diff --git a/ProcessMonitor.cna b/ProcessMonitor.cna
new file mode 100644
index 0000000..2bfb599
--- /dev/null
+++ b/ProcessMonitor.cna
@@ -0,0 +1,178 @@
+#Process Monitor
+#Author: @r3dQu1nn
+#Queries the processes at a set interval to see what processes have been started since that interval time
+#Thanks to @Alyssa (ramen0x3f) for the code snippets! Big thanks to @i_am_excite for the powershell code!
+#Big thanks to raffi for the on heartbeat help!
+
+#Global Variables
+$timer = "";
+$interval = "5m";
+include(script_resource("ProcessMonitor.ps1"));
+
+#Register Alias for Process Monitor
+beacon_command_register("ProcessMonitor",
+ "Start/Stop and Change the Interval Time for Process Monitor",
+ "Synopsis: ProcessMonitor [Start/Stop] [Time]\n" .
+ "Options: 1m, 5m (default), 10m, 20m, 30m. If no time supplied, default of 5m is used.");
+
+#Process Monitor alias
+alias ProcessMonitor {
+ if ( $2 eq 'Start' && $3 eq '1m' ) {
+ if (-exists script_resource("ProcessMonitor.ps1")) {
+ $bid = $1;
+ $timer = "Start";
+ $interval = "1m";
+ blog($1, "\c9Process Monitor Started! Time Interval is set to " . $interval);
+ blog($1, "\c4Run ProcessMonitor [Stop] to stop ProcessMonitor from running continuously.");
+ blog($1, "\cBDepending on your sleep time, results might come before or after checkin.");
+ bpowershell_import!($1, script_resource("ProcessMonitor.ps1"));
+ bpowerpick!($1, 'Get-Proc 1');
+ }
+ else {
+ $timer = "";
+ $interval = "5m";
+ berror($1, "\c4ProcessMonitor.ps1 does not exist!");
+ show_message("ProcessMonitor.ps1 does not exist!");
+ }
+ }
+ else if ( $2 eq 'Start' && $3 eq '5m' ) {
+ if (-exists script_resource("ProcessMonitor.ps1")) {
+ $bid = $1;
+ $timer = "Start";
+ $interval = "5m";
+ blog($1, "\c9Process Monitor Started! Time Interval is set to " . 
$interval);
+ blog($1, "\c4Run ProcessMonitor [Stop] to stop ProcessMonitor from running continuously.");
+ blog($1, "\cBDepending on your sleep time, results might come before or after checkin.");
+ bpowershell_import!($1, script_resource("ProcessMonitor.ps1"));
+ bpowerpick!($1, 'Get-Proc 5');
+ }
+ else {
+ $timer = "";
+ $interval = "5m";
+ berror($1, "\c4ProcessMonitor.ps1 does not exist!");
+ show_message("ProcessMonitor.ps1 does not exist!");
+ }
+ }
+ else if ( $2 eq 'Start' && $3 eq '10m' ) {
+ if (-exists script_resource("ProcessMonitor.ps1")) {
+ $bid = $1;
+ $timer = "Start";
+ $interval = "10m";
+ blog($1, "\c9Process Monitor Started! Time Interval is set to " . $interval);
+ blog($1, "\c4Run ProcessMonitor [Stop] to stop ProcessMonitor from running continuously.");
+ blog($1, "\cBDepending on your sleep time, results might come before or after checkin.");
+ bpowershell_import!($1, script_resource("ProcessMonitor.ps1"));
+ bpowerpick!($1, 'Get-Proc 10');
+ }
+ else {
+ $timer = "";
+ $interval = "5m";
+ berror($1, "\c4ProcessMonitor.ps1 does not exist!");
+ show_message("ProcessMonitor.ps1 does not exist!");
+ }
+ }
+ else if ( $2 eq 'Start' && $3 eq '20m' ) {
+ if (-exists script_resource("ProcessMonitor.ps1")) {
+ $bid = $1;
+ $timer = "Start";
+ $interval = "20m";
+ blog($1, "\c9Process Monitor Started! Time Interval is set to " . 
$interval);
+ blog($1, "\c4Run ProcessMonitor [Stop] to stop ProcessMonitor from running continuously.");
+ blog($1, "\cBDepending on your sleep time, results might come before or after checkin.");
+ bpowershell_import!($1, script_resource("ProcessMonitor.ps1"));
+ bpowerpick!($1, 'Get-Proc 20');
+ }
+ else {
+ $timer = "";
+ $interval = "5m";
+ berror($1, "\c4ProcessMonitor.ps1 does not exist!");
+ show_message("ProcessMonitor.ps1 does not exist!");
+ }
+ }
+ else if ( $2 eq 'Start' && $3 eq '30m' ) {
+ if (-exists script_resource("ProcessMonitor.ps1")) {
+ $bid = $1;
+ $timer = "Start";
+ $interval = "30m";
+ blog($1, "\c9Process Monitor Started! Time Interval is set to " . $interval);
+ blog($1, "\c4Run ProcessMonitor [Stop] to stop ProcessMonitor from running continuously.");
+ blog($1, "\cBDepending on your sleep time, results might come before or after checkin.");
+ bpowershell_import!($1, script_resource("ProcessMonitor.ps1"));
+ bpowerpick!($1, 'Get-Proc 30');
+ }
+ else {
+ $timer = "";
+ $interval = "5m";
+ berror($1, "\c4ProcessMonitor.ps1 does not exist!");
+ show_message("ProcessMonitor.ps1 does not exist!");
+ }
+ }
+ else if ( $2 eq 'Stop' ) {
+ $timer = "Stop";
+ $interval = "5m";
+ blog($1, "\cBProcess Monitor has Stopped.");
+ }
+ else if ( $2 is $null ) {
+ blog($1, "\c4Please provide 'Start' then a correct time interval to Start Process Monitor.");
+ show_message("Please provide 'Start' then a correct time interval to Start Process Monitor.");
+ }
+ else if ( $3 != '1m' || $3 != '5m' || $3 != '10m' || $3 != '20m' || $3 != '30m' ) {
+ blog($1, "\c4Please provide a correct time interval to Start Process Monitor.");
+ show_message("Please provide a correct time interval to Start Process Monitor.");
+ }
+ else {
+ $timer = "";
+ $interval = "5m";
+ }
+}
+
+#Process Monitor heartbeat checks
+on heartbeat_1m {
+ if ( $timer eq 'Start' && $interval eq '1m' ) {
+ bpowerpick!($bid, 'Get-Proc 1');
+ }
+ else if ( $timer eq 'Stop' ) {
+ }
+ else {
+ }
+}
+
+on heartbeat_5m {
+ if ( $timer eq 'Start' && $interval eq '5m' ) {
+ bpowerpick!($bid, 'Get-Proc 5');
+ }
+ else if ( $timer eq 'Stop' ) {
+ }
+ else {
+ }
+}
+
+on heartbeat_10m {
+ if ( $timer eq 'Start' && $interval eq '10m' ) {
+ bpowerpick!($bid, 'Get-Proc 10');
+ }
+ else if ( $timer eq 'Stop' ) {
+ }
+ else {
+ }
+}
+
+on heartbeat_20m {
+ if ( $timer eq 'Start' && $interval eq '20m' ) {
+ bpowerpick!($bid, 'Get-Proc 20');
+ }
+ else if ( $timer eq 'Stop' ) {
+ }
+ else {
+ }
+}
+
+on heartbeat_30m {
+ if ( $timer eq 'Start' && $interval eq '30m' ) {
+ bpowerpick!($bid, 'Get-Proc 30');
+ }
+ else if ( $timer eq 'Stop' ) {
+ }
+ else {
+ }
+}
\ No newline at end of file
diff --git a/ProcessMonitor.ps1 b/ProcessMonitor.ps1
new file mode 100644
index 0000000..ac11db8
--- /dev/null
+++ b/ProcessMonitor.ps1
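Review bot: The interval check near the end of the alias, `else if ( $3 != '1m' || $3 != '5m' || ... )`, cannot work as a validator: `!=` is Sleep's numeric comparison, and the `||` chain is satisfied by any value that differs from at least one of the literals, so the trailing `else` is unreachable and `ProcessMonitor Start` with no interval — which the registered help text says defaults to 5m — ends in the "correct time interval" error instead of starting. Write it as `else if ( $3 ne '1m' && $3 ne '5m' && $3 ne '10m' && $3 ne '20m' && $3 ne '30m' )` and default the missing argument before the branches, e.g. `if ($3 is $null) { $3 = "5m"; }`, after which the five Start branches differ only in the interval literal and could be one branch driven by `$3`. The `include(script_resource("ProcessMonitor.ps1"))` line near the top hands a PowerShell file to the Sleep parser; the script is already delivered with `bpowershell_import`, so this looks like a leftover that would presumably fail to load — confirm. `$bid`, `$timer` and `$interval` are script globals, so a second `Start` from another beacon silently retargets the monitor and a `Stop` from any beacon stops it; keying the state by beacon id (a `%monitor` hash indexed by `$1`) and iterating it in the heartbeat handlers would make this per-beacon. The empty `else if ( $timer eq 'Stop' ) { }` / `else { }` branches in each heartbeat handler are dead and can be dropped.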
@@ -0,0 +1,33 @@
+function Get-Proc {
+<#
+.DESCRIPTION
+Cobaltstrike has a great general function for processes: the 'ps' command. Use that if you need to dump ALL the processes w/ arch.
+
+This solution will show the running processes that have a creation date within the past 1 hour, giving more SA to the operator/analyst than just looking through an entire process list
+
+Both solutions have their place. It is up to you to know how to use which when you need it.
+
+Module info for process list has also been removed because nobody used it in the two years that the survey script was around. If you need to do IR on a box, there are better ways to do so
+than by clogging up the screen in a survey.
+#>
+
+param
+ (
+ [Parameter(Mandatory = $True)]
+ [string]$Time
+ )
+
+$test3 = gwmi win32_process | sort -Property ProcessID
+$q = get-date
+
+"`n[+] Processes created in the past $Time minutes`n"
+"{0,-8}{1,-8}{2,-20} {3,-20} {4}" -f "PID","PPID","PID Name","PPID Name","Owner"
+
+foreach ($i in $test3){
+ $qq = [Management.ManagementDateTimeConverter]::ToDateTime($i.creationdate)
+ if ($qq -gt $q.addminutes(-$Time)){
+ $z = $i.ParentProcessId
+ "{0,-8}{1,-8}{2,-20} {3,-20} {4}" -f $i.ProcessId, $i.ParentProcessId, $( if($i.processname.length -gt 20){ $i.processname.substring(0,20)} else{$i.processname}), $($test3 | where {$_.processid -eq $z}).caption , $i.GetOwner().user
+ }
+ }
+}
\ No newline at end of file
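Review bot: `[string]$Time` is used as a number in `$q.addminutes(-$Time)`, so a non-numeric argument fails mid-loop with a conversion error rather than at parameter binding; declare it `[ValidateRange(1, 1440)] [int]$Time` and the header message still interpolates it unchanged. The `.DESCRIPTION` block says the output covers processes created "within the past 1 hour", but the window is `$Time` minutes — update the help text to say "within the past $Time minutes (the Get-Proc argument)". The parent-name lookup `$test3 | where {$_.processid -eq $z}` rescans the whole list for every process; building a hashtable once, `$byPid = @{}; foreach ($p in $test3) { $byPid[[int]$p.ProcessId] = $p.Caption }`, and indexing `$byPid[[int]$i.ParentProcessId]` makes the loop linear. `ToDateTime` is called on `CreationDate` unconditionally; if that property is empty for a process (I believe it is for PID 0 on some hosts) the call throws and ends the function, so a guard `if (-not $i.CreationDate) { continue }` before the conversion would be safer — confirm. The script-level aliases `gwmi`, `sort` and `where` are also worth spelling out as `Get-WmiObject`, `Sort-Object` and `Where-Object`.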