Last active
February 3, 2021 10:10
-
-
Save ZephrFish/0deb1458aeb63ae832987cc53addc404 to your computer and use it in GitHub Desktop.
Threat Analysis Group IOC Scanner
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Checks the registry for IOCs from https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ | |
| # If not vulnerable should return "ERROR: The system was unable to find the specified registry key or value." | |
| reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig" | |
| reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig" | |
| reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update" | |
| # Checks the paths of IOCs from https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ | |
| # If not vulnerable each will return false | |
| Test-Path C:\Windows\System32\Nwsapagent.sys | |
| Test-Path C:\Windows\System32\helpsvc.sys | |
| Test-Path C:\ProgramData\USOShared\uso.bin | |
| Test-Path C:\ProgramData\VMware\vmnat-update.bin | |
| Test-Path C:\ProgramData\VirtualBox\update.bin | |
| # Checks unsigned IOCs sys files, if not compromised it won't display any output | |
| # thx to https://twitter.com/gN3mes1s/status/1354047780738772994 | |
| Get-ChildItem $env:SystemRoot\System32\*.sys | %{Get-AuthenticodeSignature $_} | Where-Object {$_.status -ne "Valid"} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Normalized system paths and added couple checks:
https://gist.github.com/VoidSec/cfe0ff5f1c47070df95e54dcf732ddd0