingDirectory = $ARTHIR_Dir

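#
# Added pre-registration check (an example added here; it is not part of the original
# ARTHIR module). Before a task that runs as SYSTEM is registered, warn if the directory
# it will run from grants write access to low-privileged identities (a writable tool
# directory lets any local user replace the binary that SYSTEM will execute), or if the
# binary is not in place yet. Warning-only: it does not change whether the task is
# registered. $ARTHIR_Dir, $TaskCommand and $TaskName come from the variables set above;
# the identity list below is an assumption you may extend for your environment.
#
$LowPrivIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that allow replacing or altering files: the specific write/modify bits plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that some ACEs carry
$WriteRightsMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'
$WriteRightsMask = $WriteRightsMask -bor 0x40000000 -bor 0x10000000
$ToolPath = Join-Path -Path $ARTHIR_Dir -ChildPath $TaskCommand
if (-not (Test-Path -Path $ToolPath)) {
    Write-Warning "$ToolPath not found; task '$TaskName' will fail until the binary is in place"
}
if (Test-Path -Path $ARTHIR_Dir) {
    $WritableBy = (Get-Acl -Path $ARTHIR_Dir).Access |
        Where-Object {
            ($_.AccessControlType -eq 'Allow') -and
            ($LowPrivIdentities -contains $_.IdentityReference.Value) -and
            ((([int]$_.FileSystemRights) -band $WriteRightsMask) -ne 0)
        } |
        ForEach-Object { $_.IdentityReference.Value }
    if ($WritableBy) {
        Write-Warning "$ARTHIR_Dir is writable by $($WritableBy -join ', '); a SYSTEM task running from it can be hijacked by a local user"
    }
}
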
# 6 = TASK_CREATE_OR_UPDATE, 5 = TASK_LOGON_SERVICE_ACCOUNT (runs as SYSTEM, no stored password)
$rootFolder.RegisterTaskDefinition("$TaskName", $TaskDefinition, 6, "System", $null, 5)
#
# Printout Task completed
#
SchTasks.exe /Query /FO TABLE /TN $TaskName | Out-File -Append -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
#
# Write log entry
#
if ($WriteEventLogEntry -ne 'No') {
    # Write-EventLog fails if the source has never been registered, so create it on first use
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Added Task AutoRuns Hourly by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD-Tasks/Get-Log-MD_Task_Running_Processes_Hourly.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Log-MD_Task_Running_Processes_Hourly.ps1 creates an hourly task to run the LOG-MD Running Processes feature.
- Runs LOG-MD -proc -o $ARTHIR_OutputDir

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs:

This script depends on IMF Security's LOG-MD.exe, which is not
packaged with ARTHIR. You will have to purchase and download it from LOG-MD.com and
drop it in the .\Modules\bin\ directory. When you run ARTHIR.ps1, if you
add the -Pushbin switch at the command line, ARTHIR.ps1 will attempt to
copy the LOG-MD.exe binary to each remote target's ADMIN$ share and then move it
to the folder you specify below.

Scheduled Task:
---------------
This module will create a scheduled task at the date and time you want it to begin,
and then each hour, every day, it will run, placing the Report files into the
output folder you specify below.

CLEANUP:
--------
Use the cleanup module "Get-Log-MD-Pro_z_Cleanup_Tasks_All.ps1" to remove all
the LOG-MD scheduled tasks that you specify in that module.

MITRE ATT&CK Technique IDs: none

Adjust the variables to what you want to do with each item:
$Tool_Name           Name of the tool that you will use
$ARTHIR_OutputDir    Set to a directory you want the results of the modules to be stored in for harvesting
$ARTHIR_ReportName   What to name the report. Match this to DOWNLOAD
$TaskName            Name of the Task
$TaskDescr           Description of the Scheduled Task
$TaskStartTime       When you want the task to start ("2018-03-03T14:55:00")
$WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
$EventSource         The name of the source the event will be written to in the Application log (default is ARTHIR)
$Event_ID            What event ID to use in the log entry

.NOTES
The following lines are required by ARTHIR.ps1. They are directives that
tell ARTHIR how to treat the output of this script and where to find the
binary that this script depends on.

BINDEP .\Modules\bin\Log-MD.exe
DOWNLOAD C:\Program Files\LMD\Results\*Report_Task_Created.txt
#>
# You must use the 8.3 directory name for $ARTHIR_Dir and $ARTHIR_OutputDir in a Scheduled Task if the folder name contains a space
#
# Edit the following variables to match what names and locations you want to use to store LOG-MD
#
# Tool Name
$Tool_Name = "LOG-MD.exe"
# Where LOG-MD resides
$ARTHIR_Dir = "C:\Progra~1\LMD"
# Where the results/reports will be stored
$ARTHIR_OutputDir = "C:\Progra~1\LMD\Results"
# Name of report that confirms the task was created successfully
$ARTHIR_ReportName = "Report_Task_Created.txt"
# Name of system to add to the report
$SysName = $env:COMPUTERNAME
# The name of the scheduled task
$TaskName = "Test_LOG-MD-Running-Processes Hourly"
# Description of the scheduled task
$TaskDescr = "Create a LOG-MD Hourly Check for Running Processes Task"
# The date and time you want the task to start to run each day and hour (e.g. 2 pm or 14:00:00)
$TaskStartTime = "2019-03-03T14:15:00"
# Name of Tool used
$TaskCommand = "$Tool_Name"
# The Task Action command argument
$TaskArg = "-proc"
# Write a log entry to Application log
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output "$ARTHIR_OutputDir already exists"
} else {
    New-Item -Path $ARTHIR_OutputDir -ItemType Directory
}
#
# Remove any existing $Tool_Name Task
#
$schedule = New-Object -ComObject "Schedule.Service"
$schedule.Connect()
$tasks = $schedule.GetFolder("\").GetTasks(0)
#
if ($tasks | Where-Object { $_.Name -eq $TaskName }) {
    SchTasks.exe /Delete /TN $TaskName /F | Out-File -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
} else {
    Write-Output "$TaskName does not already exist on the system" | Out-File -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
}
#
# Create Schedule Task to run Hourly Running Processes
#
# attach the Task Scheduler com object
$service = New-Object -ComObject "Schedule.Service"
$service.Connect()
$rootFolder = $service.GetFolder("\")

$TaskDefinition = $service.NewTask(0)
$TaskDefinition.RegistrationInfo.Description = "$TaskDescr"
$TaskDefinition.Settings.Enabled = $true
$TaskDefinition.Settings.AllowDemandStart = $true
# RunLevel 1 = TASK_RUNLEVEL_HIGHEST
$TaskDefinition.Principal.RunLevel = 1
$TaskDefinition.Settings.ExecutionTimeLimit = 'PT1H'

$triggers = $TaskDefinition.Triggers

# Trigger type 2 = TASK_TRIGGER_DAILY
$trigger = $triggers.Create(2)
# Repeat the daily trigger every 60 minutes
$trigger.Repetition.Interval = 'PT60M'
$trigger.StartBoundary = $TaskStartTime
$trigger.Enabled = $true
$trigger.ExecutionTimeLimit = 'PT1H'

# Action type 0 = TASK_ACTION_EXEC
$Action = $TaskDefinition.Actions.Create(0)
$Action.Path = "$TaskCommand"
$Action.Arguments = "$TaskArg"
$Action.WorkingDirectory = $ARTHIR_Dir

# 6 = TASK_CREATE_OR_UPDATE, 5 = TASK_LOGON_SERVICE_ACCOUNT (runs as SYSTEM, no stored password)
$rootFolder.RegisterTaskDefinition("$TaskName", $TaskDefinition, 6, "System", $null, 5)
#
# Move $Tool_Name to directory
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Printout Task completed
#
SchTasks.exe /Query /FO TABLE /TN $TaskName | Out-File -Append -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
#
# Write log entry
#
if ($WriteEventLogEntry -ne 'No') {
    # Write-EventLog fails if the source has never been registered, so create it on first use
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Added Task Running Processes Hourly by Arthir'
}
--------------------------------------------------------------------------------
/Modules/LOG-MD-Tasks/Get-Log-MD_Task_Large_Keys_Daily.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Log-MD_Task_Large_Keys_Daily.ps1 creates a daily task to run the LOG-MD Large Registry Keys feature.
- Runs LOG-MD -rs 20 -o $ARTHIR_OutputDir

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs:

This script depends on IMF Security's LOG-MD.exe, which is not
packaged with ARTHIR. You will have to purchase and download it from LOG-MD.com and
drop it in the .\Modules\bin\ directory. When you run ARTHIR.ps1, if you
add the -Pushbin switch at the command line, ARTHIR.ps1 will attempt to
copy the LOG-MD.exe binary to each remote target's ADMIN$ share and then move it
to the folder you specify below.

Scheduled Task:
---------------
This module will create a scheduled task at the date and time you want it to begin,
and then once a day it will run, placing the Report files into the
output folder you specify below.

CLEANUP:
--------
Use the cleanup module "Get-Log-MD-Pro_z_Cleanup_Tasks_All.ps1" to remove all
the LOG-MD scheduled tasks that you specify in that module.

MITRE ATT&CK Technique IDs: none

Adjust the variables to what you want to do with each item:
$Tool_Name           Name of the tool that you will use
$ARTHIR_OutputDir    Set to a directory you want the results of the modules to be stored in for harvesting
$ARTHIR_ReportName   What to name the report. Match this to DOWNLOAD
$TaskName            Name of the Task
$TaskDescr           Description of the Scheduled Task
$TaskStartTime       When you want the task to start ("2018-03-03T14:55:00")
$WriteEventLogEntry  Create an event log entry that this module ran: 'Yes' or 'No'
$EventSource         The name of the source the event will be written to in the Application log (default is ARTHIR)
$Event_ID            What event ID to use in the log entry

.NOTES
The following lines are required by ARTHIR.ps1. They are directives that
tell ARTHIR how to treat the output of this script and where to find the
binary that this script depends on.

BINDEP .\Modules\bin\Log-MD.exe
DOWNLOAD C:\Program Files\LMD\Results\*Report_Task_Created.txt
#>
# You must use the 8.3 directory name for $ARTHIR_Dir and $ARTHIR_OutputDir in a Scheduled Task if the folder name contains a space
#
# Edit the following variables to match what names and locations you want to use to store LOG-MD
#
# Tool Name
$Tool_Name = "LOG-MD.exe"
# Where LOG-MD resides
$ARTHIR_Dir = "C:\Progra~1\LMD"
# Where the results/reports will be stored
$ARTHIR_OutputDir = "C:\Progra~1\LMD\Results"
# Name of report that confirms the task was created successfully
$ARTHIR_ReportName = "Report_Task_Created.txt"
# Name of system to add to the report
$SysName = $env:COMPUTERNAME
# The name of the scheduled task
$TaskName = "Test_LOG-MD-Large-Keys"
# Description of the scheduled task
$TaskDescr = "Create a LOG-MD Daily Check for Large Registry Keys Task"
# The date and time you want the task to start to run each day (e.g. 2 pm or 14:00:00)
$TaskStartTime = "2019-03-03T14:15:00"
# Name of Tool used
$TaskCommand = "$Tool_Name"
# Size of the key you want to hunt for (must be set before $TaskArg is built, or the argument is expanded empty)
$KeySize = 20
# The Task Action command argument
$TaskArg = "-rs $KeySize"
# Write a log entry to Application log
$WriteEventLogEntry = "Yes" 77 | $EventSource = "ARTHIR" 78 | $Event_ID = "1337" 79 | # 80 | # Check for report folder existing, or create it 81 | # 82 | if (Test-Path $ARTHIR_OutputDir) { 83 | Write-Output $ARTHIR_OutputDir "already exists" 84 | } else { 85 | new-item $ARTHIR_OutputDir -itemtype directory 86 | } 87 | # 88 | # Remove any existing $Tool_Name Task 89 | # 90 | $schedule = new-object -com("Schedule.Service") 91 | $schedule.connect() 92 | $tasks = $schedule.getfolder("\").gettasks(0) 93 | $tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName } 94 | # 95 | if ($tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }) { 96 | SchTasks.exe /Delete /TN $TaskName /F | out-file -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName 97 | } else { 98 | Write-Output $TaskName "$TaskName does not already exist on the system" | out-file -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName 99 | } 100 | # 101 | # Create Schedule Task to run Large Registry Keys 102 | # 103 | # attach the Task Scheduler com object 104 | $service = new-object -ComObject("Schedule.Service") 105 | $service.Connect() 106 | $rootFolder = $service.GetFolder("\") 107 | 108 | $TaskDefinition = $service.NewTask(0) 109 | $TaskDefinition.RegistrationInfo.Description = "$TaskDescr" 110 | $TaskDefinition.Settings.Enabled = $true 111 | $TaskDefinition.Settings.AllowDemandStart = $true 112 | $TaskDefinition.Principal.RunLevel = 1 113 | $TaskDefinition.Settings.ExecutionTimeLimit = 'PT1H' 114 | 115 | $triggers = $TaskDefinition.Triggers 116 | 117 | $trigger = $triggers.Create(2) 118 | #$trigger.repetition.Interval = 'PT60M' 119 | $trigger.StartBoundary = $TaskStartTime 120 | $trigger.Enabled = $true 121 | $trigger.ExecutionTimeLimit = 'PT1H' 122 | 123 | $Action = $TaskDefinition.Actions.Create(0) 124 | $action.Path = "$TaskCommand" 125 | $action.Arguments = "$TaskArg" 126 | $action.WorkingDirectory = $ARTHIR_Dir 127 | 128 | 
$rootFolder.RegisterTaskDefinition("$TaskName",$TaskDefinition,6,"System",$null,5) 129 | # 130 | # Move $Tool_Name to directory 131 | # 132 | Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force 133 | # 134 | # Printout Task completed 135 | # 136 | Schtasks /query /FO TABLE /TN $TaskName | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName 137 | # 138 | # Write log entry 139 | # 140 | If ($WriteEventLogEntry -eq 'No') { 141 | Break 142 | } 143 | elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) { 144 | New-EventLog -LogName Application -Source $EventSource 145 | Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Added Task Large Reg Keys Daily by Arthir' 146 | } 147 | else { 148 | Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Added Task Large Reg Keys Daily by Arthir' 149 | } -------------------------------------------------------------------------------- /Modules/Info/Get-PS_Version_Logging_Details.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Get-PS_Version_Logging_Details.ps1 returns the following data on PowerShell 4 | * PowerShell version 5 | * PowerShell Logging settings 6 | * .Net Version 7 | 8 | Use the following to record the modules applicability to the MITRE ATT&CK Framework 9 | 10 | MITRE ATT&CK Technique IDs: T1028 (WinRM,) T1064 (Scripting), T1086 (PowerShell), T1140 (Obfuscation) 11 | 12 | Only output will be created for the version lower than specified. Errors will be throw for systems that are compliant 13 | as it will not generate the report, thus throwing an error. 14 | 15 | If you want to remove the reports and directories from remote systems after it has run 16 | use the cleanup module Get-Delete_ARTHIR_Folders.ps1. 

Adjust the variables to what you want to do with each item:
$ARTHIR_OutputDir    Set to a directory you want the results of the modules to be stored in for harvesting
$ARTHIR_ReportName   What to name the report. Match this to DOWNLOAD
$SysName             What you want each report to be prepended with, such as "computername"
$MinPSVersion        What minimum PowerShell version do you want to look for
$WriteEventLogEntry  Create an event log entry that this module ran 'Yes' or 'No'
$EventSource         The name of the source the event will be written to in the Application log (default is ARTHIR)
$Event_ID            What event ID to use in the log entry

DOWNLOAD The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The following DIRECTIVE lines are needed by ARTHIR.ps1 to determine how to handle output
from this script.

DOWNLOAD C:\Program Files\ARTHIR\Results\*Report_PS_Dot_Net_Versions.txt

#>
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR\Results"
$ARTHIR_ReportName = "Report_PS_Dot_Net_Versions.txt"
$SysName = $env:computername
$MinPSVersion = 6
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for minimal PowerShell version: nothing is reported for systems that already meet it
#
If ($PSVersionTable.PSVersion.Major -ge $MinPSVersion) {
    Write-Output "System has PS $MinPSVersion or greater"
    Break
}
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output $ARTHIR_OutputDir "already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Write Header and computername
#
Write-Output "Computer - $SysName" | Out-File -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
Write-Output "###############################################################################################" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
Write-Output "PowerShell Version" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
Write-Output "-----------------------------------------------------------------------------------------------" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
# Record the PowerShell version (only reached when the minimum version is not met)
#
$PSVersionTable.PSVersion | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
# Check PS Logging (policy keys; Get-ItemProperty reports an error if a key is not configured)
#
Write-Output "PS Logging should be - ModuleLogging = 1, EnableScriptBlockLogging = 1" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
Write-Output "-----------------------------------------------------------------------------------------------" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
Get-ItemProperty "hklm:SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -Name "EnableModuleLogging" | Format-Table -AutoSize -Property @{Name="EnableModuleLogging"; Expression = {$_.EnableModuleLogging}; Alignment="left"} | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
Get-ItemProperty "hklm:SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" | Format-Table -AutoSize -Property @{Name="EnableScriptBlockLogging"; Expression = {$_.EnableScriptBlockLogging}; Alignment="left"} | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
Write-Output "ModuleNames should be - ModuleNames = *" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
Write-Output "-----------------------------------------------------------------------------------------------" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
# The module name patterns are stored as value names under this key, hence -ExpandProperty Property
Get-Item -Path "hklm:SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" | Select-Object -ExpandProperty Property | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
# Check .Net versions
#
Write-Output "" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
Write-Output ".Net Versions - Lists .Net versions installed" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
Write-Output "-----------------------------------------------------------------------------------------------" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
Get-ItemProperty "HKLM:Software\Microsoft\NET Framework Setup\NDP\*" | Select-Object PSChildName, PSPath | Format-Table -AutoSize -Wrap | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
Write-Output "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" | Out-File -Append -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'PS and .Net version executed by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'PS and .Net version executed by Arthir'
}
--------------------------------------------------------------------------------
/Documentation/_README_1st_Documentation.txt:
--------------------------------------------------------------------------------
[ARTHIR ASCII-art banner]

Running ARTHIR
--------------

Edit Modules.conf to select what you want to run. Read each module; what it does should be recorded
at the beginning of the module.

Keep in mind that some modules take longer than others to run; do them last. Modules are ordered by how
long they take in modules.conf.

Populate the systems you want to run the modules against in the 'Hosts.txt' file.

When pushing a binary or Zip file, be sure to include the '-Pushbin' parameter or you will get an error.

The '-Transcribe' and '-Verbose' options are optional; they just record the console launch details in a log file.

Read the "Configuring WinRM Guide.pdf" for more on enabling WinRM

###########################################################################################################################

Launch all modules enabled in modules.conf \Modules
---------------------------------------------------

To cache your credentials
-------------------------
$Credential = Get-Credential

-------------------------------
For Domain attached systems:  |
-------------------------------
The following uses Kerberos to authenticate, which is the default for domains.

Run all modules selected in Modules.conf
----------------------------------------

- With a binary or Zip to push
.\ARTHIR.ps1 -TargetList hosts.txt .\Modules -Pushbin -Verbose -Transcribe -Credential $Credential

- With just scripts, no binary or zip
.\ARTHIR.ps1 -TargetList Hosts.txt .\Modules -Verbose -Transcribe -Credential

- Specify one target and a username - with a binary or zip to push
.\ARTHIR.ps1 -Target .\Modules -Pushbin -Verbose -Transcribe -Credential

Launch one module at a time
---------------------------

- With a binary or Zip to push
.\ARTHIR.ps1 -Target -ModulePath ".\Modules\LOG-MD\Get_Log-MD_1_Configs.ps1" -Pushbin -Transcribe -Credential $Credential
.\ARTHIR.ps1 -Target -ModulePath ".\Modules\LOG-MD\Get-Log-MD_AutoRuns.ps1" -Pushbin -Transcribe -Credential

.\ARTHIR.ps1 -Target DEFENDER -ModulePath ".\Modules\LOG-MD\Get-LOG-MD-1_Configs.ps1" -Pushbin -Transcribe -Credential

########################################################################################################################################################################

-----------------------------------
For Non-Domain attached systems:  |
-----------------------------------

Run all modules selected in Modules.conf
----------------------------------------

.\ARTHIR.ps1 -TargetList hosts.txt .\Modules -Verbose -Authentication Negotiate -Transcribe -Credential $Credential
- With a binary or Zip to push
.\ARTHIR.ps1 -TargetList hosts.txt .\Modules -Pushbin -Authentication Negotiate -Verbose -Transcribe -Credential $Credential

- With just scripts, no binary or zip
.\ARTHIR.ps1 -TargetList Hosts.txt .\Modules -Authentication Negotiate -Verbose -Transcribe -Credential

- Specify one target and a username - with a binary or zip to push
.\ARTHIR.ps1 -Target .\Modules -Pushbin -Authentication Negotiate -Verbose -Transcribe -Credential

Launch one module at a time
---------------------------

- With a binary or Zip to push
.\ARTHIR.ps1 -Target -ModulePath ".\Modules\LOG-MD\Get_Log-MD_1_Configs.ps1" -Pushbin -Authentication Negotiate -Transcribe -Credential $Credential
.\ARTHIR.ps1 -Target -ModulePath ".\Modules\LOG-MD\Get-Log-MD_AutoRuns.ps1" -Pushbin -Authentication Negotiate -Transcribe -Credential

.\ARTHIR.ps1 -Target DEFENDER -ModulePath ".\Modules\LOG-MD\Get-LOG-MD-1_Configs.ps1" -Pushbin -Authentication Negotiate -Transcribe -Credential

########################################################################################################################################################################

TROUBLESHOOTING
---------------

----------------------------
To open a PS Remoting shell
----------------------------

This will give you console access to the remote system to do whatever you want, but NOT retrieve files; that requires the next option, "PS Remoting Session".

$Credential = Get-Credential

- Domain
Enter-PSSession -Credential $Credential
Enter-PSSession -Credential

- Non domain
Enter-PSSession -Authentication Negotiate -Credential $Credential
Enter-PSSession -Authentication Negotiate -Credential

Do whatever you want and then, when done:
- Exit-PSSession

--------------------------------------
To open a PS Remoting Session method 2
--------------------------------------

This will give you an interactive session that allows you to run commands and retrieve and send files to the target.

$Credential = Get-Credential

- Non domain
$MySession = New-PSSession -ComputerName -Authentication Negotiate -Credential $Credential
$MySession = New-PSSession -ComputerName -Authentication Negotiate -Credential
Invoke-Command -Session $MySession {Get-Process}
Invoke-Command -Session $MySession {C:\'Program Files'\LMD\Log-MD-Pro.exe -ar -md -o 'C:\Program Files\LMD\Results'}
Copy-Item -Path "C:\Program Files\LMD\Results\Report_AutoRuns*" -Destination "D:\ARTHIR" -FromSession $MySession

Do whatever you want and then, when done:
- Exit-PSSession

########################################################################################################################################################################
--------------------------------------------------------------------------------
/Modules/Sysinternals/Get-Handle64.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Get-Handle64.ps1 - Get handles of files. Run Handle64 /? for all
features. Using -i cannot create a CSV.

Use the following to record the module's applicability to the MITRE ATT&CK Framework

MITRE ATT&CK Technique IDs: TBD

Adjust the variables to what you want to do with each item:
$Tool_Name           Name of the binary utility used
$ARTHIR_Dir          Set to the directory the pushed binary is moved to and run from
$ARTHIR_OutputDir    Set to a directory you want the results of the modules to be stored in for harvesting
$ARTHIR_ReportName   What to name the report used for error checking.
                     Match this to DOWNLOAD
$RenameReports       Yes/No - Rename the reports to include the system name or what you specify with the $SysName variable
$SysName             What you want each report to be prepended with, such as "computername"
$WriteEventLogEntry  Create an event log entry that this module ran 'Yes' or 'No'
$EventSource         The name of the source the event will be written to in the Application log (default is ARTHIR)
$Event_ID            What event ID to use in the log entry

BINDEP   The name of the binary/file you want to push to the remote systems
DOWNLOAD The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The BINDEP and DOWNLOAD directives are needed by ARTHIR.ps1 to determine where to find
the binary to be used and how to handle output from this script.
Use the wildcard * to capture the system name in the report.
- Example: .\Modules\bin\.exe
- Example: C:\Program Files\LMD\Results\*Report_PS_LOG-MD-API-Settings.txt

BINDEP .\Modules\bin\Handle64.exe
DOWNLOAD C:\Program Files\ARTHIR\*Report_Handle*
#>
$Tool_Name = "Handle64.exe"
# Not used by the script body; kept from the original template
$Check_Folder = "c:\users\*.*"
$ARTHIR_Dir = "C:\Program Files\ARTHIR"
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR"
$ARTHIR_ReportName = "Report_Handle.txt"
$RenameReports = "Yes"
$SysName = $env:computername
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
# Status file that records each step of this module
$StatusFile = "$ARTHIR_OutputDir\$SysName-Report_Handle_Status.txt"
#
# Check for report folder existing, or create it (it must exist before the status file is written)
#
$FolderExisted = Test-Path $ARTHIR_OutputDir
if (-not $FolderExisted) {
    New-Item $ARTHIR_OutputDir -ItemType Directory | Out-Null
}
#
# Remove existing reports, then start the status file
#
Remove-Item -Path $ARTHIR_OutputDir\$SysName-Report_Handle* -Force -ErrorAction SilentlyContinue
Write-Output "Running Handle" | Out-File -FilePath $StatusFile
if ($FolderExisted) {
    Write-Output "$ARTHIR_OutputDir already exists" | Out-File -Append -FilePath $StatusFile
} else {
    Write-Output "$ARTHIR_OutputDir created" | Out-File -Append -FilePath $StatusFile
}
#
# Move uploaded tool to the destination directory from \Windows
#
Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
#
# Check and run Handle
#
if (Test-Path $ARTHIR_Dir\$Tool_Name) {
    Set-Location -Path $ARTHIR_Dir
    Write-Output "Process, PID, Owner, Type, Perms, Name" | Out-File -FilePath $ARTHIR_OutputDir\$ARTHIR_ReportName
    Write-Output "------------------------------------------------------------------------------" | Out-File -Append -FilePath $ARTHIR_OutputDir\$ARTHIR_ReportName
    # -a lists all handle types, not only file handles
    $data = (& .\$Tool_Name /accepteula -a)
    foreach ($line in $data) {
        $line = $line.Trim()
        if ($line -match " pid: ") {
            # Process header line, e.g. "explorer.exe pid: 1234 DOMAIN\user"; the named groups feed $matches below
            $HandleId = $Type = $Perms = $Name = $null
            $pattern = "(?<ProcessName>^[-a-zA-Z0-9_.]+) pid: (?<PId>\d+) (?<Owner>.+$)"
            if ($line -match $pattern) {
                $ProcessName, $ProcId, $Owner = ($matches['ProcessName'], $matches['PId'], $matches['Owner'])
            }
        } else {
            # Handle line, e.g. "1C: File  (RW-)   C:\Users\...\file.txt"
            $pattern = "(?<HandleId>^[a-f0-9]+): (?<Type>\w+)"
            if ($line -match $pattern) {
                $HandleId, $Type = ($matches['HandleId'], $matches['Type'])
                $Perms = $Name = $null
                switch ($Type) {
                    "File" {
                        # File handles carry an access column such as (RW-) before the path
                        $pattern = "(?<HandleId>^[a-f0-9]+):\s+(?<Type>\w+)\s+(?<Perms>\([-RWD]+\))\s+(?<Name>.*)"
                        if ($line -match $pattern) {
                            $Perms, $Name = ($matches['Perms'], $matches['Name'])
                        }
                    }
                    default {
                        $pattern = "(?<HandleId>^[a-f0-9]+):\s+(?<Type>\w+)\s+(?<Name>.*)"
                        if ($line -match $pattern) {
                            $Name = ($matches['Name'])
                        }
                    }
                }
                if ($Name -ne $null) {
                    $o = "" | Select-Object ProcessName, ProcId, HandleId, Owner, Type, Perms, Name
                    $o.ProcessName, $o.ProcId, $o.HandleId, $o.Owner, $o.Type, $o.Perms, $o.Name = `
                        $ProcessName, $ProcId, ("0x" + $HandleId), $Owner, $Type, $Perms, $Name
                    ($o | Format-Table -Wrap -AutoSize -HideTableHeaders | Out-String).Trim() | Out-File -Append -FilePath $ARTHIR_OutputDir\$ARTHIR_ReportName
                }
            }
        }
    }
} else {
    Write-Error "$Tool_Name not found in $ARTHIR_Dir."
    Exit
}
#
# Check for output to exist
#
Write-Output "Waiting for Handle report to be created..." | Out-File -Append -FilePath $StatusFile
while (!(Test-Path $ARTHIR_OutputDir\$ARTHIR_ReportName)) { Start-Sleep -Seconds 10 }
#
# Wait 5 seconds to allow closing of files
#
Start-Sleep -Seconds 5
#
# Rename files with $SysName
#
If ($RenameReports -eq 'No') {
    Write-Output "Reports not being renamed" | Out-File -Append -FilePath $StatusFile
}
else {
    Rename-Item -Path $ARTHIR_OutputDir\$ARTHIR_ReportName -NewName "$SysName-$ARTHIR_ReportName"
    Write-Output "Report renamed to $SysName-$ARTHIR_ReportName" | Out-File -Append -FilePath $StatusFile
}
#
# Write log entry (no Break here, so the final status line below is always written)
#
If ($WriteEventLogEntry -ne 'No') {
    if ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Handle executed by Arthir'
}
Write-Output "Running Handle complete" | Out-File -Append -FilePath $StatusFile
--------------------------------------------------------------------------------
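Added example, not an ARTHIR module and not part of Get-Handle64.ps1 or Get-Netstat.ps1: a function that evaluates the same PowerShell logging policy values that Get-PS_Version_Logging_Details.ps1 writes to its report, but returns one object with a Compliant flag and treats an absent policy key as "not set" instead of letting Get-ItemProperty raise an error. The function name, its parameter and the output field names are my own choices.

```powershell
# Added example (not part of ARTHIR): evaluate the PowerShell logging policy that
# Get-PS_Version_Logging_Details.ps1 reports on, without failing on missing policy keys.
function Test-PSLoggingPolicy {
    [CmdletBinding()]
    param(
        # Machine policy root; the same HKLM keys the ARTHIR module reads
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    )

    # Read one DWORD policy value. Returns $null when the key or the value does not exist,
    # which Get-ItemProperty would otherwise surface as a non-terminating error.
    function Get-PolicyValue([string]$SubKey, [string]$Name) {
        $item = Get-ItemProperty -Path (Join-Path $PolicyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$Name
    }

    $moduleLogging      = Get-PolicyValue 'ModuleLogging'      'EnableModuleLogging'
    $scriptBlockLogging = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'

    # ModuleNames is a key whose value *names* are the module patterns ("*" = all modules);
    # the ARTHIR module lists them with Select-Object -ExpandProperty Property, so do the same.
    $moduleNames = @()
    $namesKey = Get-Item -Path (Join-Path $PolicyRoot 'ModuleLogging\ModuleNames') -ErrorAction SilentlyContinue
    if ($null -ne $namesKey) { $moduleNames = @($namesKey.Property) }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($moduleLogging -ne 1) {
        $state = if ($null -eq $moduleLogging) { 'not set' } else { $moduleLogging }
        $findings.Add("EnableModuleLogging is $state, expected 1")
    }
    if ($scriptBlockLogging -ne 1) {
        $state = if ($null -eq $scriptBlockLogging) { 'not set' } else { $scriptBlockLogging }
        $findings.Add("EnableScriptBlockLogging is $state, expected 1")
    }
    if ($moduleNames -notcontains '*') {
        $findings.Add('ModuleNames does not contain "*", so module logging covers only the listed modules')
    }

    [PSCustomObject]@{
        ComputerName             = $env:COMPUTERNAME
        PSVersion                = $PSVersionTable.PSVersion.ToString()
        EnableModuleLogging      = $moduleLogging
        EnableScriptBlockLogging = $scriptBlockLogging
        ModuleNames              = ($moduleNames -join ', ')
        Compliant                = ($findings.Count -eq 0)
        Findings                 = ($findings -join '; ')
    }
}

# Run locally, or inside an ARTHIR module / Invoke-Command session; to append the result to an
# ARTHIR-style report instead, pipe it to:
#   Format-List | Out-File -Append -FilePath "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
Test-PSLoggingPolicy | Format-List
```

A host that has never received the policy shows all three findings with "not set", which is the case the original module's report leaves blank.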
/Modules/Kansa_Legacy/Net/Get-Netstat.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
#
# Initially obtained from Kansa, modified for error handling and formatting
#
# Updated for ARTHIR
#
Get-Netstat.ps1 acquires netstat -naob output and reformats it on the
target as TSV output.

MITRE ATT&CK Technique IDs: T1043 (Commonly used ports), T1133 (External Remote Services), T1057 (Process Discovery),
T1219 (Remote Access Tools), T1018 (Remote System Discovery), T1016 (System Network Configuration Discovery),
T1049 (System Network Connections Discovery)

CLEANUP: If you want to remove the reports and directories from remote systems after it has run
use the cleanup module Get-Delete_ARTHIR_Folders.ps1.

Adjust the variables to what you want to do with each item:
$ARTHIR_OutputDir    Set to a directory you want the results of the modules to be stored in for harvesting
$ARTHIR_ReportName   What to name the report used for error checking. Match this to DOWNLOAD
$SysName             What you want each report to be prepended with, such as "computername"
$WriteEventLogEntry  Create an event log entry that this module ran 'Yes' or 'No'
$EventSource         The name of the source the event will be written to in the Application log (default is ARTHIR)
$Event_ID            What event ID to use in the log entry

DOWNLOAD The name of the report you will copy back to the host or launching system, wildcards are acceptable

.NOTES
The DOWNLOAD directive is needed by ARTHIR.ps1 to determine how to handle
output from this script. Use the wildcard * to capture the system name in the report.
- Example: C:\Program Files\LMD\Results\*Report_PS_LOG-MD-API-Settings.txt

DOWNLOAD C:\Program Files\ARTHIR\Results\*Report_Netstat_Info.txt
#>
$ARTHIR_Dir = "C:\Program Files\ARTHIR"
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR\Results"
$ARTHIR_ReportName = "Report_NetStat_Info.txt"
$SysName = $env:computername
$MinPSVersion = 6
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
    Write-Output $ARTHIR_OutputDir "already exists"
} else {
    New-Item $ARTHIR_OutputDir -ItemType Directory
}
#
# Netstat functions
#
function Get-AddrPort {
    Param(
        [Parameter(Mandatory=$True,Position=0)]
        [String]$AddrPort
    )
    Write-Verbose "Entering $($MyInvocation.MyCommand)"
    Write-Verbose "Processing $AddrPort"
    # IPv6 addresses are bracketed, e.g. [::1]:135 or [fe80::1%12]:546: split on "]:" and restore the bracket
    if ($AddrPort -match '[0-9a-f]*:[0-9a-f]*:[0-9a-f%]*\]:[0-9]+') {
        $Addr, $Port = $AddrPort -split "]:"
        $Addr += "]"
    } else {
        $Addr, $Port = $AddrPort -split ":"
    }
    $Addr, $Port
    Write-Verbose "Exiting $($MyInvocation.MyCommand)"
}

$netstat = if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    # If run as admin, collect Component and Process names in addition to other data.
    $netstatScriptBlock = { & $env:windir\system32\netstat.exe -naob }
    foreach ($line in $(& $netstatScriptBlock)) {
        if ($line.length -gt 1 -and $line -notmatch "Active |Proto ") {
            $line = $line.trim()
            if ($line.StartsWith("TCP")) {
                $Protocol, $LocalAddress, $ForeignAddress, $State, $ConPId = ($line -split '\s{2,}')
                $Component = $Process = $False
            } elseif ($line.StartsWith("UDP")) {
                $State = "STATELESS"
                $Protocol, $LocalAddress, $ForeignAddress, $ConPId = ($line -split '\s{2,}')
                $Component = $Process = $False
            } elseif ($line -match "^\[[-_a-zA-Z0-9.]+\.(exe|com|ps1)\]$") {
                # Owning process line, e.g. [svchost.exe]
                $Process = $line
                if ($Component -eq $False) {
                    # No Component given
                    $Component = $Process
                }
            } elseif ($line -match "Ownership unavailable") {
                $Process = $Component = $line
            } else {
                # We have the $Component (the service/DLL line printed by -b)
                $Component = $line
            }
            if ($State -match "TIME_WAIT") {
                $Component = "Not provided"
                $Process = "Not provided"
            }
            # Emit one record once both the component and process for the connection are known
            if ($Component -and $Process) {
                $LocalAddress, $LocalPort = Get-AddrPort($LocalAddress)
                $ForeignAddress, $ForeignPort = Get-AddrPort($ForeignAddress)

                $o = "" | Select-Object Protocol, LocalAddress, LocalPort, ForeignAddress, ForeignPort, State, ConPId, Component, Process
                $o.Protocol, $o.LocalAddress, $o.LocalPort, $o.ForeignAddress, $o.ForeignPort, $o.State, $o.ConPId, $o.Component, $o.Process = `
                    $Protocol, $LocalAddress, $LocalPort, $ForeignAddress, $ForeignPort, $State, $ConPId, $Component, $Process
                $o
            }
        }
    }
} else {
    # If run as non-admin, we can't grab Component and Process name.
    $netstatScriptBlock = { & $env:windir\system32\netstat.exe -nao }
    ("Protocol","LocalAddress","LocalPort","ForeignAddress","ForeignPort","State","PId") -join "`t"
    foreach ($line in $(& $netstatScriptBlock)) {
        if ($line.length -gt 1 -and $line -notmatch "Active |Proto ") {
            $line = $line.trim()
            if ($line.StartsWith("TCP")) {
                $Protocol, $LocalAddress, $ForeignAddress, $State, $ConPId = ($line -split '\s{2,}')
            } elseif ($line.StartsWith("UDP")) {
                $State = "STATELESS"
                $Protocol, $LocalAddress, $ForeignAddress, $ConPId = ($line -split '\s{2,}')
            }
            $LocalAddress, $LocalPort = Get-AddrPort($LocalAddress)
            $ForeignAddress, $ForeignPort = Get-AddrPort($ForeignAddress)
            $o = "" | Select-Object Protocol, LocalAddress, LocalPort, ForeignAddress, ForeignPort, State, PId
            # Use the parsed connection PID ($ConPId); $PID is PowerShell's own process ID automatic variable
            $o.Protocol, $o.LocalAddress, $o.LocalPort, $o.ForeignAddress, $o.ForeignPort, $o.State, $o.PId = `
                $Protocol, $LocalAddress, $LocalPort, $ForeignAddress, $ForeignPort, $State, $ConPId
            $o
        }
    }
}
#
# Get Netstat info
#
$netstat | Format-Table -Wrap -AutoSize | Out-File -FilePath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
    Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
    New-EventLog -LogName Application -Source $EventSource
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Netstat info gathered by Arthir'
}
else {
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Netstat info gathered by Arthir'
}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# ARTHIR
ATT&CK
Remote Threat Hunting Incident Response 3 | 4 | VERSION 5 | ------- 6 | Initial release ver 1.0 - Mar 2019 7 | 8 | BACKGROUND 9 | ---------- 10 | WHAT IS ARTHIR? 11 | 12 | ATT&CK Remote Threat Hunting Incident Response (ARTHIR) is an update to the popular KANSA framework. ARTHIR works differently than KANSA in that you can create output with your ARTHIR module and then the results are pulled back to the launching host. KANSA only pulled console output back which limited its capabilities. KANSA was unable to execute binary utilities and tools such as LOGMD remotely and pull reports back. ARTHIR can run scripts as KANSA does, but also binary utilities and 13 | tools, making ARTHIR much more flexible than KANSA. 14 | 15 | KANSA is a modular incident response framework in Powershell to remotely run various PowerShell commands on a remote system to investigate a suspect system. The KANSA project is no longer maintained by the creator Dave Hull, but is still used and updated by some users. 16 | 17 | ARTHIR was created to provide a solution that can push out, run, and pull back LOG-MD-Pro reports, (or any other tool, script or binary you might like to use) while doing investigations. The ARTHIR project is a free Open Source project on Github and may be found here; 18 | - https://github.com/MalwareArchaeology/ARTHIR 19 | 20 | Templates have been provided for scripts, binary utilities and tools, tasks, and Zip archives so that you 21 | may use it and create your own solutions. 22 | 23 | WHY ARTHIR? 24 | 25 | ARTHIR provides a modular approach that allows users to run existing PowerShell modules included with ARTHIR, create their own, or as in our case push, run, and retrieve LOG-MD-Pro and retrieve the reports. The modular nature of ARTHIR allows you to run a single module (aka PowerShell script), push and run a binary, execute one or many modules using the modules.conf file. For our purposes modifications to the core KANSA script was required and the changes extensive. 
We have provided modules that allows 26 | you to run all the features of LOG-MD-Pro and retrieve the results. 27 | 28 | Running ARTHIR 29 | -------------- 30 | 31 | Edit Modules.conf adjust it to what you want to run. Read each module and what it does should be recorded 32 | in the beginning of the module. 33 | 34 | Keep in mind some modules that take longer than others to run, do them last. modules are ordered by how 35 | long they take in modules.conf. 36 | 37 | Populate the systems you want to run the modules against in the 'Hosts.txt' file. 38 | 39 | Pushing a binary or Zip file, be sure to include the '-Pushbin' parameter or you wil get an error. 40 | 41 | The '-Transcribe' and '-Verbose' options are optional, they just provide the console launch details in a log file. 42 | 43 | Read the "Configuring WinRM Guide.pdf" for more on enabling WinRM 44 | 45 | ############################################################################################# 46 | 47 | Launch all modules enabled in modules.conf \Modules 48 | --------------------------------------------------- 49 | 50 | To cache your credentials 51 | ------------------------- 52 | $Credential = Get-Credential 53 | 54 | ------------------------------- 55 | For Domain attached systems: | 56 | ------------------------------- 57 | The following uses Kerberos to authenticate which is the default for domains. 

Run all modules selected in Modules.conf
----------------------------------------
(In the command lines below, <hostname> and <username> are placeholders for the target system and the account to run as; substitute your own values.)

- With a binary or Zip to push
.\ARTHIR.ps1 -TargetList Hosts.txt .\Modules -Pushbin -Verbose -Transcribe -Credential $Credential

- With just scripts, no binary or Zip
.\ARTHIR.ps1 -TargetList Hosts.txt .\Modules -Verbose -Transcribe -Credential <username>

- Specify one target and a username - with a binary or Zip to push
.\ARTHIR.ps1 -Target <hostname> .\Modules -Pushbin -Verbose -Transcribe -Credential <username>

Launch one module at a time
---------------------------

- With a binary or Zip to push
.\ARTHIR.ps1 -Target <hostname> -ModulePath ".\Modules\LOG-MD\Get-LOG-MD_1_Configs.ps1" -Pushbin -Transcribe -Credential $Credential
.\ARTHIR.ps1 -Target <hostname> -ModulePath ".\Modules\LOG-MD\Get-Log-MD_AutoRuns.ps1" -Pushbin -Transcribe -Credential <username>

.\ARTHIR.ps1 -Target DEFENDER -ModulePath ".\Modules\LOG-MD\Get-LOG-MD_1_Configs.ps1" -Pushbin -Transcribe -Credential <username>

#############################################################################################

-----------------------------------
For Non-Domain attached systems:  |
-----------------------------------

A non-domain target cannot be authenticated with Kerberos, so '-Authentication Negotiate' is required and Negotiate falls back to NTLM. Over an HTTP (port 5985) listener the WinRM client refuses to send credentials to a host that is not in its TrustedHosts list, so add the target there (or use a WinRM HTTPS listener) first. Use a dedicated investigation account with only the rights the modules need; the credential is used against every host in the list, and a compromised target can abuse any session opened to it.

Run all modules selected in Modules.conf
----------------------------------------

- With just scripts, no binary or Zip
.\ARTHIR.ps1 -TargetList Hosts.txt .\Modules -Authentication Negotiate -Verbose -Transcribe -Credential $Credential
.\ARTHIR.ps1 -TargetList Hosts.txt .\Modules -Authentication Negotiate -Verbose -Transcribe -Credential <username>

- With a binary or Zip to push
.\ARTHIR.ps1 -TargetList Hosts.txt .\Modules -Pushbin -Authentication Negotiate -Verbose -Transcribe -Credential $Credential

- Specify one target and a username - with a binary or Zip to push
.\ARTHIR.ps1 -Target <hostname> .\Modules -Pushbin -Authentication Negotiate -Verbose -Transcribe -Credential <username>

Launch one module at a time
---------------------------

- With a binary or Zip to push
.\ARTHIR.ps1 -Target <hostname> -ModulePath ".\Modules\LOG-MD\Get-LOG-MD_1_Configs.ps1" -Pushbin -Authentication Negotiate -Transcribe -Credential $Credential
.\ARTHIR.ps1 -Target <hostname> -ModulePath ".\Modules\LOG-MD\Get-Log-MD_AutoRuns.ps1" -Pushbin -Authentication Negotiate -Transcribe -Credential <username>

.\ARTHIR.ps1 -Target DEFENDER -ModulePath ".\Modules\LOG-MD\Get-LOG-MD_1_Configs.ps1" -Pushbin -Authentication Negotiate -Transcribe -Credential <username>

#############################################################################################

TROUBLESHOOTING
---------------

----------------------------
To open a PS Remoting shell
----------------------------

This gives you an interactive console on the remote system to do whatever you want, but NOT to retrieve files; for that you need the next option, "PS Remoting Session".

$Credential = Get-Credential

- Domain
Enter-PSSession <hostname> -Credential $Credential
Enter-PSSession <hostname> -Credential <username>

- Non domain
Enter-PSSession <hostname> -Authentication Negotiate -Credential $Credential
Enter-PSSession <hostname> -Authentication Negotiate -Credential <username>

Do whatever you want and then, when done:
- Exit-PSSession

--------------------------------------
To open a PS Remoting Session method 2
--------------------------------------

This gives you a session object that lets you run commands on the target and copy files to and from it.

$Credential = Get-Credential

- Non domain (<hostname> is a placeholder for the target; omit '-Authentication Negotiate' for a domain member)
$MySession = New-PSSession -ComputerName <hostname> -Authentication Negotiate -Credential $Credential
$MySession = New-PSSession -ComputerName <hostname> -Authentication Negotiate -Credential <username>
Invoke-Command -Session $MySession {Get-Process}
Invoke-Command -Session $MySession {& 'C:\Program Files\LMD\Log-MD-Pro.exe' -ar -md -o 'C:\Program Files\LMD\Results'}
Copy-Item -Path "C:\Program Files\LMD\Results\Report_AutoRuns*" -Destination "D:\ARTHIR" -FromSession $MySession

The path to the executable contains a space, so it must be quoted and run with the call operator '&'. Copy-Item's '-FromSession' and '-ToSession' parameters exist only in PowerShell 5.0 and later on the launching host.

Do whatever you want and then, when done, remove the session. Exit-PSSession only leaves an interactive shell opened with Enter-PSSession; a session created with New-PSSession stays open on the target until it is removed or times out:
- Remove-PSSession $MySession

#############################################################################################
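The manual push, run and pull cycle above is what ARTHIR automates for each target, and it is the quickest way to isolate a failing host when a full run misbehaves. The following script is an added example, not ARTHIR's own code: it performs that cycle over one PSSession with the session guaranteed to be removed afterwards, checks the PowerShell version that Copy-Item -ToSession/-FromSession needs, and surfaces the tool's exit code. It assumes a local copy of the binary at a hypothetical path .\Modules\bin\Log-MD-Pro.exe, that LOG-MD-Pro is run with the same switches shown above (-ar -md -o), and that its reports are named Report_* (generalised from the Report_AutoRuns* pattern above); the per-host results folder D:\ARTHIR\<hostname> is also an assumption.

```powershell
# Added example (not ARTHIR's own code): push / run / pull over a single PSSession
# with guaranteed cleanup. Assumptions: a local copy of the binary at the hypothetical
# path below, LOG-MD-Pro run with the switches shown in this README (-ar -md -o <dir>),
# reports named Report_* (generalised from Report_AutoRuns*), results kept per host
# under D:\ARTHIR\<hostname>.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$LocalBinary  = '.\Modules\bin\Log-MD-Pro.exe',   # hypothetical local path
    [string]$RemoteDir    = 'C:\Program Files\LMD',
    [string]$LocalResults = 'D:\ARTHIR',
    [switch]$NonDomain                                       # workgroup target: NTLM via Negotiate
)

# Copy-Item -ToSession / -FromSession were added in PowerShell 5.0; fail early otherwise.
if ($PSVersionTable.PSVersion.Major -lt 5) {
    throw 'PowerShell 5.0 or later is required on the launching host for Copy-Item -ToSession/-FromSession'
}

$Credential = Get-Credential -Message "Account for $ComputerName"
$sessionParams = @{ ComputerName = $ComputerName; Credential = $Credential; ErrorAction = 'Stop' }
if ($NonDomain) { $sessionParams['Authentication'] = 'Negotiate' }

$session = $null
try {
    $session = New-PSSession @sessionParams

    # Push: create the tool and results folders on the target, then copy the binary up
    # (the manual equivalent of ARTHIR's -Pushbin).
    Invoke-Command -Session $session -ScriptBlock {
        param($dir)
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        New-Item -ItemType Directory -Path (Join-Path $dir 'Results') -Force | Out-Null
    } -ArgumentList $RemoteDir
    Copy-Item -Path $LocalBinary -Destination $RemoteDir -ToSession $session

    # Run: the path contains a space, so it is quoted and invoked with the call operator.
    # Console output and the exit code come back together so a failure is visible.
    $run = Invoke-Command -Session $session -ScriptBlock {
        param($dir)
        $out = & (Join-Path $dir 'Log-MD-Pro.exe') -ar -md -o (Join-Path $dir 'Results') 2>&1
        [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($out | Out-String) }
    } -ArgumentList $RemoteDir
    if ($run.ExitCode -ne 0) {
        Write-Warning "Log-MD-Pro.exe exited with code $($run.ExitCode) on $ComputerName`n$($run.Output)"
    }

    # Pull: copy every report into a per-host folder on the launching host.
    $dest = Join-Path $LocalResults $ComputerName
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path (Join-Path $RemoteDir 'Results\Report_*') -Destination $dest -FromSession $session
    Get-ChildItem -Path $dest | Select-Object Name, Length, LastWriteTime
}
finally {
    # Exit-PSSession would not close this session; one created with New-PSSession
    # lingers on the target until it is removed or idles out.
    if ($session) { Remove-PSSession -Session $session }
}
```

Usage: `.\Manual-LogMD.ps1 -ComputerName DEFENDER` for a domain member, or add `-NonDomain` for a workgroup host (which still needs TrustedHosts or an HTTPS listener, as described above). Because the cleanup sits in `finally`, the session is removed even when the copy or the tool fails, which is the behaviour you want when iterating against a suspect host.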