Powershell Workflow Example - Malware Process Detection - Check for Unsigned Process
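# Detect-UnsignedProcesses: list running processes whose on-disk image does not carry a
# 'Valid' Authenticode signature, on one or more hosts in parallel.
#
# Requires Windows PowerShell (workflows are not available in PowerShell 7+).
# Remote hosts are reached through PowerShell remoting (WinRM), so the caller must be
# able to Invoke-Command on them; 'localhost', '.' and the local computer name are
# scanned in-process without WinRM, as the original Get-WmiObject -ComputerName call did.
#
# Parameters:
#   ComputerName  Hosts to scan. Defaults to @("localhost") when empty or omitted.
#
# Output: one text line per host, followed by "Name (PID n) - Path [SignatureStatus]"
#   lines for each flagged process.
#
# Caveats for anyone using this as a detection:
#   * Only the image file on disk is verified. A process whose memory was tampered with
#     (injection, hollowing) while its image file is validly signed is NOT flagged, and
#     processes that expose no ExecutablePath (access denied, System, etc.) are skipped.
#   * Every status other than 'Valid' is reported (NotSigned, HashMismatch, NotTrusted,
#     UnknownError), so read the status column before calling something "unsigned".
workflow Detect-UnsignedProcesses {
    param (
        [string[]]$ComputerName
    )
    if (-not $ComputerName) {
        $ComputerName = @("localhost")
    }
    foreach -parallel ($computer in $ComputerName) {
        $unsignedProcesses = InlineScript {
            $target = $using:computer
            # The scan must execute ON the target: Get-AuthenticodeSignature reads a local
            # file, so checking a remote ExecutablePath from here would verify whatever
            # happens to sit at that path on the workflow host (or nothing at all) and
            # never the remote binary. The original version had exactly that defect.
            $scan = {
                Get-WmiObject Win32_Process | ForEach-Object {
                    $path = $_.ExecutablePath
                    if ($path) {
                        $signature = Get-AuthenticodeSignature -FilePath $path
                        if ($signature.Status -ne 'Valid') {
                            # Plain properties only, so the result survives serialization
                            # across the remoting and InlineScript boundaries.
                            [pscustomobject]@{
                                Name           = $_.Name
                                ProcessId      = $_.ProcessId
                                ExecutablePath = $path
                                Status         = [string]$signature.Status
                            }
                        }
                    }
                }
            }
            if ($target -in @('localhost', '.', $env:COMPUTERNAME)) {
                @(& $scan)
            } else {
                @(Invoke-Command -ComputerName $target -ScriptBlock $scan)
            }
        }
        InlineScript {
            # Wrap in @() so a single result or $null still yields a usable .Count.
            $found = @($using:unsignedProcesses)
            if ($found.Count -gt 0) {
                Write-Output ("Unsigned processes found on {0}:" -f $using:computer)
                $found | ForEach-Object {
                    Write-Output "$($_.Name) (PID $($_.ProcessId)) - $($_.ExecutablePath) [$($_.Status)]"
                }
            } else {
                Write-Output ("No unsigned processes found on {0}:" -f $using:computer)
            }
        }
    }
}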
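# Now run it against real host names. Note the array literal @( ... ): the original
# gist used @{ ... }, which is hashtable syntax and does not parse without key=value
# pairs, so the call never ran as written.
Detect-UnsignedProcesses -ComputerName @("win1", "win2")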
# Another example, adapted from the Microsoft workflow documentation: a minimal
# workflow that does nothing but dump the process list.
# Step 1: Create the workflow
workflow Test-Workflow {
    Get-Process
}
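# Step 2: find the workflows in modules installed on your computer
Get-Command -CommandType Workflow
# Step 3: Start an elevated PowerShell. This opens a NEW window; steps 4 onward have
# to be run in that elevated window, not in the one that launched it.
Start-Process PowerShell -Verb RunAs
# Step 4: Enable PS Remoting.
# Security note: this starts the WinRM service, registers an HTTP listener and adds
# firewall exceptions for it (per the cmdlet docs it refuses on a Public network
# profile unless -SkipNetworkProfileCheck is passed). Only do this on hosts where
# remote administration is intended; for production prefer an HTTPS listener and a
# firewall rule scoped to the management network.
Enable-PSRemoting -Force
# Step 5: Create a workflow session on the local computer
$ws = New-PSWorkflowSession
# Step 6: Run the workflow in the workflow session.
# Test-Workflow was defined in the caller's session, not inside $ws, so this may
# report the command as not recognized (see the next example).
Invoke-Command -Session $ws {Test-Workflow}
# Tear the session down before opening another; the original re-assigned $ws three
# times and left the earlier sessions open.
Remove-PSSession $ws
# if you get an error where the cmdlet is not recognized, you can define it inside the
# script block you're passing like this:
$ws = New-PSWorkflowSession
Invoke-Command -Session $ws {
    workflow Test-Workflow {
        Get-Process
    }
    Test-Workflow
}
Remove-PSSession $ws
# or if you need to reuse this workflow in multiple commands, you can define it once
# in the workflow session
$ws = New-PSWorkflowSession
Invoke-Command -Session $ws {
    workflow Test-Workflow {
        Get-Process
    }
}
# Now you can run the workflow in the same session without redefining it:
Invoke-Command -Session $ws { Test-Workflow }
# Clean up once done with the session.
Remove-PSSession $ws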