@thomjs
thomjs / check_rootkit.ps1
Created Apr 16, 2020
an incident response script for checking for kernel driver rootkits.
# Default Check (where KDU writes by default)
write-host -ForegroundColor green "Checking Default Location"
$discoveries = @()
gi "HKLM:\" | % {
    $parent = $_.PSPath
    # Walk every value under this key. A value whose first two bytes are
    # 'M' (77) 'Z' (90) and that is longer than 100 bytes looks like an
    # embedded PE image (a driver) rather than ordinary configuration data.
    (gp $_.PSPath).PSObject.Properties | % {
        if ($_.Value[0] -eq 77 -and $_.Value[1] -eq 90 -and $_.Value.Length -gt 100) {
            write-host -ForegroundColor red "Discovered a potential driver rootkit embedded in registry: "
            write-host -ForegroundColor red "$parent$($_.Name)"
            $discoveries += "$parent$($_.Name)"
        }
    }
}
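As an added example (not part of thomjs's gist), the same "MZ at offset 0 and longer than 100 bytes" heuristic in Python over constructed registry-like values, alongside a stricter variant that follows e_lfanew to the PE signature so that a REG_SZ value which merely starts with "MZ" is not reported. The key paths and value names below are constructed samples, not data from any host.

```python
import struct

MIN_LEN = 100                 # size threshold used by the gist
MZ, PE_SIG = b"MZ", b"PE\0\0"

def reg_value_bytes(value) -> bytes:
    """REG_BINARY stays bytes, REG_SZ is encoded; DWORD/QWORD/None cannot hold an image."""
    if isinstance(value, (bytes, bytearray)):
        return bytes(value)
    if isinstance(value, str):
        return value.encode("latin-1", "replace")
    return b""

def gist_heuristic(data: bytes) -> bool:
    """The check in check_rootkit.ps1: first bytes 'M' (77) 'Z' (90), length > 100."""
    return len(data) > MIN_LEN and data[:2] == MZ

def strict_pe_check(data: bytes) -> bool:
    """Also follow e_lfanew (offset 0x3C) to 'PE\\0\\0', so a REG_SZ that merely starts with "MZ" is not flagged."""
    if not gist_heuristic(data) or len(data) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIG

def scan_keys(keys: dict, strict: bool = True) -> list:
    """keys maps a registry key path to its {value_name: value} dict; returns the
    'key\\value' paths whose data looks like an embedded PE image."""
    check = strict_pe_check if strict else gist_heuristic
    return [key.rstrip("\\") + "\\" + name
            for key, values in keys.items()
            for name, value in values.items() if check(reg_value_bytes(value))]

def fake_pe(size: int = 512) -> bytes:
    """Constructed stand-in for a driver image: MZ header and e_lfanew -> PE\\0\\0."""
    buf = bytearray(size)
    buf[:2] = MZ
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew points at offset 0x80
    buf[0x80:0x84] = PE_SIG
    return bytes(buf)

# Constructed sample values (not from any real host): one embedded image, one REG_SZ
# that happens to start with "MZ", one large non-PE blob and one DWORD.
SAMPLE_KEYS = {
    "HKLM:\\": {"Payload": fake_pe(), "Note": "MZ" + "A" * 200, "Count": 5},
    "HKLM:\\SOFTWARE\\Example": {"Blob": b"\x00" * 300},
}

if __name__ == "__main__":
    print("gist heuristic :", scan_keys(SAMPLE_KEYS, strict=False))  # flags Payload and Note
    print("strict PE check:", scan_keys(SAMPLE_KEYS, strict=True))   # flags Payload only
```

The loose heuristic is kept only to show what the gist reports; on a live host the strict check is the one worth running over values read with the winreg module.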