diff --git a/Black-Lotus_check.ps1 b/Black-Lotus_check.ps1
new file mode 100644
index 0000000..f0284b6
--- /dev/null
+++ b/Black-Lotus_check.ps1
@@ -0,0 +1,146 @@
+# BlackLotus Bootkit IoC scan from Microsodft: https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
+
+function Green
+{
+ process { Write-Host $_ -ForegroundColor Green }
+}
+
+function Red
+{
+ process { Write-Host $_ -ForegroundColor Red }
+}
+
+
+$directory = "C:\Windows\Boot\EFI"
+
+# Check if winload.efi file exists
+Write-Host "Checking if suspicious .efi files are present (True = found, this is an alert!!!, if False all good :) `n"
+$dataLogExists = Test-Path -Path "$directory\winload.efi"
+####dir $directory
+# Check if bootmgfw.efi file exists
+$errorLogExists = Test-Path -Path "$directory\bootmgfw.efi"
+
+# Check if grubx64.efi file exists
+$errorLogExists = Test-Path -Path "$directory\grubx64.efi"
+
+# Get all .efi files in the directory
+$logFiles = Get-ChildItem -Path $directory -Filter "*.log"
+
+# Check if there are additional .log files
+$additionalLogFilesExist = $logFiles.Count -gt 2
+
+# Output the results
+
+
+# Get all .log files in the directory
+$logFiles = Get-ChildItem -Path $directory -Filter "*.log"
+
+# Check if there are additional .log files
+$additionalLogFilesExist = $logFiles.Count -gt 2
+
+# Output the results with color
+Write-Host "winload.efi exists: " -NoNewline
+if ($dataLogExists) {
+ Write-Host "True" -ForegroundColor Red
+} else {
+ Write-Host "False" -ForegroundColor Green
+}
+
+Write-Host "bootmgfw.efi exists: " -NoNewline
+if ($errorLogExists) {
+ Write-Host "True" -ForegroundColor Red
+} else {
+ Write-Host "False" -ForegroundColor Green
+}
+
+Write-Host "grubx64.efi exists: " -NoNewline
+if ($grubExists) {
+ Write-Host "True" -ForegroundColor Red
+} else {
+ Write-Host "False" -ForegroundColor Green
+}
+
+Write-Host "Additional .efi files exist: " -NoNewline
+if ($additionalLogFilesExist) {
+ Write-Host "True" -ForegroundColor Red
+} else {
+ Write-Host "False" -ForegroundColor Green
+}
+
+#Write-Host "winload.efi exists: $dataLogExists"
+#Write-Host "bootmgfw.efi exists: $errorLogExists"
+#Write-Host "grubx64.efi exists: $errorLogExists"
+#Write-Host "Additional .efi files exist: $additionalLogFilesExist"
+
+Write-Host "######################################"
+
+Write-Host "In C:\Windows\Boot\EFI only following files should be present `n mbootmgfw.efi `n bootmgr.efi `n memtest.efi `n "
+#Get-ChildItem "C:\Windows\Boot\EFI" -Filter *.efi
+
+$directory = "C:\Windows\Boot\EFI"
+
+# Get .efi files in the directory
+$efiFiles = Get-ChildItem -Path $directory -Filter *.efi
+
+# Process each file and output the filename with color
+foreach ($file in $efiFiles) {
+ if ($file.Name -match "^(bootmgfw|bootmgr|memtest)\.efi$") {
+ Write-Host $file.Name -ForegroundColor Green
+ } else {
+ Write-Host $file.Name -ForegroundColor Red
+ }
+}
+
+#Registry Check
+Write-Host "######################################"
+Write-Host "`nCheckng for BlackLotus registry presence in registry: `n HKLM:\\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity `n (False is Good, True is BAD)"
+
+function Check-RegistryKey {
+ param (
+ [Parameter(Mandatory = $true)]
+ [string]$RegistryKeyPath
+ )
+
+ # Check if the Registry key exists
+ $keyExists = Test-Path $RegistryKeyPath
+
+ # Output the result with color
+ Write-Host "Registry key exists: " -NoNewline
+ if ($keyExists) {
+ Write-Host $keyExists -ForegroundColor Red
+ } else {
+ Write-Host $keyExists -ForegroundColor Green
+ }
+}
+
+# Specify the Registry key path
+$registryKeyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
+
+# Call the function
+Check-RegistryKey -RegistryKeyPath $registryKeyPath
+
+#Event logs Check
+Write-Host "######################################"
+Write-Host "checking for suspicious Event IDs of 3002 and 7023 in Microsoft-Windows-Windows for failures/disable Defender/Operational (Application and Services logs > Microsoft > Windows > Windows Defender "
+$logName = "Microsoft-Windows-Windows Defender/Operational"
+$eventIDs = 3002, 7023
+
+# Define the filter hashtable
+$filterHashtable = @{
+ LogName = $logName
+ ID = $eventIDs
+}
+
+# Retrieve the event logs matching the filter
+$events = Get-WinEvent -FilterHashtable $filterHashtable -ErrorAction SilentlyContinue
+
+# Check if logs are found
+if ($events) {
+ # Output the filtered events in a table-like view
+ $events | Format-Table -AutoSize
+ Write-Host -ForegroundColor Red "True"
+} else {
+ # Output "False" in green color if no events are found
+ Write-Host -ForegroundColor Green "False"
+}
+
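Review bot: `$grubExists` is never assigned, so the "grubx64.efi exists" line always prints False, while the grubx64 result is written into `$errorLogExists` and overwrites the bootmgfw.efi result that the "bootmgfw.efi exists" line then reports; use distinct variables, e.g. `$bootmgfwExists = Test-Path -Path "$directory\bootmgfw.efi"` and `$grubExists = Test-Path -Path "$directory\grubx64.efi"`, and test `$bootmgfwExists` in the second if. The "Additional .efi files exist" check is built from `Get-ChildItem -Path $directory -Filter "*.log"` (the same two lines appear twice), so it never looks at .efi files at all; filter on `*.efi` and compare against the expected set rather than a fixed count of 2. The bootmgfw.efi finding is also internally inconsistent: it is printed red when present, yet the later allow-list treats bootmgfw.efi as expected, and that list's message spells it `mbootmgfw.efi`. The registry check only tests that the HypervisorEnforcedCodeIntegrity key exists; if the linked guidance describes a modified value under that key rather than the key's presence, read the value (e.g. with `Get-ItemProperty`) and report on it, otherwise this fires on any system that merely has HVCI configured — worth confirming against the article.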