├── IncidentResponse.ps1 └── README.md /IncidentResponse.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | Author: Michael Scott 3 | http://www.rwnin.net 4 | https://www.github.com/et0x 5 | scomijo@gmail.com 6 | et0x@rwnin.net 7 | @_et0x 8 | #> 9 | 10 | # From: http://data.iana.org/TLD/tlds-alpha-by-domain.txt -- 12/2/2015 11 | $global:TLDS = @('AAA','AARP','ABB','ABBOTT','ABOGADO','AC','ACADEMY','ACCENTURE','ACCOUNTANT','ACCOUNTANTS','ACO','ACTIVE','ACTOR','AD','ADS','ADULT','AE','AEG','AERO','AF','AFL','AG','AGENCY','AI','AIG','AIRFORCE','AIRTEL','AL','ALLFINANZ','ALSACE','AM','AMICA','AMSTERDAM','ANDROID','AO','APARTMENTS','APP','APPLE','AQ','AQUARELLE','AR','ARAMCO','ARCHI','ARMY','ARPA','ARTE','AS','ASIA','ASSOCIATES','AT','ATTORNEY','AU','AUCTION','AUDI','AUDIO','AUTO','AUTOS','AW','AX','AXA','AZ','AZURE','BA','BAND','BANK','BAR','BARCELONA','BARCLAYCARD','BARCLAYS','BARGAINS','BAUHAUS','BAYERN','BB','BBC','BBVA','BCN','BD','BE','BEATS','BEER','BENTLEY','BERLIN','BEST','BET','BF','BG','BH','BHARTI','BI','BIBLE','BID','BIKE','BING','BINGO','BIO','BIZ','BJ','BLACK','BLACKFRIDAY','BLOOMBERG','BLUE','BM','BMS','BMW','BN','BNL','BNPPARIBAS','BO','BOATS','BOEHRINGER','BOM','BOND','BOO','BOOTS','BOSTIK','BOUTIQUE','BR','BRADESCO','BRIDGESTONE','BROADWAY','BROKER','BROTHER','BRUSSELS','BS','BT','BUDAPEST','BUGATTI','BUILD','BUILDERS','BUSINESS','BUZZ','BV','BW','BY','BZ','BZH','CA','CAB','CAFE','CAL','CAMERA','CAMP','CANCERRESEARCH','CANON','CAPETOWN','CAPITAL','CAR','CARAVAN','CARDS','CARE','CAREER','CAREERS','CARS','CARTIER','CASA','CASH','CASINO','CAT','CATERING','CBA','CBN','CC','CD','CEB','CENTER','CEO','CERN','CF','CFA','CFD','CG','CH','CHANEL','CHANNEL','CHAT','CHEAP','CHLOE','CHRISTMAS','CHROME','CHURCH','CI','CIPRIANI','CISCO','CITIC','CITY','CITYEATS','CK','CL','CLAIMS','CLEANING','CLICK','CLINIC','CLOTHING','CLOUD','CLUB','CLUBMED','CM','CN','CO','COACH','CODES','COFFEE','COLLEGE','COLOGNE','COM','COMMBANK','CO
MMUNITY','COMPANY','COMPUTER','COMSEC','CONDOS','CONSTRUCTION','CONSULTING','CONTRACTORS','COOKING','COOL','COOP','CORSICA','COUNTRY','COUPONS','COURSES','CR','CREDIT','CREDITCARD','CREDITUNION','CRICKET','CROWN','CRS','CRUISES','CSC','CU','CUISINELLA','CV','CW','CX','CY','CYMRU','CYOU','CZ','DABUR','DAD','DANCE','DATE','DATING','DATSUN','DAY','DCLK','DE','DEALS','DEGREE','DELIVERY','DELL','DELTA','DEMOCRAT','DENTAL','DENTIST','DESI','DESIGN','DEV','DIAMONDS','DIET','DIGITAL','DIRECT','DIRECTORY','DISCOUNT','DJ','DK','DM','DNP','DO','DOCS','DOG','DOHA','DOMAINS','DOOSAN','DOWNLOAD','DRIVE','DURBAN','DVAG','DZ','EARTH','EAT','EC','EDU','EDUCATION','EE','EG','EMAIL','EMERCK','ENERGY','ENGINEER','ENGINEERING','ENTERPRISES','EPSON','EQUIPMENT','ER','ERNI','ES','ESQ','ESTATE','ET','EU','EUROVISION','EUS','EVENTS','EVERBANK','EXCHANGE','EXPERT','EXPOSED','EXPRESS','FAGE','FAIL','FAIRWINDS','FAITH','FAMILY','FAN','FANS','FARM','FASHION','FEEDBACK','FERRERO','FI','FILM','FINAL','FINANCE','FINANCIAL','FIRMDALE','FISH','FISHING','FIT','FITNESS','FJ','FK','FLIGHTS','FLORIST','FLOWERS','FLSMIDTH','FLY','FM','FO','FOO','FOOTBALL','FOREX','FORSALE','FORUM','FOUNDATION','FR','FRL','FROGANS','FUND','FURNITURE','FUTBOL','FYI','GA','GAL','GALLERY','GAME','GARDEN','GB','GBIZ','GD','GDN','GE','GEA','GENT','GENTING','GF','GG','GGEE','GH','GI','GIFT','GIFTS','GIVES','GIVING','GL','GLASS','GLE','GLOBAL','GLOBO','GM','GMAIL','GMO','GMX','GN','GOLD','GOLDPOINT','GOLF','GOO','GOOG','GOOGLE','GOP','GOV','GP','GQ','GR','GRAINGER','GRAPHICS','GRATIS','GREEN','GRIPE','GROUP','GS','GT','GU','GUCCI','GUGE','GUIDE','GUITARS','GURU','GW','GY','HAMBURG','HANGOUT','HAUS','HEALTHCARE','HELP','HERE','HERMES','HIPHOP','HITACHI','HIV','HK','HM','HN','HOCKEY','HOLDINGS','HOLIDAY','HOMEDEPOT','HOMES','HONDA','HORSE','HOST','HOSTING','HOTELES','HOTMAIL','HOUSE','HOW','HR','HSBC','HT','HU','HYUNDAI','IBM','ICBC','ICE','ICU','ID','IE','IFM','IINET','IL','IM','IMMO','IMMOBILIEN','IN','INDUSTRIES','INFINITI','IN
FO','ING','INK','INSTITUTE','INSURE','INT','INTERNATIONAL','INVESTMENTS','IO','IPIRANGA','IQ','IR','IRISH','IS','IST','ISTANBUL','IT','ITAU','IWC','JAGUAR','JAVA','JCB','JE','JETZT','JEWELRY','JLC','JLL','JM','JO','JOBS','JOBURG','JP','JPRS','JUEGOS','KAUFEN','KDDI','KE','KG','KH','KI','KIA','KIM','KINDER','KITCHEN','KIWI','KM','KN','KOELN','KOMATSU','KP','KR','KRD','KRED','KW','KY','KYOTO','KZ','LA','LACAIXA','LAMBORGHINI','LANCASTER','LAND','LANDROVER','LASALLE','LAT','LATROBE','LAW','LAWYER','LB','LC','LDS','LEASE','LECLERC','LEGAL','LEXUS','LGBT','LI','LIAISON','LIDL','LIFE','LIFESTYLE','LIGHTING','LIMITED','LIMO','LINDE','LINK','LIVE','LIXIL','LK','LOAN','LOANS','LOL','LONDON','LOTTE','LOTTO','LOVE','LR','LS','LT','LTD','LTDA','LU','LUPIN','LUXE','LUXURY','LV','LY','MA','MADRID','MAIF','MAISON','MAN','MANAGEMENT','MANGO','MARKET','MARKETING','MARKETS','MARRIOTT','MBA','MC','MD','ME','MEDIA','MEET','MELBOURNE','MEME','MEMORIAL','MEN','MENU','MEO','MG','MH','MIAMI','MICROSOFT','MIL','MINI','MK','ML','MM','MMA','MN','MO','MOBI','MODA','MOE','MOI','MOM','MONASH','MONEY','MONTBLANC','MORMON','MORTGAGE','MOSCOW','MOTORCYCLES','MOV','MOVIE','MOVISTAR','MP','MQ','MR','MS','MT','MTN','MTPC','MTR','MU','MUSEUM','MUTUELLE','MV','MW','MX','MY','MZ','NA','NADEX','NAGOYA','NAME','NAVY','NC','NE','NEC','NET','NETBANK','NETWORK','NEUSTAR','NEW','NEWS','NEXUS','NF','NG','NGO','NHK','NI','NICO','NINJA','NISSAN','NL','NO','NOKIA','NP','NR','NRA','NRW','NTT','NU','NYC','NZ','OBI','OFFICE','OKINAWA','OM','OMEGA','ONE','ONG','ONL','ONLINE','OOO','ORACLE','ORANGE','ORG','ORGANIC','OSAKA','OTSUKA','OVH','PA','PAGE','PANERAI','PARIS','PARTNERS','PARTS','PARTY','PE','PET','PF','PG','PH','PHARMACY','PHILIPS','PHOTO','PHOTOGRAPHY','PHOTOS','PHYSIO','PIAGET','PICS','PICTET','PICTURES','PING','PINK','PIZZA','PK','PL','PLACE','PLAY','PLAYSTATION','PLUMBING','PLUS','PM','PN','POHL','POKER','PORN','POST','PR','PRAXI','PRESS','PRO','PROD','PRODUCTIONS','PROF','PROPERTIES','PROPERTY','PROTECTION
','PS','PT','PUB','PW','PY','QA','QPON','QUEBEC','RACING','RE','REALTOR','REALTY','RECIPES','RED','REDSTONE','REHAB','REISE','REISEN','REIT','REN','RENT','RENTALS','REPAIR','REPORT','REPUBLICAN','REST','RESTAURANT','REVIEW','REVIEWS','RICH','RICOH','RIO','RIP','RO','ROCHER','ROCKS','RODEO','RS','RSVP','RU','RUHR','RUN','RW','RWE','RYUKYU','SA','SAARLAND','SAKURA','SALE','SAMSUNG','SANDVIK','SANDVIKCOROMANT','SANOFI','SAP','SAPO','SARL','SAXO','SB','SBS','SC','SCA','SCB','SCHMIDT','SCHOLARSHIPS','SCHOOL','SCHULE','SCHWARZ','SCIENCE','SCOR','SCOT','SD','SE','SEAT','SECURITY','SEEK','SENER','SERVICES','SEVEN','SEW','SEX','SEXY','SFR','SG','SH','SHIKSHA','SHOES','SHOW','SHRIRAM','SI','SINGLES','SITE','SJ','SK','SKI','SKY','SKYPE','SL','SM','SN','SNCF','SO','SOCCER','SOCIAL','SOFTWARE','SOHU','SOLAR','SOLUTIONS','SONY','SOY','SPACE','SPIEGEL','SPREADBETTING','SR','SRL','ST','STADA','STARHUB','STATOIL','STC','STCGROUP','STOCKHOLM','STUDIO','STUDY','STYLE','SU','SUCKS','SUPPLIES','SUPPLY','SUPPORT','SURF','SURGERY','SUZUKI','SV','SWATCH','SWISS','SX','SY','SYDNEY','SYSTEMS','SZ','TAB','TAIPEI','TATAMOTORS','TATAR','TATTOO','TAX','TAXI','TC','TD','TEAM','TECH','TECHNOLOGY','TEL','TELEFONICA','TEMASEK','TENNIS','TF','TG','TH','THD','THEATER','THEATRE','TICKETS','TIENDA','TIPS','TIRES','TIROL','TJ','TK','TL','TM','TN','TO','TODAY','TOKYO','TOOLS','TOP','TORAY','TOSHIBA','TOURS','TOWN','TOYOTA','TOYS','TR','TRADE','TRADING','TRAINING','TRAVEL','TRUST','TT','TUI','TV','TW','TZ','UA','UBS','UG','UK','UNIVERSITY','UNO','UOL','US','UY','UZ','VA','VACATIONS','VANA','VC','VE','VEGAS','VENTURES','VERISIGN','VERSICHERUNG','VET','VG','VI','VIAJES','VIDEO','VILLAS','VIN','VIP','VIRGIN','VISION','VISTA','VISTAPRINT','VIVA','VLAANDEREN','VN','VODKA','VOTE','VOTING','VOTO','VOYAGE','VU','WALES','WALTER','WANG','WATCH','WEBCAM','WEBSITE','WED','WEDDING','WEIR','WF','WHOSWHO','WIEN','WIKI','WILLIAMHILL','WIN','WINDOWS','WINE','WME','WORK','WORKS','WORLD','WS','WTC','WTF','XBOX','XEROX','XIN'
,'XN--11B4C3D','XN--1QQW23A','XN--30RR7Y','XN--3BST00M','XN--3DS443G','XN--3E0B707E','XN--3PXU8K','XN--42C2D9A','XN--45BRJ9C','XN--45Q11C','XN--4GBRIM','XN--55QW42G','XN--55QX5D','XN--6FRZ82G','XN--6QQ986B3XL','XN--80ADXHKS','XN--80AO21A','XN--80ASEHDB','XN--80ASWG','XN--90A3AC','XN--90AIS','XN--9DBQ2A','XN--9ET52U','XN--B4W605FERD','XN--C1AVG','XN--C2BR7G','XN--CG4BKI','XN--CLCHC0EA0B2G2A9GCD','XN--CZR694B','XN--CZRS0T','XN--CZRU2D','XN--D1ACJ3B','XN--D1ALF','XN--EFVY88H','XN--ESTV75G','XN--FHBEI','XN--FIQ228C5HS','XN--FIQ64B','XN--FIQS8S','XN--FIQZ9S','XN--FJQ720A','XN--FLW351E','XN--FPCRJ9C3D','XN--FZC2C9E2C','XN--GECRJ9C','XN--H2BRJ9C','XN--HXT814E','XN--I1B6B1A6A2E','XN--IMR513N','XN--IO0A7I','XN--J1AEF','XN--J1AMH','XN--J6W193G','XN--KCRX77D1X4A','XN--KPRW13D','XN--KPRY57D','XN--KPUT3I','XN--L1ACC','XN--LGBBAT1AD8J','XN--MGB9AWBF','XN--MGBA3A3EJT','XN--MGBA3A4F16A','XN--MGBAAM7A8H','XN--MGBAB2BD','XN--MGBAYH7GPA','XN--MGBBH1A71E','XN--MGBC0A9AZCG','XN--MGBERP4A5D4AR','XN--MGBPL2FH','XN--MGBTX2B','XN--MGBX4CD0AB','XN--MK1BU44C','XN--MXTQ1M','XN--NGBC5AZD','XN--NODE','XN--NQV7F','XN--NQV7FS00EMA','XN--NYQY26A','XN--O3CW4H','XN--OGBPF8FL','XN--P1ACF','XN--P1AI','XN--PGBS0DH','XN--PSSY2U','XN--Q9JYB4C','XN--QCKA1PMC','XN--QXAM','XN--RHQV96G','XN--S9BRJ9C','XN--SES554G','XN--T60B56A','XN--TCKWE','XN--UNUP4Y','XN--VERMGENSBERATER-CTB','XN--VERMGENSBERATUNG-PWB','XN--VHQUV','XN--VUQ861B','XN--WGBH1C','XN--WGBL6A','XN--XHQ521B','XN--XKC2AL3HYE2A','XN--XKC2DL3A5EE0H','XN--Y9A3AQ','XN--YFRO4I67O','XN--YGBI2AMMX','XN--ZFR164B','XPERIA','XXX','XYZ','YACHTS','YAMAXUN','YANDEX','YE','YODOBASHI','YOGA','YOKOHAMA','YOUTUBE','YT','ZA','ZARA','ZIP','ZM','ZONE','ZUERICH','ZW') 12 | 13 | function Get-AllProcesses 14 | { 15 | Param( 16 | 17 | [string[]]$ComputerName, 18 | 19 | [System.Management.Automation.PSCredential]$Credentials, 20 | 21 | [switch]$Sorted 22 | 23 | ) 24 | 25 | Begin 26 | { 27 | 28 | [System.Collections.ArrayList]$results = @() 29 | 30 | 31 | } Process { 32 | 
33 | foreach ($computer in $ComputerName) { 34 | 35 | if ($Credentials) { 36 | 37 | $processes = Get-WmiObject -ComputerName $computer -Credential $Credentials -Class Win32_Process -Namespace 'root\cimv2' -Impersonation 3 38 | 39 | if (-not $processes) 40 | { 41 | 42 | Write-Error "[!] Error: No access to computer '$computer'" 43 | 44 | } 45 | 46 | } else { 47 | 48 | try 49 | { 50 | 51 | $processes = Get-WmiObject -ComputerName $computer -Class Win32_Process -Namespace 'root/cimv2' 52 | 53 | } catch { 54 | 55 | Write-Error "[!] Error: No access to computer '$computer'" 56 | 57 | return 0 58 | 59 | } 60 | 61 | } 62 | 63 | ForEach ($p in $processes) { 64 | 65 | $results.add($p.ExecutablePath) | Out-Null 66 | 67 | } 68 | 69 | } 70 | 71 | } end { 72 | 73 | if ($Sorted) { 74 | 75 | return ($results | Sort-Object) 76 | 77 | } else { 78 | 79 | return $results 80 | 81 | } 82 | 83 | } 84 | 85 | } 86 | 87 | function Get-AllServices 88 | { 89 | Param( 90 | 91 | [string[]]$ComputerName, 92 | 93 | [System.Management.Automation.PSCredential]$Credentials, 94 | 95 | [switch]$Sorted 96 | 97 | ) 98 | 99 | Begin 100 | { 101 | 102 | [System.Collections.ArrayList]$results = @() 103 | 104 | 105 | } Process { 106 | 107 | foreach ($computer in $ComputerName) { 108 | 109 | if ($Credentials) { 110 | 111 | try 112 | { 113 | 114 | $services = Get-WmiObject -ComputerName $computer -Credential $Credentials -Class Win32_Service -Namespace 'root\cimv2' -Impersonation 3 115 | 116 | } catch { 117 | 118 | return 0 119 | 120 | } 121 | 122 | } else { 123 | 124 | try 125 | { 126 | 127 | $services = Get-WmiObject -ComputerName $computer -Class Win32_Service -Namespace 'root/cimv2' 128 | 129 | } catch { 130 | 131 | Write-Error "[!] 
Error: No access to computer '$computer'" 132 | 133 | return 0 134 | 135 | } 136 | 137 | } 138 | 139 | ForEach ($s in $services) { 140 | 141 | $results.add($s.Name) | Out-Null 142 | 143 | } 144 | 145 | } 146 | 147 | } end { 148 | 149 | if ($Sorted) { 150 | 151 | return ($results | Sort-Object) 152 | 153 | } else { 154 | 155 | return $results 156 | 157 | } 158 | 159 | } 160 | 161 | } 162 | 163 | function Invoke-ProcessHashSweep 164 | { 165 | Param ( 166 | 167 | [string[]]$ComputerNames, 168 | 169 | [switch]$SupplyCreds 170 | 171 | ) 172 | 173 | [System.Collections.Hashtable]$results = @{} 174 | 175 | if ($SupplyCreds) { 176 | 177 | $creds = Get-Credential 178 | 179 | } 180 | 181 | 182 | foreach ($computer in $ComputerNames) 183 | { 184 | 185 | if ($SupplyCreds) { 186 | 187 | $p = Get-AllProcesses -ComputerName $Computer -Credentials $creds 188 | 189 | } else { 190 | 191 | $p = Get-AllProcesses -ComputerName $Computer 192 | 193 | } 194 | 195 | if ($p) 196 | { 197 | 198 | $results[$computer] = Invoke-HashArray -Array $p 199 | 200 | } 201 | 202 | } 203 | 204 | return $results 205 | } 206 | 207 | function Invoke-HashArray 208 | { 209 | 210 | Param( 211 | 212 | [System.Collections.ArrayList]$Array 213 | 214 | ) 215 | 216 | $text = $Array -join "`r`n" 217 | 218 | $hash = [System.BitConverter]::ToString( 219 | 220 | (New-Object System.Security.Cryptography.MD5CryptoServiceProvider).ComputeHash( 221 | 222 | [system.text.encoding]::UTF8.GetBytes($text) 223 | 224 | ) 225 | 226 | ) 227 | 228 | return $hash 229 | 230 | } 231 | 232 | function Invoke-ServiceHashSweep 233 | { 234 | Param ( 235 | 236 | [string[]]$ComputerNames, 237 | 238 | [switch]$SupplyCreds 239 | 240 | ) 241 | 242 | [System.Collections.Hashtable]$results = @{} 243 | 244 | if ($SupplyCreds) { 245 | 246 | $creds = Get-Credential 247 | 248 | } 249 | 250 | 251 | foreach ($computer in $ComputerNames) 252 | { 253 | 254 | if ($SupplyCreds) { 255 | 256 | $s = Get-AllServices -ComputerName $Computer -Credentials $creds 
257 | 258 | } else { 259 | 260 | $s = Get-AllServices -ComputerName $Computer 261 | 262 | } 263 | 264 | if ($s) 265 | { 266 | $results[$computer] = Invoke-HashArray -Array $s 267 | } 268 | 269 | } 270 | 271 | return $results 272 | } 273 | 274 | 275 | function Get-Strings 276 | { 277 | 278 | [CmdletBinding()] 279 | 280 | Param( 281 | 282 | [Parameter(Mandatory=$true, ValueFromPipeline=$true)] 283 | 284 | [String]$Data, 285 | 286 | [Int]$Length = 4, 287 | 288 | [Switch]$NetworkItems = $false, 289 | 290 | [Switch]$FileItems = $false, 291 | 292 | [Switch]$RegistryItems = $false, 293 | 294 | [Switch]$EmailItems = $false, 295 | 296 | [Switch]$FunctionItems = $false 297 | 298 | ) 299 | 300 | process { 301 | 302 | [string[]]$results = @() 303 | 304 | if ( $NetworkItems ) 305 | { 306 | 307 | $re_domainItems = '(https?:\/\/)?([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?' 308 | 309 | $re_ipItems = '((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' 310 | 311 | $domain_matches = $Data | Select-String -Pattern $re_domainItems -AllMatches 312 | 313 | $ip_matches = $Data | Select-String -Pattern $re_ipItems -AllMatches 314 | 315 | 316 | 317 | if ($domain_matches.Matches.Count) { 318 | 319 | $domain_matches.Matches | ForEach-Object { 320 | 321 | if ($_.Value.Length -ge $Length) 322 | { 323 | 324 | if (($_.Value.split('.'))[-1].Replace('/','') -in $TLDS ) 325 | { 326 | 327 | $results += $_.Value 328 | 329 | } 330 | 331 | } 332 | 333 | } 334 | 335 | } 336 | 337 | if ($ip_matches.Matches.Count) { 338 | 339 | $ip_matches.Matches | ForEach-Object { 340 | 341 | if ($_.Value.Length -ge $Length) 342 | { 343 | 344 | $results += $_.Value 345 | 346 | } 347 | 348 | } 349 | 350 | } 351 | 352 | $results = ( $results | Sort-Object -Unique ) 353 | 354 | return $results 355 | 356 | } elseif ( $FileItems ) { 357 | 358 | $re_fileItems = '[ -~]+\.[ -~]+' 359 | 360 | $file_matches = $Data | Select-String -Pattern $re_fileItems -AllMatches 361 | 362 | if 
($file_matches.Matches.Count) { 363 | 364 | $file_matches.Matches | ForEach-Object { 365 | 366 | if ($_.Value.Length -ge $Length) 367 | { 368 | 369 | $results += $_.Value 370 | 371 | } 372 | 373 | } 374 | 375 | } 376 | 377 | $results = ( $results | Sort-Object -Unique ) 378 | 379 | return $results 380 | 381 | } elseif ( $RegistryItems ) { 382 | 383 | $re_registryItems = '[ -~]*(HKLM|HKCU|HKCR|HKU|HKCC|HKEY|CurrentControlSet)[ -~]*' 384 | 385 | $registry_matches = $Data | Select-String -Pattern $re_registryItems -AllMatches 386 | 387 | if ($registry_matches.Matches.Count) { 388 | 389 | $registry_matches.Matches | ForEach-Object { 390 | 391 | if ($_.Value.Length -ge $Length) 392 | { 393 | 394 | $results += $_.Value 395 | 396 | } 397 | 398 | } 399 | 400 | } 401 | 402 | $results = ( $results | Sort-Object -Unique ) 403 | 404 | return $results 405 | 406 | } elseif ( $EmailItems ) { 407 | 408 | $re_emailItems = "\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*" 409 | 410 | $email_matches = $Data | Select-String -Pattern $re_emailItems -AllMatches 411 | 412 | if ($email_matches.Matches.Count) { 413 | 414 | $email_matches.Matches | ForEach-Object { 415 | 416 | if ($_.Value.Length -ge $Length) 417 | { 418 | 419 | $results += $_.Value 420 | 421 | } 422 | 423 | } 424 | 425 | } 426 | 427 | $results = ( $results | Sort-Object -Unique ) 428 | 429 | return $results 430 | 431 | } elseif ( $FunctionItems ) { 432 | 433 | $re_functionItems = '[A-Z]([A-Z0-9]*[a-z][a-z0-9]*[A-Z]|[a-z0-9]*[A-Z][A-Z0-9]*[a-z])[A-Za-z0-9]*' 434 | 435 | $function_matches = $Data | Select-String -Pattern $re_functionItems -AllMatches -CaseSensitive 436 | 437 | if ($function_matches.Matches.Count) { 438 | 439 | $function_matches.Matches | ForEach-Object { 440 | 441 | if ($_.Value.Length -ge $Length) 442 | { 443 | 444 | $results += $_.Value 445 | 446 | } 447 | 448 | } 449 | 450 | } 451 | 452 | $results = ( $results | Sort-Object -Unique ) 453 | 454 | return $results 455 | 456 | } else { 457 | 458 | $re = "[ 
-~]{$Length,}" 459 | 460 | $string_matches = $Data | Select-String -Pattern $re -AllMatches 461 | 462 | if ($string_matches.Matches.Count) { 463 | 464 | $string_matches.Matches | ForEach-Object { 465 | 466 | if ($_.Value.Length -ge $Length) 467 | { 468 | 469 | $results += $_.Value 470 | 471 | } 472 | 473 | } 474 | 475 | } 476 | 477 | } 478 | 479 | return $results 480 | 481 | } end { 482 | 483 | } 484 | 485 | } 486 | 487 | function Invoke-HashString 488 | { 489 | Param( 490 | 491 | [CmdletBinding()] 492 | 493 | [Parameter(Mandatory=$true)] 494 | 495 | [String]$Data 496 | 497 | ) 498 | 499 | $md5 = New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider 500 | 501 | $enc = New-Object -TypeName System.Text.UTF8Encoding 502 | 503 | $hash = [System.BitConverter]::ToString($md5.ComputeHash($enc.GetBytes($Data))) 504 | 505 | return $hash 506 | } 507 | 508 | 509 | function Get-WMIEventSubscriptions 510 | { 511 | 512 | Param( 513 | 514 | [ValidateSet('All','Filter','Consumer','BindingPath')] 515 | 516 | [String]$Type, 517 | 518 | [Parameter(Mandatory=$true)] 519 | 520 | [String[]]$ComputerNames, 521 | 522 | [Switch]$Credentialed, 523 | 524 | [System.Management.Automation.PSCredential]$ProvideCreds = $null, 525 | 526 | [Switch]$ShowDefinitions = $false 527 | 528 | ) 529 | 530 | if ($Credentialed) 531 | { 532 | 533 | $creds = Get-Credential 534 | 535 | } elseif ($ProvideCreds) { 536 | 537 | $creds = $ProvideCreds 538 | 539 | } 540 | 541 | [System.Collections.Hashtable]$results = @{} 542 | 543 | Switch ($Type) 544 | { 545 | 'All' { 546 | 547 | foreach ($computer in $ComputerNames) 548 | { 549 | 550 | if ($Credentialed -or $ProvideCreds) 551 | { 552 | 553 | $Binding = Get-WmiObject -ComputerName $computer -Namespace 'root/subscription' -Class __FilterToConsumerBinding -Credential $creds 554 | 555 | } else { 556 | 557 | $Binding = Get-WmiObject -ComputerName $computer -Namespace 'root/subscription' -Class __FilterToConsumerBinding 558 | 559 | } 560 | 561 | if 
($Binding) 562 | { 563 | 564 | $results[$computer] = @($Binding.__Path, $Binding.Filter, $Binding.Consumer) 565 | 566 | Remove-Variable Binding -Force 567 | 568 | } 569 | 570 | } 571 | 572 | return $results 573 | 574 | } 575 | 576 | 'BindingPath' { 577 | 578 | foreach ($computer in $ComputerNames) 579 | { 580 | 581 | if ($Credentialed -or $ProvideCreds) 582 | { 583 | 584 | $Binding = Get-WmiObject -ComputerName $computer -Namespace 'root/subscription' -Class __FilterToConsumerBinding -Credential $creds 585 | 586 | } else { 587 | 588 | $Binding = Get-WmiObject -ComputerName $computer -Namespace 'root/subscription' -Class __FilterToConsumerBinding 589 | 590 | } 591 | 592 | if ($Binding) 593 | { 594 | 595 | $results[$computer] = @($Binding.__Path) 596 | 597 | Remove-Variable Binding -Force 598 | 599 | } 600 | 601 | } 602 | 603 | return $results 604 | 605 | } 606 | 607 | 'Filter' { 608 | 609 | foreach ($computer in $ComputerNames) 610 | { 611 | 612 | if ($Credentialed -or $ProvideCreds) 613 | { 614 | 615 | $Binding = Get-WmiObject -ComputerName $computer -Namespace 'root/subscription' -Class __FilterToConsumerBinding -Credential $creds 616 | 617 | } else { 618 | 619 | $Binding = Get-WmiObject -ComputerName $computer -Namespace 'root/subscription' -Class __FilterToConsumerBinding 620 | 621 | } 622 | 623 | if ($Binding) 624 | { 625 | 626 | $results[$computer] = @($Binding.Filter) 627 | 628 | Remove-Variable Binding -Force 629 | 630 | } 631 | 632 | } 633 | 634 | return $results 635 | 636 | } 637 | 638 | 'Consumer' { 639 | 640 | foreach ($computer in $ComputerNames) 641 | { 642 | 643 | if ($Credentialed -or $ProvideCreds) 644 | { 645 | 646 | $Binding = Get-WmiObject -ComputerName $computer -Namespace 'root/subscription' -Class __FilterToConsumerBinding -Credential $creds 647 | 648 | } else { 649 | 650 | $Binding = Get-WmiObject -ComputerName $computer -Namespace 'root/subscription' -Class __FilterToConsumerBinding 651 | 652 | } 653 | 654 | if ($Binding) 655 | { 656 | 657 | 
$results[$computer] = @($Binding.Consumer) 658 | 659 | Remove-Variable Binding -Force 660 | 661 | } 662 | 663 | } 664 | 665 | return $results 666 | 667 | } 668 | 669 | } 670 | 671 | } 672 | 673 | function Invoke-ClarifyEventSubscription 674 | { 675 | 676 | Param( 677 | 678 | [CmdletBinding()] 679 | 680 | [Parameter(Mandatory=$true)] 681 | 682 | [String]$ComputerName, 683 | 684 | [Parameter(Mandatory=$true)] 685 | 686 | [String]$BindingPath, 687 | 688 | [Switch]$Credentialed, 689 | 690 | [System.Management.Automation.PSCredential]$ProvideCreds = $null 691 | 692 | ) 693 | 694 | $ConsumerProperties = @{ 695 | 696 | 'CommandLineEventConsumer' = @('Name','CommandLineTemplate','ExecutablePath','WorkingDirectory'); 697 | 698 | 'NTEventLogEventConsumer' = @('Name','EventID','EventType','Category'); 699 | 700 | 'ActiveScriptEventConsumer'= @('Name','ScriptingEngine','ScriptFileName','ScriptText'); 701 | 702 | 'LogFileEventConsumer' = @('Name','Filename','Text'); 703 | 704 | 'SMTPEventConsumer' = @('Name','FromLine','ToLine','ReplyToLine','CcLine','BccLine','Subject','Message','SMTPServer') 705 | 706 | } 707 | 708 | if ($BindingPath -match '__FilterToConsumerBinding\.Consumer=".+\.') 709 | { 710 | 711 | $consumerType = $Matches[0].split('"')[1].split('.')[0] 712 | 713 | Remove-Variable Matches -Force 714 | 715 | } else { 716 | 717 | return 0 718 | 719 | } 720 | 721 | if ($Credentialed) 722 | { 723 | 724 | $creds = Get-Credential 725 | 726 | } elseif ($ProvideCreds) { 727 | 728 | $creds = $ProvideCreds 729 | 730 | } 731 | 732 | if ($BindingPath -match "$consumerType.Name=\\`".+\\`"") 733 | { 734 | 735 | $consumerName = $Matches[0].split('"')[1] -replace '.$' 736 | 737 | Remove-Variable Matches -Force 738 | 739 | } else { 740 | 741 | return 0 742 | 743 | } 744 | 745 | if ($BindingPath -match '__EventFilter\.Name=\\".+\\"') 746 | { 747 | 748 | $filterName = $Matches[0].split('"')[-2] -replace '.$' 749 | 750 | Remove-Variable Matches -Force 751 | 752 | } else { 753 | 754 | 
return 0 755 | 756 | } 757 | 758 | if ($credentialed -or $ProvideCreds) 759 | { 760 | 761 | $consumerResults = Get-WmiObject -Credential $creds -ComputerName $ComputerName -Namespace 'root/subscription' -Query "Select * from $consumerType where Name=`"$consumerName`"" | Select-Object -Property $ConsumerProperties[$consumerType] 762 | 763 | $filterResults = Get-WmiObject -Credential $creds -ComputerName $ComputerName -Namespace 'root/subscription' -Query "Select * from __EventFilter where Name=`"$filterName`"" | Select-Object -Property @('Name','Query') 764 | 765 | } else { 766 | 767 | $consumerResults = Get-WmiObject -ComputerName $ComputerName -Namespace 'root/subscription' -Query "Select * from $consumerType where Name=`"$consumerName`"" | Select-Object -Property $ConsumerProperties[$consumerType] 768 | 769 | $filterResults = Get-WmiObject -ComputerName $ComputerName -Namespace 'root/subscription' -Query "Select * from __EventFilter where Name=`"$filterName`"" | Select-Object -Property @('Name','Query') 770 | 771 | } 772 | 773 | if ($consumerResults -and $filterResults) 774 | { 775 | 776 | return @($consumerResults, $filterResults) 777 | 778 | } else { 779 | 780 | return 0 781 | 782 | } 783 | 784 | } 785 | 786 | function Invoke-EnumerateAllWMIEventSubscriptions 787 | { 788 | 789 | [CmdletBinding()] 790 | 791 | Param( 792 | 793 | [Parameter(Mandatory=$true)] 794 | 795 | [String[]]$ComputerNames, 796 | 797 | [Switch]$Credentialed, 798 | 799 | [System.Management.Automation.PSCredential]$ProvideCreds = $null 800 | 801 | ) 802 | 803 | if ($Credentialed) 804 | { 805 | 806 | $creds = Get-Credential 807 | 808 | } elseif ($ProvideCreds) { 809 | 810 | $creds = $ProvideCreds 811 | 812 | } 813 | 814 | foreach ($computer in $ComputerNames) 815 | { 816 | if ($Credentialed -or $ProvideCreds) 817 | { 818 | 819 | $__Path = Get-WMIEventSubscriptions -ComputerNames $Computer -Type BindingPath -ProvideCreds $creds 820 | 821 | } else { 822 | 823 | $__Path = Get-WMIEventSubscriptions 
-ComputerNames $Computer -Type BindingPath 824 | 825 | } 826 | 827 | if ($__Path) 828 | { 829 | 830 | foreach ($binding in $__Path) 831 | { 832 | 833 | foreach ($values in $binding.values) 834 | { 835 | foreach ($val in $values) 836 | { 837 | 838 | Write-Output "[+] HOST: $computer" 839 | 840 | if ($Credentialed -or $ProvideCreds) 841 | { 842 | 843 | Invoke-ClarifyEventSubscription -ComputerName $computer -BindingPath $val -ProvideCreds $creds | Format-List 844 | 845 | } else { 846 | 847 | Invoke-ClarifyEventSubscription -ComputerName $computer -BindingPath $val | Format-List 848 | 849 | } 850 | } 851 | 852 | } 853 | 854 | } 855 | 856 | } 857 | 858 | } 859 | 860 | } 861 | 862 | function Invoke-WMIHashSweep 863 | { 864 | 865 | Param( 866 | 867 | [CmdletBinding()] 868 | 869 | [Parameter(Mandatory=$true)] 870 | 871 | [String[]]$ComputerNames, 872 | 873 | [Switch]$Credentialed 874 | 875 | ) 876 | if ($Credentialed) 877 | 878 | { 879 | 880 | $creds = Get-Credential 881 | 882 | } 883 | 884 | [System.Collections.Hashtable]$results = @{} 885 | 886 | foreach ($computer in $ComputerNames) 887 | { 888 | 889 | if ($Credentialed) 890 | { 891 | $str = '' 892 | 893 | $bindingPath = Get-WMIEventSubscriptions -Type BindingPath -ComputerNames $computer -ProvideCreds $creds 894 | 895 | $bindingPath.Values | % { $str += $_ } 896 | 897 | $hash = Invoke-HashString -Data $str 898 | 899 | $results[$computer] = $hash 900 | 901 | } else { 902 | 903 | $str = '' 904 | 905 | $bindingPath = (Get-WMIEventSubscriptions -Type BindingPath -ComputerNames $computer).values -join '' 906 | 907 | $bindingPath.Values | % { $str += $_ } 908 | 909 | $hash = Invoke-HashString -Data $str 910 | 911 | $results[$computer] = $hash 912 | 913 | } 914 | 915 | } 916 | 917 | return $results 918 | 919 | } 920 | 921 | function Get-ActiveHosts 922 | { 923 | 924 | Param( 925 | 926 | [CmdletBinding()] 927 | 928 | [String]$Subnet, 929 | 930 | [Int]$Start, 931 | 932 | [Int]$End 933 | 934 | ) 935 | 936 | for ($i = $Start; $i 
-le $End; $i++) 937 | { 938 | 939 | $CurrentHost = "$Subnet.$i" 940 | 941 | $ping = Test-Connection -ComputerName $CurrentHost -Count 1 -AsJob 942 | 943 | } 944 | 945 | Start-Sleep 5 946 | 947 | $totalLive = 0 948 | 949 | foreach ($job in Get-Job) 950 | { 951 | 952 | if ($job.jobstateinfo.state -ne 'Running') 953 | { 954 | 955 | $ping = Receive-Job -Job $job 956 | 957 | if ($ping.StatusCode -eq 0) 958 | { 959 | 960 | Write-Output $ping.ProtocolAddress 961 | 962 | $totalLive++ 963 | 964 | } 965 | 966 | } 967 | 968 | } 969 | 970 | Write-Warning "Total Live Hosts: $totalLive" 971 | 972 | } 973 | 974 | function Get-RemoteProcessCount 975 | { 976 | 977 | Param( 978 | 979 | [CMDletBinding()] 980 | 981 | [String[]]$ComputerNames, 982 | 983 | [Switch]$Credentialed 984 | 985 | ) 986 | 987 | $errorpref = $ErrorActionPreference 988 | 989 | $ErrorActionPreference = 'SilentlyContinue' 990 | 991 | [System.Collections.Hashtable]$results = @{} 992 | 993 | [System.Collections.Hashtable]$counts = @{} 994 | 995 | if ($Credentialed) 996 | { 997 | 998 | $creds = Get-Credential 999 | 1000 | } 1001 | 1002 | foreach ($computer in $ComputerNames) 1003 | { 1004 | 1005 | if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -eq 0) 1006 | { 1007 | 1008 | if ($Credentialed) 1009 | { 1010 | 1011 | $d = Get-WmiObject -Namespace 'root/cimv2' -Class 'Win32_Process' -ComputerName $computer -Credential $creds 1012 | } else { 1013 | 1014 | $d = Get-WmiObject -Namespace 'root/cimv2' -Class 'Win32_Process' -ComputerName $computer 1015 | 1016 | } 1017 | 1018 | foreach ($proc in $d) 1019 | { 1020 | 1021 | $p = $proc.ExecutablePath 1022 | 1023 | if (-not $results[$p]) 1024 | { 1025 | 1026 | $results[$p] = @() 1027 | 1028 | $counts[$p] = 0 1029 | 1030 | } 1031 | 1032 | $results[$p] += $computer 1033 | 1034 | $counts[$p]++ 1035 | 1036 | } 1037 | 1038 | } 1039 | 1040 | } 1041 | 1042 | foreach ($i in $counts.GetEnumerator() | Sort-Object Value -Descending) 1043 | { 1044 | 1045 | Write-Output "[+] 
Count: $($i.value), Executable: $($i.key)" 1046 | 1047 | $results[$i.key] -join ', ' 1048 | 1049 | Write-Output "`n" 1050 | 1051 | } 1052 | 1053 | 1054 | $ErrorActionPreference = $errorpref 1055 | 1056 | 1057 | } 1058 | 1059 | function Get-RemoteServiceCount 1060 | { 1061 | 1062 | Param( 1063 | 1064 | [CMDletBinding()] 1065 | 1066 | [String[]]$ComputerNames, 1067 | 1068 | [Switch]$Credentialed 1069 | 1070 | ) 1071 | 1072 | $errorpref = $ErrorActionPreference 1073 | 1074 | $ErrorActionPreference = 'SilentlyContinue' 1075 | 1076 | [System.Collections.Hashtable]$results = @{} 1077 | 1078 | [System.Collections.Hashtable]$counts = @{} 1079 | 1080 | if ($Credentialed) { 1081 | 1082 | $creds = Get-Credential 1083 | 1084 | } 1085 | 1086 | foreach ($computer in $ComputerNames) 1087 | { 1088 | 1089 | if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -eq 0) 1090 | { 1091 | 1092 | if ($Credentialed) 1093 | { 1094 | 1095 | $d = Get-WmiObject -Namespace 'root/cimv2' -Class 'Win32_Service' -ComputerName $computer -Credential $creds 1096 | 1097 | } else { 1098 | 1099 | $d = Get-WmiObject -Namespace 'root/cimv2' -Class 'Win32_Service' -ComputerName $computer 1100 | 1101 | } 1102 | 1103 | foreach ($serv in $d) 1104 | { 1105 | 1106 | $s = $serv.Name 1107 | 1108 | if (-not $results[$s]) 1109 | { 1110 | 1111 | $results[$s] = @() 1112 | 1113 | $counts[$s] = 0 1114 | 1115 | } 1116 | 1117 | $results[$s] += $computer 1118 | 1119 | $counts[$s]++ 1120 | 1121 | } 1122 | 1123 | } 1124 | 1125 | } 1126 | 1127 | foreach ($i in $counts.GetEnumerator() | Sort-Object Value -Descending) 1128 | { 1129 | 1130 | Write-Output "[+] Count: $($i.value), Service Name: $($i.key)" 1131 | 1132 | $results[$i.key] -join ', ' 1133 | 1134 | Write-Output "`n" 1135 | 1136 | } 1137 | 1138 | $ErrorActionPreference = $errorpref 1139 | 1140 | } 1141 | 1142 | function Get-HashSum 1143 | { 1144 | Param( 1145 | 1146 | [CmdletBinding()] 1147 | 1148 | [String[]]$Filenames, 1149 | 1150 | 
[ValidateSet('MD5','SHA1','SHA256')] 1151 | 1152 | [String[]]$Algorithm = 'MD5' 1153 | 1154 | ) 1155 | 1156 | [System.Collections.Hashtable]$results = @{} 1157 | 1158 | foreach ($file in $Filenames) 1159 | { 1160 | 1161 | if (-not (Test-Path $file -PathType Leaf)) 1162 | { 1163 | 1164 | Write-Warning "File Doesn't Exist: $file" 1165 | 1166 | continue 1167 | 1168 | } 1169 | 1170 | $hasher = [Security.Cryptography.HashAlgorithm]::Create($Algorithm) 1171 | 1172 | $s = ([System.IO.StreamReader]$file).BaseStream 1173 | 1174 | $hash = [System.BitConverter]::ToString($hasher.ComputeHash($s)) 1175 | 1176 | $results[$file] = $hash.replace('-','') 1177 | 1178 | Remove-Variable @('hasher','s','hash') 1179 | 1180 | } 1181 | 1182 | return $results | Format-List 1183 | 1184 | } 1185 | 1186 | function Get-PSExecs 1187 | { 1188 | 1189 | Param( 1190 | 1191 | [CMDletBinding()] 1192 | 1193 | [String[]]$ComputerNames, 1194 | 1195 | [Switch]$Credentialed 1196 | 1197 | ) 1198 | 1199 | $errorpref = $ErrorActionPreference 1200 | 1201 | $ErrorActionPreference = 'SilentlyContinue' 1202 | 1203 | $cultureInfo = New-Object System.Globalization.CultureInfo('en-US') 1204 | 1205 | [System.Collections.HashTable]$results = @{} 1206 | 1207 | if ($Credentialed) 1208 | { 1209 | 1210 | $creds = Get-Credential 1211 | 1212 | } 1213 | 1214 | foreach ($computer in $ComputerNames) 1215 | { 1216 | 1217 | if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -eq 0) 1218 | { 1219 | Write-Output "[*] Checking Host: $computer" 1220 | 1221 | if ($Credentialed) 1222 | { 1223 | 1224 | $d = Get-WmiObject -Namespace 'root/cimv2' -Query 'Select * from Win32_NtLogEvent where EventCode=7045' -ComputerName $computer -Credential $creds 1225 | 1226 | } else { 1227 | 1228 | $d = Get-WmiObject -Namespace 'root/cimv2' -Query 'Select * from Win32_NtLogEvent where EventCode=7045' -ComputerName $computer 1229 | 1230 | } 1231 | 1232 | foreach ($serviceInstall in $d) 1233 | { 1234 | 1235 | $t = 
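([DateTime]::ParseExact($serviceInstall.TimeGenerated.split('.')[0],'yyyyMMddHHmmss',$cultureInfo))

                [string]$query = "Select * from Win32_NTLogEvent WHERE (TimeGenerated >= '$($t.AddSeconds(-2).ToString('yyyyMMdd HH:mm:ss'))' and TimeGenerated <= '$($t.AddSeconds(2).ToString('yyyyMMdd HH:mm:ss'))') and EventIdentifier=4624"

                if ($Credentialed)
                {

                    $logins = Get-WmiObject -Namespace 'root/cimv2' -Query $query -ComputerName $computer -Credential $creds

                } else {

                    $logins = Get-WmiObject -Namespace 'root/cimv2' -Query $query -ComputerName $computer

                }

                foreach ($login in $logins)
                {
                    Write-output "[!] Possible PSExec Found, Host: $computer, Time: $t"
                    $msg = $login.message.split([System.Environment]::NewLine)
                    $fields = @('workstation name:',
                                'source network address:',
                                'source port:',
                                'account name:',
                                'account domain:',
                                'logon type:')

                    foreach ($m in $msg.trim().tolower())
                    {
                        $fields | ForEach-Object { if ($m -match $_) { write-output " $m" } }
                    }
                }

            }

            Write-Output ''

        }

    }

    $ErrorActionPreference = $errorpref

}

function Get-TZOffset
{
    <#
    .SYNOPSIS
        Returns a host's Win32_TimeZone.Bias (offset in minutes between UTC and local time).
    .PARAMETER ComputerName
        Host to query over WMI.
    .PARAMETER Credentials
        Optional credential; when omitted the caller's token is used.
    .OUTPUTS
        The Bias integer, or $null when the query fails.
    .NOTES
        Bias is the standard (non-daylight) offset and its sign convention follows Win32_TimeZone;
        confirm it against a host whose zone you know before using it to shift log timestamps.
    #>
    Param(
        [string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credentials
    )

    $wmiArgs = @{ ComputerName = $ComputerName; Class = 'Win32_TimeZone' }
    if ($Credentials -ne $null) {
        $wmiArgs.Credential = $Credentials
    }

    return (Get-WmiObject @wmiArgs).bias
}

function Get-ServiceInfo
{
    <#
    .SYNOPSIS
        Lists services whose Name contains any of $ServiceNames on each reachable host.
    .PARAMETER ComputerNames
        Hosts to query over WMI.
    .PARAMETER ServiceNames
        Substrings matched against Win32_Service.Name with LIKE '%...%'. An empty list matches
        every service (the original contract).
    .PARAMETER Credentialed
        Prompt once for a credential used for every host.
    .OUTPUTS
        Text: "[+] Host:" header per host, then name, binary path and state per matching service.
    .NOTES
        $ServiceNames is interpolated into WQL, so quotes and backslashes are escaped (WQL uses
        backslash escaping) -- a value like O'Brien previously broke the query and a crafted one
        could rewrite it. % and _ are LIKE wildcards and are deliberately left intact.
    #>
    Param(
        [string[]]$ComputerNames,
        [string[]]$ServiceNames,
        [switch]$Credentialed
    )

    $creds = $null
    if ($Credentialed) { $creds = Get-Credential }

    # Name LIKE '%a%' or Name LIKE '%b%' ...
    $clauses = foreach ($n in $ServiceNames) {
        $safe = $n.Replace('\', '\\').Replace("'", "\'")
        "Name LIKE '%$safe%'"
    }
    if (-not $clauses) { $clauses = @("Name LIKE '%%'") }
    $ServiceQuery = "Select * From Win32_Service WHERE ($($clauses -join ' or '))"

    foreach ($computer in $ComputerNames)
    {
        if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -ne 0) { continue }

        $wmiArgs = @{ Namespace = 'root/cimv2'; Query = $ServiceQuery; ComputerName = $computer }
        if ($creds) { $wmiArgs.Credential = $creds }
        $d = Get-WmiObject @wmiArgs

        Write-Output "[+] Host: $computer"
        foreach ($svc in $d)
        {
            Write-Output "    Service Name: $($svc.Name)"
            Write-Output "    Executable Path: $($svc.PathName)"
            Write-Output "    Status: $($svc.State)"
            Write-Output ''
        }
    }
}

function Write-ProcessRecord
{
    # Prints one Win32_Process instance in the layout shared by Get-ProcessInfo and
    # Get-ProcessInfoByPIDs. CreationDate is a DMTF timestamp carrying the target's UTC offset;
    # ManagementDateTimeConverter honours that offset, and the result is printed in UTC so
    # timelines from hosts in different zones line up.
    Param($Process)

    $created = 'unknown'
    if ($Process.CreationDate) {
        $dt = [System.Management.ManagementDateTimeConverter]::ToDateTime($Process.CreationDate)
        $created = "$($dt.ToUniversalTime()) UTC"
    }

    Write-Output "    Process Name: $($Process.Name)"
    Write-Output "    Parent PID: $($Process.ParentProcessId)"
    Write-Output "    Process ID: $($Process.ProcessId)"
    Write-Output "    Executable Path: $($Process.ExecutablePath)"
    Write-Output "    Commandline: $($Process.CommandLine)"
    Write-Output "    Creation Time: $created"
    Write-Output "    User: $($Process.GetOwner().User)"
    Write-Output ''
}

function Get-ProcessInfo
{
    <#
    .SYNOPSIS
        Lists running processes whose ExecutablePath contains any of $ProcessNames on each
        reachable host.
    .PARAMETER ComputerNames
        Hosts to query over WMI.
    .PARAMETER ProcessNames
        Substrings matched against Win32_Process.ExecutablePath with LIKE '%...%'. An empty
        list matches every process (the original contract).
    .PARAMETER Credentialed
        Prompt once for a credential used for every host.
    .OUTPUTS
        Text: name, PID/PPID, path, command line, creation time (UTC) and owner per match.
    .NOTES
        - $ProcessNames is interpolated into WQL; quotes and backslashes are escaped so a name
          cannot break or rewrite the query. % and _ are LIKE wildcards and are left intact.
        - Creation time was previously parsed as a naive local time and printed without zone
          information; it is now converted from the DMTF value and printed in UTC.
        - ExecutablePath can be empty for system/protected processes, and those never match a
          LIKE on it; compare against a Name-based query if coverage matters.
    #>
    Param(
        [string[]]$ComputerNames,
        [string[]]$ProcessNames,
        [switch]$Credentialed
    )

    $creds = $null
    if ($Credentialed) { $creds = Get-Credential }

    $clauses = foreach ($n in $ProcessNames) {
        $safe = $n.Replace('\', '\\').Replace("'", "\'")
        "ExecutablePath LIKE '%$safe%'"
    }
    if (-not $clauses) { $clauses = @("ExecutablePath LIKE '%%'") }
    $ProcessQuery = "Select * From Win32_Process WHERE ($($clauses -join ' or '))"

    foreach ($computer in $ComputerNames)
    {
        if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -ne 0) { continue }

        $wmiArgs = @{ Namespace = 'root/cimv2'; Query = $ProcessQuery; ComputerName = $computer }
        if ($creds) { $wmiArgs.Credential = $creds }
        $d = Get-WmiObject @wmiArgs

        Write-Output "[+] Host: $computer"
        foreach ($proc in $d)
        {
            Write-ProcessRecord -Process $proc
        }
    }
}

function Get-ProcessInfoByPIDs
{
    <#
    .SYNOPSIS
        Shows the Win32_Process record for specific process IDs on one or more hosts.
    .PARAMETER ComputerName
        Host(s) to query; the parameter name is historical, an array is accepted and each host
        is queried and reported separately.
    .PARAMETER ProcessPIDs
        Process IDs. Each is validated as an unsigned integer before it is placed in the query;
        ProcessId is numeric in WQL, so that validation is the whole injection defence.
    .PARAMETER Credentialed
        Prompt once for a credential used for every host.
    .OUTPUTS
        Text in the same layout as Get-ProcessInfo (creation time in UTC).
    .NOTES
        An invalid id throws; an empty id list warns and returns instead of sending the
        malformed "WHERE (ProcessId=)" query the original produced.
    #>
    Param(
        [string[]]$ComputerName,
        [string[]]$ProcessPIDs,
        [switch]$Credentialed
    )

    $creds = $null
    if ($Credentialed) { $creds = Get-Credential }

    $pidClauses = foreach ($p in $ProcessPIDs) {
        $n = 0
        if (-not [uint32]::TryParse([string]$p, [ref]$n)) {
            throw "Invalid process id: '$p'"
        }
        "ProcessId=$n"
    }
    if (-not $pidClauses) {
        Write-Warning 'No process ids supplied'
        return
    }
    $ProcessQuery = "Select * From Win32_Process WHERE ($($pidClauses -join ' or '))"

    foreach ($computer in $ComputerName)
    {
        if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -ne 0) { continue }

        $wmiArgs = @{ Namespace = 'root/cimv2'; Query = $ProcessQuery; ComputerName = $computer }
        if ($creds) { $wmiArgs.Credential = $creds }
        $d = Get-WmiObject @wmiArgs

        Write-Output "[+] Host: $computer"
        foreach ($proc in $d)
        {
            Write-ProcessRecord -Process $proc
        }
    }
}

function Invoke-DecodeBase64
{
    <#
    .SYNOPSIS
        Decodes a Base64 string using the system ANSI code page ([Text.Encoding]::Default).
    .PARAMETER Base64String
        Base64 text; invalid input throws a FormatException from [Convert].
    .NOTES
        powershell.exe -EncodedCommand payloads are UTF-16LE, not ANSI -- decode those with
        ConvertFrom-Base64 (defined later in this file) or the text comes out interleaved
        with NUL characters.
    #>
    Param(
        [string]$Base64String
    )
    $raw = [System.Convert]::FromBase64String($Base64String)
    [System.Text.Encoding]::Default.GetString($raw)
}

function Invoke-DecodeGZippedBase64
{
    <#
    .SYNOPSIS
        Decodes Base64 text that wraps a gzip stream (the IEX(New-Object IO.StreamReader(
        New-Object IO.Compression.GZipStream ...)) stager pattern) and returns the inflated text.
    .PARAMETER Base64String
        Base64 text of the gzip payload.
    .NOTES
        The reader is disposed, which also closes the GZip and memory streams; the original left
        all three for the garbage collector. Text is decoded as UTF-8 (StreamReader default).
    #>
    Param(
        [string]$Base64String
    )
    $memory = New-Object System.IO.MemoryStream(,[Convert]::FromBase64String($Base64String))
    $gzip = New-Object System.IO.Compression.GZipStream($memory, [System.IO.Compression.CompressionMode]::Decompress)
    $reader = New-Object System.IO.StreamReader($gzip)
    try
    {
        return $reader.ReadToEnd()
    }
    finally
    {
        $reader.Dispose()
    }
}

function Get-RemoteDriverCount
{

    Param(

        [CMDletBinding()]

        [String[]]$ComputerNames,

        [Switch]$Credentialed

    )

    $errorpref = $ErrorActionPreference

    $ErrorActionPreference = 'SilentlyContinue'

    [System.Collections.Hashtable]$results = @{}

    [System.Collections.Hashtable]$counts = @{}

    if ($Credentialed) {

        $creds = Get-Credential

    }

    foreach ($computer in $ComputerNames)
    {

        if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -eq 0)
        {

            if ($Credentialed)
            {

                $d = Get-WmiObject -Namespace 'root/cimv2' -Class 'Win32_PnPSignedDriver' -ComputerName $computer -Credential $creds

            } else {

                $d = Get-WmiObject -Namespace 'root/cimv2' -Class 'Win32_PnPSignedDriver' -ComputerName $computer

            }

            foreach ($serv in $d)
            {

                $s = $serv.DeviceName

                if (-not $results[$s])
                {

                    $results[$s] = @()
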
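$counts[$s] = 0

                }

                $results[$s] += $computer

                $counts[$s]++

            }

        }

    }

    foreach ($i in $counts.GetEnumerator() | Sort-Object Value -Descending)
    {

        Write-Output "[+] Count: $($i.value), Service Name: $($i.key)"

        $results[$i.key] -join ', '

        Write-Output "`n"

    }

    $ErrorActionPreference = $errorpref

}

function Invoke-PowershellSweep
{
    <#
    .SYNOPSIS
        Finds *currently running* powershell.exe processes started with an execution-policy
        override or an encoded command on each reachable host.
    .PARAMETER ComputerNames
        Hosts to query over WMI.
    .PARAMETER Credentialed
        Prompt once for a credential used for every host.
    .OUTPUTS
        Text: "[+] Host:" plus one record per match, or "[-] No Findings for Host:".
    .NOTES
        Fixes versus the original:
        - Win32_Process has no PathName property, so "Executable Path" was always blank;
          ExecutablePath is printed instead.
        - The original required the literal text 'exec' in the command line, so the common
          short form '-ep bypass' was never matched. The sweep now keys on 'bypass',
          'unrestricted' and '-enc' (covers -enc / -EncodedCommand) without that requirement.
        - A host with no matches printed a bare "[+] Host:" header because $null.length -ne 0
          is true in PowerShell; matches are now counted with @().Count.
        This is a point-in-time check: a one-shot payload that has already exited is invisible
        here, so pair it with Security 4688 (process creation) and PowerShell 4104 (script
        block) log review for anything historical.
    #>
    Param(
        [string[]]$ComputerNames,
        [switch]$Credentialed
    )

    $query = "Select * from Win32_Process where ExecutablePath like '%powershell%' and (CommandLine like '%bypass%' or CommandLine like '%unrestricted%' or CommandLine like '%-enc%')"

    $creds = $null
    if ($Credentialed) { $creds = Get-Credential }

    foreach ($computer in $ComputerNames)
    {
        if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -ne 0) { continue }

        $wmiArgs = @{ Query = $query; ComputerName = $computer }
        if ($creds) { $wmiArgs.Credential = $creds }
        $procs = @(Get-WmiObject @wmiArgs)

        if ($procs.Count -eq 0)
        {
            Write-Output "[-] No Findings for Host: $computer"
            continue
        }

        Write-Output "[+] Host: $computer"
        foreach ($proc in $procs)
        {
            # CreationDate is a DMTF timestamp with the target's UTC offset; the converter
            # honours it, and the value is printed in UTC so hosts in different zones line up.
            $created = 'unknown'
            if ($proc.CreationDate) {
                $dt = [System.Management.ManagementDateTimeConverter]::ToDateTime($proc.CreationDate)
                $created = "$($dt.ToUniversalTime()) UTC"
            }
            Write-Output "    Process Name: $($proc.Name)"
            Write-Output "    Parent PID: $($proc.ParentProcessId)"
            Write-Output "    Process ID: $($proc.ProcessId)"
            Write-Output "    Executable Path: $($proc.ExecutablePath)"
            Write-Output "    Commandline: $($proc.CommandLine)"
            Write-Output "    Creation Time: $created"
            Write-Output ''
        }
    }
}

function Get-RemoteAVState
{
    <#
    .SYNOPSIS
        Stacks registered antivirus products and their productState across hosts.
    .PARAMETER ComputerNames
        Hosts to query over WMI.
    .PARAMETER Credentialed
        Prompt once for a credential used for every host.
    .OUTPUTS
        Text: "[+] Count: N, AV State: <displayName> [productState <n>]" per distinct product
        and state, followed by the hosts in that group.
    .NOTES
        - root/SecurityCenter2 exists on client SKUs only; Windows Server has no Security
          Center, so servers contribute nothing here -- that is "not reported", not "no AV".
        - productState is a packed bitfield whose layout is not formally documented. Rather
          than decode it, the product displayName is now part of the grouping key and the raw
          value is printed, so an odd state can be compared against a known-good host (the
          original printed only the number, which is useless without the product).
        Errors are silenced for the sweep; a host that refuses WMI contributes nothing.
    #>
    [CmdletBinding()]
    Param(
        [String[]]$ComputerNames,

        [Switch]$Credentialed
    )

    $errorpref = $ErrorActionPreference
    $ErrorActionPreference = 'SilentlyContinue'

    # "product [productState n]" -> array of hosts, and the same key -> host count
    [System.Collections.Hashtable]$results = @{}
    [System.Collections.Hashtable]$counts = @{}

    $creds = $null
    if ($Credentialed) {
        $creds = Get-Credential
    }

    foreach ($computer in $ComputerNames)
    {
        if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -ne 0) {
            continue
        }

        $wmiArgs = @{ Namespace = 'root/securitycenter2'; Query = 'Select * from AntiVirusProduct'; ComputerName = $computer }
        if ($creds) { $wmiArgs.Credential = $creds }

        foreach ($product in (Get-WmiObject @wmiArgs))
        {
            $key = "$($product.displayName) [productState $($product.productState)]"
            if (-not $results.ContainsKey($key))
            {
                $results[$key] = @()
                $counts[$key] = 0
            }
            $results[$key] += $computer
            $counts[$key]++
        }
    }

    foreach ($i in $counts.GetEnumerator() | Sort-Object Value -Descending)
    {
        Write-Output "[+] Count: $($i.value), AV State: $($i.key)"
        $results[$i.key] -join ', '
        Write-Output "`n"
    }

    $ErrorActionPreference = $errorpref
}


function Get-RemoteAtJobs
{

    Param(

        [CMDletBinding()]

        [String[]]$ComputerNames,

        [Switch]$Credentialed

    )

    $errorpref = $ErrorActionPreference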
1708 | $ErrorActionPreference = 'SilentlyContinue' 1709 | 1710 | [System.Collections.Hashtable]$results = @{} 1711 | 1712 | [System.Collections.Hashtable]$counts = @{} 1713 | 1714 | if ($Credentialed) { 1715 | 1716 | $creds = Get-Credential 1717 | 1718 | } 1719 | 1720 | foreach ($computer in $ComputerNames) 1721 | { 1722 | 1723 | if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -eq 0) 1724 | { 1725 | 1726 | if ($Credentialed) 1727 | { 1728 | 1729 | $d = Get-WmiObject -Namespace 'root/cimv2' -query 'Select * from Win32_ScheduledJob' -ComputerName $computer -Credential $creds 1730 | 1731 | } else { 1732 | 1733 | $d = Get-WmiObject -Namespace 'root/cimv2' -query 'Select * from Win32_ScheduledJob' -ComputerName $computer 1734 | 1735 | } 1736 | 1737 | foreach ($serv in $d) 1738 | { 1739 | 1740 | $s = $serv.Name 1741 | 1742 | if (-not $results[$s]) 1743 | { 1744 | 1745 | $results[$s] = @() 1746 | 1747 | $counts[$s] = 0 1748 | 1749 | } 1750 | 1751 | $results[$s] += $computer 1752 | 1753 | $counts[$s]++ 1754 | 1755 | } 1756 | 1757 | } 1758 | 1759 | } 1760 | 1761 | foreach ($i in $counts.GetEnumerator() | Sort-Object Value -Descending) 1762 | { 1763 | 1764 | Write-Output "[+] Count: $($i.value), At Job Name: $($i.key)" 1765 | 1766 | $results[$i.key] -join ', ' 1767 | 1768 | Write-Output "`n" 1769 | 1770 | } 1771 | 1772 | $ErrorActionPreference = $errorpref 1773 | 1774 | } 1775 | 1776 | 1777 | function Get-RemoteShares 1778 | { 1779 | 1780 | Param( 1781 | 1782 | [CMDletBinding()] 1783 | 1784 | [String[]]$ComputerNames, 1785 | 1786 | [Switch]$Credentialed 1787 | 1788 | ) 1789 | 1790 | $errorpref = $ErrorActionPreference 1791 | 1792 | $ErrorActionPreference = 'SilentlyContinue' 1793 | 1794 | [System.Collections.Hashtable]$results = @{} 1795 | 1796 | [System.Collections.Hashtable]$counts = @{} 1797 | 1798 | if ($Credentialed) { 1799 | 1800 | $creds = Get-Credential 1801 | 1802 | } 1803 | 1804 | foreach ($computer in $ComputerNames) 1805 | { 1806 | 1807 | if 
((Test-Connection -Count 1 -ComputerName $computer).StatusCode -eq 0) 1808 | { 1809 | 1810 | if ($Credentialed) 1811 | { 1812 | 1813 | $d = Get-WmiObject -Namespace 'root/cimv2' -query 'Select * from Win32_Share' -ComputerName $computer -Credential $creds 1814 | 1815 | } else { 1816 | 1817 | $d = Get-WmiObject -Namespace 'root/cimv2' -query 'Select * from Win32_Share' -ComputerName $computer 1818 | 1819 | } 1820 | 1821 | foreach ($serv in $d) 1822 | { 1823 | 1824 | $s = $serv.Path 1825 | 1826 | if (-not $results[$s]) 1827 | { 1828 | 1829 | $results[$s] = @() 1830 | 1831 | $counts[$s] = 0 1832 | 1833 | } 1834 | 1835 | $results[$s] += $computer 1836 | 1837 | $counts[$s]++ 1838 | 1839 | } 1840 | 1841 | } 1842 | 1843 | } 1844 | 1845 | foreach ($i in $counts.GetEnumerator() | Sort-Object Value -Descending) 1846 | { 1847 | 1848 | Write-Output "[+] Count: $($i.value), Shares: $($i.key)" 1849 | 1850 | $results[$i.key] -join ', ' 1851 | 1852 | Write-Output "`n" 1853 | 1854 | } 1855 | 1856 | $ErrorActionPreference = $errorpref 1857 | 1858 | } 1859 | 1860 | function Get-RemoteUsers 1861 | { 1862 | 1863 | Param( 1864 | 1865 | [CMDletBinding()] 1866 | 1867 | [String[]]$ComputerNames, 1868 | 1869 | [Switch]$Credentialed 1870 | 1871 | ) 1872 | 1873 | $errorpref = $ErrorActionPreference 1874 | 1875 | $ErrorActionPreference = 'SilentlyContinue' 1876 | 1877 | [System.Collections.Hashtable]$results = @{} 1878 | 1879 | [System.Collections.Hashtable]$counts = @{} 1880 | 1881 | if ($Credentialed) { 1882 | 1883 | $creds = Get-Credential 1884 | 1885 | } 1886 | 1887 | foreach ($computer in $ComputerNames) 1888 | { 1889 | 1890 | if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -eq 0) 1891 | { 1892 | 1893 | if ($Credentialed) 1894 | { 1895 | 1896 | $d = Get-WmiObject -Namespace 'root/cimv2' -query 'Select * from Win32_UserAccount' -ComputerName $computer -Credential $creds 1897 | 1898 | } else { 1899 | 1900 | $d = Get-WmiObject -Namespace 'root/cimv2' -query 'Select * from 
Win32_UserAccount' -ComputerName $computer 1901 | 1902 | } 1903 | 1904 | foreach ($serv in $d) 1905 | { 1906 | 1907 | $s = $serv.Name 1908 | 1909 | if (-not $results[$s]) 1910 | { 1911 | 1912 | $results[$s] = @() 1913 | 1914 | $counts[$s] = 0 1915 | 1916 | } 1917 | 1918 | $results[$s] += $computer 1919 | 1920 | $counts[$s]++ 1921 | 1922 | } 1923 | 1924 | } 1925 | 1926 | } 1927 | 1928 | foreach ($i in $counts.GetEnumerator() | Sort-Object Value -Descending) 1929 | { 1930 | 1931 | Write-Output "[+] Count: $($i.value), User: $($i.key)" 1932 | 1933 | $results[$i.key] -join ', ' 1934 | 1935 | Write-Output "`n" 1936 | 1937 | } 1938 | 1939 | $ErrorActionPreference = $errorpref 1940 | 1941 | } 1942 | 1943 | function Get-RemoteStartupCommand 1944 | { 1945 | 1946 | Param( 1947 | 1948 | [CMDletBinding()] 1949 | 1950 | [String[]]$ComputerNames, 1951 | 1952 | [Switch]$Credentialed 1953 | 1954 | ) 1955 | 1956 | $errorpref = $ErrorActionPreference 1957 | 1958 | $ErrorActionPreference = 'SilentlyContinue' 1959 | 1960 | [System.Collections.Hashtable]$results = @{} 1961 | 1962 | [System.Collections.Hashtable]$counts = @{} 1963 | 1964 | if ($Credentialed) { 1965 | 1966 | $creds = Get-Credential 1967 | 1968 | } 1969 | 1970 | foreach ($computer in $ComputerNames) 1971 | { 1972 | 1973 | if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -eq 0) 1974 | { 1975 | 1976 | if ($Credentialed) 1977 | { 1978 | 1979 | $d = Get-WmiObject -Namespace 'root/cimv2' -query 'Select * from Win32_StartupCommand' -ComputerName $computer -Credential $creds 1980 | 1981 | } else { 1982 | 1983 | $d = Get-WmiObject -Namespace 'root/cimv2' -query 'Select * from Win32_StartupCommand' -ComputerName $computer 1984 | 1985 | } 1986 | 1987 | foreach ($serv in $d) 1988 | { 1989 | 1990 | $s = $serv.Command 1991 | 1992 | if (-not $results[$s]) 1993 | { 1994 | 1995 | $results[$s] = @() 1996 | 1997 | $counts[$s] = 0 1998 | 1999 | } 2000 | 2001 | $results[$s] += $computer 2002 | 2003 | $counts[$s]++ 2004 | 
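}

            }

        }

    }

    foreach ($i in $counts.GetEnumerator() | Sort-Object Value -Descending)
    {

        Write-Output "[+] Count: $($i.value), Startup Command: $($i.key)"

        $results[$i.key] -join ', '

        Write-Output "`n"

    }

    $ErrorActionPreference = $errorpref

}


function Get-RemoteHostNames
{
    <#
    .SYNOPSIS
        Resolves each reachable target to the name it reports for itself (Win32_ComputerSystem.Name).
    .PARAMETER ComputerNames
        Targets, typically IP addresses; anything Test-Connection and Get-WmiObject accept works.
    .PARAMETER Credentialed
        Prompt once for a credential used for every host.
    .OUTPUTS
        Text: "[+] IP: <target>, Hostname: <name>" per host that answered WMI.
    .NOTES
        Useful for spotting a machine whose self-reported name disagrees with DNS. Errors are
        silenced for the sweep; a host that answers ping but refuses WMI prints nothing.
    #>
    [CmdletBinding()]
    Param(
        [String[]]$ComputerNames,

        [Switch]$Credentialed
    )

    $errorpref = $ErrorActionPreference
    $ErrorActionPreference = 'SilentlyContinue'

    $creds = $null
    if ($Credentialed) {
        $creds = Get-Credential
    }

    foreach ($computer in $ComputerNames)
    {
        if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -ne 0) {
            continue
        }

        $wmiArgs = @{ Namespace = 'root/cimv2'; Query = 'Select * from Win32_ComputerSystem'; ComputerName = $computer }
        if ($creds) { $wmiArgs.Credential = $creds }

        foreach ($system in (Get-WmiObject @wmiArgs))
        {
            Write-Output "[+] IP: $computer, Hostname: $($system.Name)"
        }
    }

    $ErrorActionPreference = $errorpref
}


function Get-RemoteRegistryPersistence
{
    <#
    .SYNOPSIS
        Stacks HKLM autostart (Run / RunOnce) values across hosts so one-off entries stand out.
    .DESCRIPTION
        Reads the machine-wide autostart keys (Run, RunOnce and the WOW6432Node Run key) through
        StdRegProv and groups identical "subkey\valuename = data" strings, most common first.
    .PARAMETER ComputerNames
        Hosts to query; a host that does not answer one ICMP echo is skipped.
    .PARAMETER Credentialed
        Prompt once for a credential used for every StdRegProv call.
    .OUTPUTS
        Text: "[+] Count: N, Persistence: '<subkey>\<value> = <data>'" followed by the hosts.
    .NOTES
        Changes versus the original:
        - Hosts were tracked as a comma-joined string and counted by splitting on ',', so any
          command line containing a comma (rundll32 foo.dll,Entry) inflated the count and
          scattered one entry over several groups. Hosts are now kept in arrays.
        - The value name is reported with the data; a harmless-looking path under a value
          named like a vendor product is a classic tell.
        - REG_EXPAND_SZ values are read with GetExpandedStringValue (EnumValues returns the
          type alongside the name: 1 = REG_SZ, 2 = REG_EXPAND_SZ); the original always used
          GetStringValue.
        - RunOnce and the 32-bit Run key are covered as well; a missing key just yields nothing.
        - HKCU is not queried: through a remote StdRegProv call HKEY_CURRENT_USER is presumably
          the hive of the connecting account rather than the console user (verify on a test
          host), which is likely why the original's $HKCU went unused. Per-user Run keys need
          HKEY_USERS (2147483651) enumeration by SID.
        Errors are silenced for the sweep; a host that refuses WMI contributes nothing.
    #>
    [CmdletBinding()]
    Param(
        [String[]]$ComputerNames,

        [Switch]$Credentialed
    )

    $errorpref = $ErrorActionPreference
    $ErrorActionPreference = 'SilentlyContinue'

    # "subkey\valuename = data" -> array of hosts carrying that exact entry
    [System.Collections.Hashtable]$results = @{}

    $HKLM = [UInt32]2147483650
    $RunKeys = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $REG_SZ = 1
    $REG_EXPAND_SZ = 2

    $creds = $null
    if ($Credentialed) {
        $creds = Get-Credential
    }

    foreach ($computer in $ComputerNames)
    {
        if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -ne 0) {
            continue
        }

        $regArgs = @{ Namespace = 'root/default'; Class = 'StdRegProv'; ComputerName = $computer }
        if ($creds) { $regArgs.Credential = $creds }

        foreach ($subKey in $RunKeys)
        {
            $enum = Invoke-WmiMethod @regArgs -Name EnumValues -ArgumentList @($HKLM, $subKey)
            if ($enum -eq $null -or $enum.sNames -eq $null) { continue }   # key absent or call failed

            $names = @($enum.sNames)
            $types = @($enum.sTypes)
            for ($idx = 0; $idx -lt $names.Count; $idx++)
            {
                $valueName = $names[$idx]
                switch ($types[$idx])
                {
                    $REG_EXPAND_SZ {
                        $data = (Invoke-WmiMethod @regArgs -Name GetExpandedStringValue -ArgumentList @($HKLM, $subKey, $valueName)).sValue
                    }
                    $REG_SZ {
                        $data = (Invoke-WmiMethod @regArgs -Name GetStringValue -ArgumentList @($HKLM, $subKey, $valueName)).sValue
                    }
                    default {
                        # binary/dword autostart values are unusual in themselves -- surface the type
                        $data = "<registry type $($types[$idx]), inspect manually>"
                    }
                }

                $entry = "$subKey\$valueName = $data"
                if (-not $results.ContainsKey($entry)) {
                    $results[$entry] = @()
                }
                $results[$entry] += $computer
            }
        }
    }

    foreach ($pair in ($results.GetEnumerator() | Sort-Object { $_.Value.Count } -Descending))
    {
        Write-Output "[+] Count: $($pair.Value.Count), Persistence: '$($pair.Key)'"
        Write-Output "    $($pair.Value -join ', ')"
        Write-Output ''
    }

    $ErrorActionPreference = $errorpref
}

function Get-RemoteTypedURLs
{

    Param(

        [CMDletBinding()]

        [String[]]$ComputerNames,

        [Switch]$Credentialed

    )

    $errorpref = $ErrorActionPreference

    $ErrorActionPreference = 'SilentlyContinue'

    [System.Collections.Hashtable]$results = @{}

    [System.Collections.Hashtable]$counts = @{}

    [System.Collections.Hashtable]$urls = @{}

    $HKLM = [UInt32] 2147483650
    $HKCU = [UInt32] 2147483649
    $UrlsKey = 'Software\Microsoft\Internet Explorer\TypedURLs'

    if ($Credentialed) {

        $creds = Get-Credential

    }

    foreach ($computer in $ComputerNames)
    {

        if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -eq 0)
        {

            if ($Credentialed)
            {
                $res = Invoke-WmiMethod -Namespace root/default -Class StdRegProv -Name EnumValues -ArgumentList @($HKCU, $UrlsKey) -ComputerName $computer -Credential $creds
                foreach ($instance in $res)
                {
                    foreach ($key in $instance.sNames)
                    {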
$val = Invoke-WmiMethod -Namespace root/default -Class StdRegProv -Name GetStringValue -ArgumentList @($HKCU, $UrlsKey, $key) -ComputerName $computer -Credential $creds 2249 | 2250 | if ([string]::IsNullOrEmpty($urls[$computer])) 2251 | { 2252 | $urls[$computer] = $val.sValue 2253 | } else { 2254 | $urls[$computer] += ",$($val.sValue)" 2255 | } 2256 | } 2257 | } 2258 | 2259 | } else { 2260 | 2261 | $res = Invoke-WmiMethod -Namespace root/default -Class StdRegProv -Name EnumValues -ArgumentList @($HKCU, $UrlsKey) -ComputerName $computer 2262 | foreach ($instance in $res) 2263 | { 2264 | foreach ($key in $instance.sNames) 2265 | { 2266 | $val = Invoke-WmiMethod -Namespace root/default -Class StdRegProv -Name GetStringValue -ArgumentList @($HKCU, $UrlsKey, $key) -ComputerName $computer 2267 | 2268 | if ([string]::IsNullOrEmpty($urls[$computer])) 2269 | { 2270 | $urls[$computer] = $val.sValue 2271 | } else { 2272 | $urls[$computer] += ",$($val.sValue)" 2273 | } 2274 | } 2275 | } 2276 | 2277 | } 2278 | } 2279 | } 2280 | 2281 | foreach ($computer in $urls.GetEnumerator()) 2282 | { 2283 | $computername = $computer.key 2284 | $urlsVisited = $urls[$computername].split(',') 2285 | foreach ($url in $urlsVisited) 2286 | { 2287 | if (-not ($results.ContainsKey($url))) 2288 | { 2289 | $results[$url] = $computername 2290 | } else { 2291 | $results[$url] += ", $computername" 2292 | } 2293 | } 2294 | } 2295 | 2296 | foreach ($dataPair in $results.GetEnumerator()) 2297 | { 2298 | $counts[$dataPair.Key] = $dataPair.value.split(',').length 2299 | } 2300 | 2301 | foreach ($dataPair in $counts.GetEnumerator() | Sort-Object Value -Descending) 2302 | { 2303 | $url = $dataPair.key 2304 | $computers = $results[$url] 2305 | $instanceCount = $computers.length 2306 | Write-Output "[+] Count: $($dataPair.value), URL: '$url'" 2307 | Write-Output " $computers" 2308 | Write-Output '' 2309 | } 2310 | 2311 | $ErrorActionPreference = $errorpref 2312 | 2313 | } 2314 | 2315 | function 
Get-RemoteMappedDrives 2316 | { 2317 | 2318 | Param( 2319 | 2320 | [CMDletBinding()] 2321 | 2322 | [String[]]$ComputerNames, 2323 | 2324 | [Switch]$Credentialed 2325 | 2326 | ) 2327 | 2328 | $errorpref = $ErrorActionPreference 2329 | 2330 | $ErrorActionPreference = 'SilentlyContinue' 2331 | 2332 | [System.Collections.Hashtable]$results = @{} 2333 | 2334 | [System.Collections.Hashtable]$counts = @{} 2335 | 2336 | [System.Collections.Hashtable]$urls = @{} 2337 | 2338 | $HKLM = [UInt32] 2147483650 2339 | $HKCU = [UInt32] 2147483649 2340 | $UrlsKey = 'software\Microsoft\Windows\CurrentVersion\explorer\Map Network Drive' 2341 | 2342 | if ($Credentialed) { 2343 | 2344 | $creds = Get-Credential 2345 | 2346 | } 2347 | 2348 | foreach ($computer in $ComputerNames) 2349 | { 2350 | 2351 | if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -eq 0) 2352 | { 2353 | 2354 | if ($Credentialed) 2355 | { 2356 | $res = Invoke-WmiMethod -Namespace root/default -Class StdRegProv -Name EnumValues -ArgumentList @($HKCU, $UrlsKey) -ComputerName $computer -Credential $creds 2357 | foreach ($instance in $res) 2358 | { 2359 | foreach ($key in $instance.sNames) 2360 | { 2361 | $val = Invoke-WmiMethod -Namespace root/default -Class StdRegProv -Name GetStringValue -ArgumentList @($HKCU, $UrlsKey, $key) -ComputerName $computer -Credential $creds 2362 | 2363 | if ([string]::IsNullOrEmpty($urls[$computer])) 2364 | { 2365 | $urls[$computer] = $val.sValue 2366 | } else { 2367 | $urls[$computer] += ",$($val.sValue)" 2368 | } 2369 | } 2370 | } 2371 | 2372 | } else { 2373 | 2374 | $res = Invoke-WmiMethod -Namespace root/default -Class StdRegProv -Name EnumValues -ArgumentList @($HKCU, $UrlsKey) -ComputerName $computer 2375 | foreach ($instance in $res) 2376 | { 2377 | foreach ($key in $instance.sNames) 2378 | { 2379 | $val = Invoke-WmiMethod -Namespace root/default -Class StdRegProv -Name GetStringValue -ArgumentList @($HKCU, $UrlsKey, $key) -ComputerName $computer 2380 | 2381 | if 
([string]::IsNullOrEmpty($urls[$computer])) 2382 | { 2383 | $urls[$computer] = $val.sValue 2384 | } else { 2385 | $urls[$computer] += ",$($val.sValue)" 2386 | } 2387 | } 2388 | } 2389 | 2390 | } 2391 | } 2392 | } 2393 | 2394 | foreach ($computer in $urls.GetEnumerator()) 2395 | { 2396 | $computername = $computer.key 2397 | $urlsVisited = $urls[$computername].split(',') 2398 | foreach ($url in $urlsVisited) 2399 | { 2400 | if (-not ($results.ContainsKey($url))) 2401 | { 2402 | $results[$url] = $computername 2403 | } else { 2404 | $results[$url] += ", $computername" 2405 | } 2406 | } 2407 | } 2408 | 2409 | foreach ($dataPair in $results.GetEnumerator()) 2410 | { 2411 | $counts[$dataPair.Key] = $dataPair.value.split(',').length 2412 | } 2413 | 2414 | foreach ($dataPair in $counts.GetEnumerator() | Sort-Object Value -Descending) 2415 | { 2416 | $url = $dataPair.key 2417 | $computers = $results[$url] 2418 | $instanceCount = $computers.length 2419 | Write-Output "[+] Count: $($dataPair.value), Mapped Drive: '$url'" 2420 | Write-Output " $computers" 2421 | Write-Output '' 2422 | } 2423 | 2424 | $ErrorActionPreference = $errorpref 2425 | 2426 | } 2427 | 2428 | 2429 | 2430 | function Set-RegistryScriptValue 2431 | { 2432 | [CmdletBinding()] 2433 | Param( 2434 | [String]$ComputerName, 2435 | [String]$Value, 2436 | [System.Management.Automation.PSCredential]$Creds = $null, 2437 | 2438 | [ValidateSet('IN', 'OUT')] 2439 | [Parameter(Mandatory=$true)] 2440 | [String]$Type = 'IN' 2441 | ) 2442 | 2443 | $HKCU = [UInt32] 2147483649 2444 | $ScriptKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\IRScripts' 2445 | $ValueNameIn = 'SCRIPT_IN' 2446 | $ValueNameOut = 'SCRIPT_OUT' 2447 | $Value = ConvertTo-Base64 -Data $Value 2448 | 2449 | if (-not ($Creds -eq $null)) 2450 | { 2451 | $created = (Invoke-WmiMethod -Namespace root/default -Class StdRegProv -Name CreateKey -ArgumentList @($HKCU, $ScriptKey) -Credential $Creds -ComputerName $ComputerName).ReturnValue 2452 | 2453 | if ($created 
-eq 0) 2454 | { 2455 | switch ($Type.ToLower()) 2456 | { 2457 | 'in' { $set = Invoke-WmiMethod -Namespace root/default -Class StdRegProv -Name SetExpandedStringValue -ArgumentList @($HKCU, $ScriptKey, $Value, $ValueNameIn) -Credential $Creds -ComputerName $ComputerName } 2458 | 'out' { $set = Invoke-WmiMethod -Namespace root/default -Class StdRegProv -Name SetExpandedStringValue -ArgumentList @($HKCU, $ScriptKey, $Value, $ValueNameOut) -Credential $Creds -ComputerName $ComputerName } 2459 | } 2460 | } 2461 | } 2462 | 2463 | switch ($set.ReturnValue) 2464 | { 2465 | 0 { $true } 2466 | default { $false } 2467 | } 2468 | 2469 | } 2470 | 2471 | function Get-RegistryScriptValue 2472 | { 2473 | [CmdletBinding()] 2474 | Param( 2475 | [String]$ComputerName, 2476 | [System.Management.Automation.PSCredential]$Creds = $null, 2477 | 2478 | [ValidateSet('IN', 'OUT')] 2479 | [Parameter(Mandatory=$true)] 2480 | [String]$Type = 'IN' 2481 | ) 2482 | 2483 | $HKCU = [UInt32] 2147483649 2484 | $ScriptKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\IRScripts' 2485 | $ValueNameIn = 'SCRIPT_IN' 2486 | $ValueNameOut = 'SCRIPT_OUT' 2487 | 2488 | if (-not ($Creds -eq $null)) 2489 | { 2490 | switch ($Type.ToLower()) 2491 | { 2492 | 'in' { $ScriptDefinition = Invoke-WmiMethod -Namespace root/default -Class StdRegProv -Name GetExpandedStringValue -ArgumentList @($HKCU, $ScriptKey, $ValueNameIn) -ComputerName $ComputerName -Credential $Creds } 2493 | 'out' { $ScriptDefinition = Invoke-WmiMethod -Namespace root/default -Class StdRegProv -Name GetExpandedStringValue -ArgumentList @($HKCU, $ScriptKey, $ValueNameOut) -ComputerName $ComputerName -Credential $Creds } 2494 | } 2495 | $results = ConvertFrom-Base64 -Data ($ScriptDefinition.sValue) 2496 | $results 2497 | } 2498 | } 2499 | 2500 | function ConvertTo-Base64 2501 | { 2502 | [CmdletBinding()] 2503 | Param( 2504 | [Parameter(Mandatory=$true)] 2505 | [String]$Data 2506 | ) 2507 | 
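[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Data))
}

function ConvertFrom-Base64
{
    <#
    .SYNOPSIS
        Decodes Base64 text that encodes a UTF-16LE string -- the encoding used by
        powershell.exe -EncodedCommand and by ConvertTo-Base64 in this file.
    .PARAMETER Data
        Base64 text. Invalid input throws a FormatException from [Convert].
    .OUTPUTS
        The decoded string.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [String]$Data
    )
    $bytes = [Convert]::FromBase64String($Data)
    [System.Text.Encoding]::Unicode.GetString($bytes)
}

function Invoke-RemoteFileSearch
{
    <#
    .SYNOPSIS
        Searches every drive of each reachable host for files named $FileName via CIM_DataFile.
    .PARAMETER ComputerNames
        Hosts to query over WMI.
    .PARAMETER FileName
        Base name plus extension, e.g. 'mimikatz.exe'. Everything before the last dot becomes
        the FileName property, everything after it the Extension (CIM_DataFile stores them
        separately); a name without a dot searches for an empty extension.
    .PARAMETER Credentialed
        Prompt once for a credential used for every host.
    .OUTPUTS
        Text: "[+] Host:" per reachable host followed by every full path found.
    .NOTES
        Fixes versus the original:
        - The name is split on the *last* dot; splitting on the first turned 'update.v2.exe'
          into FileName='update', Extension='v2' and never matched.
        - $FileName is quoted into WQL, so quotes and backslashes are escaped.
        - $files is reset per host; previously a host that failed ping re-printed the previous
          host's hits under its own header.
        A CIM_DataFile query walks the target's whole filesystem and is slow; keep the host
        list short and expect minutes per host on large volumes.
    #>
    [Cmdletbinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [String[]]$ComputerNames,

        [Parameter(Mandatory=$true)]
        [String]$FileName,

        [switch]$Credentialed = $false
    )

    $dot = $FileName.LastIndexOf('.')
    if ($dot -lt 0) {
        $name = $FileName
        $ext = ''
    } else {
        $name = $FileName.Substring(0, $dot)
        $ext = $FileName.Substring($dot + 1)
    }
    $safeName = $name.Replace('\', '\\').Replace("'", "\'")
    $safeExt = $ext.Replace('\', '\\').Replace("'", "\'")
    $query = "Select * from CIM_DataFile where (FileName='$safeName' and Extension='$safeExt')"

    $creds = $null
    if ($Credentialed) { $creds = Get-Credential }

    foreach ($computer in $ComputerNames)
    {
        if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -ne 0) {
            Write-Output "[-] Host unreachable: $computer"
            continue
        }

        $wmiArgs = @{ Query = $query; ComputerName = $computer }
        if ($creds) { $wmiArgs.Credential = $creds }
        $files = @(Get-WmiObject @wmiArgs)

        Write-Output "[+] Host: $computer"
        foreach ($file in $files)
        {
            Write-Output "    $($file.Name)"
        }
    }
}

function Invoke-ExecuteRegistryScript
{
    <#
    .SYNOPSIS
        Starts a hidden powershell.exe on $ComputerName (Win32_Process.Create) that reads
        HKCU\...\IRScripts\SCRIPT_IN, Base64/UTF-16 decodes it and runs it with Invoke-Expression.
    .PARAMETER ComputerName
        Target host.
    .PARAMETER Creds
        Required. Without a credential nothing is launched and $false is returned.
    .OUTPUTS
        $true when Win32_Process.Create returned 0 (the process started -- this says nothing
        about the staged script succeeding), otherwise $false.
    .NOTES
        SECURITY: this is a remote-code-execution primitive driven by a registry value. Whoever
        can write SCRIPT_IN in the hive the launched process sees (HKCU of the account the WMI
        call runs as) gets arbitrary code under that account on the target, and the hidden
        "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand ..." launch is
        indistinguishable from commodity malware tradecraft -- expect EDR alerts plus Security
        4688 and PowerShell 4104 entries on the target. Stage SCRIPT_IN with
        Set-RegistryScriptValue immediately before calling this and clear it afterwards; never
        leave a staged script in place.
        Changes versus the original: a stray line holding only '$' at the top of the generated
        script (apparently a leftover) and a debugging dump of the decoded script to
        C:\users\dev\desktop\output.txt (a developer-machine path) are removed, and the unused
        $command variable is dropped. The launch command line itself is unchanged.
    #>
    Param(
        [String]$ComputerName,
        [System.Management.Automation.PSCredential]$Creds = $null
    )

    if ($Creds -eq $null) {
        return $false
    }

    # Runs on the target. Invoke-Expression on registry content is the mechanism itself, not
    # an accident -- read the SECURITY note above before using it.
    $executionScript = @"
`$HKCU = [UInt32] 2147483649
`$ScriptKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\IRScripts'
`$ValueNameIn = 'SCRIPT_IN'
`$ScriptDefinition = (Invoke-WmiMethod -Namespace root/default -Class StdRegProv -Name GetExpandedStringValue -ArgumentList @(`$HKCU, `$ScriptKey, `$ValueNameIn)).sValue
`$ScriptText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(`$ScriptDefinition))
Invoke-Expression (`$ScriptText)
"@
    $encodedScript = ConvertTo-Base64 -Data $executionScript
    $results = Invoke-WmiMethod -Namespace root/cimv2 -Class Win32_Process -Name Create -ArgumentList @("powershell.exe -NOPr -Windo HIDDEN -eNCo $encodedScript") -ComputerName $ComputerName -Credential $Creds

    switch ($results.ReturnValue)
    {
        0 { $true }
        default { $false }
    }
}

function Invoke-RemoteEventSearch
{
    <#
    .SYNOPSIS
        Returns Win32_NTLogEvent records with any of $EventIDs in $LogFile from each reachable
        host, optionally filtered on a Message substring.
    .PARAMETER ComputerNames
        Hosts to query over WMI.
    .PARAMETER EventIDs
        One or more event codes (EventCode -- the short ID shown in Event Viewer).
    .PARAMETER LogFile
        Log name as WMI sees it: 'Security', 'System', 'Application', ...
    .PARAMETER Credentialed
        Prompt once for a credential used for every host.
    .PARAMETER MessageFilter
        Substring matched with LIKE '%...%'; % and _ act as wildcards.
    .OUTPUTS
        Win32_NTLogEvent objects (pipeline-friendly, unlike the text sweeps in this file).
    .NOTES
        - $LogFile and $MessageFilter are quoted into WQL, so quotes and backslashes are
          escaped; $EventIDs is typed [int[]], so nothing else reaches the query unchecked.
        - The event list is reset per host; previously a host that failed ping re-emitted the
          previous host's events.
        - Reading the Security log remotely needs an account with read access to it (local
          administrators by default). A query without a time bound walks the whole log, so
          large Security logs take minutes per host.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [string[]]$ComputerNames,

        [Parameter(Mandatory=$true)]
        [int[]]$EventIDs,

        [Parameter(Mandatory=$true)]
        [string]$LogFile,

        [switch]$Credentialed=$false,

        [string]$MessageFilter
    )

    $idClauses = foreach ($ec in $EventIDs) { "EventCode=$ec" }
    $safeLog = $LogFile.Replace('\', '\\').Replace("'", "\'")
    $finalQuery = "Select * from Win32_NTLogEvent where (Logfile='$safeLog' and ($($idClauses -join ' or ')))"

    if ($MessageFilter)
    {
        $safeMsg = $MessageFilter.Replace('\', '\\').Replace("'", "\'")
        $finalQuery = "$finalQuery and Message like '%$safeMsg%'"
    }
    Write-Warning "Query: $finalQuery"

    $creds = $null
    if ($Credentialed) { $creds = Get-Credential }

    foreach ($computer in $ComputerNames)
    {
        if ((Test-Connection -Count 1 -ComputerName $computer).StatusCode -ne 0) { continue }

        $wmiArgs = @{ Namespace = 'root/cimv2'; Query = $finalQuery; ComputerName = $computer }
        if ($creds) { $wmiArgs.Credential = $creds }
        Get-WmiObject @wmiArgs
    }
}

function Get-PrefetchFiles
{
    <#
    .SYNOPSIS
        Lists \Windows\Prefetch\*.pf file names per host and groups them by name, most common first.
    .PARAMETER ComputerNames
        Hosts to query over WMI.
    .PARAMETER Credentialed
        Prompt once for a credential used for every host.
    .OUTPUTS
        Group-Object results (Name = .pf file name, Count, Group of {Name, Computer} rows).
    .NOTES
        Bug fixed: the original never passed -ComputerName (or -Credential) to Get-WmiObject, so
        every "host" row was really the *local* machine's prefetch directory repeated once per
        target. Prefetch is typically disabled on server SKUs (and may be off on some SSD
        systems), so an empty result is not suspicious by itself; a missing .pf for a binary
        known to have run on a workstation is.
    #>
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [string[]]$ComputerNames,
        [switch]$Credentialed=$false
    )

    # backslashes are doubled because WQL uses backslash escaping
    $query = "SELECT * FROM CIM_DataFile WHERE Extension='pf' AND Path='\\windows\\prefetch\\'"
    $results = New-Object System.Collections.ArrayList

    $creds = $null
    if ($Credentialed) {
        $creds = Get-Credential
    }

    foreach ($computer in $ComputerNames)
    {
        if ((Test-Connection $computer -Count 1).StatusCode -ne 0) { continue }

        $wmiArgs = @{ Namespace = 'root/cimv2'; Query = $query; ComputerName = $computer }
        if ($creds) { $wmiArgs.Credential = $creds }

        foreach ($pfFile in (Get-WmiObject @wmiArgs))
        {
            $row = New-Object psobject -Property @{
                Name     = [IO.Path]::GetFileName($pfFile.Name)
                Computer = $computer
            }
            [void]$results.Add($row)
        }
    }

    $results | Group-Object Name | Sort-Object Count -Descending
}


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Incident-Response

### 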
Get Names of All Services / Processes: 4 | #### (you can explicitly supply credentials with -Credentials) 5 | ```powershell 6 | Get-AllProcesses -Computername @("192.168.1.1","DC1") 7 | Get-AllServices -Computername @("192.168.1.1","DC1") 8 | ``` 9 | 10 | ### Get Strings, optionally filter down to interesting items: 11 | ```powershell 12 | Get-Content -Raw -Path c:\evil.exe | Get-Strings -Length 5 -NetworkItems 13 | Get-Content -Raw -Path c:\evil.exe | Get-Strings -Length 5 -FileItems 14 | Get-Content -Raw -Path c:\evil.exe | Get-Strings -Length 5 -RegistryItems 15 | Get-Content -Raw -Path c:\evil.exe | Get-Strings -Length 5 -EmailItems 16 | Get-Content -Raw -Path c:\evil.exe | Get-Strings -Length 5 -FunctionItems 17 | Get-Content -Raw -Path c:\evil.exe | Get-Strings 18 | 19 | PS C:\users\et0x\desktop> Get-ChildItem -Recurse -path 'C:\users\et0x\Downloads\Prac MW Analysis\Practical Malware Analysis Labs\BinaryCollection\*' | Get-Content -raw | Get-Strings -RegistryItems 20 | HKEY_CLASSES_ROOT 21 | HKEY_CURRENT_CONFIG 22 | HKEY_CURRENT_USER 23 | HKEY_LOCAL_MACHINE 24 | HKEY_USERS 25 | SYSTEM\CurrentControlSet\Services\ 26 | SYSTEM\CurrentControlSet\Services\%s\Parameters\ 27 | SYSTEM\CurrentControlSet\Control\DeviceClasses 28 | SYSTEM\CurrentControlSet\Services\ 29 | HKEY_CLASSES_ROOT 30 | HKEY_CURRENT_CONFIG 31 | HKEY_CURRENT_USER 32 | HKEY_LOCAL_MACHINE 33 | HKEY_USERS 34 | SYSTEM\CurrentControlSet\Services\ 35 | SYSTEM\CurrentControlSet\Services\%s\Parameters\ 36 | ``` 37 | ### Differential Analysis of Running Processes via Hashing: 38 | #### (optionally supply creds) 39 | ```powershell 40 | Invoke-ProcessHashSweep -ComputerNames @("192.168.1.1","DC1") -SupplyCreds 41 | ``` 42 | 43 | ### Differential Analysis of Installed Services via Hashing: 44 | #### (optionally supply creds) 45 | ```powershell 46 | PS C:\users\et0x\desktop> Invoke-ServiceHashSweep -ComputerNames @("192.168.197.162","192.168.197.163","IE10Win7") -SupplyCreds 47 | 48 | Name Value 49 | ---- 
----- 50 | 192.168.197.162 2D-AE-B9-6C-D5-AB-0B-63-F2-2E-F9-F9-2E-DF-69-EC 51 | 192.168.197.163 2D-AE-B9-6C-D5-AB-0B-63-F2-2E-F9-F9-2E-DF-69-EC 52 | IE10Win7 D4-1D-8C-D9-8F-00-B2-04-E9-80-09-98-EC-F8-42-7E 53 | ``` 54 | 55 | ### Get WMI Filters, Consumers, Binding Paths, or All From Remote Machines 56 | ```powershell 57 | PS C:\users\et0x> Get-WMIEventSubscriptions -Type All -ComputerNames @("192.168.197.153","IE10Win7") -Credentialed 58 | 59 | Name Value 60 | ---- ----- 61 | 192.168.197.153 {\\IE10WIN72\ROOT\subscription:__FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\"DCI200\"",Filter="__EventFilter.Name=\"DCI200\"" \\IE10WI... 62 | IE10Win7 {\\IE10WIN7\ROOT\subscription:__FilterToConsumerBinding.Consumer="NTEventLogEventConsumer.Name=\"SCM Event Log Consumer\"",Filter="__EventFilter.Name=\"SCM ... 63 | 64 | PS C:\users\et0x> Get-WMIEventSubscriptions -Type Filter -ComputerNames @("192.168.197.153","IE10Win7") -Credentialed 65 | 66 | Name Value 67 | ---- ----- 68 | 192.168.197.153 {__EventFilter.Name="DCI200", __EventFilter.Name="SCM Event Log Filter"} 69 | IE10Win7 {__EventFilter.Name="SCM Event Log Filter"} 70 | 71 | 72 | PS C:\users\et0x> Get-WMIEventSubscriptions -Type Consumer -ComputerNames @("192.168.197.153","IE10Win7") -Credentialed 73 | Name Value 74 | ---- ----- 75 | 192.168.197.153 {CommandLineEventConsumer.Name="DCI200", NTEventLogEventConsumer.Name="SCM Event Log Consumer"} 76 | IE10Win7 {NTEventLogEventConsumer.Name="SCM Event Log Consumer"} 77 | ``` 78 | 79 | 80 | ###Get All Info From WMI Event Subscriptions on a list of Remote Machines 81 | ```powershell 82 | PS C:\users\et0x> Invoke-EnumerateAllWMIEventSubscriptions -ComputerNames @("192.168.197.153","IE10Win7") -Credentialed 83 | 84 | [+] HOST: 192.168.197.153 85 | 86 | Name : DCI200 87 | CommandLineTemplate : c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -enc JAB3AHMAaABlAGwAbAAgAD0AIABuAGUAdwAtAG8AYgBqAGUAYwB0ACAALQBjAG8AbQBvAGIAagBlAGMAdAAgAFcAc 
88 | wBjAHIAaQBwAHQALgBzAGgAZQBsAGwAOwAkAHcAcwBoAGUAbABsAC4AUABvAHAAdQBwACgAIgBXAGUAIABoAGEAdgBlACAAYQAgAFcATQBJACAAYgBpAG4AZABpAG4AZwAgAC4ALgAuACIALAAgADAALAAgACIARABDAEkAM 89 | gAwADAAIgAsACAAMAB4ADAAKQA= 90 | ExecutablePath : 91 | WorkingDirectory : 92 | 93 | Name : DCI200 94 | Query : SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_PerfFormattedData_PerfOS_System" AND TargetInstance.SystemUpTime >= 240 AND 95 | TargetInstance.SystemUpTime < 325 96 | 97 | [+] HOST: 192.168.197.153 98 | 99 | Name : SCM Event Log Consumer 100 | EventID : 0 101 | EventType : 1 102 | Category : 0 103 | 104 | Name : SCM Event Log Filter 105 | Query : select * from MSFT_SCMEventLogEvent 106 | 107 | [+] HOST: IE10Win7 108 | 109 | Name : SCM Event Log Consumer 110 | EventID : 0 111 | EventType : 1 112 | Category : 0 113 | 114 | Name : SCM Event Log Filter 115 | Query : select * from MSFT_SCMEventLogEvent 116 | ``` 117 | 118 | ###Differential Analysis of WMI Event Subscription Hashes 119 | ```powershell 120 | PS C:\users\et0x> Invoke-WMIHashSweep -ComputerNames @("192.168.197.153","IE10Win7") -Credentialed 121 | 122 | Name Value 123 | ---- ----- 124 | 192.168.197.153 73-45-82-E1-5C-A9-66-65-CC-0D-A2-4E-69-E1-D7-6B 125 | IE10Win7 3A-57-5A-26-91-14-61-CA-3A-A3-65-B4-17-1B-C7-7C 126 | ``` 127 | 128 | ###Get all processes running on a list of hosts, return the sorted number of occurrences (most occurrences to least) 129 | ```powershell 130 | # the following do the same thing: 131 | PS C:\WINDOWS\system32> Get-RemoteProcessCount -ComputerNames @("192.168.197.153","192.168.197.160") -Credentialed 132 | PS C:\WINDOWS\system32> Get-RemoteProcessCount -ComputerNames (Get-Content .\hosts.txt) -Credentialed 133 | 134 | [+] Count: 22, Executable: C:\Windows\system32\svchost.exe 135 | 192.168.197.153, 192.168.197.153, 192.168.197.153, 192.168.197.153, 192.168.197.153, 192.168.197.153, 192.168.197.153, 192.168.197.153, 192.168.197.153, 192.168.197.153, 
192.168.197.153, 192.168.197.160, 192.168.197.160, 192.168.197.160, 192.168.197.160, 192 136 | .168.197.160, 192.168.197.160, 192.168.197.160, 192.168.197.160, 192.168.197.160, 192.168.197.160, 192.168.197.160 137 | 138 | 139 | [+] Count: 10, Executable: C:\Windows\system32\vmicsvc.exe 140 | 192.168.197.153, 192.168.197.153, 192.168.197.153, 192.168.197.153, 192.168.197.153, 192.168.197.160, 192.168.197.160, 192.168.197.160, 192.168.197.160, 192.168.197.160 141 | 142 | ... 143 | 144 | [+] Count: 1, Executable: C:\Users\et0x\AppData\Local\Temp\gh0st.exe 145 | 192.168.197.160 146 | ``` 147 | 148 | ###Get all services installed on a list of hosts, return the sorted number of occurrences (most occurrences to least) 149 | ```powershell 150 | # the following do the same thing: 151 | PS C:\WINDOWS\system32> Get-RemoteServiceCount -ComputerNames @("192.168.197.153","192.168.197.160") -Credentialed 152 | PS C:\WINDOWS\system32> Get-RemoteServiceCount -ComputerNames (Get-Content .\hosts.txt) -Credentialed 153 | 154 | [+] Count: 2, Service Name: wcncsvc 155 | 192.168.197.153, 192.168.197.160 156 | 157 | 158 | [+] Count: 2, Service Name: UI0Detect 159 | 192.168.197.153, 192.168.197.160 160 | 161 | 162 | [+] Count: 2, Service Name: NetTcpPortSharing 163 | 192.168.197.153, 192.168.197.160 164 | 165 | ... 166 | 167 | [+] Count: 1, Service Name: MalService 168 | 192.168.197.153 169 | ``` 170 | 171 | ###Multi-threaded (quick!) 
active host ping-sweep 172 | ```powershell 173 | PS C:\WINDOWS\system32> Get-ActiveHosts -Subnet 192.168.197 -Start 1 -End 254 174 | 192.168.197.1 175 | 192.168.197.153 176 | 192.168.197.160 177 | WARNING: Total Live Hosts: 3 178 | 179 | PS C:\WINDOWS\system32> Get-ActiveHosts -Subnet 192.168.197 -Start 1 -End 254 > hosts.txt 180 | WARNING: Total Live Hosts: 3 181 | ``` 182 | 183 | ### Get the Hash (MD5/SHA1/SHA256) of a single file, or of many files from a list (I realize PS 4.0 has a cmdlet for this, but I always work off 2.0) 184 | ```powershell 185 | PS C:\WINDOWS\system32> Get-HashSum (Get-Content .\files.txt) -Algorithm MD5 186 | 187 | 188 | Name : c:\windows\syswow64\calc.exe 189 | Value : 71CC09E8F88BEC2186AA6AEE4B2CDAEB 190 | 191 | Name : c:\windows\syswow64\notepad.exe 192 | Value : 51805698809B88CEB8193C975C4CE5AC 193 | 194 | PS C:\WINDOWS\system32> Get-HashSum @("c:\windows\syswow64\calc.exe","c:\windows\syswow64\notepad.exe") -Algorithm SHA1 195 | 196 | 197 | Name : c:\windows\syswow64\calc.exe 198 | Value : 9ABB92D19683E7611DCAFD3CF767360EFA32E296 199 | 200 | Name : c:\windows\syswow64\notepad.exe 201 | Value : 8CFB904FE7B1B7DE5DC1B11233A5A5D1403EC6A1 202 | 203 | PS C:\WINDOWS\system32> Get-HashSum @("c:\windows\syswow64\calc.exe","c:\windows\syswow64\notepad.exe") -Algorithm SHA256 204 | 205 | 206 | Name : c:\windows\syswow64\calc.exe 207 | Value : 6EB5251FC9850F23FAB98CE71349879E8E9C8C284736F9545958257FC739ECF3 208 | 209 | Name : c:\windows\syswow64\notepad.exe 210 | Value : B66B398769FEB6554D213EC79592B84DEB81CC37C303FC5778EC92D71AF14471 211 | ``` 212 | ### Get all PSEXECs that occurred on one or more systems (for multiple systems use -ComputerNames (Get-Content .\ips.txt)) 213 | #### Note that certain tools (such as Nessus) may cause false positives, as they use remote service installations for their tasks, so you may need to do some filtering.
214 | ```powershell 215 | PS C:\WINDOWS\system32> Get-PSExecs -ComputerNames "10.0.1.28" -Credentialed 216 | [+] Possible PSExec Found, Logon Type: 3 217 | Host: 10.0.1.28 218 | Time: 03/22/2016 12:47:08 219 | Source Hostname: pkOai0oPopcVDio5 220 | Source IP: 10.0.1.1 221 | Source Account: - 222 | Source Domain: - 223 | 224 | Target Account: test 225 | Target Domain: dev-PC 226 | ``` 227 | 228 | ### More to come! 229 | --------------------------------------------------------------------------------