Kaseya Endpoint Exploitation Detection.ps1

Clear-Host
Write-Host "Checking For Suspicious Certificates..."
$RegPath = Join-Path -Path $SoftwareKey -ChildPath 'Kaseya\Agent\*'
Write-Host "==== Kaseya Endpoint Detection Tool v3 ===="
$SoftwareKey = 'HKLM:\Software'
if ([Environment]::Is64BitOperatingSystem)
{ $SoftwareKey = 'HKLM:\Software\WOW6432Node' }
$var = 0
[string[]]$FoundAgentPaths = Get-ItemProperty -Path $RegPath | Select-Object -ExpandProperty TempPath

foreach($Path in $FoundAgentPaths)
{
    $SuspiciousFile = Get-Childitem –Path $Path -Recurse -ErrorAction SilentlyContinue |  Where-Object { $_.Name -eq [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("YWdlbnQuY3J0")) }
    if ($null -ne $SuspiciousFile)
    {
        Write-Host "FAIL: Suspicious Certificate Found" -ForegroundColor Red
        $var = 1
    }
    else
    {
        Write-Host "PASS: Suspicious Certificate Not Found" -ForegroundColor Green
    }
}

Write-Host "Checking For Suspicious Executables..."
foreach($Path in $FoundAgentPaths)
{
    $SuspiciousFile = Get-Childitem –Path $Path -Recurse -ErrorAction SilentlyContinue |  Where-Object { $_.Name -eq [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("YWdlbnQuZXhl")) }
    if ($null -ne $SuspiciousFile)
    {
        #Avoid false-positive
        if ((Get-FileHash -Path $($SuspiciousFile.FullName) -Algorithm MD5 | Select-Object -ExpandProperty Hash) -ine '10ec4c5b19b88a5e1b7bf1e3a9b43c12')
        {
            Write-Host "FAIL: Suspicious Executable Found" -ForegroundColor Red
            $var = 1
        } else {
            Write-Host "PASS: Huntress Executable Not Found" -ForegroundColor Green
        }
    }
    else
    {
        Write-Host "PASS: Suspicious Executable Not Found" -ForegroundColor Green
    }
}

Write-Host "Checking For Suspicious Executables..."
foreach($Path in $FoundAgentPaths)
{
    $SuspiciousFile = Get-Childitem –Path $Path -Recurse -ErrorAction SilentlyContinue |  Where-Object { $_.Name -eq [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("YWdlbnQuZXhl")) }
    if ($null -ne $SuspiciousFile)
    {
        #Avoid false-positive
        if ((Get-FileHash -Path $($SuspiciousFile.FullName) -Algorithm MD5 | Select-Object -ExpandProperty Hash) -ine '10ec4c5b19b88a5e1b7bf1e3a9b43c12')
        {
            Write-Host "FAIL: Suspicious Executable Found" -ForegroundColor Red
            $var = 1
        } else {
            Write-Host "PASS: Huntress Executable Not Found" -ForegroundColor Green
        }
    }
    else
    {
        Write-Host "PASS: Suspicious Executable Not Found" -ForegroundColor Green
    }
}

Write-Host "Searching For Evidence of Encryption..."
$encryption = 0

[datetime]$StartFrom = "07/02/2021 00:01 AM"
[string] $SearchString = "Your files are encrypted, and currently unavailable"

if($null -eq $FoundAgentPaths) {
    $SearchPaths = Get-WmiObject –query "SELECT * from win32_logicaldisk where DriveType = '3'" | Select-Object -ExpandProperty DeviceID | ForEach-Object {Write-Output "$_\"}
} else {$SearchPaths = $FoundAgentPaths}
foreach($Path in $SearchPaths) {

    $Found = Get-ChildItem -Path $Path -Filter *readme.txt -File -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.LastWriteTime -ge $StartFrom} | Select-String $SearchString
    if ($null -ne $Found)
    {
        $encryption = 1
        $var = 3
        break
    }
}


if ($encryption -eq 1) {
    Write-Host "FAIL: Evidence of Encryption Found" -ForegroundColor Red
} else {
    Write-Host "PASS: Evidence of Encryption Not Detected" -ForegroundColor Green
}

Write-Host "Generating Results..."
if ($var -gt 0 )
{
    if ($var -eq 3) {
        Write-Host "RESULT: Scan Indicates Endpoint May Be Encrypted" -ForegroundColor Red
    } else {
        Write-Host "RESULT: Scan Indicates Endpoint May Be Vulnerable" -ForegroundColor Red
    }
}
else
{
    Write-Host "RESULT: Scan Did Not Indicate Endpoint Is Vulnerable" -ForegroundColor Green
}

Read-Host -Prompt "Press Enter to exit"