  1. ### This PowerShell script checks for common process that malware exploits.
  2. ### It will check how many of a certain process are running and what session they are in.
  3. ### You may need to run 'Set-ExecutionPolicy RemotedSigned' to get this to run
  4.  
  5. Write-Host ""
  6. $smss = (Get-Process -Name smss | Measure-Object).Count
  7. $smssSI = (Get-Process -Name smss).SI
  8. if ($smss -gt 1) { Write-Host -ForegroundColor Red "Check the SMSS process" } else { Write-Host -ForegroundColor Green "SMSS process is OK" }
  9. if ($smssSI -gt 1) { Write-Host -ForegroundColor Red "SMSS is not running in the correct session!" } else {Write-Host -ForegroundColor Green "SMSS Session is OK" }
  10.  
  11. Write-Host ""
  12. $csrss = (Get-Process -Name csrss | Measure-Object).Count
  13. $csrssSI = (Get-Process -Name csrss).SI
  14. if ($csrss -gt 2) { Write-Host -ForegroundColor Red "Check the CSRSS process" } else { Write-Host -ForegroundColor Green "CSRSS process is OK" }
  15. if ($csrssSI -gt 1) { Write-Host -ForegroundColor Red "CSRSS is not running in the correct session!" } else {Write-Host -ForegroundColor Green "CSRSS Session is OK" }
  16.  
  17. Write-Host ""
  18. $winlogon = (Get-Process -Name winlogon | Measure-Object).Count
  19. $winlogonSI = (Get-Process -Name winlogon).SI
  20. if ($winlogon -gt 1) { Write-Host -ForegroundColor Red "Check the Winlogon process" } else { Write-Host -ForegroundColor Green "Winlogon process is OK" }
  21. if ($winlogonSI -gt 1) { Write-Host -ForegroundColor Red "Winlogon is not running in the correct session!" } else {Write-Host -ForegroundColor Green "Winlogon Session is OK" }
  22.  
  23. Write-Host ""
  24. $wininit = (Get-Process -Name wininit | Measure-Object).Count
  25. $wininitSI = (Get-Process -Name wininit).SI
  26. if ($wininit -gt 1) { Write-Host -ForegroundColor Red "Check the Wininit process" } else { Write-Host -ForegroundColor Green "Wininit process is OK" }
  27. if ($wininitSI -gt 0) { Write-Host -ForegroundColor Red "Wininit is not running in the correct session!" } else {Write-Host -ForegroundColor Green "Wininit Session is OK" }
  28.  
  29. Write-Host ""
  30. $services = (Get-Process -Name services | Measure-Object).Count
  31. $servicesSI = (Get-Process -Name services).SI
  32. if ($services -gt 1) { Write-Host -ForegroundColor Red "Check the Services process" } else { Write-Host -ForegroundColor Green "Services process is OK" }
  33. if ($servicesSI -gt 0) { Write-Host -ForegroundColor Red "Services is not running in the correct session!" } else {Write-Host -ForegroundColor Green "Services Session is OK" }
  34.  
  35. Write-Host ""
  36. $lsass = (Get-Process -Name lsass | Measure-Object).Count
  37. $lsassSI = (Get-Process -Name lsass).SI
  38. if ($lsass -gt 1) { Write-Host -ForegroundColor Red "Check the Lsass process" } else { Write-Host -ForegroundColor Green "Lsass process is OK" }
  39. if ($lsassSI -gt 0) { Write-Host -ForegroundColor Red "Lsass is not running in the correct session!" } else {Write-Host -ForegroundColor Green "Lsass Session is OK" }
  40.  
  41. Write-Host ""
  42. $explorer = (Get-Process -Name explorer | Measure-Object).Count
  43. $explorerSI = (Get-Process -Name explorer).SI
  44. if ($explorer -gt 1) { Write-Host -ForegroundColor Red "Check the Explorer process" } else { Write-Host -ForegroundColor Green "Explorer process is OK" }
  45. if ($explorerSI -gt 1) { Write-Host -ForegroundColor Red "Explorer is not running in the correct session!" } else {Write-Host -ForegroundColor Green "Explorer Session is OK" }
  46.  
  47. #########################################
  48. ### Check OS Version and get LSM info ###
  49. #########################################
  50. Write-Host ""
  51. $os = (Get-WmiObject -class Win32_OperatingSystem).Caption
  52. if ($os -like "*Windows 7*") {
  53. $lsm = (Get-Process -Name lsm | Measure-Object).Count
  54. $lsmSI = (Get-Process -Name lsm).SI
  55. if ($lsm -gt 1) {Write-Host -ForegroundColor Red "Check the LSM process"} else {Write-Host -ForegroundColor Green "LSM process is OK" }
  56. if ($lsmSI -gt 1) {Write-Host -ForegroundColor Red "LSM is not running in the correct session!"} else {Write-Host -ForegroundColor Green "LSM Session is OK" }
  57. }
  58.  
  59. if ($os -like "*Windows 10*") {
  60. $lsmService = (Get-Service -Name lsm | Measure-Object).Count
  61. if ($lsmService -gt 1) {Write-host -ForegroundColor Red "Check the LSM service" } else {Write-host -ForegroundColor Green "LSM service is OK" }
  62. Write-Host -ForegroundColor Green "LSM Session not applicable"
  63. }
  64.  
  65. Write-Host ""
  66. $taskhost = (Get-Process -Name taskhost* | Measure-Object).Count
  67. $taskhostSI = (Get-Process -Name taskhost*).SI
  68. if ($taskhost -gt 1) { Write-Host -ForegroundColor Yellow "Warning: Check the TaskHost process" } else { Write-Host -ForegroundColor Green "TaskHost process is OK" }
  69. if ($taskhostSI -gt 1) { Write-Host -ForegroundColor Red "TaskHost is not running in the correct session!" } else {Write-Host -ForegroundColor Green "TaskHost Session is OK" }
  70.  
  71. Write-Host ""
  72. Write-Host -ForegroundColor Yellow -BackgroundColor Black "Here are the processes running under svchost.exe."
  73. Write-Host -ForegroundColor Yellow -BackgroundColor Black "-------------------------------------------------"
  74. get-wmiobject Win32_service | where {$_.Started -eq "True" -and $_.ServiceType -eq "Share Process"} | FT Name, ProcessId -AutoSize