From d58b2f689c255e9101a07c7951264237bb630198 Mon Sep 17 00:00:00 2001
From: Saporito
Date: Tue, 9 Mar 2021 22:12:15 -0500
Subject: [PATCH 1/3] Improvements to Get-SuspiciousFiles

---
 Security/Test-ProxyLogon.ps1 | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/Security/Test-ProxyLogon.ps1 b/Security/Test-ProxyLogon.ps1
index 988bb33815..733d8dfb2e 100644
--- a/Security/Test-ProxyLogon.ps1
+++ b/Security/Test-ProxyLogon.ps1
@@ -184,28 +184,27 @@ process {
 [CmdletBinding()]
 param ()
 
- foreach ($file in Get-ChildItem -Recurse -Path "$env:WINDIR\temp\lsass.*dmp") {
- [PSCustomObject]@{
- ComputerName = $env:COMPUTERNAME
- Type = 'LsassDump'
- Path = $file.FullName
- Name = $file.Name
- }
- }
- foreach ($file in Get-ChildItem -Recurse -Path "c:\root\lsass.*dmp" -ErrorAction SilentlyContinue) {
+ $zipFilter = "*.7z", "*,zip", "*.rar"
+ $dmpFilter = "lsass.*dmp"
+ $dmpPaths = "c:\root", "$env:WINDIR\temp"
+
+ Get-ChildItem -Path $dmpPaths -Filter $dmpFilter -Recurse -ErrorAction SilentlyContinue |
+ ForEach-Object{
 [PSCustomObject]@{
 ComputerName = $env:COMPUTERNAME
 Type = 'LsassDump'
- Path = $file.FullName
- Name = $file.Name
+ Path = $_.FullName
+ Name = $_.Name
 }
 }
- foreach ($file in Get-ChildItem -Recurse -Path $env:ProgramData -ErrorAction SilentlyContinue | Where-Object { $_.Extension -Match "\.7z$|\.zip$|\.rar$" }) {
+
+ Get-ChildItem -Path $env:ProgramData -Include $zipFilter -Recurse -ErrorAction SilentlyContinue |
+ ForEach-Object{
 [PSCustomObject]@{
 ComputerName = $env:COMPUTERNAME
 Type = 'SuspiciousArchive'
- Path = $file.FullName
- Name = $file.Name
+ Path = $_.FullName
+ Name = $_.Name
 }
 }
 }
From 74e5f04edca9a69330216fef12ba82919513f8db Mon Sep 17 00:00:00 2001
From: Saporito
Date: Wed, 10 Mar 2021 11:21:53 -0500
Subject: [PATCH 2/3] Update Get-SuspiciousFiles

> Update filtering approach.
> Consolidate loops
---
 Security/Test-ProxyLogon.ps1 | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
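Review bot: Neither `Get-ChildItem` call in the new code passes `-Force`, so hidden and system files are skipped by the scan — an `lsass.dmp` or an archive that an attacker has marked hidden under `c:\root`, `$env:WINDIR\temp` or `$env:ProgramData` is never returned, and the function silently reports nothing for it. For an indicator scan the enumeration should include them: `Get-ChildItem -Path $dmpPaths -Filter $dmpFilter -Recurse -Force -ErrorAction SilentlyContinue |` and `Get-ChildItem -Path $env:ProgramData -Include $zipFilter -Recurse -Force -ErrorAction SilentlyContinue |`. `-ErrorAction SilentlyContinue` also hides access-denied errors on subdirectories, so a directory the scan could not read is indistinguishable from a clean one; consider collecting those with `-ErrorVariable` and surfacing the unreadable paths alongside the results. The header of the enclosing function lies above the hunk.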
diff --git a/Security/Test-ProxyLogon.ps1 b/Security/Test-ProxyLogon.ps1
index 733d8dfb2e..ca4a4f3247 100644
--- a/Security/Test-ProxyLogon.ps1
+++ b/Security/Test-ProxyLogon.ps1
@@ -184,7 +184,7 @@ process {
 [CmdletBinding()]
 param ()
 
- $zipFilter = "*.7z", "*,zip", "*.rar"
+ $zipFilter = ".7z", ".zip", ".rar"
 $dmpFilter = "lsass.*dmp"
 $dmpPaths = "c:\root", "$env:WINDIR\temp"
 
@@ -198,13 +198,15 @@ process {
 }
 }
 
- Get-ChildItem -Path $env:ProgramData -Include $zipFilter -Recurse -ErrorAction SilentlyContinue |
+ Get-ChildItem -Path $env:ProgramData -Recurse -ErrorAction SilentlyContinue |
 ForEach-Object{
- [PSCustomObject]@{
- ComputerName = $env:COMPUTERNAME
- Type = 'SuspiciousArchive'
- Path = $_.FullName
- Name = $_.Name
+ If( $_.Extension -in $zipFilter ) {
+ [PSCustomObject]@{
+ ComputerName = $env:COMPUTERNAME
+ Type = 'SuspiciousArchive'
+ Path = $_.FullName
+ Name = $_.Name
+ }
 }
 }
 }
From ff6dba9942a020fbe5269a684d7fb9c5605f8ef2 Mon Sep 17 00:00:00 2001
From: Bill Long
Date: Wed, 10 Mar 2021 11:58:36 -0600
Subject: [PATCH 3/3] Formatting

---
 Security/Test-ProxyLogon.ps1 | 30 +++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/Security/Test-ProxyLogon.ps1 b/Security/Test-ProxyLogon.ps1
index 5fbdeedd2c..7c807d83e2 100644
--- a/Security/Test-ProxyLogon.ps1
+++ b/Security/Test-ProxyLogon.ps1
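Review bot: The `If( $_.Extension -in $zipFilter )` test in the second hunk runs against every object `Get-ChildItem -Recurse` returns, and that includes directories, so a folder under `$env:ProgramData` named e.g. `cache.zip` is reported as a `SuspiciousArchive` even though there is no archive to inspect. Restricting the enumeration to files keeps the report to actual archives and avoids piping every directory object through the loop: `Get-ChildItem -Path $env:ProgramData -File -Recurse -ErrorAction SilentlyContinue |`. `-File` requires PowerShell 3.0, which the `-in` operator used on the same lines already presupposes, so it adds no new version requirement. `-in` compares case-insensitively by default, so `.ZIP` or `.Rar` extensions are still matched as written. The enclosing function's header is above the hunk.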
@@ -192,29 +192,29 @@ begin {
 
 $zipFilter = ".7z", ".zip", ".rar"
 $dmpFilter = "lsass.*dmp"
- $dmpPaths = "c:\root", "$env:WINDIR\temp"
+ $dmpPaths = "c:\root", "$env:WINDIR\temp"
 
 Get-ChildItem -Path $dmpPaths -Filter $dmpFilter -Recurse -ErrorAction SilentlyContinue |
- ForEach-Object{
- [PSCustomObject]@{
- ComputerName = $env:COMPUTERNAME
- Type = 'LsassDump'
- Path = $_.FullName
- Name = $_.Name
- }
- }
-
- Get-ChildItem -Path $env:ProgramData -Recurse -ErrorAction SilentlyContinue |
- ForEach-Object{
- If( $_.Extension -in $zipFilter ) {
+ ForEach-Object {
 [PSCustomObject]@{
 ComputerName = $env:COMPUTERNAME
- Type = 'SuspiciousArchive'
+ Type = 'LsassDump'
 Path = $_.FullName
 Name = $_.Name
 }
 }
- }
+
+ Get-ChildItem -Path $env:ProgramData -Recurse -ErrorAction SilentlyContinue |
+ ForEach-Object {
+ If ( $_.Extension -in $zipFilter ) {
+ [PSCustomObject]@{
+ ComputerName = $env:COMPUTERNAME
+ Type = 'SuspiciousArchive'
+ Path = $_.FullName
+ Name = $_.Name
+ }
+ }
+ }
 }
 
 function Get-AgeInDays {