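#Requires -Version 4.0
<#
.SYNOPSIS
  Kaseya Endpoint Detection Tool v3 - read-only triage of a Windows endpoint
  running the Kaseya agent.

.DESCRIPTION
  Locates the Kaseya agent TempPath(s) through the registry and then runs three
  checks, each printing a PASS/FAIL line:
    1. a certificate artefact (name decoded from $CertName) anywhere under the
       agent path(s);
    2. an executable artefact (name decoded from $ExeName) under the agent
       path(s) whose MD5 differs from the one known-good Huntress build;
    3. a '*readme.txt' ransom note, modified on/after 2 Jul 2021 and containing
       the note text, under the agent path(s) - or under every fixed drive when
       no agent is registered.
  A RESULT line summarises the verdict.  Nothing is modified or deleted.
  PowerShell 4.0+ is required because Get-FileHash is used.
#>

Clear-Host
Write-Host "==== Kaseya Endpoint Detection Tool v3 ===="

# Verdict code: 0 = nothing found, 1 = suspicious artefact found, 3 = ransom note found.
$Verdict = 0

# --- Locate the Kaseya agent install directory via the registry -------------
# The agent is 32-bit, so on a 64-bit OS its key lives under WOW6432Node.
# NOTE(review): this keys off OS bitness, not process bitness; a 32-bit
# PowerShell on a 64-bit OS is already redirected to WOW6432Node - confirm the
# path still resolves in that case.  $SoftwareKey must be assigned BEFORE
# $RegPath is built (the original built $RegPath first, from an unset variable).
$SoftwareKey = 'HKLM:\Software'
if ([Environment]::Is64BitOperatingSystem) {
  $SoftwareKey = 'HKLM:\Software\WOW6432Node'
}
$RegPath = Join-Path -Path $SoftwareKey -ChildPath 'Kaseya\Agent\*'

# One TempPath per registered agent instance; empty array when none is installed.
# Errors are suppressed so a host without the agent does not spray red text.
[string[]]$FoundAgentPaths = @(
  Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty TempPath -ErrorAction SilentlyContinue |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_) }
)

# Artefact names are kept Base64-encoded - presumably so this script's own text
# does not contain the literal names it hunts for.  Decoded once, used below.
$CertName = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("YWdlbnQuY3J0"))
$ExeName  = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("YWdlbnQuZXhl"))

# MD5 of the single executable build that is known-benign (Huntress).  MD5 is
# retained only because it is the reference value available; if a trusted
# SHA256 for the same binary can be obtained, switch -Algorithm and this value.
$KnownGoodExeMd5 = '10ec4c5b19b88a5e1b7bf1e3a9b43c12'

#######################################
# Returns every regular file named $Name under $Root (recursive) as an array.
# Access errors (ACLs, long paths) are suppressed so one unreadable directory
# does not abort the scan.  -File excludes a directory that happens to carry
# the artefact name, which Get-FileHash could not hash anyway.
#######################################
function Find-NamedFile {
  param(
    [string]$Root,
    [string]$Name
  )
  @(Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
      Where-Object { $_.Name -eq $Name })
}

if ($FoundAgentPaths.Count -eq 0) {
  Write-Host "No Kaseya agent registry entry found; skipping agent-directory checks." -ForegroundColor Yellow
}

# --- Check 1: certificate artefact -----------------------------------------
Write-Host "Checking For Suspicious Certificates..."
foreach ($Path in $FoundAgentPaths) {
  $Certs = Find-NamedFile -Root $Path -Name $CertName
  if ($Certs.Count -gt 0) {
    Write-Host "FAIL: Suspicious Certificate Found" -ForegroundColor Red
    foreach ($File in $Certs) { Write-Host "  $($File.FullName)" -ForegroundColor Red }
    $Verdict = 1
  } else {
    Write-Host "PASS: Suspicious Certificate Not Found" -ForegroundColor Green
  }
}

# --- Check 2: executable artefact (allow-listed by hash) --------------------
# The original ran this block twice verbatim; once is enough.
Write-Host "Checking For Suspicious Executables..."
foreach ($Path in $FoundAgentPaths) {
  $Candidates = Find-NamedFile -Root $Path -Name $ExeName
  if ($Candidates.Count -eq 0) {
    Write-Host "PASS: Suspicious Executable Not Found" -ForegroundColor Green
    continue
  }
  # Hash each match individually: the original hashed $SuspiciousFile.FullName,
  # which silently becomes an array when more than one copy exists and makes
  # the -ine comparison return a filtered array rather than a boolean.
  foreach ($File in $Candidates) {
    $Hash = Get-FileHash -LiteralPath $File.FullName -Algorithm MD5 -ErrorAction SilentlyContinue |
      Select-Object -ExpandProperty Hash
    # A file that cannot be hashed (locked, vanished) yields $null here and is
    # reported as FAIL - fail-closed is the right default for a triage tool.
    if ($Hash -ine $KnownGoodExeMd5) {
      Write-Host "FAIL: Suspicious Executable Found" -ForegroundColor Red
      Write-Host "  $($File.FullName)" -ForegroundColor Red
      $Verdict = 1
    } else {
      # Original message read "Huntress Executable Not Found" although this
      # branch means the known-good Huntress binary WAS found.
      Write-Host "PASS: Executable Matches Known-Good Huntress Hash" -ForegroundColor Green
    }
  }
}

# --- Check 3: ransom-note evidence -----------------------------------------
Write-Host "Searching For Evidence of Encryption..."
# [datetime] casts parse with the invariant culture, so this is 2 July 2021
# regardless of the host's regional settings.
[datetime]$StartFrom = "07/02/2021 00:01 AM"
[string]$SearchString = "Your files are encrypted, and currently unavailable"

# With no agent registered, fall back to sweeping every fixed disk (DriveType 3).
if ($FoundAgentPaths.Count -eq 0) {
  $SearchPaths = Get-WmiObject -Query "SELECT * from win32_logicaldisk where DriveType = '3'" |
    Select-Object -ExpandProperty DeviceID |
    ForEach-Object { "$_\" }
} else {
  $SearchPaths = $FoundAgentPaths
}

$EncryptionEvidence = $false
foreach ($Path in $SearchPaths) {
  # -SimpleMatch: the note text is a literal string, not a regex.
  $Found = Get-ChildItem -Path $Path -Filter *readme.txt -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $StartFrom } |
    Select-String -SimpleMatch -Pattern $SearchString -ErrorAction SilentlyContinue
  if ($null -ne $Found) {
    $EncryptionEvidence = $true
    $Verdict = 3   # supersedes 1: an encrypted host is the more urgent finding
    break
  }
}

if ($EncryptionEvidence) {
  Write-Host "FAIL: Evidence of Encryption Found" -ForegroundColor Red
} else {
  Write-Host "PASS: Evidence of Encryption Not Detected" -ForegroundColor Green
}

# --- Verdict ----------------------------------------------------------------
Write-Host "Generating Results..."
switch ($Verdict) {
  3       { Write-Host "RESULT: Scan Indicates Endpoint May Be Encrypted" -ForegroundColor Red }
  0       { Write-Host "RESULT: Scan Did Not Indicate Endpoint Is Vulnerable" -ForegroundColor Green }
  default { Write-Host "RESULT: Scan Indicates Endpoint May Be Vulnerable" -ForegroundColor Red }
}

# Interactive tool: hold the console open.  The process exit code is left
# unchanged (0) so existing wrappers keep working; parse the RESULT line instead.
Read-Host -Prompt "Press Enter to exit"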