An incident-response script that checks the registry for kernel-driver rootkits.
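# Scans the HKLM hive for registry values that hold a PE image (a blob that
# starts with the "MZ" DOS header), the way KDU-style loaders stage a kernel
# driver in the registry. Read-only; run from an elevated session so that as
# few keys as possible are skipped for access-denied (skipped keys are not
# reported, so a clean run is evidence, not proof, of absence).
#
# Detection rule (same as the original heuristic): the value is REG_BINARY,
# its first two bytes are 0x4D 0x5A ("MZ") and it is longer than $MinPeLength.
# Any PE stored in a value matches (.exe, .dll, .sys), so every hit needs a
# manual look before it is treated as a rootkit.

$MinPeLength = 100

# Returns $true when a single registry property looks like an embedded PE.
# Only System.Byte[] values are considered: without the type check a string
# value starting with "MZ" would also match, because [char]'M' -eq 77 is
# $true under PowerShell's comparison rules.
function Test-EmbeddedPE {
    param([psobject]$Property)
    if ($Property.TypeNameOfValue -ne 'System.Byte[]') { return $false }
    $bytes = $Property.Value
    # Length is checked first so short/empty blobs never reach the index lookups.
    return ($bytes.Length -gt $MinPeLength -and $bytes[0] -eq 77 -and $bytes[1] -eq 90)
}

# Inspects every value under one key and returns the full "key\value" path of
# each hit. -LiteralPath is used so key names containing wildcard characters
# ([, ], *, ?) are read as-is instead of being expanded as a pattern.
function Find-EmbeddedPE {
    param([string]$KeyPath)
    $hits = @()
    $item = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $hits }   # unreadable key: skipped, see header note
    foreach ($prop in $item.PSObject.Properties) {
        if (Test-EmbeddedPE $prop) {
            $hits += ($KeyPath.TrimEnd('\') + '\' + $prop.Name)
        }
    }
    return $hits
}

# Records and prints one finding.
function Report-Hit {
    param([string]$ValuePath)
    Write-Host -ForegroundColor red "Discovered a potential driver rootkit embedded in registry: "
    Write-Host -ForegroundColor red $ValuePath
    $script:discoveries.Add($ValuePath)
}

$discoveries = New-Object System.Collections.Generic.List[string]

# Default Check (where KDU writes by default)
Write-Host -ForegroundColor green "Checking Default Location"
Get-Item "HKLM:\" | ForEach-Object {
    foreach ($hit in (Find-EmbeddedPE $_.PSPath)) { Report-Hit $hit }
}

# Deep Recursive Check (in case an attacker modified it)
Write-Host -ForegroundColor green "Checking Recursively... this can take a while so go grab a coffee..."
# Get-ChildItem already yields the key objects, so no second Get-Item is needed.
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\" -Recurse -ErrorAction Ignore | ForEach-Object {
    $keyPath = $_.PSPath
    Write-Host -ForegroundColor gray "Currently inside $keyPath"
    foreach ($hit in (Find-EmbeddedPE $keyPath)) { Report-Hit $hit }
}

# Reporting
Write-Host -ForegroundColor yellow "COMPLETED"
# Note: `$discoveries -eq @()` never evaluates to $true in PowerShell (array
# comparison yields a filtered array, which is falsy), so the count is tested.
if ($discoveries.Count -eq 0) {
    Write-Host -ForegroundColor green "NO ROOTKITS DISCOVERED."
} else {
    Write-Host -ForegroundColor red "Please check the following registry keys for possible PE data such as .exe or .sys."
    foreach ($entry in $discoveries) { Write-Host -ForegroundColor red $entry }
}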