hunt_hidden_tasks.ps1
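# Reads the "Actions" value of the task with the given Id from
# TaskCache\Tasks\<Id> and returns it decoded as UTF-16LE text.
# Arguments: $taskid - the GUID string stored in the Tree entry's "Id" value
# Returns:   the decoded string, or $null when the key or value cannot be read
#            (e.g. the Tasks entry is missing or the session is not elevated).
# NOTE(review): the value looks like a binary structure rather than a plain
# string, so the decoded output will contain non-printable characters around
# the readable action text; treat it as a visual aid, not as parseable data.
function Get-TaskActions($taskid)
{
    $taskKeyPath = "REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\$taskid"
    $taskactions = Get-ItemPropertyValue -Path $taskKeyPath -Name "Actions"
    # Without this guard, a missing value makes GetString throw on a null
    # argument instead of producing a readable "no data" result.
    if ($null -eq $taskactions)
    {
        return $null
    }
    return [System.Text.Encoding]::Unicode.GetString($taskactions)
}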
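# Walks every entry under TaskCache\Tree and reports tasks whose security
# descriptor ("SD" value) is missing, empty, undecodable, or excludes/denies
# SYSTEM or Administrators. Reportedly a task whose SD value has been removed
# is no longer returned by the Task Scheduler service, which is the hiding
# technique this hunt targets; the other checks catch related tampering.
# Reading these TaskCache keys normally requires an elevated session.
# NOTE(review): only Tree entries are enumerated; a Tasks\<GUID> entry with no
# corresponding Tree key would not be visited by this loop.

# Prints one finding: the reason, the Tree key path, the owner/group of the
# decoded security descriptor when one is supplied, and the decoded Actions.
# Arguments: $Reason  - human-readable reason line
#            $TaskKey - RegistryKey for the task's Tree entry
#            $SecDesc - decoded Win32_SecurityDescriptor, or $null
function Write-SuspiciousTask
{
    param(
        [string]$Reason,
        $TaskKey,
        $SecDesc = $null
    )
    Write-Host $Reason
    Write-Host "taskpath: $TaskKey"
    if ($null -ne $SecDesc)
    {
        Write-Host "Security Descriptor Owner: " $SecDesc.Owner.Name
        Write-Host "Security Descriptor Group: " $SecDesc.Group.Name
    }
    Write-Host "Task Action: "
    Get-TaskActions $TaskKey.GetValue("Id")
    Write-Host "------------------------------------------------------------------"
}

$tasks = Get-ChildItem -Path "REGISTRY::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\" -Recurse
# Set after the enumeration so a failure to read the Tree key is still shown.
# Straight quotes replace the typographic quotes of the original, which older
# PowerShell versions do not accept as string delimiters.
$ErrorActionPreference = "SilentlyContinue"
foreach ($task in $tasks)
{
    # One Get-Item per task instead of one per value read.
    $key = Get-Item -Path "REGISTRY::\$task"
    # Keys without an Id are skipped (presumably task folders rather than tasks).
    if ($null -eq $key.GetValue("Id"))
    {
        continue
    }
    $sd = $key.GetValue("SD")
    if ($null -eq $sd)
    {
        Write-SuspiciousTask "suspicious task found - missing SD value" $key
    }
    elseif ($sd.Length -eq 0)
    {
        Write-SuspiciousTask "suspicious task found - zero length SD value" $key
    }
    else
    {
        $secDesc = ([WMIClass]"Win32_SecurityDescriptorHelper").BinarySDToWin32SD($sd).Descriptor
        # A failed decode (null descriptor) is reported as invalid data rather
        # than silently dereferencing $null below.
        if (($null -eq $secDesc) -or (($secDesc.Owner.Length -eq 0) -and ($secDesc.Group.Length -eq 0)))
        {
            Write-SuspiciousTask "suspicious task located: invalid SDDL data in SD value" $key
        }
        elseif ($secDesc.DACL.Trustee.Name -notcontains "SYSTEM")
        {
            # Owner/group are printed here via $secDesc.Owner/.Group; the
            # original read $secDesc.Descriptor.*, which does not exist on the
            # already-unwrapped descriptor and printed blank lines.
            Write-SuspiciousTask "suspicious task located: SYSTEM not listed in DACL" $key $secDesc
        }
        else
        {
            foreach ($ace in $secDesc.DACL)
            {
                # AceType 1 is an access-denied ACE in Win32_ACE.
                if ((($ace.Trustee.Name -eq "SYSTEM") -or ($ace.Trustee.Name -eq "Administrators")) -and ($ace.AceType -eq 1))
                {
                    Write-SuspiciousTask "suspicious task located: SYSTEM or Administrators explicity denied in DACL" $key $secDesc
                }
            }
        }
    }
}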