Disclaimer
==========
As always, do not use anything for malicious intent.

Code written by Vincent Yiu of ActiveBreach by MDSec Consulting Ltd (www.mdsec.co.uk)

Credits
=======
Credit to EQGRP for the list

Feel free to submit a PR or improvements. You can even take the code and invent your own things, just give a small link back to this repo.

Description
===========

This script uses a list from the Equation Group leak published by the Shadow Brokers to provide context to the executables that are running on a system.

Usage
=====

List all processes but do not save:

```
PS C:\> Invoke-ProcessScan -SecurityOnly $False
[*] Starting AV Scan

ProcessName               Description
-----------               -----------
cmdagent.exe              !!! Comodo Firewall Pro !!!
system.exe                !!! LanAgent Monitoring !!!
csrss.exe                 Client-Server Runtime Server Subsystem
csrss.exe                 Client-Server Runtime Server Subsystem
rundll32.exe              Control Panel Helper
RegSrvc.exe               Intel Communications Service
evteng.exe                Intel EvtEng Module
lsass.exe                 Local Security Authority Server Subsystem
PresentationFontCache.exe Microsoft .NET Framework
conhost.exe               Microsoft Console Windows Host
conhost.exe               Microsoft Console Windows Host
dllhost.exe               Microsoft DCOM DLL Host Process
spoolsv.exe               Microsoft Printer Spooler Service
searchindexer.exe         Microsoft search indexer
svchost.exe               Microsoft Service Host Process (Check path in processdeep)
svchost.exe               Microsoft Service Host Process (Check path in processdeep)
svchost.exe               Microsoft Service Host Process (Check path in processdeep)
svchost.exe               Microsoft Service Host Process (Check path in processdeep)
svchost.exe               Microsoft Service Host Process (Check path in processdeep)
svchost.exe               Microsoft Service Host Process (Check path in processdeep)
svchost.exe               Microsoft Service Host Process (Check path in processdeep)
svchost.exe               Microsoft Service Host Process (Check path in processdeep)
svchost.exe               Microsoft Service Host Process (Check path in processdeep)
svchost.exe               Microsoft Service Host Process (Check path in processdeep)
svchost.exe               Microsoft Service Host Process (Check path in processdeep)
svchost.exe               Microsoft Service Host Process (Check path in processdeep)
svchost.exe               Microsoft Service Host Process (Check path in processdeep)
svchost.exe               Microsoft Service Host Process (Check path in processdeep)
svchost.exe               Microsoft Service Host Process (Check path in processdeep)
svchost.exe               Microsoft Service Host Process (Check path in processdeep)
sqlwriter.exe             Microsoft SQL Server
tabtip.exe                Microsoft Tablet PC Module
winlogon.exe              Microsoft Windows Logon Process
wmiprvse.exe              Microsoft Windows Management Instrumentation
wmiprvse.exe              Microsoft Windows Management Instrumentation
unsecapp.exe              Microsoft Windows Management Instrumentation
unsecapp.exe              Microsoft Windows Management Instrumentation
smss.exe                  Session Manager Subsystem
wininit.exe               Vista background service launcher
dwm.exe                   Vista Desktop Window Manager
vmnetdhcp.exe             VMnet DHCP service
vmware-authd.exe          VMWare Authentication Module
vmnat.exe                 VMware NAT Service
WUDFHost.exe              Windows Driver Foundation
WUDFHost.exe              Windows Driver Foundation
explorer.exe              Windows Explorer Shell
services.exe              Windows Service Controller
wlanext.exe               Windows Wireless LAN Framework

[*] Module Complete
```

List only security related processes and save them to a file:

```
PS C:\> Invoke-ProcessScan -Path security.csv
[*] Starting AV Scan

ProcessName               Description
-----------               -----------
cmdagent.exe              !!! Comodo Firewall Pro !!!
system.exe                !!! LanAgent Monitoring !!!

[*] Data exported to security.csv
[*] Module Complete
```
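The lookup approach the README describes, as an added example that is not the repository's own code: a constructed four-entry table stands in for the real list, `!!!` markers are assumed to be what a `-SecurityOnly` filter keys on, and the path check for system binaries (the "Check path" caveat printed beside svchost.exe above) is an assumption added here so a defender can confirm that name-matched Windows binaries are loading from System32 and that expected security agents are actually present.

```powershell
# Added example, not Invoke-ProcessScan itself. Constructed lookup table:
# descriptions wrapped in !!! mark security products (assumed convention).
$Lookup = @{
    'cmdagent.exe' = '!!! Comodo Firewall Pro !!!'
    'lsass.exe'    = 'Local Security Authority Server Subsystem'
    'svchost.exe'  = 'Microsoft Service Host Process (Check path in processdeep)'
    'csrss.exe'    = 'Client-Server Runtime Server Subsystem'
}
# Binaries that should only ever run from System32 (constructed subset).
$ExpectedDir = Join-Path $env:SystemRoot 'System32'
$SystemOnly  = @('lsass.exe', 'svchost.exe', 'csrss.exe')

function Get-ProcessContext {
    param([switch]$SecurityOnly)
    Get-Process | ForEach-Object {
        $name = "$($_.ProcessName).exe".ToLower()
        if (-not $Lookup.ContainsKey($name)) { return }   # no context known
        $desc = $Lookup[$name]
        # -SecurityOnly keeps only the !!!-tagged security products.
        if ($SecurityOnly -and $desc -notmatch '^!!!') { return }
        # Path is $null when the process cannot be opened (e.g. lsass.exe
        # without elevation); report that instead of guessing.
        $path   = $_.Path
        $status = 'n/a'
        if ($SystemOnly -contains $name) {
            if (-not $path) { $status = 'unknown (no access)' }
            elseif ((Split-Path $path -Parent) -ieq $ExpectedDir) { $status = 'expected path' }
            else { $status = "UNEXPECTED path: $path" }
        }
        [pscustomobject]@{
            ProcessName = $name
            Description = $desc
            PathCheck   = $status
        }
    } | Sort-Object Description
}

# Same two use cases as the README: show everything, or keep only
# security-related processes and export them to CSV.
Get-ProcessContext | Format-Table -AutoSize
Get-ProcessContext -SecurityOnly | Export-Csv -Path security.csv -NoTypeInformation
```

Rows reporting "UNEXPECTED path" or "unknown (no access)" are the ones worth a second look, since a name match alone says nothing about which image is actually running.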