Add files via upload

Binaries/readme.txt

@@ -0,0 +1 @@
+This folder needs to contain any binaries necessary for specific Campaigns. As an example, the ARPCache module requires autorunsc.exe and autorunsc64.exe.

Modules/ARPCache.ps1

@@ -0,0 +1,21 @@
+# Identifies changes to the default gateway's ARP cache [Forces: diff]
+function Campaign-ARPCache {
+    if(Test-Path -Path "$OutputDirectory\arpcache.txt"){
+        $previous_mac = Get-Content -Path "$OutputDirectory\arpcache.txt"
+        $previous_mac = [regex]::match($previous_mac,'([0-9a-fA-F]{2}[:-]){5}([0-9a-fA-F]{2})').Groups[0].Value
+    } else {
+        $previous_mac = ""
+    }
+    $gateway = Get-Gateway
+    $output = (arp -a | findstr $gateway) | Out-String
+    $mac = [regex]::match($output,'([0-9a-fA-F]{2}[:-]){5}([0-9a-fA-F]{2})').Groups[0].Value
+    if($previous_mac -eq ""){
+        $mac | Out-File "$OutputDirectory\arpcache.txt"
+    } else {
+        if($mac -ne $previous_mac){
+            Generate-Log $Campaign 1 "MAC address of default gateway has changed - Possible ARP Cache Poisoning attack"
+        } elseif ($AlwaysOutput){
+            Generate-Log $Campaign 0 "Gateway MAC address has not changed"
+        }
+    }
+}

Modules/Autoruns.ps1

@@ -0,0 +1,39 @@
+# Runs Microsoft Sysinternals Autoruns and logs results [Supports: diff]. Has prerequisite
+# Prerequisite - You must have autorunsc.exe downloaded and in the binary folder
+function Campaign-Autoruns {
+    if($script:Architecture -eq "AMD64"){
+        $path = "$script:LogCampaignDirectory\Binaries\autorunsc64.exe"
+    } else {
+        $path = "$script:LogCampaignDirectory\Binaries\autorunsc.exe"
+    }
+    $script:OutputDirectory = "E:\Dropbox\Dropbox\SEC555\scripts\log_campaign"
+    if(Test-Path -Path $path){
+        #Remove-Item -Force -Path "$script:OutputDirectory\autoruns.csv.old" -ErrorAction SilentlyContinue | Out-Null
+        if(Test-Path -Path "$script:OutputDirectory\autoruns.csv"){
+            Move-Item -Force -Path "$script:OutputDirectory\autoruns.csv" -Destination "$script:OutputDirectory\autoruns.csv.old"
+            $PreviousAutoruns = Import-Csv -Path "$script:OutputDirectory\autoruns.csv.old" -Delimiter "`t"
+        }
+        & $path "-ct" "-o" "$script:OutputDirectory\autoruns.csv" "-h" "-s" "-t"
+        $CurrentAutoruns = Import-Csv -Path "$script:OutputDirectory\autoruns.csv" -Delimiter "`t"
+        if($script:Diff){
+            $content = Compare-Object -ReferenceObject $CurrentAutoruns -DifferenceObject $PreviousAutoruns -PassThru | Where-Object { $_.SideIndicator -eq '<=' }
+        } else {
+            $content = $CurrentAutoruns
+        }
+        foreach($record in $content){
+            $record.PSObject.Properties.Remove('SideIndicator')
+            if($script:LogType -eq "text"){
+                $Log = $record | ConvertTo-Csv -Delimiter "`t"
+            }
+            if($script:LogType -eq "json"){
+                $Log = $record | ConvertTo-Json -Compress
+            }
+            if($Debug){
+                $Log
+            }
+            Generate-Log "Autoruns" 0 $Log
+        }
+    } else {
+        Write-Host "autorunsc.exe not found in Binaries folder. Unable to run campaign"
+    }
+}

Modules/MultipleGateways.ps1

@@ -0,0 +1,8 @@
+# Identifies if a device has more than one gateway
+function Campaign-MultipleGateways {
+    if((Get-Gateway).Count -ge 2){
+        Generate-Log $Campaign 1 "Multiple default routes found - Possible dual-homed device found"
+    } elseif ($AlwaysOutput){
+        Generate-Log $Campaign 0 "Device does not have multiple default routes"
+    }
+}