This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Quick tip to find super common artifacts of the HAFNIUM Exchange attacks with nothing more than IIS logs... | |
# Run this grep pattern against all logs in C:\inetpub\logs\LogFiles\W3SVC1 | |
# | |
# https://twitter.com/eric_capuano | |
# Quick check for likely successful attacks | |
## Bash (faster) | |
egrep -i '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log | |
## PowerShell | |
Select-String -Pattern '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<# | |
.SYNOPSIS | |
Inventory Chrome Extension information and dump the info to the Windows Event Log | |
.DESCRIPTION | |
This is a simplified adaptation of zsattler's Set-ChromeExtensions.ps1 which writes extension info to a WMI namespace for SCCM to pick up | |
This version writes the information to a custom Windows Event Log instead, easily picked up for WEF or similar log forwarding tools. | |
Original script: https://github.com/zsattler/PowerShell/blob/master/Set-ChromeExtensions/Set-ChromeExtensions.ps1 | |
Original blog post: https://zsattler.wordpress.com/2017/02/27/chrome-extension-inventory-for-sccm/ |