Skip to content

Commit 9ed0244

Browse files
evild3adevild3ad
committed
2023-12-09
1 parent 845a2da commit 9ed0244

File tree

1 file changed

+44
-7
lines changed

1 file changed

+44
-7
lines changed

MemProcFS-Analyzer.ps1

Lines changed: 44 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44
# @copyright: Copyright (c) 2021-2023 Martin Willing. All rights reserved.
55
# @contact: Any feedback or suggestions are always welcome and much appreciated - mwilling@lethal-forensics.com
66
# @url: https://lethal-forensics.com/
7-
# @date: 2023-11-22
7+
# @date: 2023-12-09
88
#
99
#
1010
# ██╗ ███████╗████████╗██╗ ██╗ █████╗ ██╗ ███████╗ ██████╗ ██████╗ ███████╗███╗ ██╗███████╗██╗ ██████╗███████╗
@@ -33,7 +33,7 @@
3333
# Dokany Library Bundle v2.0.6.1000 (2022-10-02)
3434
# https://github.com/dokan-dev/dokany/releases/latest --> DokanSetup.exe
3535
#
36-
# Elasticsearch 8.9.2 (2023-09-06)
36+
# Elasticsearch 8.11.2 (2023-12-07)
3737
# https://www.elastic.co/downloads/elasticsearch
3838
#
3939
# entropy v1.1 (2023-07-28)
@@ -51,13 +51,13 @@
5151
# jq v1.7 (2023-09-06)
5252
# https://github.com/stedolan/jq
5353
#
54-
# Kibana 8.9.2 (2023-09-06)
54+
# Kibana 8.11.2 (2023-12-07)
5555
# https://www.elastic.co/downloads/kibana
5656
#
5757
# lnk_parser v0.2.0 (2022-08-10)
5858
# https://github.com/AbdulRhmanAlfaifi/lnk_parser
5959
#
60-
# MemProcFS v5.8.17 - The Memory Process File System (2023-08-20)
60+
# MemProcFS v5.8.18 - The Memory Process File System (2023-08-20)
6161
# https://github.com/ufrisk/MemProcFS
6262
#
6363
# RECmd v2.0.0.0 (.NET 6)
@@ -72,7 +72,7 @@
7272
# YARA v4.3.2 (2023-06-12)
7373
# https://virustotal.github.io/yara/
7474
#
75-
# Zircolite v2.9.10 (2023-07-15)
75+
# Zircolite v2.10.0 (2023-12-02)
7676
# https://github.com/wagga40/Zircolite
7777
#
7878
#
@@ -1255,7 +1255,8 @@ $Repository = "elastic/elasticsearch"
12551255
$Releases = "https://api.github.com/repos/$Repository/releases"
12561256
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
12571257
$Response = (Invoke-WebRequest -Uri $Releases -UseBasicParsing | ConvertFrom-Json)
1258-
$Latest = $Response.tag_name | Where-Object{($_ -notmatch "-rc")} | ForEach-Object{($_ -replace "v","")} | Sort-Object -Descending | Select-Object -First 1
1258+
$Versions = $Response.tag_name | Where-Object{($_ -notmatch "-rc")} | ForEach-Object{($_ -replace "v","")}
1259+
$Latest = ($Versions | ForEach-Object{[System.Version]$_ } | Sort-Object -Descending | Select-Object -First 1).ToString()
12591260
$Item = $Response | Where-Object{($_.tag_name -eq "v$Latest")}
12601261
$Tag = $Item.tag_name
12611262
$Published = $Item.published_at
@@ -1335,7 +1336,8 @@ $Repository = "elastic/kibana"
13351336
$Releases = "https://api.github.com/repos/$Repository/releases"
13361337
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
13371338
$Response = (Invoke-WebRequest -Uri $Releases -UseBasicParsing | ConvertFrom-Json)
1338-
$Latest = $Response.tag_name | Where-Object{($_ -notmatch "-rc")} | ForEach-Object{($_ -replace "v","")} | Sort-Object -Descending | Select-Object -First 1
1339+
$Versions = $Response.tag_name | Where-Object{($_ -notmatch "-rc")} | ForEach-Object{($_ -replace "v","")}
1340+
$Latest = ($Versions | ForEach-Object{[System.Version]$_ } | Sort-Object -Descending | Select-Object -First 1).ToString()
13391341
$Item = $Response | Where-Object{($_.tag_name -eq "v$Latest")}
13401342
$Tag = $Item.tag_name
13411343
$Published = $Item.published_at
@@ -6757,6 +6759,41 @@ if (Test-Path "$($MemProcFS)")
67576759
}
67586760
}
67596761

6762+
# Task Scheduler running suspicious command line argument: /s --> Remote Scheduled Task
6763+
$Import = $Tasks | Where-Object { $_.Parameters -match " /s " }
6764+
$Count = ($Import | Measure-Object).Count
6765+
if ($Count -gt 0)
6766+
{
6767+
Write-Host "[Alert] Task Scheduler running suspicious command line argument which indicates a Remote Scheduled Task: /s ($Count)" -ForegroundColor Yellow
6768+
New-Item "$OUTPUT_FOLDER\sys\tasks\Suspicious-Tasks\Parameters\CSV" -ItemType Directory -Force | Out-Null
6769+
$Import | Export-Csv -Path "$OUTPUT_FOLDER\sys\tasks\Suspicious-Tasks\Parameters\CSV\Remote-Scheduled-Task.csv" -NoTypeInformation -Encoding UTF8
6770+
6771+
# XLSX
6772+
if (Get-Module -ListAvailable -Name ImportExcel)
6773+
{
6774+
if (Test-Path "$OUTPUT_FOLDER\sys\tasks\Suspicious-Tasks\Parameters\CSV\Remote-Scheduled-Task.csv")
6775+
{
6776+
if([int](& $xsv count -d "," "$OUTPUT_FOLDER\sys\tasks\Suspicious-Tasks\Parameters\CSV\Remote-Scheduled-Task.csv") -gt 0)
6777+
{
6778+
New-Item "$OUTPUT_FOLDER\sys\tasks\Suspicious-Tasks\Parameters\XLSX" -ItemType Directory -Force | Out-Null
6779+
$Import = Import-Csv "$OUTPUT_FOLDER\sys\tasks\Suspicious-Tasks\Parameters\CSV\Remote-Scheduled-Task.csv" -Delimiter ","
6780+
$Import | Export-Excel -Path "$OUTPUT_FOLDER\sys\tasks\Suspicious-Tasks\Parameters\XLSX\Remote-Scheduled-Task.xlsx" -FreezeTopRow -BoldTopRow -AutoSize -AutoFilter -WorkSheetname "Remote Scheduled Task" -CellStyleSB {
6781+
param($WorkSheet)
6782+
# BackgroundColor and FontColor for specific cells of TopRow
6783+
$BackgroundColor = [System.Drawing.Color]::FromArgb(50,60,220)
6784+
Set-Format -Address $WorkSheet.Cells["A1:K1"] -BackgroundColor $BackgroundColor -FontColor White
6785+
# HorizontalAlignment "Center" of columns A, D-E and H-K
6786+
$WorkSheet.Cells["A:A"].Style.HorizontalAlignment="Center"
6787+
$WorkSheet.Cells["D:E"].Style.HorizontalAlignment="Center"
6788+
$WorkSheet.Cells["H:K"].Style.HorizontalAlignment="Center"
6789+
# ConditionalFormatting
6790+
Add-ConditionalFormatting -Address $WorkSheet.Cells["G:G"] -WorkSheet $WorkSheet -RuleType 'Expression' 'NOT(ISERROR(FIND("/s",$G1)))' -BackgroundColor Red
6791+
}
6792+
}
6793+
}
6794+
}
6795+
}
6796+
67606797
# c) Scheduled tasks with suspicious network connections (False Positives: MEDIUM)
67616798

67626799
# Task Scheduler running suspicious command line argument: IPv4 address

0 commit comments

Comments
 (0)