Initial release

This is ARTHIR version 1.0 initial release.
MalwareArchaeology committed Mar 17, 2019
0 parents commit 891319ba83a6a9b5dd781d52f19fb0a1ed029295
Showing with 7,555 additions and 0 deletions.
  1. +1,341 −0 ARTHIR.ps1
  2. BIN ATT&CK/Windows ATT&CK_Logging Cheat Sheet_ver_Sept_2018.pdf
  3. BIN ATT&CK/Windows Attack Matrix_Template_Example.xlsx
  4. BIN ATT&CK/Windows_LOG-MD_ATT&CK_Cheat_Sheet_ver_Sept_2018.pdf
  5. BIN Documentation/Configuring WinRM_Guide v1.pdf
  6. +130 −0 Documentation/_README_1st_Documentation.txt
  7. +7 −0 Hosts.txt
  8. +4 −0 Known_3rd_Party_Modules/3rd_Party_Providers_of_Modules.txt
  9. +23 −0 Known_3rd_Party_Modules/LOG-MD-Free-Edition.txt
  10. +88 −0 Known_3rd_Party_Modules/LOG-MD-Professional.txt
  11. +42 −0 Modules/Cleanup/Get-Delete_ARTHIR_Folders.ps1
  12. +6 −0 Modules/Cleanup/_Read_Me_1st_Cleanup.txt
  13. +75 −0 Modules/Info/Get-OS_Version_Details.ps1
  14. +103 −0 Modules/Info/Get-PS_Version_Logging_Details.ps1
  15. +7 −0 Modules/Info/_Read_Me_1st_Info.txt
  16. +73 −0 Modules/Kansa_Legacy/Config/Get-Anti-MW-HealthStatus.ps1
  17. +73 −0 Modules/Kansa_Legacy/Config/Get-Anti-MW-InfectionStatus.ps1
  18. +60 −0 Modules/Kansa_Legacy/Config/Get-Hotfix_Patches.ps1
  19. +61 −0 Modules/Kansa_Legacy/Config/Get-Local_Accounts.ps1
  20. +63 −0 Modules/Kansa_Legacy/Config/Get-Local_Admin_Accounts.ps1
  21. +76 −0 Modules/Kansa_Legacy/Disk/Get-Temp_Dir_Listing.ps1
  22. +103 −0 Modules/Kansa_Legacy/Log/Get-AppCompatCache.ps1
  23. +71 −0 Modules/Kansa_Legacy/Log/Get-CBS_Log.ps1
  24. +67 −0 Modules/Kansa_Legacy/Net/Get-Arp.ps1
  25. +63 −0 Modules/Kansa_Legacy/Net/Get-DNS-Cache.ps1
  26. +68 −0 Modules/Kansa_Legacy/Net/Get-Net-IP-Interface.ps1
  27. +149 −0 Modules/Kansa_Legacy/Net/Get-Netstat.ps1
  28. +7 −0 Modules/Kansa_Legacy/_Read_Me_1st_Legacy_Kansa.txt
  29. +68 −0 Modules/LOG-MD-Tasks/Get-Log-MD-Free_Task_z_Cleanup_All.ps1
  30. +147 −0 Modules/LOG-MD-Tasks/Get-Log-MD_Task_AutoRuns_Hourly.ps1
  31. +149 −0 Modules/LOG-MD-Tasks/Get-Log-MD_Task_Large_Keys_Daily.ps1
  32. +147 −0 Modules/LOG-MD-Tasks/Get-Log-MD_Task_Logs_Daily.ps1
  33. +147 −0 Modules/LOG-MD-Tasks/Get-Log-MD_Task_Running_Processes_Hourly.ps1
  34. +2 −0 Modules/LOG-MD-Tasks/_Read_Me_1st_LOG-MD-Tasks.txt
  35. +88 −0 Modules/LOG-MD/Get-LOG-MD_1_Configs.ps1
  36. +92 −0 Modules/LOG-MD/Get-LOG-MD_2_Configs_Registry.ps1
  37. +93 −0 Modules/LOG-MD/Get-LOG-MD_3_Configs_Hash.ps1
  38. +109 −0 Modules/LOG-MD/Get-Log-MD_AutoRuns.ps1
  39. +213 −0 Modules/LOG-MD/Get-Log-MD_Hash_Baseline.ps1
  40. +224 −0 Modules/LOG-MD/Get-Log-MD_Hash_Baseline_Folder.ps1
  41. +226 −0 Modules/LOG-MD/Get-Log-MD_Hash_Compare.ps1
  42. +237 −0 Modules/LOG-MD/Get-Log-MD_Hash_Compare_Folder.ps1
  43. +107 −0 Modules/LOG-MD/Get-Log-MD_Logs_1_Day.ps1
  44. +107 −0 Modules/LOG-MD/Get-Log-MD_Logs_2_Days.ps1
  45. +106 −0 Modules/LOG-MD/Get-Log-MD_Logs_3_Days.ps1
  46. +106 −0 Modules/LOG-MD/Get-Log-MD_Logs_4_Days.ps1
  47. +106 −0 Modules/LOG-MD/Get-Log-MD_Logs_5_Days.ps1
  48. +106 −0 Modules/LOG-MD/Get-Log-MD_Logs_6_Days.ps1
  49. +106 −0 Modules/LOG-MD/Get-Log-MD_Logs_7_Days.ps1
  50. +209 −0 Modules/LOG-MD/Get-Log-MD_Reg_Baseline.ps1
  51. +220 −0 Modules/LOG-MD/Get-Log-MD_Reg_Compare.ps1
  52. +109 −0 Modules/LOG-MD/Get-Log-MD_Reg_Large_Keys.ps1
  53. +105 −0 Modules/LOG-MD/Get-Log-MD_Running_Processes.ps1
  54. +107 −0 Modules/LOG-MD/Get-Log-MD_Settings.ps1
  55. +116 −0 Modules/LOG-MD/Get-Log-MD_Settings_Audit.ps1
  56. +58 −0 Modules/LOG-MD/Get-Log-MD_z_Cleanup_All.ps1
  57. +57 −0 Modules/LOG-MD/Get-Log-MD_z_Cleanup_Reports.ps1
  58. +14 −0 Modules/LOG-MD/_READ_Me_1st_LOG-MD.txt
  59. +232 −0 Modules/Modules.conf
  60. +143 −0 Modules/Sysinternals/Get-Handle64.ps1
  61. +102 −0 Modules/Sysinternals/Get-SigCheck64.ps1
  62. +95 −0 Modules/Templates/Get-Binary-Template.ps1
  63. +69 −0 Modules/Templates/Get-Script-Template.ps1
  64. +130 −0 Modules/Templates/Get-Task-Template-Daily.ps1
  65. +132 −0 Modules/Templates/Get-Task-Template-Hourly.ps1
  66. +93 −0 Modules/Templates/Get-Zip-Template.ps1
  67. +9 −0 Modules/Templates/_Read_Me_1st_Templates.txt
  68. +10 −0 Modules/bin/_Read_Me_1st_Configs.txt
  69. +67 −0 Recon/Recon-Ping_Alive.ps1
  70. +1 −0 Recon/Recon_List_of_MAC_OS_Versions.ps1
  71. +1 −0 Recon/Recon_List_of_WS_OS_Versions.ps1
  72. +18 −0 Recon/_Read_Me_1st.txt
  73. +12 −0 z_Credits.txt
1,341 ARTHIR.ps1

Large diffs are not rendered by default.

@@ -0,0 +1,130 @@
___ ______ _____ _ _ ___________
/ _ \ | ___ \_ _| | | |_ _| ___ \
/ /_\ \| |_/ / | | | |_| | | | | |_/ /
| _ || / | | | _ | | | | /
| | | || |\ \ | | | | | |_| |_| |\ \
\_| |_/\_| \_| \_/ \_| |_/\___/\_| \_|

Running ARTHIR
--------------

Edit Modules.conf adjust it to what you want to run. Read each module and what it does should be recorded
in the beginning of the module.

Keep in mind some modules that take longer than others to run, do them last. modules are ordered by how
long they take in modules.conf.

Populate the systems you want to run the modules against in the 'Hosts.txt' file.

Pushing a binary or Zip file, be sure to include the '-Pushbin' parameter or you wil get an error.

The '-Transcribe' and '-Verbose' options are optional, they just provide the console launch details in a log file.

Read the "Configuring WinRM Guide.pdf" for more on enabling WinRM

###########################################################################################################################

Launch all modules enabled in modules.conf \Modules
---------------------------------------------------

To cache your credentials
-------------------------
$Credential = Get-Credential <your username>

-------------------------------
For Domain attached systems: |
-------------------------------
The following uses Kerberos to authenticate which is the default for domains.

Run all modules selected in Modules.conf
----------------------------------------

- With a binary or Zip to push
.\ARTHIR.ps1 -TargetList hosts.txt .\Modules -Pushbin -Verbose -Transcribe -Credential $Credential

- With just scripts, no binary or zip
.\ARTHIR.ps1 -TargetList Hosts.txt .\Modules -Verbose -Transcribe -Credential <username>

- Specify one target and a username - with a binary or zip to push
.\ARTHIR.ps1 -Target <computername> .\Modules -Pushbin -Verbose -Transcribe -Credential <username>

Launch one module at a time
---------------------------

- With a binary or Zip to push
.\ARTHIR.ps1 -Target <computername> -ModulePath ".\Modules\LOG-MD\Get_Log-MD_1_Configs.ps1" -Pushbin -Transcribe -Credential $Credential
.\ARTHIR.ps1 -Target <computername> -ModulePath ".\Modules\LOG-MD\Get-Log-MD_AutoRuns.ps1" -Pushbin -Transcribe -Credential <username>

.\ARTHIR.ps1 -Target DEFENDER -ModulePath ".\Modules\LOG-MD\Get-LOG-MD-1_Configs.ps1" -Pushbin -Transcribe -Credential <username>

########################################################################################################################################################################

-----------------------------------
For Non-Domain attached systems: |
-----------------------------------

Run all modules selected in Modules.conf
----------------------------------------

.\ARTHIR.ps1 -TargetList hosts.txt .\Modules -Verbose -Authentication Negotiate -Transcribe -Credential $Credential
- With a binary or Zip to push
.\ARTHIR.ps1 -TargetList hosts.txt .\Modules -Pushbin -Authentication Negotiate -Verbose -Transcribe -Credential $Credential

- With just scripts, no binary or zip
.\ARTHIR.ps1 -TargetList Hosts.txt .\Modules -Authentication Negotiate -Verbose -Transcribe -Credential <username>

- Specify one target and a username - with a binary or zip to push
.\ARTHIR.ps1 -Target <computername> .\Modules -Pushbin -Authentication Negotiate -Verbose -Transcribe -Credential <username>

Launch one module at a time
---------------------------

- With a binary or Zip to push
.\ARTHIR.ps1 -Target <computername> -ModulePath ".\Modules\LOG-MD\Get_Log-MD_1_Configs.ps1" -Pushbin -Authentication Negotiate -Transcribe -Credential $Credential
.\ARTHIR.ps1 -Target <computername> -ModulePath ".\Modules\LOG-MD\Get-Log-MD_AutoRuns.ps1" -Pushbin -Authentication Negotiate -Transcribe -Credential <username>

.\ARTHIR.ps1 -Target DEFENDER -ModulePath ".\Modules\LOG-MD\Get-LOG-MD-1_Configs.ps1" -Pushbin -Authentication Negotiate -Transcribe -Credential <username>

########################################################################################################################################################################

TROUBLESHOOTING
---------------

----------------------------
To open a PS Remoting shell
----------------------------

This will give you console access to the remote system to do whatever you want, but NOT retrieve files, this requires the next option "PS Remoting Session".

$Credential = Get-Credential <your username>

- Domain
Enter-PSSession <computername> -Credential $Credential
Enter-PSSession <computername> -Credential <username>

- Non domain
Enter-PSSession <computername> -Authentication Negotiate -Credential $Credential
Enter-PSSession <computername> -Authentication Negotiate -Credential <username>

Do whatever you want and then when done;
- Exit-PSSession

--------------------------------------
To open a PS Remoting Session method 2
--------------------------------------

This will give you an interactive session that allows you to run commands and retrieve and send files to the target.

$Credential = Get-Credential <your username>

- Non domain
$MySession = New-PSSession -ComputerName <computername> -Authentication Negotiate -Credential $Credential
$MySession = New-PSSession -ComputerName <computername> -Authentication Negotiate -Credential <username>
Invoke-Command -Session $MySession {Get-Process}
Invoke-Command -Session $MySession {C:\'Program Files'\LMD\Log-MD-Pro.exe -ar -md -o 'C:\Program Files\LMD\Results'}
Copy-Item -Path "C:\Program Files\LMD\Results\Report_AutoRuns*" -Destination "D:\ARTHIR" -FromSession $MySession

Do whatever you want and then when done;
- Exit-PSSession

########################################################################################################################################################################
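Review bot: the "Launch one module at a time" examples point at module files that are not in this commit. `.\Modules\LOG-MD\Get_Log-MD_1_Configs.ps1` and `.\Modules\LOG-MD\Get-LOG-MD-1_Configs.ps1` do not exist; the shipped file is `Modules/LOG-MD/Get-LOG-MD_1_Configs.ps1`, so anyone pasting these lines gets a path-not-found error from -ModulePath. In "PS Remoting Session method 2", `Exit-PSSession` does not close a session created with `New-PSSession`; the session stays open on the target until `Remove-PSSession $MySession` runs, so the cleanup step should use that. In the non-domain section the bare `.\ARTHIR.ps1 -TargetList hosts.txt .\Modules -Verbose -Authentication Negotiate -Transcribe -Credential $Credential` line sits above its "- With a binary or Zip to push" label and duplicates the next line minus -Pushbin; drop it or give it its own "- With just scripts" label. Since `-Authentication Negotiate` to a workgroup host means NTLM over WinRM, the guide should also say that the launching box needs the target in TrustedHosts or an HTTPS listener, with a pointer to the section of the WinRM PDF that covers it. Minor: "wil" should be "will", and "Keep in mind some modules that take longer than others to run, do them last" reads better as "Some modules take longer than others; run them last".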
@@ -0,0 +1,7 @@
DEFENDER
BOBS-PC





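Review bot: Hosts.txt ships with five trailing empty lines after BOBS-PC. Unless ARTHIR.ps1 filters blanks when it reads -TargetList, each empty line becomes an empty target name and a failed connection in every run; either trim the file to the two sample names or make sure the reader drops empty and whitespace-only lines. The README should also say that DEFENDER and BOBS-PC are placeholders to replace, since DEFENDER is reused as the example host in the single-module commands.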
@@ -0,0 +1,4 @@
This folder contains known modules from 3rd party tools that have created ARTHIR modules.

Each file will contain information where to get the modules.

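Review bot: this file says where third-party modules come from but not how to vet them, and every module in this tree runs with the operator's credentials on every host in Hosts.txt. Add a sentence that modules from these providers should be read before use and checked against the provider's published hash or signature, and that each module's header (the .SYNOPSIS block the bundled modules use) must state what it writes to disk and which binary it expects in Modules\bin.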
@@ -0,0 +1,23 @@
LOG-MD Free Edition ARTHIR modules
Updated - March 2019

Function: LOG-MD is a Log Harvesting, Threat Hunting, and Incident Response tool.

website: LOG-MD.com

How to get modules: Modules are avaialble with ARTHIR and at LOG-MD.com\arthir

Tool: LOG-MD Free Edition. Download it from the website above and place the binary in \bin

Options: To push LOG-MD configuration files, create a zip file and push them out with the Get-LOG-MD-Free_Configs.module

---------------------------------------------------------------------------------------------------------------------------

Several LOG-MD-Free Edition modules are included with ARTHIR. The following are included;

- Get-LOG-MD-Free_AutoRuns.ps1
- Get-LOG-MD-1-Day_Logs.ps1
- Get-LOG-MD-Free_Sched_AutoRuns.ps1



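Review bot: the module names listed under "Several LOG-MD-Free Edition modules are included with ARTHIR" do not match the files in this commit. `Get-LOG-MD-Free_AutoRuns.ps1`, `Get-LOG-MD-1-Day_Logs.ps1` and `Get-LOG-MD-Free_Sched_AutoRuns.ps1` are not present; the shipped equivalents are `Modules/LOG-MD/Get-Log-MD_AutoRuns.ps1`, `Modules/LOG-MD/Get-Log-MD_Logs_1_Day.ps1` and `Modules/LOG-MD-Tasks/Get-Log-MD_Task_AutoRuns_Hourly.ps1`, and the "Get-LOG-MD-Free_Configs.module" named under Options corresponds to `Get-LOG-MD_1_Configs.ps1`. "place the binary in \bin" should give the full path, `Modules\bin`, which is where `_Read_Me_1st_Configs.txt` lives. Minor: "avaialble" should be "available".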
@@ -0,0 +1,88 @@
LOG-MD Professional and Consulting ARTHIR modules
Updated - March 2019

Function: LOG-MD is a Log Harvesting, Threat Hunting, and Incident Response tool.

website: LOG-MD.com

How to get modules: Modules are included with the purchase of LOG-MD-Professional. A guide for
using LOG-MD-Professional with ARTHIR is included with the purchase of LOG-MD-Professional

Options: To push LOG-MD configuration files, create a zip file and push them out with the Get-LOG-MD-Free_Configs.module

---------------------------------------------------------------------------------------------------------------------------

There are modules available for all LOG-MD-Professional and Consulting features.
Also available are modules to schedule tasks for many LOG-MD-Professional features.
The following modules are available;

RECON SCRIPTS - Get information you want to populate Hosts.txt with
-------------------------------------------------------------------

- Recon_List_of_MAC_OS_Versions.ps1 List of Apple OS systems from AD
- Recon_List_of_WS_OS_Versions.ps1 List of Windows systems from AD
- Recon-Ping_Alive.ps1 Ping system in Hosts.txt for being online

INFO GATHERING SCRIPTS
----------------------
- Get-OS_Version_Details.ps1 Get System name, OS Version and Architecture
- Get-PS_Version_Logging_Details.ps1 Get PowerShell version, and logging settings

LOG-MD-Professional MODULES
---------------------------
- Get-LOG-MD-API-Settings.ps1
- Get-LOG-MD-Pro_1_Configs.ps1
- Get-LOG-MD-Pro_2_Configs_Registry.ps1
- Get-LOG-MD-Pro_3_Configs_Hash.ps1
- Get-Log-MD-Pro_Settings.ps1
- Get-Log-MD-Pro_AutoRuns.ps1
- Get-Log-MD-Pro_AutoRuns_VirusTotal.ps1
- Get-Log-MD-Pro_AutoRuns_WMI.ps1
- Get-Log-MD-Pro_Hash_Baseline.ps1
- Get-Log-MD-Pro_Hash_Compare.ps1
- Get-Log-MD-Pro_Logs_1_Day.ps1
- Get-Log-MD-Pro_Logs_1_Day_WhoIS.ps1
- Get-Log-MD-Pro_Logs_2_Days.ps1
- Get-Log-MD-Pro_Logs_2_Days_WhoIS.ps1
- Get-Log-MD-Pro_Logs_3_Days.ps1
- Get-Log-MD-Pro_Logs_3_Days_WhoIS.ps1
- Get-Log-MD-Pro_Logs_4_Days.ps1
- Get-Log-MD-Pro_Logs_4_Days_WhoIS.ps1
- Get-Log-MD-Pro_Logs_5_Days.ps1
- Get-Log-MD-Pro_Logs_5_Days_WhoIS.ps1
- Get-Log-MD-Pro_Logs_6_Days.ps1
- Get-Log-MD-Pro_Logs_6_Days_WhoIS.ps1
- Get-Log-MD-Pro_Logs_7_Days.ps1
- Get-Log-MD-Pro_Logs_7_Days_WhoIS.ps1
- Get-Log-MD-Pro_Logs_99_Days.ps1
- Get-Log-MD-Pro_Logs_99_Days_WhoIS.ps1
- Get-Log-MD-Pro_PS_Logs_1_Day.ps1
- Get-Log-MD-Pro_PS_Logs_2_Days.ps1
- Get-Log-MD-Pro_PS_Logs_3_Days.ps1
- Get-Log-MD-Pro_PS_Logs_4_Days.ps1
- Get-Log-MD-Pro_PS_Logs_5_Days.ps1
- Get-Log-MD-Pro_PS_Logs_6_Days.ps1
- Get-Log-MD-Pro_PS_Logs_7_Days.ps1
- Get-Log-MD-Pro_PS_Logs_99_Days.ps1
- Get-Log-MD-Pro_Reg_Baseline.ps1
- Get-Log-MD-Pro_Reg_Compare.ps1
- Get-Log-MD-Pro_Reg_Large_Keys.ps1
- Get-Log-MD-Pro_Running_Processes.ps1
- Get-Log-MD-Pro_Running_Processes_VirusTotal.ps1
- Get-Log-MD-Pro_SRUM.ps1

LOG-MD SCHEDULE TASKS MODULES
-----------------------------
- Get-Log-MD-Pro_AutoRuns_Check_VT_Hourly_Task.ps1
- Get-Log-MD-Pro_AutoRuns_Hourly_Task.ps1
- Get-Log-MD-Pro_Large_Keys_Daily_Task.ps1
- Get-Log-MD-Pro_Logs_Daily_Task.ps1
- Get-Log-MD-Pro_PS_Logs_Daily_Task.ps1
- Get-Log-MD-Pro_Running_Processes_Check_VT_Hourly_Task.ps1
- Get-Log-MD-Pro_Running_Processes_Hourly_Task.ps1
- Get-Log-MD-Pro_WMI_Persistence_Daily_Task.ps1

CLEANUP LOG-MD MODULES
----------------------
- Get-Log-MD-Pro_z_Cleanup_All.ps1
- Get-Log-MD-Pro_z_Cleanup_Reports.ps1
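Review bot: the Options line is carried over from the Free Edition file and still points at "Get-LOG-MD-Free_Configs.module", while the Pro list below names `Get-LOG-MD-Pro_1_Configs.ps1`; one of the two is wrong. The RECON SCRIPTS and INFO GATHERING SCRIPTS sections describe files that ship in this commit under `Recon/` and `Modules/Info/`, not with the LOG-MD-Professional purchase, so they belong in the top-level documentation rather than under "Modules are included with the purchase of LOG-MD-Professional". The two sentences under "How to get modules" both end in "the purchase of LOG-MD-Professional"; merge them.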
@@ -0,0 +1,42 @@
<#
.SYNOPSIS
Get-Delete_ARTHIR_Folders.ps1 deletes the folder created by your scripts. Just add the folder(s)
you want to delete below to cleanup after your modules. Add multiple folders if you use them.
The DOWNLOAD directive is not used in this module unless you want to create a status report.
Adjust the variables to what you want to do with each item:
$ARTHIR_OutputDir Set to a directory you want the results of the modules to be removed
$WriteEventLogEntry Create an event log entry that this module ran 'Yes' or 'No'
$EventSource The name of the source the event will be written to the Application log (default is ARTHIR)
$Event_ID What event ID to use in the log entry
.NOTES
The following DIRECTIVE lines are needed by ARTHIR.ps1 to determine how to handle output
from this script.
#>
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR"
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check and delete the folder specified above. Add more entries if you are using multiple folders
#
if (Test-Path $ARTHIR_OutputDir) {
Remove-Item -path $ARTHIR_OutputDir -recurse
} else {
Write-Error "ARTHIR folder not found at" $ARTHIR_OutputDir
}
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
New-EventLog -LogName Application -Source $EventSource
Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'ARTHIR folder deleted'
}
else {
Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'ARTHIR folder deleted'
}
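Review bot: `Write-Error "ARTHIR folder not found at" $ARTHIR_OutputDir` passes two positional arguments and Write-Error binds only one (-Message), so the else branch throws a parameter-binding error instead of the intended message; use `Write-Error "ARTHIR folder not found at $ARTHIR_OutputDir"`. `Remove-Item -path $ARTHIR_OutputDir -recurse` stops on read-only or hidden files left behind by a tool; add -Force. `Break` at script scope is not inside a loop and terminates the script by unwinding the call stack; `return` says what is meant. The two Write-EventLog calls are identical: register the source in an `if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) { New-EventLog ... }` block and write the event once afterwards. Naming: here `$ARTHIR_OutputDir` is the parent folder `C:\Program Files\ARTHIR`, while in Get-OS_Version_Details.ps1 the same variable is the Results subfolder and the parent is `$ARTHIR_Dir`; align the two so a user copying values between modules does not delete the wrong tree. Also the synopsis says the DOWNLOAD directive is not used here while the .NOTES block says directive lines are required; pick one.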
@@ -0,0 +1,6 @@
This cleanup file is designed for script based modules stored in a directory named:
- \ARTHIR

Generally data scripts could be stored seperate from your binary modules as they can
be maintained deleted differently than your binary jobs.

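Review bot: "seperate" should be "separate", and "as they can be maintained deleted differently" is missing a word ("maintained and deleted differently"). The directory is given only as "\ARTHIR"; state the full default, `C:\Program Files\ARTHIR`, so it matches `$ARTHIR_OutputDir` in Get-Delete_ARTHIR_Folders.ps1.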
@@ -0,0 +1,75 @@
<#
.SYNOPSIS
Get-OS_Version_Details.ps1 queries the local system for its operating system.
* Computername
* Operating System
* OS Architecture
MITRE ATT&CK Technique IDs: none
If you want to remove the reports and directories from remote systems after it has run
use the cleanup module Get-Delete_ARTHIR_Folders.ps1.
Adjust the variables to what you want to do with each item:
$ARTHIR_OutputDir Set to a directory you want the results of the modules to be stored for harvesting
$ARTHIR_ReportName What to name the report. Match this to DOWNLOAD
$SysName What you want each report to be pre-pended wiht like "computername"
$WriteEventLogEntry Create an event log entry that this module ran 'Yes' or 'No'
$EventSource The name of the source the event will be written to the Application log (default is ARTHIR)
$Event_ID What event ID to use in the log entry
DOWNLOAD The name of the report you will copy back to the host or launching system, wildcards are acceptable
.NOTES
The following DIRECTIVE lines are needed by ARTHIR.ps1 to determine how to handle output
from this script.
DOWNLOAD C:\Program Files\ARTHIR\Results\*Report_System_Info.txt
#>
$ARTHIR_Dir = "C:\Program Files\ARTHIR"
$ARTHIR_OutputDir = "C:\Program Files\ARTHIR\Results"
$ARTHIR_ReportName = "Report_System_Info.txt"
$SysName = $env:computername
$MinPSVersion = 6
$WriteEventLogEntry = "Yes"
$EventSource = "ARTHIR"
$Event_ID = "1337"
#
# Check for minimal PowerShell version
#
If ($PSVersionTable.PSVersion.Major -ge $MinPSVersion) {
Write-Output "System has PS $MinPSVersion or greater"
Break
}
#
# Check for report folder existing, or create it
#
if (Test-Path $ARTHIR_OutputDir) {
Write-Output $ARTHIR_OutputDir "already exists"
} else {
new-item $ARTHIR_OutputDir -itemtype directory
}
#
# Get OS details
#
Write-Output $SysName | out-file -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
$wmiOS = Get-WmiObject -ComputerName $env:computername -Class Win32_OperatingSystem;
$OS = $wmiOS.caption;
$OS | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
(Get-WmiObject win32_operatingsystem).osarchitecture | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
Write-Output "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@" | out-file -Append -filepath $ARTHIR_OutputDir\$SysName-$ARTHIR_ReportName
#
# Write log entry
#
If ($WriteEventLogEntry -eq 'No') {
Break
}
elseif ([System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False) {
New-EventLog -LogName Application -Source $EventSource
Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Operating System info gathered by Arthir'
}
else {
Write-EventLog -LogName Application -EntryType Information -EventId $Event_ID -Source $EventSource -Message 'Operating System info gathered by Arthir'
}
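Review bot: the PowerShell version gate contradicts its own message. With `$MinPSVersion = 6`, `If ($PSVersionTable.PSVersion.Major -ge $MinPSVersion) { Write-Output "System has PS $MinPSVersion or greater"; Break }` stops the script on PowerShell 6 and later and lets it continue on 5.1 and earlier, so no report is written on the newer versions and the DOWNLOAD directive then fails to find `*Report_System_Info.txt`. If the intent is to skip PS 6+ because `Get-WmiObject` is not available there, rename the variable and say so; better, replace both `Get-WmiObject` calls with `Get-CimInstance Win32_OperatingSystem`, which works on every supported version, and drop the gate. `-ComputerName $env:computername` on the first call is redundant for the local machine; remove it. `$ARTHIR_Dir` is assigned and never used. As in the cleanup module, `Break` at script scope should be `return`, and the duplicated Write-EventLog call can be collapsed into one write after a source-registration check. Minor: "wiht" should be "with" in the synopsis.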
