
Powershell Zero Day Check Script

a guest
Mar 5th, 2021
  1. #####################################################################
  2. # Author: #
  3. # Date: 03/03/2021 #
  4. # Desc: Parse Exchange server logs to identify any of 4 exploits    #
  5. #####################################################################
  # Start with an empty console so this run's own output is easy to read.
  Clear-Host

  # ---- Settings shared by every check below ----
  # Recipient(s) of the report; the send section iterates over this value.
  $To = "<shared mailbox to receive report"

  # Number of checks that produced at least one hit; 0 selects the "clean" mail.
  $i = 0

  # Host name placed in the mail subject.
  $server = $env:COMPUTERNAME

  # Folder that holds "Microsoft\Exchange Server\V15". Every check builds its
  # log path from this value, so it has to match the drive Exchange is
  # installed on; a wrong value makes the checks find nothing.
  $pf = "D:\Program Files"

  # Date stamp used to pick HttpProxy log files by name. AddDays(0) is today;
  # only the HttpProxy check is limited by it, so that check does not look at
  # log files from earlier days.
  $date = (Get-Date).AddDays(0).ToString("yyyyMMdd")

  # HTML table rows collected by the checks; stays $null when nothing is found.
  $RowData = $null
  10.  
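  # CVE-2021-26855: read the HttpProxy logs whose file name contains $date and
  # keep the rows that have an empty AuthenticatedUser and an AnchorMailbox
  # matching 'ServerInfo~*/*'.
  # Scope: only today's files are read (see $date), so a hit-free result says
  # nothing about earlier days.
  $CVE_26855 = $null
  $proxyLogs = @(Get-ChildItem -Recurse -Path "$pf\Microsoft\Exchange Server\V15\Logging\HttpProxy\" -Filter "*$date*.log" -ErrorAction SilentlyContinue)
  if ($proxyLogs.Count -eq 0) {
      # With no files, Import-Csv would fail on a null path and leave an empty
      # result that looks exactly like a clean scan. Say so explicitly.
      Write-Warning "CVE-2021-26855 check skipped: no HttpProxy logs matching *$date*.log under $pf"
  }
  else {
      $CVE_26855 = Import-Csv -Path $proxyLogs.FullName |
          Where-Object { $_.AuthenticatedUser -eq "" -and $_.AnchorMailbox -like 'ServerInfo~*/*' } |
          Select-Object DateTime, AnchorMailbox
  }

  if ($null -ne $CVE_26855) {
      $th1 = "<tr><th>CVE-2021-26855</th></tr>"
      $rd1 = $null
      foreach ($e in $CVE_26855) {
          # Log fields can carry text supplied by the requester; encode them so
          # they are shown as text and never interpreted as markup in the mail.
          $rd1 += "<tr><td>" + [System.Net.WebUtility]::HtmlEncode("$e") + "</td></tr>"
      }
      $RowData = $th1 + $rd1
      $i++
  }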
  14.  
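  # CVE-2021-26857: look for Error entries from the "MSExchange Unified
  # Messaging" source in the Application log whose message mentions
  # System.InvalidCastException.
  # Reset first so a value left over from an earlier run in the same session
  # is never reported when the source is absent.
  $CVE_26857 = $null

  # Query by source only when that source actually appears in the log.
  $els = (Get-EventLog -LogName Application).Source | Select-Object -Unique
  if ($els -contains "MSExchange Unified Messaging") {
      $CVE_26857 = Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error |
          Where-Object { $_.Message -like "*System.InvalidCastException*" }
  }

  if ($null -ne $CVE_26857) {
      # The first <tr> is an empty spacer row between sections of the table.
      $th2 = "<tr><th></th></tr><tr><th>CVE-2021-26857</th></tr>"
      $rd2 = $null
      foreach ($e in $CVE_26857) {
          # Interpolating the entry itself yields only its type name, so write
          # out the fields a responder needs, then HTML-encode the result
          # because the message text is not under this script's control.
          $detail = "{0:yyyy-MM-dd HH:mm:ss} EventID {1}: {2}" -f $e.TimeGenerated, $e.EventID, $e.Message
          $rd2 += "<tr><td>" + [System.Net.WebUtility]::HtmlEncode($detail) + "</td></tr>"
      }
      $RowData = $RowData + $th2 + $rd2
      $i++
  }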
  20.  
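  # CVE-2021-26858: search the OABGenerator logs for the text
  # "Download failed and temporary file".
  # findstr switches: /s include subdirectories, /n print line numbers,
  # /i ignore case, /p skip files that contain non-printable characters.
  $CVE_26858 = $null
  $oabLogDir = "$pf\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog"
  if (Test-Path -LiteralPath $oabLogDir) {
      $CVE_26858 = findstr /snip /c:"Download failed and temporary file" "$oabLogDir\*.log"
  }
  else {
      # A missing folder would otherwise look the same as "no hits".
      Write-Warning "CVE-2021-26858 check skipped: $oabLogDir not found"
  }

  if ($null -ne $CVE_26858) {
      # The first <tr> is an empty spacer row between sections of the table.
      $th3 = "<tr><th></th></tr><tr><th>CVE-2021-26858</th></tr>"
      $rd3 = $null
      foreach ($e in $CVE_26858) {
          # Each hit is a raw log line; encode it so its content is displayed
          # as text and cannot inject markup into the HTML mail.
          $rd3 += "<tr><td>" + [System.Net.WebUtility]::HtmlEncode("$e") + "</td></tr>"
      }
      $RowData = $RowData + $th3 + $rd3
      $i++
  }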
  24.  
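  # CVE-2021-27065: search the ECP server logs for lines matching the regex
  # 'Set-.+VirtualDirectory'.
  # Matches need triage by a person: the pattern selects any logged
  # Set-*VirtualDirectory call, which may include legitimate admin changes.
  $CVE_27065 = $null
  $ecpLogDir = "$pf\Microsoft\Exchange Server\V15\Logging\ECP\Server"
  if (Test-Path -LiteralPath $ecpLogDir) {
      # Plain ASCII quotes are used so the script still parses when the file
      # is saved or pasted with a different encoding.
      $CVE_27065 = Select-String -Path "$ecpLogDir\*.log" -Pattern 'Set-.+VirtualDirectory'
  }
  else {
      # A missing folder would otherwise look the same as "no hits".
      Write-Warning "CVE-2021-27065 check skipped: $ecpLogDir not found"
  }

  if ($null -ne $CVE_27065) {
      # The first <tr> is an empty spacer row between sections of the table.
      $th4 = "<tr><th></th></tr><tr><th>CVE-2021-27065</th></tr>"
      $rd4 = $null
      foreach ($e in $CVE_27065) {
          # The matched line comes straight from the log; encode it so it is
          # rendered as text in the HTML mail.
          $rd4 += "<tr><td>" + [System.Net.WebUtility]::HtmlEncode("$e") + "</td></tr>"
      }
      $RowData = $RowData + $th4 + $rd4
      $i++
  }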
  28.  
  # ---- Mail settings and the two possible report bodies ----
  # Relay that accepts the report, and the mailbox it is sent from.
  $SmtpSrvr = "<your smtp server>"
  $From = "<an existing mailbox that can send this message>"

  # "[SUBJECT]" is a marker that the send section swaps for the verdict text.
  $Sub = "[SUBJECT] $server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)"

  # Body used when no check produced a hit.
  $Bod1 = "<!DOCTYPE html><html><head></head><body>Team,<br><br>We have run the 0-Day Exploits check as suggested by Msf and found no issues!<br><br>Thank You,<br><br>Messaging</body></html>"

  # Body used when at least one check produced a hit; $RowData is expanded
  # here, so every check has to run before this line.
  # The continuation lines start at column 0 on purpose: leading spaces would
  # become part of the string.
  $Bod2 = "<!DOCTYPE html><html><head><style>table {font-family: arial, sans-serif; border-collapse: collapse; width: 100%;} td, th {text-align: left; padding: 5px;}</style></head>
<body>Team,<br><br>We have run the 0-Day Exploits check as suggested by Msf and found the following issues:<br><br>
<table>$RowData</table><br>Thank You,<br><br>Messaging</body></html>"
  36.  
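  # Send the report. With no hits ($i -eq 0) the "no exploits" notice goes
  # out; otherwise the alert with the findings table is sent. Both mails use
  # the same sender, recipients and relay, so the message is built once.
  #
  # NOTE(review): the "no issues" mail is also what goes out when a check
  # could not read its logs (wrong $pf, no files for today), because an empty
  # result is all this section sees. Read a clean report with that in mind.
  # NOTE(review): SmtpClient is used with its defaults; this script sets
  # neither EnableSsl nor credentials. Confirm the relay and network path are
  # suitable for a report that contains findings, and prefer a relay that
  # does not depend on the Exchange server being checked.
  if ($i -eq 0) {
      $Sub = $Sub.Replace("[SUBJECT]", "REPORT: No Exploits found on")
      $reportBody = $Bod1
  }
  else {
      $Sub = $Sub.Replace("[SUBJECT]", "ALERT: EXPLOITS found on")
      $reportBody = $Bod2
  }

  $message = New-Object System.Net.Mail.MailMessage
  $smtp = $null
  try {
      $message.From = $From
      $message.Sender = $From
      $message.ReplyTo = $From
      foreach ($t in $To) { $message.To.Add($t) }
      $message.IsBodyHtml = $True
      $message.Subject = $Sub
      $message.Body = $reportBody

      $smtp = New-Object Net.Mail.SmtpClient($SmtpSrvr)
      $smtp.Send($message)
  }
  finally {
      # Release the message and the SMTP connection even when Send throws.
      $message.Dispose()
      if ($null -ne $smtp) { $smtp.Dispose() }
  }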
  70.  