
Merge pull request #1 from olafhartong/master

changed commands to best practice
MalwareArchaeology committed Mar 24, 2019
2 parents a39ec02 + c50ad8b commit 278fe43366158488085261649c767dfaaa28e5f1
@@ -436,7 +436,7 @@ Param(
if (Test-Path($Modconf)) {
Write-Verbose "Found ${Modconf}."
# ARTHIR - ignore blank and commented lines, trim misc. white space
Get-Content $Modconf | Foreach-Object { $_.Trim() } | ? { $_ -gt 0 -and (!($_.StartsWith("#"))) } | Foreach-Object { $Module = $_
Get-Content $Modconf | Foreach-Object { $_.Trim() } | Where-Object { $_ -gt 0 -and (!($_.StartsWith("#"))) } | Foreach-Object { $Module = $_
# ARTHIR - verify listed modules exist
$ModuleScript = ($Module -split " ")[0]
$ModuleArgs = ($Module -split [regex]::escape($ModuleScript))[1].Trim()
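Review bot: `$_ -gt 0` on the new filter line is a string comparison, not a length check — PowerShell converts the right operand to the left operand's type, so each trimmed line is compared against the string "0", and a non-empty line that sorts below "0" (one beginning with certain punctuation, for instance) would presumably be dropped from the module list without any message. The intended blank-line test is `Where-Object { $_.Length -gt 0 -and -not $_.StartsWith("#") }`. The same filter expression appears in the Analysis.conf hunk at `@@ -1163,7 +1163,7 @@` and should be changed there too. The enclosing `if (Test-Path($Modconf))` block continues past the end of the hunk.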
@@ -464,7 +464,7 @@ Param(
function Load-AD {
# ARTHIR - no targets provided so we'll query AD to build it, need to load the AD module
Write-Debug "Entering $($MyInvocation.MyCommand)"
if (Get-Module -ListAvailable | ? { $_.Name -match "ActiveDirectory" }) {
if (Get-Module -ListAvailable | Where-Object { $_.Name -match "ActiveDirectory" }) {
$Error.Clear()
Import-Module ActiveDirectory
if ($Error) {
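Review bot: `$Error.Clear()` followed by `if ($Error)` detects an import failure by wiping the session-wide error history, which also discards earlier errors a caller may still want to inspect. A scoped check avoids that side effect: `Import-Module ActiveDirectory -ErrorVariable importErr` and then `if ($importErr) {`. On the new line, `-match "ActiveDirectory"` is a regex substring test that would also accept any module whose name merely contains that text; `Get-Module -ListAvailable -Name ActiveDirectory` pins the exact module. Load-AD continues outside the hunk.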
@@ -801,7 +801,7 @@ Param(
{
$dir = Split-Path -Path $file
$dirLength = $dir.length
$RemoteFiles = Invoke-Command -Session $PSSession -ScriptBlock {Get-ChildItem $using:file -rec | where { ! $_.PSIsContainer }}
$RemoteFiles = Invoke-Command -Session $PSSession -ScriptBlock {Get-ChildItem $using:file -rec | Where-Object { ! $_.PSIsContainer }}
foreach ($RemoteFile in $RemoteFiles)
{
$FilePath = $OutputPath+$ModuleName+"\"+$PSSession.ComputerName+"\"+([string]$RemoteFile.FullName).Substring($dirLength+1)
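Review bot: `Get-ChildItem $using:file -rec` on the new line runs without `-Force`, so hidden and system files under the collection path are not enumerated and will be missing from the copied set, which matters for an artifact-collection run; `Get-ChildItem -Path $using:file -Recurse -Force | Where-Object { -not $_.PSIsContainer }` includes them. The local destination on the last line is assembled by string concatenation from `$RemoteFile.FullName`, a value supplied by the remote session; building it with `Join-Path` and checking that the result still resolves under `$OutputPath` would make that trust boundary explicit. `Substring($dirLength+1)` presumably assumes every FullName starts with `$dir` verbatim — verify the case where `$file` is given as a relative path or with different casing. The enclosing block starts before the hunk.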
@@ -1163,7 +1163,7 @@ Param(

if (Get-Command -Name Logparser.exe) {
$AnalysisScripts = @()
$AnalysisScripts = Get-Content "$StartingPath\Analysis\Analysis.conf" | Foreach-Object { $_.Trim() } | ? { $_ -gt 0 -and (!($_.StartsWith("#"))) }
$AnalysisScripts = Get-Content "$StartingPath\Analysis\Analysis.conf" | Foreach-Object { $_.Trim() } | Where-Object { $_ -gt 0 -and (!($_.StartsWith("#"))) }

$AnalysisOutPath = $OutputPath + "\AnalysisReports\"
[void] (New-Item -Path $AnalysisOutPath -ItemType Directory -Force)
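Review bot: `Get-Command -Name Logparser.exe` writes a non-terminating error when the executable is absent, so the else path is only reached after error-stream noise; `if (Get-Command -Name Logparser.exe -ErrorAction SilentlyContinue) {` keeps the probe silent. The `$AnalysisScripts = @()` assignment immediately above the new line is overwritten by it and can be dropped. The enclosing block continues past the hunk.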
@@ -92,9 +92,9 @@ if (Test-Path $ARTHIR_OutputDir) {
$schedule = new-object -com("Schedule.Service")
$schedule.connect()
$tasks = $schedule.getfolder("\").gettasks(0)
$tasks | select Name | ? { $_.Name -eq $TaskName }
$tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }
#
if ($tasks | select Name | ? { $_.Name -eq $TaskName }) {
if ($tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }) {
SchTasks.exe /Delete /TN $TaskName /F | out-file -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
} else {
Write-Output $TaskName "$TaskName does not already exist on the system" | out-file -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
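Review bot: The first new line, `$tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }`, is neither assigned nor redirected, so any matching task object is emitted to the script's output stream — presumably harmless interactively, but it will be returned to the caller when the module is dispatched remotely; either drop the line or pipe it into the report file like the surrounding statements. `Select-Object Name` ahead of the filter is redundant because the condition only reads `.Name`; `if ($tasks | Where-Object { $_.Name -eq $TaskName }) {` is equivalent. `gettasks(0)` enumerates only the root task folder and omits the hidden-task enumeration flag, so a same-named task in a subfolder or marked hidden would not be found here — confirm that matches how the task is created. The identical pattern recurs in the hunks at `@@ -90,9`, `@@ -88,9` (both), `@@ -99,10`, `@@ -112,10`, `@@ -113,10`, `@@ -123,10`, `@@ -98,10` and `@@ -110,10`.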
@@ -90,9 +90,9 @@ if (Test-Path $ARTHIR_OutputDir) {
$schedule = new-object -com("Schedule.Service")
$schedule.connect()
$tasks = $schedule.getfolder("\").gettasks(0)
$tasks | select Name | ? { $_.Name -eq $TaskName }
$tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }
#
if ($tasks | select Name | ? { $_.Name -eq $TaskName }) {
if ($tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }) {
SchTasks.exe /Delete /TN $TaskName /F | out-file -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
} else {
Write-Output $TaskName "$TaskName does not already exist on the system" | out-file -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
@@ -88,9 +88,9 @@ if (Test-Path $ARTHIR_OutputDir) {
$schedule = new-object -com("Schedule.Service")
$schedule.connect()
$tasks = $schedule.getfolder("\").gettasks(0)
$tasks | select Name | ? { $_.Name -eq $TaskName }
$tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }
#
if ($tasks | select Name | ? { $_.Name -eq $TaskName }) {
if ($tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }) {
SchTasks.exe /Delete /TN $TaskName /F | out-file -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
} else {
Write-Output $TaskName "$TaskName does not already exist on the system" | out-file -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
@@ -88,9 +88,9 @@ if (Test-Path $ARTHIR_OutputDir) {
$schedule = new-object -com("Schedule.Service")
$schedule.connect()
$tasks = $schedule.getfolder("\").gettasks(0)
$tasks | select Name | ? { $_.Name -eq $TaskName }
$tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }
#
if ($tasks | select Name | ? { $_.Name -eq $TaskName }) {
if ($tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }) {
SchTasks.exe /Delete /TN $TaskName /F | out-file -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
} else {
Write-Output $TaskName "$TaskName does not already exist on the system" | out-file -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
@@ -99,10 +99,10 @@ Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
$schedule = new-object -com("Schedule.Service")
$schedule.connect()
$tasks = $schedule.getfolder("\").gettasks(0)
$tasks | select Name | ? { $_.Name -eq $TaskName }
$tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }
#$tasks.Settings.Priority = $TaskPriorityLevel
#
if ($tasks | select Name | ? { $_.Name -eq $TaskName }) {
if ($tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }) {
Write-Output "Checking for existing task and deleting it" | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-Hash_Baseline_Status.txt
SchTasks.exe /Delete /TN $TaskName /F | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-Hash_Baseline_Status.txt
} else {
@@ -112,10 +112,10 @@ Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
$schedule = new-object -com("Schedule.Service")
$schedule.connect()
$tasks = $schedule.getfolder("\").gettasks(0)
$tasks | select Name | ? { $_.Name -eq $TaskName }
$tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }
#$tasks.Settings.Priority = $TaskPriorityLevel
#
if ($tasks | select Name | ? { $_.Name -eq $TaskName }) {
if ($tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }) {
Write-Output "Checking for existing task and deleting it" | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-Hash_Baseline_Status.txt
SchTasks.exe /Delete /TN $TaskName /F | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-Hash_Baseline_Status.txt
} else {
@@ -113,10 +113,10 @@ Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
$schedule = new-object -com("Schedule.Service")
$schedule.connect()
$tasks = $schedule.getfolder("\").gettasks(0)
$tasks | select Name | ? { $_.Name -eq $TaskName }
$tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }
#$tasks.Settings.Priority = $TaskPriorityLevel
#
if ($tasks | select Name | ? { $_.Name -eq $TaskName }) {
if ($tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }) {
Write-Output "Checking for existing task and deleting it" | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-Hash_Compare_Status.txt
SchTasks.exe /Delete /TN $TaskName /F | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-Hash_Compare_Status.txt
} else {
@@ -123,10 +123,10 @@ Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
$schedule = new-object -com("Schedule.Service")
$schedule.connect()
$tasks = $schedule.getfolder("\").gettasks(0)
$tasks | select Name | ? { $_.Name -eq $TaskName }
$tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }
#$tasks.Settings.Priority = $TaskPriorityLevel
#
if ($tasks | select Name | ? { $_.Name -eq $TaskName }) {
if ($tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }) {
Write-Output "Checking for existing task and deleting it" | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-Hash_Compare_Status.txt
SchTasks.exe /Delete /TN $TaskName /F | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-Hash_Compare_Status.txt
} else {
@@ -98,10 +98,10 @@ Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
$schedule = new-object -com("Schedule.Service")
$schedule.connect()
$tasks = $schedule.getfolder("\").gettasks(0)
$tasks | select Name | ? { $_.Name -eq $TaskName }
$tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }
#$tasks.Settings.Priority = $TaskPriorityLevel
#
if ($tasks | select Name | ? { $_.Name -eq $TaskName }) {
if ($tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }) {
Write-Output "Checking for existing task and deleting it" | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-Reg_Baseline_Status.txt
SchTasks.exe /Delete /TN $TaskName /F | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-Reg_Baseline_Status.txt
} else {
@@ -110,10 +110,10 @@ Move-Item -Path "$env:SystemRoot\$Tool_Name" -Destination $ARTHIR_Dir -Force
$schedule = new-object -com("Schedule.Service")
$schedule.connect()
$tasks = $schedule.getfolder("\").gettasks(0)
$tasks | select Name | ? { $_.Name -eq $TaskName }
$tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }
#$tasks.Settings.Priority = $TaskPriorityLevel
#
if ($tasks | select Name | ? { $_.Name -eq $TaskName }) {
if ($tasks | Select-Object Name | Where-Object { $_.Name -eq $TaskName }) {
Write-Output "Checking for existing task and deleting it" | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-Reg_Compare_Status.txt
SchTasks.exe /Delete /TN $TaskName /F | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-Reg_Compare_Status.txt
} else {
@@ -1 +1 @@
Get-ADComputer -Filter { OperatingSystem -Like '*MAC*' } -Properties OperatingSystem, LastLogonTimestamp | Select Name, OperatingSystem, LastLogonTimestamp | Export-Csv -Path "MAC_Systems.csv"
Get-ADComputer -Filter { OperatingSystem -Like '*MAC*' } -Properties OperatingSystem, LastLogonTimestamp | Select-Object Name, OperatingSystem, LastLogonTimestamp | Export-Csv -Path "MAC_Systems.csv"
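Review bot: This query exports `LastLogonTimestamp` as the raw 64-bit FILETIME integer, whereas the Windows query in the next hunk converts it with `[DateTime]::FromFileTime`; the two CSVs should agree, so use the same calculated property here: `Select-Object Name, OperatingSystem, @{N='LastLogonTimestamp'; E={[DateTime]::FromFileTime($_.LastLogonTimestamp)}}`. Note also that lastLogonTimestamp is a replicated attribute refreshed only when the stored value is older than the domain's update interval (14 days by default), so it indicates activity coarsely rather than the most recent logon — worth a comment if this CSV feeds triage decisions.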
@@ -1 +1 @@
Get-ADComputer -Filter { OperatingSystem -Like '*WINDOWS*' } -Properties OperatingSystem, LastLogonTimestamp | Select Name, OperatingSystem, @{N='LastLogonTimestamp'; E={[DateTime]::FromFileTime($_.LastLogonTimestamp)}} | Export-Csv -Path "Win_Systems.csv"
Get-ADComputer -Filter { OperatingSystem -Like '*WINDOWS*' } -Properties OperatingSystem, LastLogonTimestamp | Select-Object Name, OperatingSystem, @{N='LastLogonTimestamp'; E={[DateTime]::FromFileTime($_.LastLogonTimestamp)}} | Export-Csv -Path "Win_Systems.csv"
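Review bot: `[DateTime]::FromFileTime($_.LastLogonTimestamp)` presumably yields 1601-01-01 for computer objects whose attribute is unset (a null argument converts to 0), so never-logged-on machines appear with that sentinel date rather than an empty cell; a guard such as `E={ if ($_.LastLogonTimestamp) { [DateTime]::FromFileTime($_.LastLogonTimestamp) } }` leaves the cell blank instead. `FromFileTime` also returns local time; `FromFileTimeUtc` avoids timezone drift when the CSV is compared across hosts.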
