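### This PowerShell script checks the core Windows processes that malware commonly
### masquerades as (same name, wrong parent/count/session).
### For each process it reports how many instances are running and whether any
### instance lives in a session (the "SI" column) it should not be in.
### You may need to run 'Set-ExecutionPolicy RemoteSigned' to get this to run.
### Written against Windows PowerShell 2.0+ (Get-WmiObject, Mandatory=$true form),
### so it also runs on the Windows 7 default shell; Get-WmiObject is not present
### in PowerShell 7 (pwsh).

#######################################
# Pure decision logic, kept free of system calls so it can be unit-tested.
# Arguments: $Count      - number of running instances
#            $Sessions   - session id (SI) of every instance
#            $MaxCount   - more instances than this is flagged
#            $MaxSession - an instance in a session above this is flagged
# Returns:   hashtable with boolean CountOk / SessionOk entries
#######################################
function Test-ProcessBounds {
    param(
        [Parameter(Mandatory = $true)][int]$Count,
        [int[]]$Sessions = @(),
        [int]$MaxCount = 1,
        [int]$MaxSession = 0
    )
    # Highest session seen; -1 so an empty list never trips the check.
    $highest = -1
    foreach ($s in $Sessions) {
        if ($s -gt $highest) { $highest = $s }
    }
    return @{
        CountOk   = ($Count -le $MaxCount)
        SessionOk = ($highest -le $MaxSession)
    }
}

#######################################
# Queries the live process list for one name and prints the verdict in the
# script's usual wording and colours (Green = OK, Red = investigate).
# Arguments: $Name        - argument to Get-Process (wildcards allowed, e.g. taskhost*)
#            $DisplayName - name used in the printed messages
#            $MaxCount / $MaxSession - see Test-ProcessBounds
#            $CountColor  - colour of the "too many instances" message
#            $CountPrefix - text prepended to that message (e.g. "Warning: ")
# Outputs:   two lines via Write-Host, or one Yellow line if nothing is running
#######################################
function Write-ProcessReport {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$DisplayName,
        [int]$MaxCount = 1,
        [int]$MaxSession = 0,
        [string]$CountColor = 'Red',
        [string]$CountPrefix = ''
    )
    # @() forces an array so .Count is right for 0, 1 or many matches.
    # SilentlyContinue stops a missing process from dumping an error record; the
    # original then printed "OK" for a process that does not exist at all, which
    # for smss/csrss/lsass is worth a visible warning rather than a green line.
    $procs = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) {
        Write-Host -ForegroundColor Yellow "Warning: no $DisplayName process was found"
        return
    }
    # The original compared the whole SI array with -gt, relying on PowerShell's
    # array-filter semantics; collecting the ids and taking the maximum is explicit.
    $sessions = @($procs | ForEach-Object { [int]$_.SI })
    $verdict = Test-ProcessBounds -Count $procs.Count -Sessions $sessions `
        -MaxCount $MaxCount -MaxSession $MaxSession
    if ($verdict.CountOk) {
        Write-Host -ForegroundColor Green "$DisplayName process is OK"
    } else {
        Write-Host -ForegroundColor $CountColor "${CountPrefix}Check the $DisplayName process"
    }
    if ($verdict.SessionOk) {
        Write-Host -ForegroundColor Green "$DisplayName Session is OK"
    } else {
        Write-Host -ForegroundColor Red "$DisplayName is not running in the correct session!"
    }
}

# Expected bounds per process. MaxSession 0 = must live in session 0 (the
# non-interactive services session); MaxSession 1 = sessions 0 and 1 accepted.
# The session-1 limit is the original author's single-console assumption: a host
# serving several RDP sessions legitimately runs csrss/winlogon in higher sessions
# and will be flagged here.
$coreProcesses = @(
    # Session Manager lives in session 0; the original allowed session 1.
    @{ Name = 'smss';     DisplayName = 'SMSS';     MaxCount = 1; MaxSession = 0 },
    # One csrss per session, so two (session 0 + console) is the normal maximum.
    @{ Name = 'csrss';    DisplayName = 'CSRSS';    MaxCount = 2; MaxSession = 1 },
    @{ Name = 'winlogon'; DisplayName = 'Winlogon'; MaxCount = 1; MaxSession = 1 },
    @{ Name = 'wininit';  DisplayName = 'Wininit';  MaxCount = 1; MaxSession = 0 },
    @{ Name = 'services'; DisplayName = 'Services'; MaxCount = 1; MaxSession = 0 },
    @{ Name = 'lsass';    DisplayName = 'Lsass';    MaxCount = 1; MaxSession = 0 },
    @{ Name = 'explorer'; DisplayName = 'Explorer'; MaxCount = 1; MaxSession = 1 }
)
foreach ($p in $coreProcesses) {
    Write-Host ""
    Write-ProcessReport @p
}

#########################################
### Check OS Version and get LSM info ###
#########################################
Write-Host ""
# WMI's Version string (6.1.x = Windows 7 / 2008 R2) is not subject to the
# compatibility shim that makes [Environment]::OSVersion report 6.2 on newer
# releases. The original matched only the captions "Windows 7" and "Windows 10",
# so Windows 8/8.1 and Server builds got no LSM check at all.
$osVersion = [version](Get-WmiObject -Class Win32_OperatingSystem).Version
if ($osVersion -lt [version]'6.2') {
    # Vista / 7 / 2008 R2: LSM is a standalone lsm.exe process.
    Write-ProcessReport -Name 'lsm' -DisplayName 'LSM' -MaxCount 1 -MaxSession 1
} else {
    # Windows 8 and later host LSM inside svchost, so only the service is visible.
    # The original counted Get-Service results and compared with -gt 1, which can
    # never be true for a single named service; check presence and state instead.
    $lsmService = Get-Service -Name lsm -ErrorAction SilentlyContinue
    if ($lsmService -eq $null -or $lsmService.Status -ne 'Running') {
        Write-Host -ForegroundColor Red "Check the LSM service"
    } else {
        Write-Host -ForegroundColor Green "LSM service is OK"
    }
    Write-Host -ForegroundColor Green "LSM Session not applicable"
}

Write-Host ""
# The task host executable is named differently across Windows releases; the
# wildcard covers all of them. Several instances are normal when more than one
# user is logged on, hence Yellow rather than Red for the count.
Write-ProcessReport -Name 'taskhost*' -DisplayName 'TaskHost' -MaxCount 1 -MaxSession 1 `
    -CountColor Yellow -CountPrefix 'Warning: '

Write-Host ""
Write-Host -ForegroundColor Yellow -BackgroundColor Black "Here are the processes running under svchost.exe."
Write-Host -ForegroundColor Yellow -BackgroundColor Black "-------------------------------------------------"
# "Share Process" services are the ones hosted in a shared svchost.exe. Sorting
# by ProcessId groups the services that live in the same host together.
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.Started -eq $true -and $_.ServiceType -eq 'Share Process' } |
    Sort-Object ProcessId |
    Format-Table Name, ProcessId -AutoSize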