From 4f8e527c8976bd10f642a00c1d75138780b93d29 Mon Sep 17 00:00:00 2001 From: Justin Henderson Date: Thu, 29 Nov 2018 08:26:27 -0800 Subject: [PATCH] Add files via upload --- Binaries/readme.txt | 1 + Modules/ARPCache.ps1 | 21 +++++++++++++++++++ Modules/Autoruns.ps1 | 39 ++++++++++++++++++++++++++++++++++++ Modules/MultipleGateways.ps1 | 8 ++++++++ 4 files changed, 69 insertions(+) create mode 100644 Binaries/readme.txt create mode 100644 Modules/ARPCache.ps1 create mode 100644 Modules/Autoruns.ps1 create mode 100644 Modules/MultipleGateways.ps1
diff --git a/Binaries/readme.txt b/Binaries/readme.txt
new file mode 100644
index 0000000..c7bd88e
--- /dev/null
+++ b/Binaries/readme.txt
@@ -0,0 +1 @@
+This folder needs to contain any binaries necessary for specific Campaigns. As an example, the ARPCache module requires autorunsc.exe and autorunsc64.exe.
\ No newline at end of file
diff --git a/Modules/ARPCache.ps1 b/Modules/ARPCache.ps1
new file mode 100644
index 0000000..5e3ba3b
--- /dev/null
+++ b/Modules/ARPCache.ps1
@@ -0,0 +1,21 @@
+# Identifies changes to the default gateway's ARP cache [Forces: diff]
+function Campaign-ARPCache {
+ if(Test-Path -Path "$OutputDirectory\arpcache.txt"){
+ $previous_mac = Get-Content -Path "$OutputDirectory\arpcache.txt"
+ $previous_mac = [regex]::match($previous_mac,'([0-9a-fA-F]{2}[:-]){5}([0-9a-fA-F]{2})').Groups[0].Value
+ } else {
+ $previous_mac = ""
+ }
+ $gateway = Get-Gateway
+ $output = (arp -a | findstr $gateway) | Out-String
+ $mac = [regex]::match($output,'([0-9a-fA-F]{2}[:-]){5}([0-9a-fA-F]{2})').Groups[0].Value
+ if($previous_mac -eq ""){
+ $mac | Out-File "$OutputDirectory\arpcache.txt"
+ } else {
+ if($mac -ne $previous_mac){
+ Generate-Log $Campaign 1 "MAC address of default gateway has changed - Possible ARP Cache Poisoning attack"
+ } elseif ($AlwaysOutput){
+ Generate-Log $Campaign 0 "Gateway MAC address has not changed"
+ }
+ }
+}
\ No newline at end of file
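Review bot: `findstr $gateway` on the `$output =` line is a substring match, so an ARP entry for any address that contains the gateway's text (constructed example: a gateway of 10.0.0.1 also matches 10.0.0.10 and 10.0.0.100) can come first in the output, and `[regex]::match` then returns that host's MAC instead of the gateway's, producing spurious "MAC address of default gateway has changed" alerts or masking a real change. Anchoring on the address column avoids this: `$output = arp -a | Select-String -Pattern "^\s*$([regex]::Escape($gateway))\s" | Out-String`. When the gateway has no ARP entry at all, `$mac` is empty and the `-ne` comparison reports a change against the stored baseline, so a guard such as `if($mac -eq ""){ Generate-Log $Campaign 0 "Gateway not present in ARP cache"; return }` placed before the comparison keeps that case out of the alert path. This function reads `$OutputDirectory` while Campaign-Autoruns in the same commit reads `$script:OutputDirectory`; whichever one the caller sets, the two modules should agree. Get-Gateway and Generate-Log are defined outside this hunk, so whether Get-Gateway can return more than one address (which Campaign-MultipleGateways suggests) could not be checked here.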
diff --git a/Modules/Autoruns.ps1 b/Modules/Autoruns.ps1
new file mode 100644
index 0000000..3f2b9f0
--- /dev/null
+++ b/Modules/Autoruns.ps1
@@ -0,0 +1,39 @@
+# Runs Microsoft Sysinternals Autoruns and logs results [Supports: diff]. Has prerequisite
+# Prerequisite - You must have autorunsc.exe downloaded and in the binary folder
+function Campaign-Autoruns {
+ if($script:Architecture -eq "AMD64"){
+ $path = "$script:LogCampaignDirectory\Binaries\autorunsc64.exe"
+ } else {
+ $path = "$script:LogCampaignDirectory\Binaries\autorunsc.exe"
+ }
+ $script:OutputDirectory = "E:\Dropbox\Dropbox\SEC555\scripts\log_campaign"
+ if(Test-Path -Path $path){
+ #Remove-Item -Force -Path "$script:OutputDirectory\autoruns.csv.old" -ErrorAction SilentlyContinue | Out-Null
+ if(Test-Path -Path "$script:OutputDirectory\autoruns.csv"){
+ Move-Item -Force -Path "$script:OutputDirectory\autoruns.csv" -Destination "$script:OutputDirectory\autoruns.csv.old"
+ $PreviousAutoruns = Import-Csv -Path "$script:OutputDirectory\autoruns.csv.old" -Delimiter "`t"
+ }
+ & $path "-ct" "-o" "$script:OutputDirectory\autoruns.csv" "-h" "-s" "-t"
+ $CurrentAutoruns = Import-Csv -Path "$script:OutputDirectory\autoruns.csv" -Delimiter "`t"
+ if($script:Diff){
+ $content = Compare-Object -ReferenceObject $CurrentAutoruns -DifferenceObject $PreviousAutoruns -PassThru | Where-Object { $_.SideIndicator -eq '<=' }
+ } else {
+ $content = $CurrentAutoruns
+ }
+ foreach($record in $content){
+ $record.PSObject.Properties.Remove('SideIndicator')
+ if($script:LogType -eq "text"){
+ $Log = $record | ConvertTo-Csv -Delimiter "`t"
+ }
+ if($script:LogType -eq "json"){
+ $Log = $record | ConvertTo-Json -Compress
+ }
+ if($Debug){
+ $Log
+ }
+ Generate-Log "Autoruns" 0 $Log
+ }
+ } else {
+ Write-Host "autorunsc.exe not found in Binaries folder. Unable to run campaign"
+ }
+}
\ No newline at end of file
diff --git a/Modules/MultipleGateways.ps1 b/Modules/MultipleGateways.ps1
new file mode 100644
index 0000000..086aab3
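Review bot: The line `$script:OutputDirectory = "E:\Dropbox\Dropbox\SEC555\scripts\log_campaign"` hard-codes a developer-local path and overwrites whatever output directory the caller configured, so on any other machine autorunsc writes into a non-existent folder and the following `Import-Csv` fails; it reads as leftover test setup and should be deleted, and the commented-out Remove-Item just below it likely belongs with it. When `$script:Diff` is set on the first run, no autoruns.csv exists yet, `$PreviousAutoruns` is never assigned, and `Compare-Object -DifferenceObject $null` throws instead of reporting the full baseline; `if($script:Diff -and $PreviousAutoruns){` falls back to the full listing in that case. The missing-binary branch reports through `Write-Host`, so that failure never reaches the destination that `Generate-Log` feeds, while the other modules in this commit log their status through Generate-Log and this one should too. Separately, Binaries/readme.txt in this commit attributes the autorunsc.exe prerequisite to the ARPCache module, but it is this module that needs it.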
--- /dev/null
+++ b/Modules/MultipleGateways.ps1
@@ -0,0 +1,8 @@
+# Identifies if a device has more than one gateway
+function Campaign-MultipleGateways {
+ if((Get-Gateway).Count -ge 2){
+ Generate-Log $Campaign 1 "Multiple default routes found - Possible dual-homed device found"
+ } elseif ($AlwaysOutput){
+ Generate-Log $Campaign 0 "Device does not have multiple default routes"
+ }
+}
\ No newline at end of file
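Review bot: `(Get-Gateway).Count -ge 2` relies on Get-Gateway returning a collection; if it returns a single string, `.Count` exists only through the PowerShell 3+ scalar extension and is `$null` on PowerShell 2, which makes the test false for the wrong reason rather than by design. Wrapping the call, `if(@(Get-Gateway).Count -ge 2){`, gives a defined count for both the scalar and the array case. Get-Gateway is defined outside this hunk, so its return shape could not be confirmed here. The header comment could also carry the `[Forces: diff]` / `[Supports: diff]` tag the other two modules in this commit use, or state explicitly that this check is stateless, so the tag scheme is applied consistently across Modules.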