├── .gitignore ├── Ping-scan.ps1 ├── Firewall-Rules-Dump.ps1 ├── Logging ├── Enable-Firewall-Logging.ps1 ├── List-All-Services-Any-State.ps1 ├── Enable-Log-auditing-all.ps1 ├── Enable-DHCP-serverLogging.ps1 ├── User-Account-Change.ps1 ├── New-Service-Installed.ps1 ├── Failed-and-Logon-attempts.ps1 ├── User-Account-Changes.ps1 ├── Increase-Log-size.ps1 ├── Query-the-Registry.ps1 └── Useful-list-audit-log.ps1 ├── GPO ├── Disable-CMD-prompt.ps1 ├── Disable-IPv6.ps1 ├── Restrict-Anonymous-Access.ps1 ├── Disable-Remote-Desktop.ps1 ├── Enable-UAC.ps1 ├── Disable-Admin-CredsCache(RDP).ps1 ├── Disable-anon-enum-SAM-accounts.ps1 ├── Disable-admin-shares.ps1 ├── Disable-Creation-of-Hashes(NoLMHash).ps1 ├── Disallow-running-EXE-file.ps1 └── Disable-Keyboard-Accessibility.ps1 ├── Reverse-Lookup.ps1 ├── Analysis ├── Pull-Policy-and-Patch-Information.ps1 ├── Pull-User-Information.ps1 ├── Pull-System-Information.ps1 ├── Pull-Services-Information.ps1 ├── Pull-Network-Information.ps1 └── Pull-ALL-Information.ps1 └── BlueChecker.ps1 /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | .DS_Store? 
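._*
.Spotlight-V100
.Trashes
ehthumbs.db
Thumbs.db

--------------------------------------------------------------------------------
/Ping-scan.ps1:
--------------------------------------------------------------------------------
# Ping sweep of one /24: prints "<ip> True|False" for every host address.
# $Subnet is the first three octets; the default keeps the original hard-coded
# 192.168.1.0/24 so existing callers behave exactly as before.
param([string]$Subnet = "192.168.1")

1..254 | ForEach-Object {
    $ip = "$Subnet.$_"
    # -Quiet returns a bare boolean instead of reply objects; one echo per host.
    $alive = Test-Connection -ComputerName $ip -Quiet -Count 1
    Write-Output "$ip $alive"
}
--------------------------------------------------------------------------------
/Firewall-Rules-Dump.ps1:
--------------------------------------------------------------------------------
# Dump all Firewall rules on txt file
# Writes Firewall-rules.txt into the current directory (overwritten each run).

netsh advfirewall firewall show rule name=all > Firewall-rules.txt
--------------------------------------------------------------------------------
/Logging/Enable-Firewall-Logging.ps1:
--------------------------------------------------------------------------------
# enable firewall logging
# "netsh firewall" is the deprecated XP/2003 context and is not accepted on
# current Windows builds; the advfirewall form below is the supported
# equivalent. Dropped and allowed connections are enabled for all profiles;
# the log goes to the profile's default location (pfirewall.log under
# %SystemRoot%\System32\LogFiles\Firewall) unless the filename is changed.

netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections enable
--------------------------------------------------------------------------------
/GPO/Disable-CMD-prompt.ps1:
--------------------------------------------------------------------------------
# Disable CMD prompt
# DisableCMD = 1 blocks the interactive prompt and batch-file processing
# (2 would block the prompt only). Written under HKCU, so it applies to the
# current user's profile and can be reverted by that user.

reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
--------------------------------------------------------------------------------
/Logging/List-All-Services-Any-State.ps1:
--------------------------------------------------------------------------------
# Query all services in any state
# Output is appended (>>), so repeated runs accumulate snapshots in one file.

sc.exe query state= all >> All_Services_Any_State.txt

--------------------------------------------------------------------------------
/Reverse-Lookup.ps1:
--------------------------------------------------------------------------------
# Reverse (PTR) lookup of one /24: prints "<ip> <hostname> " per address,
# with an empty name where no PTR record exists. Same $Subnet default as
# Ping-scan.ps1.
param([string]$Subnet = "192.168.1")

1..254 | ForEach-Object {
    $ip = "$Subnet.$_"
    # -ErrorAction Ignore keeps NXDOMAIN answers out of the error stream.
    $name = Resolve-DnsName $ip -ErrorAction Ignore | Select-Object -ExpandProperty NameHost
    Write-Output "$ip $name "
}

--------------------------------------------------------------------------------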
/GPO/Disable-IPv6.ps1:
--------------------------------------------------------------------------------
# Disable IPv6
# DisabledComponents = 255 (0xFF) turns IPv6 off on all interfaces except
# loopback; the change takes effect after a reboot. Disabling IPv6 is a
# compatibility trade-off rather than a hardening win on its own — the usual
# motivation is to remove unmanaged IPv6 paths on networks that only manage IPv4.

reg add HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters /v DisabledComponents /t REG_DWORD /d 255 /f
--------------------------------------------------------------------------------
/GPO/Restrict-Anonymous-Access.ps1:
--------------------------------------------------------------------------------
# Restrict Anonymous Access
# RestrictAnonymous = 1 stops anonymous (null-session) connections from
# enumerating accounts and shares; 2 would deny them any access not explicitly
# granted to ANONYMOUS LOGON. Complements GPO/Disable-anon-enum-SAM-accounts.ps1.

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous /t REG_DWORD /d 1 /f
--------------------------------------------------------------------------------
/GPO/Disable-Remote-Desktop.ps1:
--------------------------------------------------------------------------------
# Disable Remote Desktop
# fDenyTSConnections = 1 refuses incoming RDP sessions at the Terminal Services
# layer; the "Remote Desktop" firewall rule group is not changed by this script.

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /f /v fDenyTSConnections /t REG_DWORD /d 1
--------------------------------------------------------------------------------
/Logging/Enable-Log-auditing-all.ps1:
--------------------------------------------------------------------------------
# Set Log Auditing on for Success and/or Failure on all Categories:
# Enables success AND failure for every subcategory. Object Access and Detailed
# Tracking in particular are high-volume; run Logging/Increase-Log-size.ps1 as
# well so the Security log is not overwritten before it is collected.

auditpol /set /category:* /success:enable /failure:enable
--------------------------------------------------------------------------------
/GPO/Enable-UAC.ps1:
--------------------------------------------------------------------------------
# Enable User Access Control permission (UAC):
# EnableLUA = 1 re-enables User Account Control (admin approval mode); takes
# effect after a reboot.

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
--------------------------------------------------------------------------------
/GPO/Disable-Admin-CredsCache(RDP).ps1:
--------------------------------------------------------------------------------
# Disable admin credential cache (while using RDP)
# DisableRestrictedAdmin = 0 *allows* Restricted Admin mode on this host: a
# client connecting with "mstsc /restrictedAdmin" does not send its credentials
# to the host, so they are not cached here. Known trade-off: with Restricted
# Admin accepted, the host also accepts network-style (hash-based) RDP logons,
# which widens credential-reuse exposure — restrict who may RDP in and pair
# this with GPO/Disable-Creation-of-Hashes(NoLMHash).ps1.

reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
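--------------------------------------------------------------------------------
/GPO/Disable-anon-enum-SAM-accounts.ps1:
--------------------------------------------------------------------------------
# Disable anonymous enumeration of SAM accounts and shares
# RestrictAnonymousSAM = 1 blocks anonymous (null-session) enumeration of local
# accounts; GPO/Restrict-Anonymous-Access.ps1 (RestrictAnonymous) covers shares.

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymoussam /t REG_DWORD /d 1 /f
--------------------------------------------------------------------------------
/Logging/Enable-DHCP-serverLogging.ps1:
--------------------------------------------------------------------------------
# Enable DHCP server logging (VALUE: 1)
# ActivityLogFlag: 1 = DHCP audit logging on, 0 = off. The value must be 1 to
# match the intent in the header. The key exists only where the DHCP Server
# role is installed; Set-ItemProperty errors otherwise.
# NOTE(review): the DHCP service is expected to need a restart to pick this up — confirm.

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DhcpServer\Parameters' -Name ActivityLogFlag -Value 1
--------------------------------------------------------------------------------
/Logging/User-Account-Change.ps1:
--------------------------------------------------------------------------------
# User Account Change (EventID: 4738)
# /c:10 with /rd:true returns the 10 most recent matching events, newest first;
# output is appended (>>) to the log file on each run.

WevtUtil qe Security /q:"*[System[(EventID=4738)]]" /c:10 /rd:true /f:text >> User_Account_Change.log
--------------------------------------------------------------------------------
/Logging/New-Service-Installed.ps1:
--------------------------------------------------------------------------------
# New Service Installed (EventID: 7045)
# 7045 is written by the Service Control Manager to the System log, not
# Security, so the query targets System. The Security-log counterpart is 4697
# (needs the "Audit Security System Extension" subcategory enabled).
# The XPath field is EventID (the original "EventIDn" matched nothing).
# /c:10 with /rd:true returns the 10 most recent events, newest first.

WevtUtil qe System /q:"*[System[(EventID=7045)]]" /c:10 /rd:true /f:text >> New_Service_Installed.log
--------------------------------------------------------------------------------
/Analysis/Pull-Policy-and-Patch-Information.ps1:
--------------------------------------------------------------------------------
# POLICY, PATCH AND SETTINGS INFORMATION
# Everything printed between Start-/Stop-Transcript lands in the log named
# after the host on C:\ (writing there needs an elevated session).
# gpresult /H writes report.html into the current directory.

Start-Transcript "c:\$env:COMPUTERNAME-Policy-Patch-Settings-Information.log"
try {
    gpresult /r ; gpresult /z ; gpresult /H report.html /F ; wmic qfe
} finally {
    # Always close the transcript; otherwise it keeps recording the rest of the session.
    Stop-Transcript
}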
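--------------------------------------------------------------------------------
/Logging/Failed-and-Logon-attempts.ps1:
--------------------------------------------------------------------------------
# Successful (EventID 4624) and failed (EventID 4625) logon attempts
# /c:10 with /rd:true returns the 10 most recent matching events, newest first;
# output is appended (>>) on each run.

WevtUtil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /c:10 /rd:true /f:text >> Event_Logons.log

--------------------------------------------------------------------------------
/Logging/User-Account-Changes.ps1:
--------------------------------------------------------------------------------
# User account changes:
#   4720 created, 4722 enabled, 4723 password change attempt,
#   4724 password reset attempt, 4725 disabled, 4726 deleted,
#   4740 locked out, 4767 unlocked
# 4720 and 4740 are included so account creation and lockouts are captured
# alongside the other lifecycle events.
# /c:10 with /rd:true returns the 10 most recent matching events, newest first.

WevtUtil qe Security /q:"*[System[(EventID=4720 or EventID=4722 or EventID=4723 or EventID=4724 or EventID=4725 or EventID=4726 or EventID=4740 or EventID=4767)]]" /c:10 /rd:true /f:text >> User_Account_Changes.log


--------------------------------------------------------------------------------
/GPO/Disable-admin-shares.ps1:
--------------------------------------------------------------------------------
# Disable administrative shares (SERVERS and WORKSTATIONS)
# AutoShareWks / AutoShareServer = 0 stop the Server service from recreating
# the default C$/ADMIN$/drive shares; takes effect once the Server
# (LanmanServer) service restarts. Both values are written so the script does
# not depend on the SKU.

# WORKSTATIONS
reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /f /v AutoShareWks /t REG_DWORD /d 0
# SERVERS
reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /f /v AutoShareServer /t REG_DWORD /d 0
--------------------------------------------------------------------------------
/Analysis/Pull-User-Information.ps1:
--------------------------------------------------------------------------------
# Pull User Information
# Output is captured by the transcript on C:\ (needs an elevated session).
# NOTE(review): "net group administrators" queries a domain group and fails on
# a non-domain-controller; "doskey /history" reflects the cmd.exe buffer, not
# PowerShell history; wmic is deprecated and absent on recent builds — confirm
# which of these are still wanted in this environment.

Start-Transcript "c:\$env:COMPUTERNAME-User-Information.log"
try {
    whoami ; net users ; net localgroup administrators ; net group administrators ; wmic rdtoggle list ; wmic useraccount list ; wmic group list ; wmic netlogin get name, lastlogon, badpasswordcount ; wmic netclient list brief ; doskey /history
} finally {
    # Always close the transcript; otherwise it keeps recording the rest of the session.
    Stop-Transcript
}
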
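--------------------------------------------------------------------------------
/Logging/Increase-Log-size.ps1:
--------------------------------------------------------------------------------
# Increase log size for auditing
# /f is required for unattended runs: without it reg add prompts "overwrite?"
# whenever MaxSize already exists and the script waits for input.
# NOTE(review): under the Policies\...\EventLog keys MaxSize is the policy
# "maximum log file size (KB)" value (0x19000 = 100 MB, 0x64000 = 400 MB) — confirm.

reg add HKLM\Software\Policies\Microsoft\Windows\Eventlog\Application /v MaxSize /t REG_DWORD /d 0x19000 /f
reg add HKLM\Software\Policies\Microsoft\Windows\Eventlog\Security /v MaxSize /t REG_DWORD /d 0x64000 /f
reg add HKLM\Software\Policies\Microsoft\Windows\EventLog\System /v MaxSize /t REG_DWORD /d 0x19000 /f
--------------------------------------------------------------------------------
/GPO/Disable-Creation-of-Hashes(NoLMHash).ps1:
--------------------------------------------------------------------------------
# Remove Creation of Hashes
# Requires password reset and reboot to purge old hashes!
# This action prevents 'Pass The Hash Attack' --> More info: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
# NoLMHash = 1 stops the weak LM hash from being stored at the next password
# change; NTLM hashes are still stored, so this narrows rather than removes
# hash-reuse exposure.

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /f /v NoLMHash /t REG_DWORD /d 1
--------------------------------------------------------------------------------
/Analysis/Pull-System-Information.ps1:
--------------------------------------------------------------------------------
# System Information
# Output is captured by the transcript on C:\ (needs an elevated session).

Start-Transcript "c:\$env:COMPUTERNAME-System-Information.log"
try {
    $date = Get-Date
    $date ; hostname ; systeminfo ; systeminfo | findstr /B /C:"OS Name" /C:"OS Version" ; wmic csproduct get name ; wmic bios get serialnumber ; wmic computersystem list brief
} finally {
    # Always close the transcript; otherwise it keeps recording the rest of the session.
    Stop-Transcript
}


# sysinternals - psinfo
# psinfo -accepteula -s -h -d
--------------------------------------------------------------------------------
/GPO/Disallow-running-EXE-file.ps1:
--------------------------------------------------------------------------------
# Disallow running a .exe file
# DisallowRun is enforced by the Explorer shell only: it blocks the named
# program when launched from Explorer/Start, not from cmd, PowerShell or
# other processes. It is written under HKCU, so it applies to the current
# user and can be reverted by that user. An empty answer at the prompt is
# rejected; otherwise reg add would create a value with an empty name.
# NOTE(review): the policy UI stores entries as numbered value names
# ("1", "2", ...) with the exe name as data; the filename-as-name form is kept
# from the original — confirm Explorer honours it.

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisallowRun /t REG_DWORD /d "00000001" /f
$filename = Read-Host -Prompt 'Enter the .exe file name to Disallow running [e.g.: badfile.exe]'
if ([string]::IsNullOrWhiteSpace($filename)) {
    Write-Error "No file name given; nothing added to the DisallowRun list."
} else {
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v $filename /t REG_SZ /d $filename /f
}
--------------------------------------------------------------------------------
/Analysis/Pull-Services-Information.ps1:
--------------------------------------------------------------------------------
# Service Information
# Output is captured by the transcript on C:\ (needs an elevated session).

Start-Transcript "c:\$env:COMPUTERNAME-Service-Information.log"
try {
    Get-Service | Where-Object { $_.Status -eq "running" } ; tasklist ; tasklist /SVC ; tasklist /SVC /fi "imagename eq svchost.exe" ; schtasks ; net start ; wmic service list brief | findstr "Running" ; wmic service list config ; wmic process list brief ; wmic process list status ; wmic process list memory ; wmic job list brief
} finally {
    # Always close the transcript; otherwise it keeps recording the rest of the session.
    Stop-Transcript
}
--------------------------------------------------------------------------------
/GPO/Disable-Keyboard-Accessibility.ps1:
--------------------------------------------------------------------------------
# Disable On-screen Keyboard, sticky keys, Toggle Keys, Filter Keys
# These are the logon-screen accessibility entry points (on-screen keyboard and
# the Shift/Num-Lock key shortcuts). The Flags values are the ones the original
# set and are left unchanged.

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI /f /v ShowTabletKeyboard /t REG_DWORD /d 0
reg add "HKCU\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
# "Control Panel" carries a space (the original "ControlPanel" created a stray
# key) and the data switch is /d (the original "Id 58" is rejected by reg add).
reg add "HKCU\Control Panel\Accessibility\ToggleKeys" /v Flags /t REG_SZ /d 58 /f
reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v Flags /t REG_SZ /d 122 /f


--------------------------------------------------------------------------------
/Analysis/Pull-Network-Information.ps1:
--------------------------------------------------------------------------------
# Network information
# PowerShell does not expand %SYSTEMROOT%, so the hosts file is read through
# $env:SystemRoot. The wmic nicconfig property is "description" (the original
# "descriptions" is not a property name). Output is captured by the transcript
# on C:\ (needs an elevated session).

Start-Transcript "c:\$env:COMPUTERNAME-Network-Information.log"
try {
    netstat -e ; netstat -naob ; netstat -nr ; netstat -vb ; nbtstat -s ; route print ; arp -a ; ipconfig /displaydns ; netsh winhttp show proxy ; ipconfig /allcompartments /all ; netsh wlan show interfaces ; netsh wlan show all ; Get-Content "$env:SystemRoot\system32\drivers\etc\hosts" ; wmic nicconfig get description,IPaddress,MACaddress ; wmic netuse get name,username,connectiontype,localname
} finally {
    # Always close the transcript; otherwise it keeps recording the rest of the session.
    Stop-Transcript
}
--------------------------------------------------------------------------------
/Logging/Query-the-Registry.ps1:
--------------------------------------------------------------------------------
# Utility to query the changes on the registry
# Each query appends (>>) to its own file so successive runs can be diffed.
# The original used typographic closing quotes on the Run/RunOnce paths and
# omitted the redirection on three of them; both are corrected below.

# Changes to AppInit_Dlls
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_Dlls >> AppInit_Dlls.txt
# Changes to Services Keys
reg query "HKLM\System\CurrentControlSet\Services" >> Services_Keys.txt
# Changes to Machine Run Key
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" >> Machine_Run_Key.txt
# Changes to Machine RunOnce Key
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" >> Machine_RunOnce_Key.txt
# Changes to User Run Key
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" >> User_RunKey.txt
# Changes to User RunOnce Key
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" >> User_RunOnce_Key.txt
--------------------------------------------------------------------------------
/Analysis/Pull-ALL-Information.ps1:
--------------------------------------------------------------------------------
# Information collected and exported in separated files on C:\ drive
#
# Categories:
# - User
# - System
# - Network
# - Services
# - Policy
# - Patch and Settings information
# exported into single files for these categories
#
# Each category runs inside its own transcript. Invoke-Section guarantees the
# transcript is stopped even if a command in the section throws, so a failure
# in one section cannot leave the transcript open across the next ones.
# Writing to C:\ needs an elevated session. See the per-category scripts for
# notes on the individual commands (domain-only "net group", deprecated wmic).

# Runs $Body with a transcript named "c:\<host>-<Name>.log", always closing it.
function Invoke-Section {
    param([string]$Name, [scriptblock]$Body)
    Start-Transcript "c:\$env:COMPUTERNAME-$Name.log"
    try { & $Body } finally { Stop-Transcript }
}

Invoke-Section "User-Information" {
    whoami ; net users ; net localgroup administrators ; net group administrators ; wmic rdtoggle list ; wmic useraccount list ; wmic group list ; wmic netlogin get name, lastlogon, badpasswordcount ; wmic netclient list brief ; doskey /history
}

Invoke-Section "System-Information" {
    $date = Get-Date
    $date ; hostname ; systeminfo ; systeminfo | findstr /B /C:"OS Name" /C:"OS Version" ; wmic csproduct get name ; wmic bios get serialnumber ; wmic computersystem list brief
}

Invoke-Section "Network-Information" {
    # %SYSTEMROOT% is not expanded by PowerShell; "descriptions" is not a wmic property.
    netstat -e ; netstat -naob ; netstat -nr ; netstat -vb ; nbtstat -s ; route print ; arp -a ; ipconfig /displaydns ; netsh winhttp show proxy ; ipconfig /allcompartments /all ; netsh wlan show interfaces ; netsh wlan show all ; Get-Content "$env:SystemRoot\system32\drivers\etc\hosts" ; wmic nicconfig get description,IPaddress,MACaddress ; wmic netuse get name,username,connectiontype,localname
}

Invoke-Section "Service-Information" {
    Get-Service | Where-Object { $_.Status -eq "running" } ; tasklist ; tasklist /SVC ; tasklist /SVC /fi "imagename eq svchost.exe" ; schtasks ; net start ; wmic service list brief | findstr "Running" ; wmic service list config ; wmic process list brief ; wmic process list status ; wmic process list memory ; wmic job list brief
}

Invoke-Section "Policy-Patch-Settings-Information" {
    # gpresult /H writes report.html into the current directory.
    gpresult /r ; gpresult /z ; gpresult /H report.html /F ; wmic qfe
}

--------------------------------------------------------------------------------
/Logging/Useful-list-audit-log.ps1:
--------------------------------------------------------------------------------
# Event ID lists per audit category, read from the Security log with
# Get-EventLog (Windows PowerShell only; PowerShell 7 needs Get-WinEvent).
# The second positional argument is -InstanceId. The original contained soft
# hyphens inside "get-date" and a "," where ".addDays" was meant, which broke
# several lines; duplicate IDs have also been dropped (they did not change the
# result set).

# Account Logon - Last 30 days:
Get-Eventlog Security 4768,4771,4772,4769,4770,4649,4778,4779,4800,4801,4802,4803,5378,5632,5633 -after ((get-date).addDays(-30))

# Account - Logon/Logoff:
Get-Eventlog Security 4625,4634,4647,4624,4648,4675,6272,6273,6274,6275,6276,6277,6278,6279,6280,4649,4778,4779,4800,4801,4802,4803,5378,5632,5633,4964 -after ((get-date).addDays(-30))

# Account Management - Audit Application Group Management:
Get-Eventlog Security 4783,4784,4785,4786,4787,4788,4789,4790,4741,4742,4743,4744,4745,4746,4747,4748,4749,4750,4751,4752,4753,4759,4760,4761,4762,4782,4793,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4754,4755,4756,4757,4758,4764,4720,4722,4723,4724,4725,4726,4738,4740,4765,4766,4767,4780,4781,4794,5376,5377 -after ((get-date).addDays(-1))

# Domain Service Access - Audit Directory Service Access:
Get-EventLog Security 4662,5136,5137,5138,5139,5141 -after ((get-date).addDays(-1))

# Detailed Tracking - Audit DPAPI Activity, Process Termination, RPC Events:
Get-EventLog Security 4692,4693,4694,4695,4689,5712 -after ((get-date).addDays(-1))

# Object Access - Audit File Share, File System, SAM, Registry, Certifications:
Get-EventLog Security 4671,4691,4698,4699,4700,4701,4702,5148,5149,5888,5889,5890,4657,5039,4659,4660,4661,4663,4656,4658,4690,4874,4875,4880,4881,4882,4884,4885,4888,4890,4891,4892,4895,4896,4898,5145,5140,5142,5143,5144,5168,4664,4985,5152,5153,5031,5150,5151,5154,5155,5156,5157,5158,5159 -after ((get-date).addDays(-1))

# Policy Change - Audit Policy Change, Microsoft Protection Service, Windows Filtering Platform:
Get-EventLog Security 4715,4719,4817,4902,4904,4905,4906,4907,4908,4912,4713,4716,4717,4718,4739,4864,4865,4866,4867,4704,4705,4706,4707,4714,4944,4945,4946,4947,4948,4949,4950,4951,4952,4953,4954,4956,4957,4958,5046,5047,5048,5449,5450,4670 -after ((get-date).addDays(-1))

# Privilege Use - Audit Non-Sensitive/Sensitive Privilege Use:
Get-EventLog Security 4672,4673,4674 -after ((get-date).addDays(-1))

# System - Audit Security State Change, Security System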
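# Extension, System Integrity, System Events:
Get-Eventlog Security 5024,5025,5027,5028,5029,5030,5032,5033,5034,5035,5037,5058,5059,6400,6401,6402,6403,6404,6405,6406,6407,4608,4609,4616,4621,4610,4611,4614,4622,4697,4612,4615,4618,4816,5038,5056,5057,5060,5061,5062,6281 -after ((get-date).addDays(-1))
--------------------------------------------------------------------------------
/BlueChecker.ps1:
--------------------------------------------------------------------------------
# Check out the latest verion of BlueChecker
# https://github.com/securethelogs/Bluechecker/blob/master/BlueChecker.ps1
# Creator: Securethelogs.com | @Securethelogs
#
# Collects PowerShell hardening/auditing indicators from the local host
# (engine version, PowerShell 2.0 presence, WinRM state, logging policy keys,
# console history, PowerShell firewall rules, logging events) and writes an
# HTML report to C:\temp\report.html, which is then opened with Invoke-Item.
#
# NOTE(review): the HTML/CSS inside the original here-strings was not
# recoverable from the listing this was rebuilt from; the markup below is a
# minimal substitute that keeps the same section titles and result strings.

$logo = @'

    ____  __           ________              __
   / __ )/ /_  _____  / ____/ /_  ___  _____/ /_____  _____
  / __  / / / / / _ \/ /   / __ \/ _ \/ ___/ //_/ _ \/ ___/
 / /_/ / / /_/ / __/ /___/ / / /  __/ /__/ ,< /  __/ /
/_____/_/\__,_/\___/\____/_/ /_/\___/\___/_/|_|\___/_/

Creator: Securethelogs.com | @Securethelogs


'@

$logo


$computername = hostname
$version      = $PSVersionTable.PSVersion.Major

# PowerShell 2.0 engine: client SKUs expose it as an optional feature, servers
# as a role feature. Get-WindowsFeature does not exist on clients, and a
# command-not-found error cannot be silenced with -ErrorAction, hence try/catch.
$v2check = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
if ($v2check.State -ne "Enabled" -and $v2check.State -ne "Disabled") {
    try { $v2check = Get-WindowsFeature PowerShell-V2 -ErrorAction Stop } catch { $v2check = $null }
}
$v2state = if ($null -ne $v2check) { $v2check.State } else { "Unknown" }

$winrmstatus = (Get-Service WinRM -ErrorAction SilentlyContinue).Status

$status  = @()
$status += "Hostname: " + $computername
$status += "PSVersion: " + $version
$status += "PowerShell V2 Status: " + $v2state
$status += "WinRM Service: " + $winrmstatus

Write-Output ""
$status
Write-Output ""


# ------------- Check History -------------
# Console history is read from the PSReadLine history file. The original
# tested for the module directory under Program Files, which misses installs
# where PSReadLine ships under $PSHOME\Modules; the history file itself is what
# the reads below need, so that is what is tested.
$historyPath     = "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
$CheckPSReadLine = Test-Path -Path $historyPath -PathType Leaf

# Lines that invoked the 2.0 engine (a downgrade bypasses script block logging).
$downgradedcheck = $null
if ($CheckPSReadLine) {
    $downgradedcheck = @((Select-String -Pattern '-version 2', '-v 2' -Path $historyPath).Line | Where-Object { $_ })
}

$dwngrdhistory = ($null -ne $downgradedcheck -and $downgradedcheck.Count -gt 0)
if (-not $dwngrdhistory) { $downgradedcheck = "No Evidence Found" }


Write-Output "Checking auditing levels...."


# ------------- Check auditing -------------
# Policy keys are consulted in the native view first, then Wow6432Node. The
# original reported "Enabled" whenever a key existed; the DWORD written by the
# policy (EnableModuleLogging / EnableScriptBlockLogging = 1) is what actually
# turns the feature on, so the value is compared here.

# Returns the named value from the first of the two policy views where the
# subkey exists, or $null when neither exists or the value is absent.
function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    foreach ($root in 'HKLM:\SOFTWARE\Policies', 'HKLM:\SOFTWARE\Wow6432Node\Policies') {
        $item = Get-ItemProperty -Path "$root\$SubKey" -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

# ------------- Module Logging -------------
$EML = Get-PolicyValue 'Microsoft\Windows\PowerShell\ModuleLogging' 'EnableModuleLogging'
if ($EML -eq 1) {
    $moduleresults = "Module Logging: EnableModuleLogging : Enabled"
} else {
    $moduleresults = "Module Logging: EnableModuleLogging : Disabled"
}

# ------------ BlockScripting ------------
$EBS = Get-PolicyValue 'Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
if ($EBS -eq 1) {
    $EBS = "ScriptBlockLogging: EnableScriptBlockLogging is: Enabled"
} else {
    $EBS = "ScriptBlockLogging: Disabled"
}

# -------------- Get ProcessCreationIncludeCmdLine_Enabled Result and Return -----------------
# This flag only adds the command line to 4688 events; the events themselves
# still require the "Audit Process Creation" subcategory to be enabled.
$CheckIfCmd = Get-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit -ErrorAction SilentlyContinue
if ($null -eq $CheckIfCmd) {
    $PCIC = "ProcessCreationLogging: Disabled"
} else {
    $PCIC = "ProcessCreationLogging: ProcessCreationIncludeCmdLine is set to: " + $CheckIfCmd.ProcessCreationIncludeCmdLine_Enabled
}


Write-Output "Checking for common exploits and keywords...."


# ------------ Check History For Common Exploit Scripts ------------
# -SimpleMatch makes every pattern literal: without it the parentheses and
# dots in '(New-Object Net.WebClient).DownloadString' were regex metacharacters
# and the pattern could not match the text it was written for. The last
# pattern used an en dash ('–ExecutionPolicy') in the original and never
# matched a real '-ExecutionPolicy Bypass'; it is a plain hyphen here.
$Checkforkeywords = $null
if ($CheckPSReadLine) {
    $Checkforkeywords = @(Select-String -SimpleMatch -Pattern 'nishang', 'powersploit', 'mimikatz', 'mimidogz', 'mimiyakz', '-nop', '(New-Object Net.WebClient).DownloadString', '-ExecutionPolicy Bypass' -Path $historyPath)
}
if ($null -eq $Checkforkeywords -or $Checkforkeywords.Count -eq 0) { $Checkforkeywords = "No suspicious keywords found" }


Write-Output "Checking firewall rules for Powershell...."


# ---------------------------- Check For Firewall ---------------------------
# Wrapping in @() means an empty result is an empty array; the original's
# "-eq $null" test on that array never fired, so the "No firewall rules found"
# message was never shown. Count is used instead.
$psfirewall = @(Get-NetFirewallApplicationFilter -Program "*powershell.exe" -ErrorAction SilentlyContinue |
    Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Profiles, Direction, Action)

if ($psfirewall.Count -eq 0) { $psfirewall = "No firewall rules found" }


Write-Output "Checking for events........."


# ------------------ Check Events Logs ---------------------
# Module Logging EventID 4103
# Script Block EventIDs 4104, 4105 and 4106
# FilterHashtable lets the log do the filtering and -MaxEvents 1 stops at the
# first hit; a missing log or no matching event is silenced rather than
# surfacing as an error.
$psLog  = 'Microsoft-Windows-Powershell/Operational'
$4103   = Get-WinEvent -FilterHashtable @{ LogName = $psLog; Id = 4103 } -MaxEvents 1 -ErrorAction SilentlyContinue
$410456 = Get-WinEvent -FilterHashtable @{ LogName = $psLog; Id = 4104, 4105, 4106 } -MaxEvents 1 -ErrorAction SilentlyContinue

if ($null -ne $4103) {
    $4103 = "Module logging events found (EventID: 4103)"
} else {
    $4103 = "Module logging events not found (EventID: 4103)"
}
if ($null -ne $410456) {
    $410456 = "ScriptBlock logging events found (EventID: 4104, 4105, 4106)"
} else {
    $410456 = "ScriptBlock Logging events not found (EventID: 4104, 4105, 4106)"
}

$eventfind  = @()
$eventfind += $4103
$eventfind += $410456


Write-Output "creating the report...."


# ------------------ HTML ---------------------
# Everything written into the report goes through Add-ReportLine, which
# HTML-encodes the text. History lines, firewall rule names and command output
# are influenceable by whoever used or reached this host, and the report is
# opened in a browser below, so raw concatenation would let a crafted history
# line inject markup or script into the analyst's own report.
$reportDir = "C:\temp"
$report    = Join-Path $reportDir "report.html"

if (-not (Test-Path -Path $reportDir -PathType Container)) {
    New-Item -Path $reportDir -ItemType Directory | Out-Null
}
Remove-Item -Path $report -Force -ErrorAction SilentlyContinue
New-Item -Path $reportDir -Name "report.html" -ItemType File | Out-Null

# Appends one encoded paragraph to the report.
function Add-ReportLine {
    param([string]$Text)
    $encoded = [System.Net.WebUtility]::HtmlEncode($Text)
    Add-Content -Path $report -Value "<p>$encoded</p>"
}

# Appends one encoded section heading to the report.
function Add-ReportHeader {
    param([string]$Title)
    $encoded = [System.Net.WebUtility]::HtmlEncode($Title)
    Add-Content -Path $report -Value "<h2>$encoded</h2>"
}

$htmlstart = @'
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>PSWatcher Report</title>
</head>
<body>
<h1>BlueChecker Report</h1>
<h2>Your Results</h2>
<h2>Checking Client Status:</h2>
'@

Add-Content -Path $report -Value $htmlstart

foreach ($l in $status) { Add-ReportLine $l }

Add-ReportHeader "Checking For Downgrade:"
if ($dwngrdhistory) {
    Add-ReportLine "Evidence Found:"
    foreach ($l in $downgradedcheck) { Add-ReportLine $l }
} else {
    Add-ReportLine $downgradedcheck
}

Add-ReportHeader "Checking Auditing Settings :"
Add-ReportLine $moduleresults
Add-ReportLine $EBS
Add-ReportLine $PCIC

Add-ReportHeader "Checking history for suspicious commands :"
foreach ($l in $Checkforkeywords) { Add-ReportLine $l }

Add-ReportHeader "Checking Firewall Rules :"
foreach ($l in $psfirewall) { Add-ReportLine $l }

Add-ReportHeader "Checking Events :"
foreach ($l in $eventfind) { Add-ReportLine $l }

$htmlend = @'
<p>For more information, visit: Securethelogs.com</p>
</body>
</html>
'@

Add-Content -Path $report -Value $htmlend

Invoke-Item $report

--------------------------------------------------------------------------------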