@r00t-3xp10it
Last active August 26, 2024 07:04
identify possible ams1 detection strings in files
<#
.SYNOPSIS
Identify possible ams1 strings inside scripts
Author: @r00t-3xp10it
Tested Under: Windows 10 (19044) x64 bits
Required Dependencies: none
Optional Dependencies: none
PS cmdlet Dev version: v2.2.18
.DESCRIPTION
This cmdlet was written to detect suspicious ams1 strings in .ps1 or .psm1
scripts, helping developers identify which line of the script the malicious
string is in and take the necessary steps to prevent further detections.
.NOTES
When scanning, it is advised to disable Windows Defender Real-Time Protection.
All the strings contained in this script were found on different web forums,
from Microsoft's official ams1 documentation to free open sources. This
script will not make any heuristic or memory scans, just a string search.
This project detects suspicious strings and large $variable names, and counts
the number of special characters present inside the script compared with the
number of script lines; then the cmdlet does the math [is_suspicious_?]
.Parameter FileToScan
Script to scan full path
.Parameter LogFile
Switch that creates report logfile
.Parameter RateHigh
Switch to only display 'rate High' results
.EXAMPLE
PS C:\> .\identify_offencive_tools.ps1 -filetoscan "$pwd\evil.ps1"
.EXAMPLE
PS C:\> .\identify_offencive_tools.ps1 -filetoscan "$pwd\evil.ps1" -logfile
.EXAMPLE
PS C:\> .\identify_offencive_tools.ps1 -filetoscan "$pwd\evil.ps1" -ratehigh
.INPUTS
None. You cannot pipe objects into identify_offencive_tools.ps1
.OUTPUTS
👁‍🗨 Detecting [ams1] malicious strings 👁‍🗨
File information
Total lines : 4183
File size : 277107
Current Time : 26/12/2023 04:15:54
Last access : 26/12/2023 04:15:51
File hash : 0E2044C484CD29FE8E16E15E4CD2D3765703BF7E042239D01E0C5C1B29DC6079
File to scan : C:\Users\pedro\Coding\meterpeter\meterpeter.ps1
🍳 Scanning file ..
Token : 1
DetectionRate : Critical
MaliciousString : IE`X
LineNumber : 4407
Token : 2
DetectionRate : Critical
MaliciousString : powershell -vers`ion 2
LineNumber : 3622 3632 3637 3654 3658 3664
Token : 3
DetectionRate : Critical
MaliciousString : ru`nas
LineNumber : 385 465 542 546 672 676 3343 3363 3458 3916
Token : 4
DetectionRate : Medium
MaliciousString : while($true)
LineNumber : 794 978 3103
🍳 File scanning report
=====================================================================================
Tokens found : 4
Urgent attention : 3
File total lines : 4183
Special characters : 9356 [`+&'] MaxAllowed:[7395]
Scan elapsed time : 00:02:06 ⏱️ 29 Friday 2023
File scanned : C:\Users\pedro\Coding\meterpeter\meterpeter.ps1
⚙️ recommendation
It is advised to obfuscate all high-rate results found [3]
because System.Management.Automation.Amsi contains entry
http://bit.ly/System_Management_Automation_Engine_Runtime
⚙️ recommendation
It is advised to reduce the number of special characters
inside file like [`+&'] that reveal to forensics that
we are dealing with a heavily obfuscated file\script
URL:http://bit.ly/malicious-powershell-usage-detection
=====================================================================================
.LINK
https://github.com/r00t-3xp10it/redpill
http://bit.ly/malicious-powershell-usage-detection
http://bit.ly/System_Management_Automation_Engine_Runtime
https://docs.velociraptor.app/exchange/artifacts/pages/powershellmonitoring
https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
#>
[CmdletBinding(PositionalBinding=$false)] param(
[string]$FileToScan="$pwd\identify_offensive_tools.ps1",
[switch]$RateHigh,
[switch]$LogFile
)
$TotalTokens = "321"
## Global variable declarations
$ErrorActionPreference = "SilentlyContinue"
$host.UI.RawUI.WindowTitle = "Identify_Offensive_Tools (IOT)"
write-host "👁‍🗨 Detecting [ams1] malicious strings 👁‍🗨`n" -ForegroundColor Green
$ScriptSize = (Get-Content -Path "$FileToScan"|Measure-Object -Line).Lines
$MaliciousKeywordsList = @(
"I@E'X",
"-e@n'c",
"-n'o@p",
"am@si",
"vi'r@us",
"key@log",
"tr@ojan",
"t@r'y'{",
"cm'd /@c",
"mal@ware",
"payl@oad",
"-b@x'o@r",
"revsh@ell",
"mimi@katz",
"t'r@y '{'",
"am@si.dl'l",
"hashd@ump",
"Ad@d-Ty'pe",
"phi@sh@ing",
"-@enc@od'ed",
"DllI@mport",
"obfu@sca@te",
"imp@ers@onate",
"rever@sesh@ell",
"Exc@lus'ion@Path",
"reve@rse sh@ell",
"re@verse-she@ll",
"s@y'st@'emi@n'f@o",
"Ams@iSca'n@Bu'ff@er",
"in@vok'e-mim@ik'atz",
"-e@nco@de'dcom@ma'nd",
"Excl'us@ionP@roc'ess",
"In@vo'ke-Exp@ress'ion",
"la@z'ag@ne.e'x'@e a'l@l",
":@:A'd@m'ini@s'tr@a'to@r",
"re@d team@ing",
"ams@iu'ti@ls",
"ams'iIn@itFa'il@ed",
"keys@troke",
"buff@er ove@rflow",
"bru@tefo@rce",
"redte@am",
"red te@am",
"she@llcode",
"file@less",
"prive@sc",
"esca@late pri@vileges",
"passwo@rd guess@ing",
"gue@ss log@in",
"crede@ntial du@mp",
"passw@ord spr@aying",
"passwo@rd spr@ay",
"clea@rte@xt pas@swo'rds",
"rem@ote execut@ion",
"cre@ds du@mp",
"cre@denti@als du@mp",
"pass th@e ha@sh",
"pa@ss-the-h@ash",
"gol@den tic@ket",
"dump@ing the lsa@ss",
"dumpi@ng lsa@ss",
"du@mp ls'as@s",
"cache@d crede@n'tials",
"l@s'a secr@ets",
"cry@pt'o:@:sc'a@u't@h",
"impe'rso@nat@ing user",
"imper@so'nate us@er",
"im@pa'ck@et",
"ls@as's du@mp",
"pro@cdu@m'p",
"obfu@scated",
"obfu@scat@ion",
"pw@du@m'p",
"comm@and a@nd con@t'rol",
"drop@per",
"web sh@ell",
"we@bsh@ell",
"kerb@er'os re@la'y",
"spo@ofing",
"ele@va@te pr'ivi@lege",
"ab@use ele'va@tion",
"b@ypas@s u@a'c",
"ua@c b'ypa@ss",
"acce@ss tok@en man'ip@ula@ti'on",
"to@ken imp'ers@onation",
"tok@en the@ft",
"ev@ade pro@c@ess-mon@i'to@ring",
"bypa@ss pa@ss'wo@rd",
"vi@ctim ip",
"snif@fing",
"poi@soning",
"elev@ate pr'oc@ess pr@ivi'leg@es",
"ele'v@ate its pr@ivi'leg@es",
"by@pa'ss us@er acc@ou'nt con'tr@ol",
"po'we@rsh'ell -e@p 'by@pa@ss",
"po'we@rsh'ell -@exe@cut'io@np@ol'ic@y by@pas@s",
"R'u@be'u@s.e'x@e du@m'p",
"expl@oit",
"key@log@ger",
"sn@if@fer",
"pas@sw'ord cr@ack",
"pass@wo'rd hac@king",
"pa@ss'wo@rd bre@ac'h",
"pa's@swor@d at@ta'ck",
"pass@wo'rd st@e'al@er",
"by@pa'ss ant@ivi'rus",
"b'ru@te fo@r'ce",
"re@mo'te acc@e'ss",
"pa'ss@wo'rd ha@sh'ing",
"co@d'e inje@ction",
"key@st'ro@ke log@gi'ng",
"keyl@ogg'ing",
"pas@swor'd sni@ff'ing",
"ciph@er",
"coo@kie steal@ing",
"pas'sw@ord crac@king",
"enc@rypt'ion",
"pr@iv'ile@ge @es'cala@ti'on",
"k'ey log@gi'ng",
"pa'ss@word ha@rves@ting",
"ea've@sdr@oppi@ng",
"bru@te-fo'rc@ing",
"coo@ki'e the@ft",
"ref'lec@tion atta@ck",
"cr@yp'to atta@ck",
"smu@rfing",
"pin@g o'f de@a'th",
"crede@n'tial @th'eft",
"ke'yl@ogg'e@r in@stall@at'ion",
"has@hing",
"file@le@ss at@ta@ck",
"imp@er'sonati@on",
"file@le'ss ma@lwa're",
"payl'oa@d deliv@ery",
"an@tivi'rus @ev'as@ion",
"dat@a obfus@cation",
"l@da'p in@je'ction",
"dec@ry'ption",
"Defi@neD@yn'ami@cAssembly",
"Defi@ne@Dy'nam@icMo'dule",
"Def@i'ne@Ty'pe",
"Def@in'eC@onst'r@uc@tor",
"Cre@at'eTy@pe",
"Defi'ne@Lite@ral",
"Def@in'eE@num",
"Defin@eF'ie@ld",
"ILG@en'er@ator",
"Em'i@t",
"Unv@e'rifi@abl'eC@ode@Att'rib@ute",
"Defi@nePI'nvok@eMe'th@od",
"G@e'tS@tr'e@am",
"@Get@Ty'pes",
"Get@Ass@em'blies",
"Met@ho'ds",
"Ge@tCon'stru@ct'or",
"GetC@ons'tru@cto'rs",
"Ge'tDef@ault'Me@mb'ers",
"Ge@tEve@nt",
"GetE@ve'nts",
"Get@Fie'ld",
"Ge@tFie'lds",
"@Ge@tInt@er'face",
"GetInt@erf'aceMap",
"Ge@tIn'terf@aces",
"GetM@em'be@r",
"G'etM@emb@ers",
"Get@Met'ho@d",
"Get@Met'ho@ds",
"Ge@tN'es@te'dType",
"Get@Ne'st@ed@Ty'pes",
"Ge@tPr'ope@rt'ies",
"Ge@tPro'pe@rt'y",
"@In'vok@eMe'mb@er",
"Ma@k'eAr@ra'yTy@pe",
"Mak@eB'yR@efT@yp'e",
"Ma@ke'Ge@ne'ric@Type",
"Mak'eP@oin'te@rTyp'e",
"De'cl@ari'ngM@et'hod",
"Decl'ar@ing@Ty'pe",
"Ref@lec'ted@Ty'pe",
"Typ@eHa@nd'le",
"T@ype'In@iti'al@izer",
"Un'de@rlyi'ng@Syst'em@Type",
"In@te'rop@Se@rv'ic@es",
"All@oc'HG@lo'ba@l",
"Pt'rT@oSt'ru@ct@u're",
"St@ru'ct@ur'eToP@t'r",
"Fr@eeHG'lo@bal",
"In'tPt@r",
"Mem@ory'Str'e@am",
"Def@lat'eSt@r'ea@m",
"From@Ba'se6@4S'trin@g",
"Enc'od@e'dCo@mm'and",
"Byp'a@ss",
"ToB@a'se6'4S@tri'n@g",
"Exp@an'dS@tr@ing",
"GetP'ow@erS'he@ll",
"Op@enPr'oc@ess",
"Vi@rtu'alAl@loc",
"V'ir@tu@alF'r@ee",
"Writ@ePro'cessMe@mory",
"Crea@teU'serTh@r'ead",
"Cl@ose'Ha@n'dle",
"GetDe@le'g@ateF'orFun'cti@onP'oi@n@ter",
"ke@rn'el3@2",
"Cr@eat'eThr@e'ad",
"me'mc@py",
"Loa'dL@ib'ra@ry",
"GetM@od'ul@eHa'nd@le",
"Ge@tPr'ocA@dd@r'ess",
"Vir'tu@al@Prot'ec't",
"Fre@eLib'ra@ry",
"Re'a@dPr'oc@ess@Mem'ory",
"Cre'a@teRe'm@ot@eThr'ea@d",
"Ad@justT'ok@enP@ri@vil'eges",
"Wri@te@B'yt'e",
"Wri@teI@nt'32",
"O'penTh're@adT'ok@en",
"Pt@rT'oS@tri@ng",
"Ze@roFr'eeGlob@alA'llo@cU'ni@code",
"Op@en@Pr'oce'ssT'ok@en",
"Get@Tok'e@nInf'or@matio'n",
"Se@tTh're@a'dTo@k'en",
"Im'per@son'a@teLogg'edO'nUs@er",
"Rev'er@tT'oSe@lf",
"Ge@tLo'go'nS@ess@i'o@nData",
"Crea't@e'Proc@es'sW@ithTo'ke@n",
"Du'pli@cat'eTok@en'Ex",
"Op@en@Wi'nd@owSt'ati'o@n",
"Ope@nDe@s'ktop",
"@Min'i'Du@mpWr@it'eD'ump",
"A@dd'Sec@uri'tyPa@ck'age",
"Enu@me'r@at@eSecu'ri@tyPa'ck@ages",
"Ge@tPr@oce'ss@Ha'ndle",
"Dange'ro@usG@etH'an@dle",
"Get@As'yn@cK'ey@State",
"'Key@bo'ar@dS'ta@te",
"G@etFo're@grou@nd'Wi@ndow",
"Bin'di@ngFl'ag@s",
"No'n@Pu'bl@ic",
"Scr'ip@tBl'oc@kLog'gi@ng",
"Lo'gPi2peli'neEx@e@cuti'onDe@tails",
"P'rot@ect'edEv@en'tLo@gg'ing",
"while.*true",
"pow@ers'hell -@ve'rsi@on '2",
"Se'tVa@lue.*nu@ll,",
".Wr'it@e.*st,0,`$st.Len@gt'h",
"sc@ht'ask@s '/cr@eat'e",
"Se@t-M'pPr@e'fer@en'ce",
"Alw@ay'sIns@t@al'lEle@vat'ed",
"ru'n@as",
"Ad'd-Exf@il'trati@on",
"Ad@d-Pe'rs@ist'en@ce",
"@Ad'd-@RegB'ack@do'or",
"Ad'd-Sc@r'nSav@eBa'ck@doo'r",
"E@nab'le@d-'Dup@li'cat@eTo'k@en",
"Ge@t'-Key@strok'e@s",
"LS'ASe@cr'e@t",
"Ge't-Pa's@sHa's@h",
"'G@et-Re@gAl'way@sI'nst@all'Ele'va@t@ed",
"Ge@t-S'cre@en'shot",
"G'e@t-Ser@vi'ceUn'qu@oted",
"Ge't-@Syst'em",
"Get'-V@@ed'en@tial",
"In@vo'ke-B@yp'assU'AC",
"Inv@ok@e-Dl@lI'nj@ecti'o@n",
"In'vo@ke-M@imi@ki'tt@e'nz",
"Inv'ok@e-PS'I'nj@ec't",
"I@nv'ok@e-P'sEx@ec",
"I@nv@ok@e-'Ru@nA's",
"In@vo'ke-W@Scr'iptB@yp@as'sU@A'C",
"O'u@t-@Mini'd@um'p",
"Am@siB'yp@as's",
"ni@sh'a@ng",
"Inv'ok@e-S@he'll@Co'mm@and",
"@-dum'pc@r",
"SeI@mp'erso@na'te",
"SeDe'bu@gPri'vi@leg'e",
"cra@ck'map@ex'e@c",
"ls@ad'ump:':s@a'm",
"SEK'UR@LS'A:@:Pt'h",
"ke'r@ber'os:':p@tt",
"k'erb@ero's::go@ld'en",
"s@eku'rl@sa:':mi@nid'u@mp",
"sek'u@rls'a:@:log@o'nPas@s'wor@ds",
"to'ke@n:':el'ev@at'e",
"in@vok'e-@com'ma@nd",
"ru'ndl@l3'2@",
"ce'r@tu'ti@l",
"m@sh't@a",
"we'v@tut@il.e'x'e' c@l'",
"S@hel'lE'xec@ut@e",
"sc s@to'p @Win@Defe'nd",
"@Rem'ove-@MpT'h're@at",
"s@'c s@top 'Se@n'se",
"a@@ms'i_d'is@ab@l'e",
"@lsa's'@@'s.e'x'e",
"we@vtu't@il @c'l'",
"a'msi@co@@n'text",
"@/sav'ecr@e'd",
"n'c.e'x'e",
"-@Scr'i@ptBl@oc'k",
"@Du'm@pS'A@M",
"@Du'm@p-S'A@M",
"@S-'1'-5-3@'2-5@4@'4",
"imp@e'rso@na'te@us@e'r:",
".do@w'nl@oa'ds@tr'i@ng'",
"Ex@cl'usi@onEx'ten@si@@on",
"sek@ur'l@s'a:@:tic@ke't@s",
"sy'st@em.@net'.w@ebc@li'e@nt",
"Mi@niDu@mp'Wi@thHa@ndl'eD@ata",
"Re@alTi@me'Pr@ot@ec'ti@on'En@ab'le@d",
"Min@iD'u@mpWi@thP@ro'ces@sTh're@adDa@ta",
"'Sys@t'em.@Man'age@me'nt.'Au@tom'at@io'n.",
"@-Di@sa@bleI@OA'V'Pr@ote@c'ti@on @`$tr@ue",
"-D@isa@bleRe@al'ti@m'ePro'te@cti@o'n `$tru@e",
"-D@isa@bleRe@al'ti@meM'o'@nito@ri@n'g `$tr'ue",
"I@nv'o@ke-@We'bR@equ'e@s@t .*`"{0}`?url={1}",
"S@ys'tem.Run@tim'e.@Int'er@opSer'vi@ces@.'Ma@rs@ha'l",
"H@KL'M:\SO'FTW@A'RE\Mi@cr'os@oft\A'MS@I@\Pro'vi@de'rs",
"M@pCm'dR'u@@n.e'x'e -@Rem'oveD@ef'in@iti'o@ns -'Al@l",
"'-Dis@abl@eIntr@us'ionP@re've@nt'ionS'y'@ste'm `$tr@ue"
)
## Rating strings
$HigthRate = "Mi@niDu@mp'Wi@thHa@ndl'eD@ata|Min@iD'u@mpWi@thP@ro'ces@sTh're@adDa@ta|sek@ur'l@s'a:@:tic@ke't@s|R'u@be'u@s.e'x@e du@m'p|cry@pt'o:@:sc'a@u't@h|.do@w'nl@oa'ds@tr'i@ng'|Ke@ybo@a'r'dSt@a'te|Dl@lIm'po@rt|la@z'ag@ne.e'x'@e a'l@l|'-Dis@abl@eIntr@us'ionP@re've@nt'ionS'y'@ste'm `$tr@ue|M@pCm'dR'u@@n.e'x'e -@Rem'oveD@ef'in@iti'o@ns -'Al@l|G@e'tS@tr'e@am|we'v@tut@il.e'x'e' c@l'|we@vtu't@il @c'l'|-D@isa@bleRe@al'ti@meM'o'@nito@ri@n'g `$tr'ue|-D@isa@bleRe@al'ti@m'ePro'te@cti@o'n `$tru@e|@-Di@sa@bleI@OA'V'Pr@ote@c'ti@on @`$tr@ue|a'msi@co@@n'text|a@@ms'i_d'is@ab@l'e|po'we@rsh'ell -@exe@cut'io@np@ol'ic@y by@pas@s|S@hel'lE'xec@ut@e|'I@E'X@|-'e@n'c|-n'o@p|a'ms@i|c'md @/c'|mim@ik'at@z|A'dd@-T'y@p'e|-@en'c@od'ed|A@ms'iSc'an@Bu@f'fe@r|i'nv@o'ke-@mim'ik@a'tz|-'en@cod'edco@mm'and|In@vok'e-'Ex@pres'si@on|am'si@ut'il@s|ams'iI@ni'tFa@il@e'd|ls'a @se'cr@et@s|im'pac'@ket|pr@ocd'u@mp|pw'd@um'p|by'pa@s@@s ua'@c|u'a@c by@p'a@ss|po@we'rsh@ell '-e@p by'pa@s's|Defi@neDy'namicAs@se'mbly|De'fi@neDyn'amic@Mo'du@le|De'fi@neT'yp@e|D@efi'neC@on'str@uc'tor|Cr@ea'teT@yp'e|De@fi@neLi'te@ra@l|D'ef@in'eEn@um|D@ef'in@eFi'el@d|I'LGe@ne'ra@tor|E@mi't|De'fi@nePIn@vok'eMet@ho'd|G@etT'yp@e's|Ge'tAs@se'mbli@es|Ge'tCo@nst'ru@c@tor|G@etC'onst'ru@ct'ors|Ge@tE'ven@t|G'e@tEv@e'nts|@Ge'tFi@el'd|G'etF@ie'l@ds|GetI'nte@rfa'ceM@ap|G'etIn@ter@f'ace|GetM@et'h@od|'Ge@tMe@tho@ds|G@etN'est@e'dTy@pe|GetN'est@edT'y@pe's|Ma@keA'rr@ayTy'p@e|Ma'keB@yRe'fTy@p'e|@Mak'eG@en'er@ic@T'y@pe|M@ak'ePoin'te@rT@y@pe|Dec@lar'ingMe@t'ho@d|Decl@@ari'ngTy'p@e|T@yp'eHa'nd@le|Typ'eIn@it'ia@li@z'er|Int'er@opSer'vi@c'es|Al'locH@Glo@b'a@l|'Pt@rT'oStr'uc@t'ur@e|St@ruc'tur@eT'oP@t'r|Fre@eH'Gl'ob@al|'I@ntP't@r|Memo'rySt@re'am|De@fla'teSt'r@eam|@Fro'mBa@s'e6@4S't@ri'ng|En'cod@edC'om'm@a@nd|'T@oBa'se6'4@@Str'in@g|Ope'nPro'c@ess|'V@ir't@ualA@ll'oc|Vir't@ualF'r@ee|Wr'it@ePro@ce'ssM'em@o'ry|Cre@at'eUs'erT@hr@e'ad|Clo@seHa'nd@le|ke'rn@el@3'2|GetD@ele'gateF'or@Fu'nct@io'nPo'int@e'r|@C're'a@teTh@r'ead|me'mc@p'y|Ge@tPr'oc@A'dd@@r@es's|Vir@tu@alPr'ot@e'ct" +
"|Rea'dPr@oc@essM'em@or'y|Cr@ea'teRe'moteTh@re'ad|@Wr'iteBy@t'e|Adj@us'tTok'en@Pr@ivi'leg@e's|Wr'it@eIn@t3'2@|Ope'nTh@re'adT@ok'en|P@trT'oStr'in@g|Ze@roFr'eeGl@obalA@ll'ocUn@ic'od@e|Op'enPr@oc'essT@o'ke@n|Ge@tTok'enIn@fo'rm@at'i@on|S@etT'hr@ea'dTok'e@n|Im@pe'rs@ona'teLo@gg'edOn@U's@er|@Re've@rtT'oS@e'l@f|Cr@ea'tePro@ce@s'sWi'thT@ok'en@|D'up@lic'ateT'ok@enE'x'|Ope'nWi@ndo'wSta@ti@o'n|Mi'niD@um'pWr@i'teD'um@p@|@G'etPr@oce'ssH@an'dl@e|Ge'tAs'yncK@eyS'ta@t'e|Ge@tKe'ybo@ar@dS@ta'te|@No@nPu'b@li@'c@|Pro'tec@te'dE've@ntL@og@g'in@g|pow'ers@hell @-'ve@rs'ion @@2'|@r@u'n'a@s|Se'tVa@lue.*nu@ll,|@sch@ta'sks@ '/@cr@e'at@e|Se@t-@M'pPref'er@e'nc@e|A'lw@ay'sInst@allE'lev'at@ed|Ad@d'-Ex@fil'tra@ti@on|@Ad@d-Pe'rs@is@t'en@ce'|Ad'd-@R'egBa@@ckd'o@o@r|A'dd@-'Sc@rnS'av@eBa'c@kd@oo'r|En'a@bl'ed-Du'plic@a'teTo@ke'n|Ge't-@Ke'yst@ro'k@e's|@LS'ASe@c're@t@|G'et-Pa'ssH@as'h@|Ge't-R@egA'lwa'ysIn@st@allE'lev@a't@e'd|@Get@-Se'rvi@ceU'nq@u'ote@d'|@Ge't-Sy@@s'te@'m|Ge@t-'Vau'ltCr@ede'nt@i'al|I'@nv'ok@e-@By'pa@@s's'U'@A'C@|Inv@o'ke-Dl@lI'nj@ec't@i@@o'n|@In@v'o'ke@-M'im@ik'it@t'e@@n'z|I'nv@oke-@P'SIn@je'c@t'|@'I@n'vo'k@e-Ps@E'x@e@@c|@In@v'ok@'@e-@R'u@nA'@s'@|@In@v'ok@'@e-W'Scr@ip'tBy@@pa's'sU@A'@C'|O'ut-Min'@id'um@p'|@Am'siB@ypa's@s|nish@a'ng|@-du'mp@cr|S@eImp'er@son'a@te@|S@eDe'bugP'r'i@vi@'@leg@e'|cr'a@ckm'ape@x'ec@|l@sad'u@mp:@:s'am'|S'EK@URL'SA:@:Pt'h@|ke@rbe'ro@s:':@pt't@|@kerb'e@ro's:@:go'l@d@@e'n|@sek'url@'@s'a:':min'id@u'm@@p'|se'kur@ls'a:@:@lo'gonPa@'ss@w@o'rds'|@tok@en:':el'ev@a't@e@|in'v@o'ke-@com'm@a'nd@|c'ert@ut@il|m'sh@t'a|sy'st@em'.@net.we'bcl@i'en@t''@|@Sy@st'em.@Man'ag@@e'men@t'.Au@t'oma@t'io@n.'@'|Sy'st@em'.@Ru'n@'@ti@m'e.'Inte@r'opServ@i'ces@.Ma'rsh@a'l'|HK@L'M@:\SO'FT@@WA'R'E\Micr@oso'ft@\A'M@@S'I@\Pro'vi@de'rs@'"
$MediumRate = "-b@x'o@r|I@nv'o@ke-@We'bR@equ'e@s@t .*`"{0}`?url={1}|while.*true|imp@e'rso@na'te@us@e'r:|Re@alTi@me'Pr@ot@ec'ti@on'En@able@d|.W@ri'te.*st,0,`$st.Le'ng@t'h|:@:A'd@m'ini@s'tr@a'to@r|Re@m'o@ve-@MpTh@r'e@at|-@Scr'i@ptBl@oc'k|Ex@cl'usi@onEx'ten@si@@on|Ex@clu'sio@nP'at@h|Exc@lu'sionPr@oc@e'ss|@Du'm@pS'A@M|@Du'm@p-S'A@M|@S-'1'-5-3@'2-5@4@'4|t@r'y'{|t'r@y '{'|s@y'st@'emi@n'f@o" -replace '(@|'')',''
## Internal
$ScanStartTimer = (Get-Date)
$HigthRate = $HigthRate -replace '(@|'')','' -replace '\\','\\'
$ScriptDescription = (Gci -Path "$FileToScan" -EA SilentlyContinue)
$MaliciousKeywordsList = $MaliciousKeywordsList -replace '(@|'')','' -replace '\\','\\'
If((Get-MpComputerStatus).RealTimeProtectionEnabled -match '^(True)$')
{
write-host "`n📛 It is advised to disable Windows Defender Real-Time Protection.`n`n" -ForegroundColor Red
Start-Sleep -Seconds 2
}
If(-not(Test-Path -Path "$FileToScan" -EA SilentlyContinue))
{
write-host "📛 Not found: '$FileToScan'`n" -ForegroundColor Red
return
}
If(-not($FileToScan -imatch '\.(ps1|psm1)$'))
{
write-host "📛 This cmdlet only accepts [.ps1|.psm1] scripts" -ForegroundColor Red
write-host " filetoscan '" -NoNewline
write-host "$FileToScan" -ForegroundColor Green -NoNewline
write-host "'`n"
return
}
function Invoke-CountObfuscationChars ()
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - 🔥 Count the number of special chars in script 🔥
.NOTES
This function flags as suspicious more than 8 [`+&'] special chars
per line. To find that value the function multiplies the number of lines
by 8 (max special chars allowed per line == MaxCharsAcceptable)
#>
$MatchedString = 0
$RawCmdletData = (Get-content -Path "$FileToScan" -Raw)
## Regular expression pattern to match obfuscated chars
$RegexPattern = "[``+&\']"
## Count the number of obfuscated characters in the script
$CharMatches = [regex]::Matches($RawCmdletData, $RegexPattern)
$MatchedString = $CharMatches.Count
## Define how many special chars are acceptable:
# only 8 special chars per line are allowed, so we multiply
# the number of lines by 8 (max special chars allowed per line)
$ScriptSize = (Get-Content -Path "$FileToScan"|Measure-Object -Line).Lines
$MaxCharsAcceptable = [int]($ScriptSize * 8)
If($MatchedString -gt $MaxCharsAcceptable)
{
echo "Rec" > "$Env:TMP\Recomendation.log"
write-host "Special characters : " -NoNewline
write-host "$MatchedString" -ForegroundColor Red -NoNewline
write-host " [" -NoNewline
write-host "``+&'" -ForegroundColor DarkYellow -NoNewline
write-host "] MaxAllowed:[" -NoNewline
write-host "$MaxCharsAcceptable" -ForegroundColor DarkYellow -NoNewline
write-host "]"
If($LogFile.IsPresent)
{
echo "[KO] Large number of [``+&'] chars detected: $MatchedString" >> "$pwd\identify_offencive_tools.log"
}
}
}
function Invoke-MaliciousVarsScan ()
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - 🔥 Detect large $variables names inside script 🔥
.NOTES
Normally attackers use large $variable names as obfuscation, so this
function flags as suspicious $variable names greater than 40 chars
#>
## Regex search - $VariableName( =|=)
$ScanMaliciousVars = (Get-Content -path "$FileToScan"|Select-String -Pattern '\$([a-zA-Z0-9_]*(\s=|=))')
ForEach($Item in $ScanMaliciousVars)
{
## Delete all chars after the = (equal) sign
$RawSuspicious = $Item -Split('=')|Select-Object -First 1
## Delete all chars before the $ (dollar) sign
$SuspiciousString = $RawSuspicious -replace '^(.*\$)',''
## Re-Construct string again for report output
$SanitizePath = "`$" + "$SuspiciousString" + "=" -join ''
If($SuspiciousString.Length -gt 40)
{
echo "Rec" > "$Env:TMP\SuspiciousVars.log"
write-host "Suspicious `$var= : " -NoNewline
write-host "$SanitizePath" -ForegroundColor Red
If($LogFile.IsPresent)
{
echo "[KO] Suspicious [$]var= $SanitizePath" >> "$pwd\identify_offencive_tools.log"
}
}
}
}
## Disclaimer
$MsgBoxTitle = " Identify_Offencive_Tools (IOT)"
$MsgBoxText = "All the strings contained in this cmdlet list were found on different web sites, from Microsoft official documentation to free sources. This script will not make any complicated scans, but it helps developers review huge files for suspicious strings [ams1] and act accordingly.`n`nThis cmdlet uses color schemes to better identify string detection rates: it classifies rate high as red, rate medium as darkmagenta and rate low as yellow."
(New-Object -ComObject Wscript.Shell).Popup("$MsgBoxText",0,"$MsgBoxTitle",0+64)|Out-Null
## Header
$CurrentTime = (Get-Date).ToString()
$Tamanho = $ScriptDescription.Length
$SHA256 = (Get-FileHash -Algorithm SHA256 -Path "$FileToScan").Hash
$LastAccess = $ScriptDescription.LastAccessTime.ToString()
write-host "File information" -ForegroundColor DarkYellow
write-host "Total lines : $ScriptSize"
write-host "File size : $Tamanho"
write-host "Current Time : $CurrentTime"
write-host "Last access : $LastAccess"
write-host "File hash : $SHA256"
write-host "File to scan : " -NoNewline
write-host "$FileToScan" -ForegroundColor Green
If($LogFile.IsPresent)
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Create logfile header function
#>
echo "Computer: $((Get-WmiObject Win32_OperatingSystem).CSName)" > "$pwd\identify_offencive_tools.log"
echo "$((Get-WmiObject Win32_OperatingSystem).Caption) - $((Get-WmiObject Win32_OperatingSystem).OSArchitecture)" >> "$pwd\identify_offencive_tools.log"
echo "Identify_Offencive_Tools - $CurrentTime" >> "$pwd\identify_offencive_tools.log"
echo "FileToScan: $FileToScan`n" >> "$pwd\identify_offencive_tools.log"
write-host "Logfile : " -NoNewline
write-host "$pwd\identify_offencive_tools.log" -ForegroundColor DarkYellow
}
write-host "`n`n🍳 Scanning file ... "
Start-Sleep -Seconds 2
$Hight = 0 ## Set counter to 0
$Counter = 0 ## Set counter to 0
ForEach($RawStringDetection in $MaliciousKeywordsList)
{
## Search for strings or regex inside file
$MatchedString = (Get-Content -Path "$FileToScan"|Select-String -Pattern "$RawStringDetection" -EA SilentlyContinue)
If($MatchedString -iMatch "$RawStringDetection")
{
If($RawStringDetection -imatch "$HigthRate")
{
$Conf = "Critical"
$ColorSet = "Red"
$Hight = $Hight + 1
}
ElseIf($RawStringDetection -imatch "$MediumRate")
{
$Conf = "Medium"
$ColorSet = "DarkMagenta"
}
Else
{
$Conf = "Low"
$ColorSet = "DarkYellow"
}
## Get file description
$Description = (Get-ChildItem -Path "$FileToScan"|Select-Object *)
$Name = $Description.PSChildName
$Line = $MatchedString.LineNumber
$Counter = $Counter + 1
If($RateHigh.IsPresent)
{
## Only display 'rate high'
If($ColorSet -match '^(Red)$')
{
## Output results OnScreen
If($RawStringDetection -match '.\*[^"]')
{
$RawStringDetection = $RawStringDetection -replace '.\*','($'
}
Else
{
$RawStringDetection = $RawStringDetection -replace '.\*','('
}
write-host "`nToken : $Hight"
write-host "DetectionRate : $Conf"
write-host "MaliciousString : " -NoNewline
write-host "$RawStringDetection" -ForegroundColor $ColorSet
write-host "LineNumber : $Line"
}
}
Else
{
## Display 'rate low,medium and high'
If($RawStringDetection -match '.\*[^"]')
{
$RawStringDetection = $RawStringDetection -replace '.\*','($'
}
Else
{
$RawStringDetection = $RawStringDetection -replace '.\*','('
}
write-host "`nToken : $Counter"
write-host "DetectionRate : $Conf"
write-host "MaliciousString : " -NoNewline
write-host "$RawStringDetection" -ForegroundColor $ColorSet
write-host "LineNumber : $Line"
}
## Logfile creation
If($LogFile.IsPresent)
{
If($RateHigh.IsPresent)
{
## Only store 'rate High'
If($ColorSet -match '^(Red)$')
{
echo "`nToken : $Hight" >> "$pwd\identify_offencive_tools.log"
echo "DetectionRate : $Conf" >> "$pwd\identify_offencive_tools.log"
echo "MaliciousString : $RawStringDetection" >> "$pwd\identify_offencive_tools.log"
echo "LineNumber : $Line`n" >> "$pwd\identify_offencive_tools.log"
}
}
Else
{
## Store 'rate low,medium and high'
echo "`nToken : $Counter" >> "$pwd\identify_offencive_tools.log"
echo "DetectionRate : $Conf" >> "$pwd\identify_offencive_tools.log"
echo "MaliciousString : $RawStringDetection" >> "$pwd\identify_offencive_tools.log"
echo "LineNumber : $Line`n" >> "$pwd\identify_offencive_tools.log"
}
}
}
}
If($Counter -eq 0)
{
write-host "🎖️ " -NoNewline
write-host "congrats, the cmdlet did not find any suspicious strings inside the file."
Remove-Item -Path "$pwd\identify_offencive_tools.log" -Force
}
## Set output color based on rating
If($Counter -gt 0){$CColor = "Red"}Else{$CColor = "Green"}
If($Hight -gt 0){$SetColor = "Red"}Else{$SetColor = "Green"}
write-host "`n`n🍳 File scanning report" -ForegroundColor DarkYellow
write-host "====================================================================================="
write-host "Tokens found : " -NoNewline
write-host "$Counter" -ForegroundColor $CColor
write-host "Urgent attention : " -NoNewline
write-host "$Hight" -ForegroundColor $SetColor
write-host "File total lines : $ScriptSize"
## Invoke-CountObfuscationChars
Invoke-CountObfuscationChars
## Invoke-MaliciousVarsScan
Invoke-MaliciousVarsScan
$AllSettings = (Get-Date)
$ScanDay = $AllSettings.Day
$ScanYear = $AllSettings.Year
$DayOfTheWeek = $AllSettings.DayOfWeek
$ElapsTime = $(Get-Date) - $ScanStartTimer
$TotalTime = $ElapsTime.ToString("hh\:mm\:ss") ## Difference between scan 'start|end' == scan duration
Write-Host "Scan elapsed time : $TotalTime ⏱️ $ScanDay $DayOfTheWeek $ScanYear"
Write-Host "File scanned : $FileToScan"
## Recommendations
If($Hight -gt 0)
{
write-host "`n⚙️ recommendation" -ForegroundColor DarkYellow
write-host " It is advised to obfuscate all high-rate results found [" -NoNewline
write-host "$Hight" -ForegroundColor Red -NoNewline
write-host "]"
write-host " because " -NoNewline
write-host "System.Management.Automation.Amsi" -ForegroundColor DarkYellow -NoNewline
write-host " contains entry"
write-host " http://bit.ly/System_Management_Automation_Engine_Runtime"
}
If(Test-Path -Path "$Env:TMP\Recomendation.log")
{
write-host "`n⚙️ recommendation" -ForegroundColor DarkYellow
write-host " It is advised to reduce the number of special characters"
write-host " inside file like [" -NoNewline
write-host "``+&'" -ForegroundColor Red -NoNewline
write-host "] that reveal to forensics that"
write-host " we are dealing with a heavily obfuscated file\script"
write-host " URL: http://bit.ly/malicious-powershell-usage-detection"
}
If(Test-Path -Path "$Env:TMP\SuspiciousVars.log")
{
write-host "`n⚙️ recommendation" -ForegroundColor DarkYellow
write-host " It is advised to reduce the size of variable names to fewer than"
write-host " 40 chars because large variable names are used in obfuscation"
}
write-host "=====================================================================================`n`n"
Remove-Item -Path "$Env:TMP\Recomendation.log" -Force
Remove-Item -Path "$Env:TMP\SuspiciousVars.log" -Force
exit
r00t-3xp10it commented Dec 21, 2023

[banner1, banner2, banner3, banner4: screenshot images]

r00t-3xp10it commented Dec 22, 2023

List Of Malicious Strings - 315 entries

   IEX
   -enc
   -nop
   amsi
   virus
   keylog
   trojan
   cmd /c
   malware
   payload
   revshell
   mimikatz
   amsi.dll
   -bxor
   hashdump
   Add-Type
   phishing
   -encoded
   DllImport
   obfuscate
   impersonate
   reverseshell
   ExclusionPath
   reverse shell
   reverse-shell
   AmsiScanBuffer   
   invoke-mimikatz
   -encodedcommand
   ExclusionProcess
   Invoke-Expression
   lazagne.exe all
   red teaming
   amsiutils
   amsiInitFailed
   keystroke
   buffer overflow
   bruteforce
   redteam
   red team
   shellcode
   fileless
   privesc
   escalate privileges
   password guessing
   guess login
   credential dump
   password spraying
   password spray
   cleartext passwords
   remote execution
   creds dump
   credentials dump
   pass the hash
   pass-the-hash
   golden ticket
   dumping the lsass
   dumping lsass
   dump lsass
   cached credentials
   lsa secrets
   crypto::scauth
   impersonating user
   impersonate user
   impacket
   lsass dump
   procdump
   obfuscated
   obfuscation
   pwdump
   command and control
   dropper
   web shell
   webshell
   kerberos relay
   spoofing
   elevate privilege
   abuse elevation
   bypass uac
   uac bypass
   access token manipulation
   token impersonation
   token theft
   evade process-monitoring
   bypass password
   victim ip
   sniffing
   poisoning
   elevate process privileges
   elevate its privileges
   bypass user account control
   powershell -ep bypass
   powershell -executionpolicy bypass
   Rubeus.exe dump
   exploit
   keylogger
   sniffer
   password crack
   password hacking
   password breach
   password attack
   password stealer
   bypass antivirus
   brute force
   remote access
   password hashing
   code injection
   keystroke logging
   keylogging
   password sniffing
   cipher
   cookie stealing
   password cracking
   encryption
   privilege escalation
   key logging
   password harvesting
   eavesdropping
   brute-forcing
   cookie theft
   reflection attack
   crypto attack
   smurfing
   ping of death
   credential theft
   keylogger installation
   hashing
   fileless attack
   impersonation
   fileless malware
   payload delivery
   antivirus evasion
   data obfuscation
   ldap injection
   decryption
   DefineDynamicAssembly
   DefineDynamicModule
   DefineType
   DefineConstructor
   CreateType
   DefineLiteral
   DefineEnum
   DefineField
   ILGenerator
   Emit
   UnverifiableCodeAttribute
   DefinePInvokeMethod
   GetTypes
   GetAssemblies
   Methods
   GetConstructor
   GetConstructors
   GetDefaultMembers
   GetEvent
   GetEvents
   GetField
   GetFields
   GetInterface
   GetInterfaceMap
   GetInterfaces
   GetMember
   GetMembers
   GetMethod
   GetMethods
   GetNestedType
   GetNestedTypes
   GetProperties
   GetProperty
   InvokeMember
   MakeArrayType
   MakeByRefType
   MakeGenericType
   MakePointerType
   DeclaringMethod
   DeclaringType
   ReflectedType
   TypeHandle
   TypeInitializer
   UnderlyingSystemType
   InteropServices
   AllocHGlobal
   PtrToStructure
   StructureToPtr
   FreeHGlobal
   IntPtr
   MemoryStream
   DeflateStream
   FromBase64String
   EncodedCommand
   Bypass
   ToBase64String
   ExpandString
   GetPowerShell
   OpenProcess
   VirtualAlloc
   VirtualFree
   WriteProcessMemory
   CreateUserThread
   CloseHandle
   GetDelegateForFunctionPointer
   kernel32
   CreateThread
   memcpy
   LoadLibrary
   GetModuleHandle
   GetProcAddress
   VirtualProtect
   FreeLibrary
   ReadProcessMemory
   CreateRemoteThread
   AdjustTokenPrivileges
   WriteByte
   WriteInt32
   OpenThreadToken
   PtrToString
   ZeroFreeGlobalAllocUnicode
   OpenProcessToken
   GetTokenInformation
   SetThreadToken
   ImpersonateLoggedOnUser
   RevertToSelf
   GetLogonSessionData
   CreateProcessWithToken
   DuplicateTokenEx
   OpenWindowStation
   OpenDesktop
   MiniDumpWriteDump
   AddSecurityPackage
   EnumerateSecurityPackages
   GetProcessHandle
   DangerousGetHandle
   GetAsyncKeyState
   KeyboardState
   GetForegroundWindow
   BindingFlags
   NonPublic
   ScriptBlockLogging
   LogPi2pelineExecutionDetails
   ProtectedEventLogging
   while($true)
   powershell -version 2
   SetValue($null$true)
   .Write($st0$st.Length)
   schtasks /create
   Set-MpPreference
   AlwaysInstallElevated
   runas
   Add-Exfiltration
   Add-Persistence
   Add-RegBackdoor
   Add-ScrnSaveBackdoor
   Enabled-DuplicateToken
   Get-Keystrokes
   LSASecret
   Get-PassHash
   Get-RegAlwaysInstallElevated
   Get-Screenshot
   Get-ServiceUnquoted
   Get-System
   Get-Vedential
   Invoke-BypassUAC
   Invoke-DllInjection
   Invoke-Mimikittenz
   Invoke-PSInject
   Invoke-PsExec
   Invoke-RunAs
   Invoke-WScriptBypassUAC
   Out-Minidump
   AmsiBypass
   nishang
   Invoke-ShellCommand
   -dumpcr
   SeImpersonate
   SeDebugPrivilege
   crackmapexec
   lsadump::sam
   SEKURLSA::Pth
   kerberos::ptt
   kerberos::golden
   sekurlsa::minidump
   sekurlsa::logonPasswords
   token::elevate
   invoke-command
   rundll32
   certutil
   mshta
   wevtutil.exe cl
   ShellExecute
   sc stop WinDefend
   Remove-MpThreat
   sc stop Sense
   amsi_disable
   lsass.exe
   wevtutil cl
   amsicontext
   /savecred
   nc.exe
   DumpSAM
   Dump-SAM
   S-1-5-32-544
   -ScriptBlock
   impersonateuser:
   .downloadstring
   ExclusionExtension
   sekurlsa::tickets
   system.net.webclient
   MiniDumpWithHandleData
   RealTimeProtectionEnabled
   MiniDumpWithProcessThreadData
   Invoke-WebRequest ("{0}?url={1}" -f
   System.Management.Automation.
   -DisableIOAVProtection $true
   -DisableRealtimeProtection $true
   -DisableRealtimeMonitoring $true
   System.Runtime.InteropServices.Marshal
   HKLM:\SOFTWARE\Microsoft\AMSI\Providers
   MpCmdRun.exe -RemoveDefinitions -All
   -DisableIntrusionPreventionSystem $true

Official list
https://github.com/PowerShell/PowerShell/blob/7dc4587014bfa22919c933607bf564f0ba53db2e/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs#L1831-L1968
