VoidSec/DPRK-Breach-Checker.ps1

## DPRK-Breach-Checker.ps1
# Updated on 29/01/2021
# IOCs from Google TAG https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
# IOCs from Microsoft MSTIC https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/

# Checks the registry, if not compromised each test will return "ERROR: The system was unable to find the specified registry key or value."
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update"

# Checks the following paths, if not compromised each test will return false
Test-Path $env:SystemRoot\System32\Nwsapagent.sys
Test-Path $env:SystemRoot\System32\helpsvc.sys
Test-Path $env:SystemRoot\System32\Irmon.sys
Test-Path $env:SystemRoot\System32\LogonHours.sys
Test-Path $env:SystemRoot\System32\Ntmssvc.sys
Test-Path $env:SystemRoot\System32\NWCWorkstation.sys
Test-Path $env:SystemRoot\System32\PCAudit.sys
Test-Path $env:SystemRoot\System32\uploadmgr.sys
Test-Path $env:SystemDrive\ProgramData\USOShared\uso.bin
Test-Path $env:SystemDrive\ProgramData\VMware\vmnat-update.bin
Test-Path $env:SystemDrive\ProgramData\VirtualBox\update.bin
#----
Test-Path $env:SystemDrive\MSCache\msomui.dat
Test-Path $env:SystemDrive\MSCache\local.cpl
Test-Path $env:SystemDrive\ProgramData\ntuser.db
Test-Path $env:SystemDrive\ProgramData\ntuser.ini
Test-Path $env:SystemDrive\ProgramData\taskhost.exe
Test-Path $env:SystemDrive\ProgramData\Adobe\get.exe
Test-Path $env:SystemDrive\ProgramData\Adobe\ARM\AdobeUpdate.exe
Test-Path $env:SystemDrive\ProgramData\Mozilla\update.bin
Test-Path $env:SystemDrive\ProgramData\NVIDIA\graphicscheck.exe
Test-Path $env:SystemDrive\ProgramData\NVIDIA\NVIDIA.bin
Test-Path $env:SystemDrive\ProgramData\Oracle\java.db
Test-Path $env:SystemDrive\ProgramData\Oracle\java.cpl
Test-Path $env:SystemDrive\ProgramData\USOShared\Search.bin
Test-Path $env:SystemDrive\Windows\netsvc.exe
Test-Path $env:SystemRoot\system32\kjchost.dll
Test-Path $env:SystemRoot\System32\traextapi.dll
Test-Path $env:SystemRoot\System32\healthextapi.dll
Test-Path $env:SystemRoot\System32\detaextapi.dll
Test-Path $env:SystemRoot\Temp\ads.tmp
Test-Path $env:SystemRoot\Temp\CA_Root.pfx
Test-Path $env:SystemDrive\Recovery\recover.bin
Test-Path $env:SystemDrive\Recovery\re.bin

# thx to https://twitter.com/richinseattle/status/1354296177743679489
Test-Path $env:SystemRoot\System32\bcdbootinfo.tlp

# Checks unsigned IOCs sys files, if not compromised it won't display any output
# thx to https://twitter.com/gN3mes1s/status/1354047780738772994
Get-ChildItem $env:SystemRoot\System32\*.sys | %{Get-AuthenticodeSignature $_} | Where-Object {$_.status -ne "Valid"}

# Checks for .bin, .db, .dat, and .cpl files in following folders, if not compromised it won't display any output
Get-ChildItem $env:SystemDrive\ProgramData\USOShared\*.bin
Get-ChildItem $env:SystemDrive\ProgramData\USOShared\*.db
Get-ChildItem $env:SystemDrive\ProgramData\USOShared\*.dat
Get-ChildItem $env:SystemDrive\ProgramData\USOShared\*.cpl
Get-ChildItem $env:SystemDrive\ProgramData\Adobe\*.bin
Get-ChildItem $env:SystemDrive\ProgramData\Adobe\*.db
Get-ChildItem $env:SystemDrive\ProgramData\Adobe\*.dat
Get-ChildItem $env:SystemDrive\ProgramData\Adobe\*.cpl
Get-ChildItem $env:SystemDrive\ProgramData\Mozilla\*.bin
Get-ChildItem $env:SystemDrive\ProgramData\Mozilla\*.db
Get-ChildItem $env:SystemDrive\ProgramData\Mozilla\*.dat
Get-ChildItem $env:SystemDrive\ProgramData\Mozilla\*.cpl
Get-ChildItem $env:SystemDrive\ProgramData\NVIDIA\*.bin
Get-ChildItem $env:SystemDrive\ProgramData\NVIDIA\*.db
Get-ChildItem $env:SystemDrive\ProgramData\NVIDIA\*.dat
Get-ChildItem $env:SystemDrive\ProgramData\NVIDIA\*.cpl
Get-ChildItem $env:SystemDrive\ProgramData\Oracle\*.bin
Get-ChildItem $env:SystemDrive\ProgramData\Oracle\*.db
Get-ChildItem $env:SystemDrive\ProgramData\Oracle\*.dat
Get-ChildItem $env:SystemDrive\ProgramData\Oracle\*.cpl
Get-ChildItem $env:SystemDrive\ProgramData\VirtualBox\*.bin
Get-ChildItem $env:SystemDrive\ProgramData\VirtualBox\*.db
Get-ChildItem $env:SystemDrive\ProgramData\VirtualBox\*.dat
Get-ChildItem $env:SystemDrive\ProgramData\VirtualBox\*.cpl
	# Updated on 29/01/2021
	# IOCs from Google TAG https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
	# IOCs from Microsoft MSTIC https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/

	# Checks the registry, if not compromised each test will return "ERROR: The system was unable to find the specified registry key or value."
	reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig"
	reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig"
	reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update"

	# Checks the following paths, if not compromised each test will return false
	Test-Path $env:SystemRoot\System32\Nwsapagent.sys
	Test-Path $env:SystemRoot\System32\helpsvc.sys
	Test-Path $env:SystemRoot\System32\Irmon.sys
	Test-Path $env:SystemRoot\System32\LogonHours.sys
	Test-Path $env:SystemRoot\System32\Ntmssvc.sys
	Test-Path $env:SystemRoot\System32\NWCWorkstation.sys
	Test-Path $env:SystemRoot\System32\PCAudit.sys
	Test-Path $env:SystemRoot\System32\uploadmgr.sys
	Test-Path $env:SystemDrive\ProgramData\USOShared\uso.bin
	Test-Path $env:SystemDrive\ProgramData\VMware\vmnat-update.bin
	Test-Path $env:SystemDrive\ProgramData\VirtualBox\update.bin
	#----
	Test-Path $env:SystemDrive\MSCache\msomui.dat
	Test-Path $env:SystemDrive\MSCache\local.cpl
	Test-Path $env:SystemDrive\ProgramData\ntuser.db
	Test-Path $env:SystemDrive\ProgramData\ntuser.ini
	Test-Path $env:SystemDrive\ProgramData\taskhost.exe
	Test-Path $env:SystemDrive\ProgramData\Adobe\get.exe
	Test-Path $env:SystemDrive\ProgramData\Adobe\ARM\AdobeUpdate.exe
	Test-Path $env:SystemDrive\ProgramData\Mozilla\update.bin
	Test-Path $env:SystemDrive\ProgramData\NVIDIA\graphicscheck.exe
	Test-Path $env:SystemDrive\ProgramData\NVIDIA\NVIDIA.bin
	Test-Path $env:SystemDrive\ProgramData\Oracle\java.db
	Test-Path $env:SystemDrive\ProgramData\Oracle\java.cpl
	Test-Path $env:SystemDrive\ProgramData\USOShared\Search.bin
	Test-Path $env:SystemDrive\Windows\netsvc.exe
	Test-Path $env:SystemRoot\system32\kjchost.dll
	Test-Path $env:SystemRoot\System32\traextapi.dll
	Test-Path $env:SystemRoot\System32\healthextapi.dll
	Test-Path $env:SystemRoot\System32\detaextapi.dll
	Test-Path $env:SystemRoot\Temp\ads.tmp
	Test-Path $env:SystemRoot\Temp\CA_Root.pfx
	Test-Path $env:SystemDrive\Recovery\recover.bin
	Test-Path $env:SystemDrive\Recovery\re.bin

	# thx to https://twitter.com/richinseattle/status/1354296177743679489
	Test-Path $env:SystemRoot\System32\bcdbootinfo.tlp

	# Checks unsigned IOCs sys files, if not compromised it won't display any output
	# thx to https://twitter.com/gN3mes1s/status/1354047780738772994
	Get-ChildItem $env:SystemRoot\System32\*.sys \| %{Get-AuthenticodeSignature $_} \| Where-Object {$_.status -ne "Valid"}

	# Checks for .bin, .db, .dat, and .cpl files in following folders, if not compromised it won't display any output
	Get-ChildItem $env:SystemDrive\ProgramData\USOShared\*.bin
	Get-ChildItem $env:SystemDrive\ProgramData\USOShared\*.db
	Get-ChildItem $env:SystemDrive\ProgramData\USOShared\*.dat
	Get-ChildItem $env:SystemDrive\ProgramData\USOShared\*.cpl
	Get-ChildItem $env:SystemDrive\ProgramData\Adobe\*.bin
	Get-ChildItem $env:SystemDrive\ProgramData\Adobe\*.db
	Get-ChildItem $env:SystemDrive\ProgramData\Adobe\*.dat
	Get-ChildItem $env:SystemDrive\ProgramData\Adobe\*.cpl
	Get-ChildItem $env:SystemDrive\ProgramData\Mozilla\*.bin
	Get-ChildItem $env:SystemDrive\ProgramData\Mozilla\*.db
	Get-ChildItem $env:SystemDrive\ProgramData\Mozilla\*.dat
	Get-ChildItem $env:SystemDrive\ProgramData\Mozilla\*.cpl
	Get-ChildItem $env:SystemDrive\ProgramData\NVIDIA\*.bin
	Get-ChildItem $env:SystemDrive\ProgramData\NVIDIA\*.db
	Get-ChildItem $env:SystemDrive\ProgramData\NVIDIA\*.dat
	Get-ChildItem $env:SystemDrive\ProgramData\NVIDIA\*.cpl
	Get-ChildItem $env:SystemDrive\ProgramData\Oracle\*.bin
	Get-ChildItem $env:SystemDrive\ProgramData\Oracle\*.db
	Get-ChildItem $env:SystemDrive\ProgramData\Oracle\*.dat
	Get-ChildItem $env:SystemDrive\ProgramData\Oracle\*.cpl
	Get-ChildItem $env:SystemDrive\ProgramData\VirtualBox\*.bin
	Get-ChildItem $env:SystemDrive\ProgramData\VirtualBox\*.db
	Get-ChildItem $env:SystemDrive\ProgramData\VirtualBox\*.dat
	Get-ChildItem $env:SystemDrive\ProgramData\VirtualBox\*.cpl