@thinkst-cs
Created April 29, 2024 23:29
RATPACK - DFIR Common exes - Single script to set up and alert on any of them executing on an endpoint
#Requires -RunAsAdministrator
# Writes under HKLM, so the script must run elevated.

# List of apps to monitor execution.
$monitoredApp = @("nltest.exe", "systeminfo.exe", "adfind.exe", "wmic.exe", "klist.exe")
#
## If we need Process Details use = $pn=$(Get-WmiObject win32_process -Filter 'ProcessID = %e' | select ProcessName,ProcessId,CommandLine etc..)
<#
Sample Use:
1. Create a Sensitive Command Token - Either in your customer console or online canarytokens.org
2. Modify the domain (EXAMPLE.canarytokens.com) in the $monitor string below to match your token
#>
foreach ($cmd in $monitoredApp)
{
    # Strip the trailing ".exe" so the binary name can be embedded in the DNS label.
    $cmd_trim = $cmd -replace ".{4}$"
    # Command Windows launches when the monitored process exits (SilentProcessExit fires on termination).
    # It resolves a hostname carrying the sanitised computer name, user name and binary name,
    # which is what raises the alert on the Canarytokens side.
    $monitor = 'cmd.exe /c start /min powershell.exe -windowstyle hidden -command "$($u=$(\"u$env:username\" -replace(''[^a-zA-Z0-9\-]+'', ''''))[0..63] -join '''';$c=$(\"c$env:computername\" -replace(''[^a-zA-Z0-9\-]+'', ''''))[0..63] -join '''';'+' Resolve-DnsName -Name \"$c.UN.$u-'+$cmd_trim+'.CMD.EXAMPLE.canarytokens.com\")"'
    Write-Host $cmd_trim -ForegroundColor Green
    # IFEO GlobalFlag 512 (0x200) = FLG_MONITOR_SILENT_PROCESS_EXIT: enables silent-exit monitoring for this image name.
    New-Item -Force -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$cmd" | Out-Null
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$cmd" -Name GlobalFlag -Value 512
    # SilentProcessExit\<exe>: ReportingMode 1 launches MonitorProcess when the process exits.
    New-Item -Force -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$cmd" | Out-Null
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$cmd" -Name ReportingMode -Value 1
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$cmd" -Name MonitorProcess -Value $monitor
}
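The same IFEO/SilentProcessExit pairing the script writes is also a well-known persistence location, so a defender wants to see what is currently armed and be able to roll it back cleanly. The script below is an added example, not part of the gist: it enumerates every SilentProcessExit monitor, checks whether the matching IFEO GlobalFlag bit (0x200) is actually set, flags which ones point at a canarytokens.com hostname, and removes the keys for a given list of executables without clobbering other GlobalFlag bits. Function names and the `IsCanarytoken` heuristic are my own.

```powershell
#Requires -RunAsAdministrator
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$speRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
$FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200   # the GlobalFlag value the gist sets as 512

function Get-SilentExitMonitor {
    # One object per executable that has a SilentProcessExit subkey (added helper).
    if (-not (Test-Path $speRoot)) { return }
    Get-ChildItem -Path $speRoot | ForEach-Object {
        $exe  = $_.PSChildName
        $spe  = Get-ItemProperty -Path $_.PSPath
        $ifeo = Get-ItemProperty -Path (Join-Path $ifeoRoot $exe) -ErrorAction SilentlyContinue
        $flag = [int]($ifeo.GlobalFlag)   # 0 when the IFEO key or value is missing
        [pscustomobject]@{
            Executable     = $exe
            ReportingMode  = $spe.ReportingMode
            MonitorProcess = $spe.MonitorProcess
            # Only fires if the IFEO bit is set AND a monitor command is present.
            Armed          = (($flag -band $FLG_MONITOR_SILENT_PROCESS_EXIT) -ne 0) -and
                             -not [string]::IsNullOrEmpty($spe.MonitorProcess)
            # Heuristic: does the monitor command call home to a Canarytokens hostname?
            IsCanarytoken  = ($spe.MonitorProcess -match 'canarytokens\.com')
        }
    }
}

function Remove-SilentExitMonitor {
    # Roll back the keys the gist created for the named executables (added helper).
    param([Parameter(Mandatory)][string[]]$Executable)
    foreach ($exe in $Executable) {
        $speKey  = Join-Path $speRoot $exe
        $ifeoKey = Join-Path $ifeoRoot $exe
        if (Test-Path $speKey) { Remove-Item -Path $speKey -Recurse -Force }
        if (Test-Path $ifeoKey) {
            # Clear only the silent-exit bit; leave any other GlobalFlag bits untouched.
            $cur = [int]((Get-ItemProperty -Path $ifeoKey).GlobalFlag)
            $new = $cur -band (-bnot $FLG_MONITOR_SILENT_PROCESS_EXIT)
            if ($new -eq 0) { Remove-ItemProperty -Path $ifeoKey -Name GlobalFlag -ErrorAction SilentlyContinue }
            else            { Set-ItemProperty -Path $ifeoKey -Name GlobalFlag -Value $new }
            # Drop the IFEO key only if nothing else (e.g. a Debugger value) is stored under it.
            $left = Get-ItemProperty -Path $ifeoKey | Get-Member -MemberType NoteProperty |
                    Where-Object { $_.Name -notmatch '^PS' }
            if (-not $left) { Remove-Item -Path $ifeoKey -Force }
        }
    }
}

Get-SilentExitMonitor | Format-Table -AutoSize
# Remove-SilentExitMonitor -Executable 'nltest.exe','systeminfo.exe'   # rollback for the gist's entries
```

Any entry that is Armed but not IsCanarytoken deserves a closer look, since nothing in this key layout distinguishes a deliberate token from an unwanted persistence hook.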