Upload files to ''

This commit is contained in:
Ekranoplan 2023-06-21 07:41:54 +00:00
parent 250487a876
commit 37d11b19ee

146
Black-Lotus_check.ps1 Normal file
View File

@ -0,0 +1,146 @@
# BlackLotus Bootkit IoC scan from Microsodft: https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
function Green
{
process { Write-Host $_ -ForegroundColor Green }
}
function Red
{
process { Write-Host $_ -ForegroundColor Red }
}
$directory = "C:\Windows\Boot\EFI"
# Check if winload.efi file exists
Write-Host "Checking if suspicious .efi files are present (True = found, this is an alert!!!, if False all good :) `n"
$dataLogExists = Test-Path -Path "$directory\winload.efi"
####dir $directory
# Check if bootmgfw.efi file exists
$errorLogExists = Test-Path -Path "$directory\bootmgfw.efi"
# Check if grubx64.efi file exists
$errorLogExists = Test-Path -Path "$directory\grubx64.efi"
# Get all .efi files in the directory
$logFiles = Get-ChildItem -Path $directory -Filter "*.log"
# Check if there are additional .log files
$additionalLogFilesExist = $logFiles.Count -gt 2
# Output the results
# Get all .log files in the directory
$logFiles = Get-ChildItem -Path $directory -Filter "*.log"
# Check if there are additional .log files
$additionalLogFilesExist = $logFiles.Count -gt 2
# Output the results with color
Write-Host "winload.efi exists: " -NoNewline
if ($dataLogExists) {
Write-Host "True" -ForegroundColor Red
} else {
Write-Host "False" -ForegroundColor Green
}
Write-Host "bootmgfw.efi exists: " -NoNewline
if ($errorLogExists) {
Write-Host "True" -ForegroundColor Red
} else {
Write-Host "False" -ForegroundColor Green
}
Write-Host "grubx64.efi exists: " -NoNewline
if ($grubExists) {
Write-Host "True" -ForegroundColor Red
} else {
Write-Host "False" -ForegroundColor Green
}
Write-Host "Additional .efi files exist: " -NoNewline
if ($additionalLogFilesExist) {
Write-Host "True" -ForegroundColor Red
} else {
Write-Host "False" -ForegroundColor Green
}
#Write-Host "winload.efi exists: $dataLogExists"
#Write-Host "bootmgfw.efi exists: $errorLogExists"
#Write-Host "grubx64.efi exists: $errorLogExists"
#Write-Host "Additional .efi files exist: $additionalLogFilesExist"
Write-Host "######################################"
Write-Host "In C:\Windows\Boot\EFI only following files should be present `n mbootmgfw.efi `n bootmgr.efi `n memtest.efi `n "
#Get-ChildItem "C:\Windows\Boot\EFI" -Filter *.efi
$directory = "C:\Windows\Boot\EFI"
# Get .efi files in the directory
$efiFiles = Get-ChildItem -Path $directory -Filter *.efi
# Process each file and output the filename with color
foreach ($file in $efiFiles) {
if ($file.Name -match "^(bootmgfw|bootmgr|memtest)\.efi$") {
Write-Host $file.Name -ForegroundColor Green
} else {
Write-Host $file.Name -ForegroundColor Red
}
}
#Registry Check
Write-Host "######################################"
Write-Host "`nCheckng for BlackLotus registry presence in registry: `n HKLM:\\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity `n (False is Good, True is BAD)"
function Check-RegistryKey {
param (
[Parameter(Mandatory = $true)]
[string]$RegistryKeyPath
)
# Check if the Registry key exists
$keyExists = Test-Path $RegistryKeyPath
# Output the result with color
Write-Host "Registry key exists: " -NoNewline
if ($keyExists) {
Write-Host $keyExists -ForegroundColor Red
} else {
Write-Host $keyExists -ForegroundColor Green
}
}
# Specify the Registry key path
$registryKeyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
# Call the function
Check-RegistryKey -RegistryKeyPath $registryKeyPath
#Event logs Check
Write-Host "######################################"
Write-Host "checking for suspicious Event IDs of 3002 and 7023 in Microsoft-Windows-Windows for failures/disable Defender/Operational (Application and Services logs > Microsoft > Windows > Windows Defender "
$logName = "Microsoft-Windows-Windows Defender/Operational"
$eventIDs = 3002, 7023
# Define the filter hashtable
$filterHashtable = @{
LogName = $logName
ID = $eventIDs
}
# Retrieve the event logs matching the filter
$events = Get-WinEvent -FilterHashtable $filterHashtable -ErrorAction SilentlyContinue
# Check if logs are found
if ($events) {
# Output the filtered events in a table-like view
$events | Format-Table -AutoSize
Write-Host -ForegroundColor Red "True"
} else {
# Output "False" in green color if no events are found
Write-Host -ForegroundColor Green "False"
}