AggressorScripts/ProcessColor.cna
#Color Coded Process Listing
#Author: @r3dQu1nn
#Takes the ps output in CS and color codes all AV processes, the explorer process, browser processes, and the currently running process
#Thanks to @oldb00t for creating the original beacon-ps-highlight.cna script! Script here: https://github.com/oldb00t/AggressorScripts/tree/master/Ps-highlight
#This script removes the need for the av_hips_executables.txt requirement
set BEACON_OUTPUT_PS {
# $1 is the id of the beacon that produced this ps output; bdata() returns its
# metadata, and $bd['pid'] is used below to mark the beacon's own process.
$bd = bdata($1);
@av = @("KeyPass.exe", "avgui.exe", "emet_agent.exe", "emet_service.exe", "firesvc.exe", "firetray.exe", "hipsvc.exe", "mfevtps.exe", "mcafeefire.exe", "scan32.exe", "shstat.exe", "tbmon.exe", "vstskmgr.exe", "engineserver.exe", "mfevtps.exe", "mfeann.exe", "mcscript.exe", "updaterui.exe", "udaterui.exe", "naprdmgr.exe", "frameworkservice.exe", "cleanup.exe", "cmdagent.exe", "frminst.exe", "mcscript_inuse.exe", "mctray.exe", "mcshield.exe", "AAWTray.exe", "Ad-Aware.exe", "MSASCui.exe", "_avp32.exe", "_avpcc.exe", "_avpm.exe", "aAvgApi.exe", "ackwin32.exe", "adaware.exe", "advxdwin.exe", "agentsvr.exe", "agentw.exe", "alertsvc.exe", "alevir.exe", "alogserv.exe", "amon9x.exe", "anti-trojan.exe", "antivirus.exe", "ants.exe", "apimonitor.exe", "aplica32.exe", "apvxdwin.exe", "arr.exe", "atcon.exe", "atguard.exe", "atro55en.exe", "atupdater.exe", "atwatch.exe", "au.exe", "aupdate.exe", "auto-protect.nav80try.exe", "autodown.exe", "autotrace.exe", "autoupdate.exe", "avconsol.exe", "ave32.exe", "avgcc32.exe", "avgctrl.exe", "avgemc.exe", "avgnt.exe", "avgrsx.exe", "avgserv.exe", "avgserv9.exe", "avguard.exe", "avgw.exe", "avkpop.exe", "avkserv.exe", "avkservice.exe", "avkwctl9.exe", "avltmain.exe", "avnt.exe", "avp.exe", "avp.exe", "avp32.exe", "avpcc.exe", "avpdos32.exe", "avpm.exe", "avptc32.exe", "avpupd.exe", "avsched32.exe", "avsynmgr.exe", "avwin.exe", "avwin95.exe", "avwinnt.exe", "avwupd.exe", "avwupd32.exe", "avwupsrv.exe", "avxmonitor9x.exe", "avxmonitornt.exe", "avxquar.exe", "backweb.exe", "bargains.exe", "bd_professional.exe", "beagle.exe", "belt.exe", "bidef.exe", "bidserver.exe", "bipcp.exe", "bipcpevalsetup.exe", "bisp.exe", "blackd.exe", "blackice.exe", "blink.exe", "blss.exe", "bootconf.exe", "bootwarn.exe", "borg2.exe", "bpc.exe", "brasil.exe", "bs120.exe", "bundle.exe", "bvt.exe", "ccapp.exe", "ccevtmgr.exe", "ccpxysvc.exe", "ccsvchst.exe", "ccSvcHst.exe", "cdp.exe", "cfd.exe", "cfgwiz.exe", "cfiadmin.exe", "cfiaudit.exe", "cfinet.exe", "cfinet32.exe", 
"claw95.exe", "claw95cf.exe", "clean.exe", "cleaner.exe", "cleaner3.exe", "cleanpc.exe", "click.exe", "cmesys.exe", "cmgrdian.exe", "cmon016.exe", "connectionmonitor.exe", "cpd.exe", "cpf9x206.exe", "cpfnt206.exe", "ctrl.exe", "cv.exe", "cwnb181.exe", "cwntdwmo.exe", "datemanager.exe", "dcomx.exe", "defalert.exe", "defscangui.exe", "defwatch.exe", "deputy.exe", "divx.exe", "dllcache.exe", "dllreg.exe", "doors.exe", "dpf.exe", "dpfsetup.exe", "dpps2.exe", "drwatson.exe", "drweb32.exe", "drwebupw.exe", "dssagent.exe", "dvp95.exe", "dvp95_0.exe", "ecengine.exe", "efpeadm.exe", "EMET_Agent.exe", "EMET_Service.exe", "emsw.exe", "ent.exe", "esafe.exe", "escanhnt.exe", "escanv95.exe", "espwatch.exe", "ethereal.exe", "etrustcipe.exe", "evpn.exe", "exantivirus-cnet.exe", "exe.avxw.exe", "expert.exe", "explore.exe", "f-agnt95.exe", "f-prot.exe", "f-prot95.exe", "f-stopw.exe", "fameh32.exe", "fast.exe", "fch32.exe", "fih32.exe", "findviru.exe", "firewall.exe", "fnrb32.exe", "fp-win.exe", "fp-win_trial.exe", "fprot.exe", "frw.exe", "fsaa.exe", "fsav.exe", "fsav32.exe", "fsav530stbyb.exe", "fsav530wtbyb.exe", "fsav95.exe", "fsgk32.exe", "fsm32.exe", "fsma32.exe", "fsmb32.exe", "gator.exe", "gbmenu.exe", "gbpoll.exe", "generics.exe", "gmt.exe", "guard.exe", "guarddog.exe", "hacktracersetup.exe", "hbinst.exe", "hbsrv.exe", "hotactio.exe", "hotpatch.exe", "htlog.exe", "htpatch.exe", "hwpe.exe", "hxdl.exe", "hxiul.exe", "iamapp.exe", "iamserv.exe", "iamstats.exe", "ibmasn.exe", "ibmavsp.exe", "icload95.exe", "icloadnt.exe", "icmon.exe", "icsupp95.exe", "icsuppnt.exe", "idle.exe", "iedll.exe", "iedriver.exe", "iface.exe", "ifw2000.exe", "inetlnfo.exe", "infus.exe", "infwin.exe", "init.exe", "intdel.exe", "intren.exe", "iomon98.exe", "istsvc.exe", "jammer.exe", "jdbgmrg.exe", "jedi.exe", "kavlite40eng.exe", "kavpers40eng.exe", "kavpf.exe", "kazza.exe", "keenvalue.exe", "kerio-pf-213-en-win.exe", "kerio-wrl-421-en-win.exe", "kerio-wrp-421-en-win.exe", "kernel32.exe", 
"killprocesssetup161.exe", "launcher.exe", "ldnetmon.exe", "ldpro.exe", "ldpromenu.exe", "ldscan.exe", "lnet
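local('$outps $temp $name $ppid $pid $arch $user $session @ps @avlc $lname');
# $2 is the raw ps output for this beacon: one process per line, tab-separated
# as name, ppid, pid, arch, user, session. The colored listing is built in $outps.
$outps .= "\cC[*]\o Process List with process highlighting of AV/HIPS, Browsers, Explorer/Winlogon, current processes\n";
$outps .= "\cC[*]\o Current Running PID: \c8 Yellow \o \n";
$outps .= "\cC[*]\o AV/HIPS: \c4 RED \o \n";
$outps .= "\cC[*]\o Browsers: \c3 GREEN \o \n";
$outps .= "\cC[*]\o Explorer/Winlogon: \c2 BLUE \o \n\n";
$outps .= " PID PPID Name Arch Session User\n";
$outps .= "\cE --- ---- ---- ---- ------- -----\n";
# Windows image names are case-insensitive and @av already mixes spellings of
# the same name (e.g. "ccsvchst.exe" / "ccSvcHst.exe"), so compare everything
# lowercased. The lowercased list is built once here, not once per process.
@avlc = map({ return lc($1); }, @av);
foreach $temp (split("\n", ["$2" trim])) {
    # skip blank lines so an empty listing does not produce a bogus row
    if (["$temp" trim] eq "") { continue; }
    ($name, $ppid, $pid, $arch, $user, $session) = split("\t", $temp);
    $lname = lc($name);
    # highlight AV processes in RED.
    if ($lname in @avlc) {
        push(@ps, %(pid => $pid, entry => "\c4 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o"));
    # highlight explorer , winlogon in BLUE
    } else if ($lname eq "explorer.exe" || $lname eq "winlogon.exe") {
        push(@ps, %(pid => $pid, entry => "\c2 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o"));
    # highlight browsers processes in GREEN
    } else if ($lname eq "chrome.exe" || $lname eq "firefox.exe" || $lname eq "iexplore.exe") {
        push(@ps, %(pid => $pid, entry => "\c3 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o"));
    # highlight current process in YELLOW (this beacon's own pid, from bdata())
    } else if ($pid eq $bd['pid']) {
        push(@ps, %(pid => $pid, entry => "\c8 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o"));
    } else {
        push(@ps, %(pid => $pid, entry => " $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user"));
    }
}
# sort by pid; assign the result back so this is correct whether or not
# sort() also reorders @ps in place
@ps = sort({ return $1['pid'] <=> $2['pid']; }, @ps);
# append to our outstring
foreach $temp (@ps) {
    $outps .= "$temp['entry'] \n";
}
return $outps;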
}