<#
.SYNOPSIS
Get-LOG-MD_AutoRuns_Hourly_Task.ps1 creates an hourly task to run LOG-MD AutoRuns feature.
- Runs LOG-MD -ar -o $ARTHIR_OutputDir
Use the following to record the module's applicability to the MITRE ATT&CK Framework
MITRE ATT&CK Technique IDs:
This script does depend on IMF Security's LOG-MD.exe, which is not
packaged with ARTHIR. You will have to purchase and download it from LOG-MD.com and
drop it in the .\Modules\bin\ directory. When you run ARTHIR.ps1, if you
add the -Pushbin switch at the command line, ARTHIR.ps1 will attempt to
copy the LOG-MD.exe binary to each remote target's ADMIN$ share and then move it
to the folder you specify below.
Scheduled Task:
---------------
This module will create a scheduled task at the date and time you want it to begin
and then each hour, every day it will run placing the Report files into the
output folder you specify below.
CLEANUP:
--------
Use the cleanup module "Get-Log-MD_z_Cleanup_Tasks_All.ps1" to remove all
the LOG-MD scheduled tasks that you specify in that module.
MITRE ATT&CK Technique IDs: none
Adjust the variables to what you want to do with each item:
$Tool_Name Name of the tool that you will use
$ARTHIR_OutputDir Set to the directory where the module's results are stored for harvesting
$ARTHIR_ReportName What to name the report. Match this to DOWNLOAD
$TaskName Name of the Task
$TaskDescr Description of the Scheduled Task
$TaskStartTime When you want the task to start ("2018-03-03T14:55:00")
$WriteEventLogEntry Create an event log entry that this module ran 'Yes' or 'No'
$EventSource The event source name used when the entry is written to the Application log (default is ARTHIR)
$Event_ID What event ID to use in the log entry
.NOTES
The following lines are required by ARTHIR.ps1. They are directives that
tell ARTHIR how to treat the output of this script and where to find the
binary that this script depends on.
BINDEP .\Modules\bin\Log-MD.exe
DOWNLOAD C:\Program Files\LMD\Results\*Report_Task_Created.txt
#>
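# Paths handed to a scheduled task must not contain spaces; if your install folder does,
# use its 8.3 short name (e.g. C:\Progra~1 for C:\Program Files) as is done below.
#
# Edit the following variables to match the names and locations you want to use to store LOG-MD
#
# Name of the tool binary (the BINDEP directive above tells ARTHIR which file to push)
$Tool_Name = "LOG-MD.exe"
# Where LOG-MD resides once it has been moved out of $env:SystemRoot
$ARTHIR_Dir = "C:\Progra~1\LMD"
# Where the results/reports will be stored (keep in step with the DOWNLOAD directive above)
$ARTHIR_OutputDir = "C:\Progra~1\LMD\Results"
# Name of the report that records whether the task was created successfully
$ARTHIR_ReportName = "Report_Task_Created.txt"
# Name of the system, prefixed to the report file name
$SysName = $env:computername
# The name of the scheduled task (also used to find and delete a previous copy)
$TaskName = "Test_LOG-MD-AutoRuns Hourly"
# Description of the scheduled task
$TaskDescr = "Create a LOG-MD Hourly Check for Autoruns Task"
# The date and time you want the task to start to run each day and hour (e.g 2pm or 14:00:00)
$TaskStartTime = "2019-03-03T14:55:00"
# Full path of the executable the task runs. An absolute path is used so the task
# (which is registered to run as SYSTEM) always executes the copy in $ARTHIR_Dir rather
# than whatever a search of the current directory or PATH happens to find first.
$TaskCommand = "$ARTHIR_Dir\$Tool_Name"
# The Task Action command argument (-ar = the LOG-MD AutoRuns report)
$TaskArg = "-ar"
# Write a log entry to the Application log ('Yes' or 'No')
$WriteEventLogEntry = "Yes"
# Event source and event ID used for that entry
$EventSource = "ARTHIR"
$Event_ID = "1337"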
#
# Make sure the report folder exists; create it when it is missing
#
if (-not (Test-Path $ARTHIR_OutputDir)) {
    New-Item -Path $ARTHIR_OutputDir -ItemType Directory
} else {
    Write-Output $ARTHIR_OutputDir "already exists"
}
#
# Move $Tool_Name (dropped in the Windows directory via the ADMIN$ share) into $ARTHIR_Dir
#
$toolSource = Join-Path $env:SystemRoot $Tool_Name
Move-Item -Path $toolSource -Destination $ARTHIR_Dir -Force
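#
# Remove any existing task with the same name before registering a fresh one.
# Only the root task folder ("\") is searched, and GetTasks(0) does not enumerate hidden tasks.
#
$ReportPath = "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
$schedule = New-Object -ComObject "Schedule.Service"
$schedule.Connect()
$tasks = $schedule.GetFolder("\").GetTasks(0)
# Evaluate the lookup once; the outcome is recorded in the report file, not echoed to the console
$existingTask = $tasks | Where-Object { $_.Name -eq $TaskName }
if ($existingTask) {
    SchTasks.exe /Delete /TN $TaskName /F | Out-File -FilePath $ReportPath
} else {
    Write-Output $TaskName "$TaskName does not already exist on the system" | Out-File -FilePath $ReportPath
}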
#
# Create Schedule Task to run Autoruns Hourly
#
# attach the Task Scheduler com object
$service = new-object -ComObject("Schedule.Service")
$service.Connect()
$rootFolder = $service.GetFolder("\")
# NewTask(0): the flags argument is reserved and must be 0
$TaskDefinition = $service.NewTask(0)
$TaskDefinition.RegistrationInfo.Description = "$TaskDescr"
$TaskDefinition.Settings.Enabled = $true
$TaskDefinition.Settings.AllowDemandStart = $true
# RunLevel 1 = TASK_RUNLEVEL_HIGHEST; together with the "System" principal registered below,
# the task runs with full LocalSystem privileges
$TaskDefinition.Principal.RunLevel = 1
# Stop a run that exceeds two hours (ISO 8601 duration)
$TaskDefinition.Settings.ExecutionTimeLimit = 'PT2H'
$triggers = $TaskDefinition.Triggers
# Trigger type 2 = TASK_TRIGGER_DAILY; the hourly cadence comes from the repetition interval below
$trigger = $triggers.Create(2)
$trigger.repetition.Interval = 'PT60M'
$trigger.StartBoundary = $TaskStartTime
$trigger.Enabled = $true
$trigger.ExecutionTimeLimit = 'PT2H'
# Action type 0 = TASK_ACTION_EXEC (run an executable)
$Action = $TaskDefinition.Actions.Create(0)
# NOTE(review): Path is used exactly as $TaskCommand supplies it; an absolute path is preferable
# so a SYSTEM-level task never relies on directory/PATH search order to locate the binary
$action.Path = "$TaskCommand"
$action.Arguments = "$TaskArg"
$action.WorkingDirectory = $ARTHIR_Dir
# Flags 6 = TASK_CREATE_OR_UPDATE (replaces a task of the same name); user "System" with
# logon type 5 = TASK_LOGON_SERVICE_ACCOUNT. The returned registered-task object is emitted to the pipeline.
$rootFolder.RegisterTaskDefinition("$TaskName",$TaskDefinition,6,"System",$null,5)
#
# Append the registered task's details to the report as evidence it was created
#
$ReportPath = "$ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName"
& schtasks.exe /query /FO TABLE /TN $TaskName | Out-File -FilePath $ReportPath -Append
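#
# Write log entry (skipped when $WriteEventLogEntry is 'No').
# A plain 'if' is used instead of a top-level 'Break': outside a loop, PowerShell's break
# unwinds to the nearest enclosing loop up the call stack, so it could silently abort a
# loop in whatever host invokes this module. The source is registered only when missing and
# the entry is written once, instead of duplicating the Write-EventLog call in two branches.
#
If ($WriteEventLogEntry -ne 'No') {
    # NOTE(review): SourceExists reads every event log's registry key and can throw for a
    # non-elevated caller; this module is expected to run elevated (it registers a SYSTEM task)
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Added Task AutoRuns Hourly by Arthir'
}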