Test-PowerWormInfection.ps1
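function Test-PowerWormInfection
{
<#
.SYNOPSIS
Detects the presence of a Power Worm infection.
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
.DESCRIPTION
Test-PowerWormInfection will alert you if it detects any file or registry
artifacts left behind by Power Worm. You can also optionally remove
Power Worm artifacts from an infected system.

Every artifact is keyed on the machine UUID reported by
Win32_ComputerSystemProduct: a drop directory %APPDATA%\<UUID> and three
HKCU registry values named <UUID>, <UUID>0 and <UUID>1.
.PARAMETER Remove
Deletes Power Worm file and registry artifacts if they are present.
Because the function declares SupportsShouldProcess, -WhatIf and -Confirm
propagate to the Remove-Item / Remove-ItemProperty calls.
.EXAMPLE
Test-PowerWormInfection
.EXAMPLE
Test-PowerWormInfection -Remove
.OUTPUTS
Without -Remove: a PSObject with a boolean 'Infected' property.
With -Remove: nothing on the output stream (progress goes to Verbose/Warning).
.NOTES
Test-PowerWormInfection does not remove malicious macros from Office
documents. To remove macros from Office documents, use the Get-ExcelMacro
and Get-WordMacro functions with the '-Remove' switch.
.LINK
http://www.exploit-monday.com/2014/04/powerworm-analysis.html
#>
    [CmdletBinding(SupportsShouldProcess=$True, ConfirmImpact='High')]
    Param ([Switch] $Remove)

    $MachineGuid = (Get-WmiObject Win32_ComputerSystemProduct).UUID

    # Without the UUID every artifact name below degenerates ('' , '0', '1'),
    # and under -Remove that could target unrelated registry values. Stop early.
    if (-not $MachineGuid)
    {
        throw 'Unable to read the machine UUID from Win32_ComputerSystemProduct; cannot derive Power Worm artifact names.'
    }

    $DownloadedToolsPath = Join-Path $Env:APPDATA $MachineGuid
    $DownloadedToolsDir = $null

    Write-Verbose 'Testing for Power Worm file artifacts...'

    if (Test-Path -LiteralPath $DownloadedToolsPath)
    {
        Write-Warning 'Power Worm may have executed based upon the existence of the following path:'
        Write-Warning $DownloadedToolsPath

        # Fetch the directory entry itself so its attributes can be reset before
        # removal. The enumeration must be narrowed to the UUID-named entry:
        # -Attributes alone matches every hidden+system+not-content-indexed
        # directory under %APPDATA%, which -Remove would then delete.
        $DownloadedToolsDir = Get-ChildItem -LiteralPath (Split-Path -Parent $DownloadedToolsPath) `
            -Attributes D+H+S+NotContentIndexed -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq $MachineGuid }
    }

    # -Force so that hidden/system files inside the drop directory are listed.
    $Files = Get-ChildItem -Force -LiteralPath $DownloadedToolsPath -ErrorAction SilentlyContinue

    if ($Files)
    {
        Write-Warning 'The following files should be deleted:'

        foreach ($File in $Files)
        {
            Write-Warning $File.FullName
        }
    }

    Write-Verbose 'Testing for Power Worm registry artifacts...'

    # The same splatted hashtables drive both the lookup and the removal so the
    # two code paths can never drift apart.
    $Payload1Properties = @{
        Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        Name = $MachineGuid
        ErrorAction = 'SilentlyContinue'
    }

    $Payload2Properties = @{
        Path = 'HKCU:\Software\Microsoft'
        Name = ($MachineGuid + '0')
        ErrorAction = 'SilentlyContinue'
    }

    $Payload3Properties = @{
        Path = 'HKCU:\Software\Microsoft'
        Name = ($MachineGuid + '1')
        ErrorAction = 'SilentlyContinue'
    }

    $Payload1 = Get-ItemProperty @Payload1Properties
    $Payload2 = Get-ItemProperty @Payload2Properties
    $Payload3 = Get-ItemProperty @Payload3Properties

    if ($Payload1)
    {
        Write-Warning "A Power Worm payload was found in $($Payload1Properties['Path']) -> $($Payload1Properties.Name)"
    }

    if ($Payload2)
    {
        Write-Warning "A Power Worm payload was found in $($Payload2Properties['Path']) -> $($Payload2Properties.Name)"
    }

    if ($Payload3)
    {
        Write-Warning "A Power Worm payload was found in $($Payload3Properties['Path']) -> $($Payload3Properties.Name)"
    }

    if (-not $Remove)
    {
        # If there are any Power Worm artifacts, then you are most likely infected
        $Infected = [Bool] ($DownloadedToolsDir -or $Files -or $Payload1 -or $Payload2 -or $Payload3)

        New-Object PSObject -Property @{ Infected = $Infected }
    }
    else
    {
        if ($Files -or $DownloadedToolsDir)
        {
            Write-Verbose 'Removing discovered Power Worm file artifacts...'

            if ($Files)
            {
                # -Force: the dropped files were enumerated with -Force and may be
                # hidden/read-only, which Remove-Item refuses to delete otherwise.
                $Files | Remove-Item -Force
            }

            if ($DownloadedToolsDir)
            {
                # Iterate rather than assign on the collection directly so the
                # attribute reset works whether one or several entries came back.
                foreach ($Dir in $DownloadedToolsDir)
                {
                    # Restore normal directory attributes
                    $Dir.Attributes = 'Directory'
                    $Dir | Remove-Item
                }
            }
        }

        if ($Payload1 -or $Payload2 -or $Payload3)
        {
            Write-Verbose 'Removing discovered Power Worm registry artifacts...'

            if ($Payload1) { Remove-ItemProperty @Payload1Properties }
            if ($Payload2) { Remove-ItemProperty @Payload2Properties }
            if ($Payload3) { Remove-ItemProperty @Payload3Properties }
        }

        Write-Verbose 'Power Worm artifacts removed. Office documents may remain infected though.'
    }
}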