Created
April 29, 2024 23:29
-
-
Save thinkst-cs/37983b25175946a541a926646d790c75 to your computer and use it in GitHub Desktop.
RATPACK - DFIR Common exes - Single Script to setup and alert on any of them executing on an endpoint
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# List of apps to monitor execution. | |
$monitoredApp = @("nltest.exe","systeminfo.exe","adfind.exe","wmic.exe", "klist.exe") | |
# | |
## If we need Process Details use = $pn=$(Get-WmiObject win32_process -Filter ''ProcessID = %e'' | select ProcessName,PrcessID, CommandLine etc..) | |
<# | |
Sample Use: | |
1. Create a Sensitive Command Token - Either in your customer console or online canarytokens.org | |
2. Modify Domain in line 12 | |
#> | |
foreach ($cmd in $monitoredApp) | |
{ | |
$cmd_trim = $cmd -replace ".{4}$" | |
$monitor = 'cmd.exe /c start /min powershell.exe -windowstyle hidden -command "$($u=$(\"u$env:username\" -replace(''[^a-zA-Z0-9\-]+'', ''''))[0..63] -join '''';$c=$(\"c$env:computername\" -replace(''[^a-zA-Z0-9\-]+'', ''''))[0..63] -join '''';'+' Resolve-DnsName -Name \"$c.UN.$u-'+$cmd_trim+'.CMD.EXAMPLE.canarytokens.com\")"' | |
Write-Host $cmd_trim -ForegroundColor Green | |
New-Item -Force -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$cmd" | Out-Null | |
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$cmd" -Name GlobalFlag -Value 512 | |
New-Item -Force -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$cmd" | Out-Null | |
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$cmd" -Name ReportingMode -Value 1 | |
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\$cmd" -Name MonitorProcess -Value $monitor | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment