An open-source and easy-to-use PowerShell script to automate indicator of compromise (IOC) scanning on Windows machines. It checks for the following IOCs: File Paths, File Hashes, IP Addresses, and Domains. Users will need to specify a JSON file containing the IOCs (see files within the IOCs directory for reference) and run the script.
To run the script, specify the JSON file location with the -IOCFilePath option, for example:
.\buck.ps1 -IOCFilePath .\IOCs\BackdoorDiplomacy.json
The script uses only built-in PowerShell cmdlets (Test-Path, Get-FileHash, Get-NetTCPConnection, Get-DnsClientCache, Resolve-DnsName, Compare-Object); no module import is needed.
The script runs Test-Path to check whether a file exists at the specified path. This detection checks for the existence of complete file path IOCs (e.g., c:\programdata\microsoft\diagnosis\etllogs\vmnat.exe); a partial path or a filename alone will not match.
The script captures file hashes with the Get-FileHash cmdlet and supports the MD5, SHA1, SHA256, SHA384, and SHA512 algorithms.
The Get-NetTCPConnection cmdlet is used to collect the remote addresses of TCP connections. A regular expression (regex) removes loopback (127.0.0.0/8) and private (RFC 1918) addresses so that only external addresses are compared against the IOC list.
Please note that this is a point-in-time scan: connections that were closed before the script ran, or opened after it, are missed. For that reason no connection state filter is applied (Established, TimeWait, CloseWait, etc. are all kept) in order to capture as many remote addresses as possible.
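The following is an added example of the remote-address check described above; it is not the project's own code. The IP IOC list is constructed (TEST-NET addresses) and the regex is one reasonable way to exclude loopback, RFC 1918, link-local and IPv6 local addresses:

```powershell
# Added example, not buck.ps1. Constructed IOC list using RFC 5737 TEST-NET addresses.
$ipIocs = @('203.0.113.10', '198.51.100.25')

# Addresses to discard: unspecified, loopback, RFC 1918, link-local, IPv6 ::/::1/fe80::.
$privateRegex = '^(0\.0\.0\.0|127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|169\.254\.|::1?$|fe80:)'

# No -State filter on purpose: a point-in-time scan already misses short-lived
# connections, so every state is kept to maximise the number of remote addresses seen.
$remote = @(Get-NetTCPConnection |
    Select-Object -ExpandProperty RemoteAddress |
    Where-Object { $_ -and $_ -notmatch $privateRegex } |
    Sort-Object -Unique)

Write-Host "Captured external remote addresses:" -ForegroundColor Cyan
$remote | ForEach-Object { Write-Host "  $_" }

# Compare-Object fails on an empty DifferenceObject, so guard that case first.
$hits = @()
if ($remote.Count -gt 0) {
    $hits = @(Compare-Object -ReferenceObject $ipIocs -DifferenceObject $remote `
                -IncludeEqual -ExcludeDifferent |
              Select-Object -ExpandProperty InputObject)
}

if ($hits.Count -gt 0) {
    $hits | ForEach-Object { Write-Host "IP address IOC found: $_" -ForegroundColor Red }
} else {
    Write-Host 'No IP address IOC found.' -ForegroundColor Green
}
```

Run it in an elevated PowerShell session on the host being checked. Because Get-NetTCPConnection only reports TCP, UDP peers (for example DNS over UDP to an attacker-controlled resolver) are not seen by this check.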
To detect external domain IOCs, the script consolidates domain entries from three sources: Windows DNS Client Event ID 3008 (Microsoft-Windows-DNS-Client/Operational log), the DNS Client cache (Get-DnsClientCache), and reverse DNS lookups (Resolve-DnsName) of the remote addresses returned by Get-NetTCPConnection.
This is also a point-in-time detection and can likewise miss domain entries: the cache only holds records until their TTL expires, and a reverse lookup only succeeds if a PTR record exists. Furthermore, the Windows DNS Client operational event log is disabled by default; if it is not enabled, fewer domain entries can be captured by the script.
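The following is an added example of consolidating domains from the three sources above; it is not the project's own code. The domain IOC list is constructed, the assumption that the queried name is the first event-data field of Event ID 3008 is noted in a comment, and the sample uses a hard-coded remote address list where the real script would feed in its Get-NetTCPConnection results:

```powershell
# Added example, not buck.ps1. Constructed IOC list.
$domainIocs = @('update.example.net', 'cdn.example.org')

# Remote addresses to reverse-resolve; the real script takes these from
# Get-NetTCPConnection. Constructed here so the example is self-contained.
$remoteAddresses = @('203.0.113.10', '198.51.100.25')

$domains = [System.Collections.Generic.List[string]]::new()

# Source 1: DNS Client operational log, Event ID 3008 (query completed).
# Disabled by default; enable with:
#   wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true
# Assumption: the queried name is the first event-data field (QueryName).
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DNS-Client/Operational'; Id = 3008 } -ErrorAction Stop |
        ForEach-Object { $domains.Add([string]$_.Properties[0].Value) }
} catch {
    Write-Warning "DNS Client operational log unavailable or empty: $($_.Exception.Message)"
}

# Source 2: resolver cache. Entry is the name that was queried; Name can differ
# when the answer came via a CNAME, so both are kept.
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Entry) { $domains.Add($_.Entry) }
    if ($_.Name)  { $domains.Add($_.Name) }
}

# Source 3: PTR lookups of the remote addresses. Note these queries go to the
# configured resolver, so run this on a host where that is acceptable.
foreach ($ip in $remoteAddresses) {
    Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue |
        Where-Object { $_.NameHost } |
        ForEach-Object { $domains.Add($_.NameHost) }
}

# Normalise: lower-case, strip the trailing dot PTR answers carry, de-duplicate.
$consolidated = $domains |
    ForEach-Object { $_.Trim().TrimEnd('.').ToLowerInvariant() } |
    Where-Object { $_ } |
    Sort-Object -Unique

Write-Host "Consolidated domain entries ($($consolidated.Count)):" -ForegroundColor Cyan
$consolidated | ForEach-Object { Write-Host "  $_" }

# Match the IOC itself or any subdomain of it (evil.example.net matches example.net).
$hits = foreach ($d in $consolidated) {
    foreach ($ioc in $domainIocs) {
        $i = $ioc.ToLowerInvariant()
        if ($d -eq $i -or $d.EndsWith(".$i")) { "$d (IOC: $ioc)" }
    }
}

if ($hits) {
    $hits | ForEach-Object { Write-Host "Domain IOC found: $_" -ForegroundColor Red }
} else {
    Write-Host 'No domain IOC found.' -ForegroundColor Green
}
```

The subdomain match is a deliberate widening over an exact string comparison; drop the EndsWith clause if an IOC feed lists only fully qualified hostnames and exact matching is wanted.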
The script uses JSON files for its IOC feeds. You can refer to the files in the IOC directory for the format. The JSON file can also include additional information about the threat actor, such as its description, MITRE ID, etc. This will not affect the script's functionality.
For the file hash IOCs, you can specify a directory and a list of file extensions to make the search efficient. If no directory is specified, the script will recursively hash every file on the C: drive, which is slow. If no extension is included, files of every extension are hashed.
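The following is an added example of the file path and file hash checks, not the project's own code. The IOC feed is constructed inline; the JSON field names (FilePaths, FileHashes, HashAlgorithm, Directory, Extensions) are assumptions for illustration and are not the schema of the repository's IOC files, and the hash value is a placeholder that will not match a real file:

```powershell
# Added example, not buck.ps1. Constructed IOC feed; field names are assumed, not
# the project's schema. The hash is a placeholder, not a real malware hash.
$iocJson = @'
{
  "FilePaths":     ["C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\vmnat.exe"],
  "FileHashes":    ["0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"],
  "HashAlgorithm": "SHA256",
  "Directory":     "C:\\ProgramData",
  "Extensions":    [".exe", ".dll"]
}
'@
$ioc = $iocJson | ConvertFrom-Json   # the real script would Get-Content -Raw the -IOCFilePath file

# --- File path IOCs -------------------------------------------------------
# -LiteralPath stops Test-Path from treating [ ] in a path as wildcards.
foreach ($p in $ioc.FilePaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        Write-Host "File path IOC found: $p" -ForegroundColor Red
    } else {
        Write-Host "Not present: $p" -ForegroundColor Green
    }
}

# --- File hash IOCs -------------------------------------------------------
$root = if ($ioc.Directory)     { $ioc.Directory }     else { 'C:\' }
$exts = if ($ioc.Extensions)    { @($ioc.Extensions) } else { $null }   # $null = every extension
$algo = if ($ioc.HashAlgorithm) { $ioc.HashAlgorithm } else { 'SHA256' }

# Hash set for O(1) lookups; Get-FileHash returns upper-case hex.
$wanted = @{}
foreach ($h in $ioc.FileHashes) { $wanted[$h.ToUpperInvariant()] = $true }

$files = @(Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue)
if ($exts) {
    # .Extension includes the leading dot; -contains compares case-insensitively.
    $files = @($files | Where-Object { $exts -contains $_.Extension })
}

$total = $files.Count
$i = 0
$found = 0
foreach ($f in $files) {
    $i++
    if ($i % 50 -eq 0 -or $i -eq $total) {
        Write-Progress -Activity "Hashing files ($algo)" `
                       -Status "$i / $total  $($f.DirectoryName)" `
                       -PercentComplete ([int](100 * $i / $total))
    }
    # Locked or unreadable files (page files, running executables) are skipped.
    $hash = Get-FileHash -LiteralPath $f.FullName -Algorithm $algo -ErrorAction SilentlyContinue
    if ($hash -and $wanted.ContainsKey($hash.Hash)) {
        $found++
        Write-Host "File hash IOC found: $($hash.Hash) $($f.FullName)" -ForegroundColor Red
    }
}
Write-Progress -Activity "Hashing files ($algo)" -Completed

if ($found -eq 0) { Write-Host "No file hash IOC found under $root ($total files checked)." -ForegroundColor Green }
```

Run it elevated so that Get-ChildItem can descend into protected directories; files it still cannot read are silently skipped rather than aborting the scan, which is the behaviour you want on a live host but also means a hit can be missed if the malicious file is held open exclusively.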
I have added JSON IOC files in this repository for others to use -- most are from the ESET research team (hats off to these guys).
The script divides the console output per IOC type and highlights, in red, any IOC it finds.
For file path IOCs it first checks whether the directory is present. If the directory (path) is present, it displays the path in yellow. The script then checks whether the files exist within the given path; if one matches an IOC, it highlights it. Otherwise, it simply states that no file IOC was found in the directory.
The script displays the remote addresses captured with the Get-NetTCPConnection cmdlet. It uses the Compare-Object cmdlet to check whether an address matches an IOC, and any match is highlighted at the end.
As previously stated, the script displays the consolidated domain entries from the three sources. If no IOC matches, the script states so in green text.
For the file hash check, a progress bar shows the number of processed files and the current directory. To make the search more efficient, it is recommended to specify a directory and/or file extensions in the IOC file.
When a file hash IOC matches, it returns the hash and the full path location.
- Parse Windows Defender Firewall logs to capture remote addresses that a point-in-time Get-NetTCPConnection scan misses.