Add files via upload

ProcessMonitor.cna

@@ -0,0 +1,178 @@
+#Process Monitor
+#Author: @r3dQu1nn
+#Queries the processes at a set interval to see what processes have been started since that interval time
+#Thanks to @Alyssa (ramen0x3f) for the code snippets! Big thanks to @i_am_excite for the powershell code!
+#Big thanks to raffi for the on heartbeat help!
+
+#Global Variables
+$timer = "";
+$interval = "5m";
+include(script_resource("ProcessMonitor.ps1"));
+
+#Register Alias for Process Monitor
+beacon_command_register("ProcessMonitor", 
+	"Start/Stop and Change the Interval Time for Process Monitor",
+	"Synopsis: ProcessMonitor [Start/Stop] [Time]\n" .
+	"Options: 1m, 5m (default), 10m, 20m, 30m. If no time supplied, default of 5m is used.");
+
+#Process Monitor alias
+alias ProcessMonitor {
+	if ( $2 eq 'Start' && $3 eq '1m' ) {
+		if (-exists script_resource("ProcessMonitor.ps1")) {
+			$bid = $1;
+			$timer = "Start";
+			$interval = "1m";
+			blog($1, "\c9Process Monitor Started! Time Interval is set to " . $interval);
+			blog($1, "\c4Run ProcessMonitor [Stop] to stop ProcessMonitor from running continuously.");
+			blog($1, "\cBDepending on your sleep time, results might come before or after checkin.");
+			bpowershell_import!($1, script_resource("ProcessMonitor.ps1"));
+			bpowerpick!($1, 'Get-Proc 1');
+		}
+		else {
+			$timer = "";
+			$interval = "5m";
+			berror($1, "\c4ProcessMonitor.ps1 does not exist!");
+			show_message("ProcessMonitor.ps1 does not exist!");
+		}
+	}
+	else if ( $2 eq 'Start' && $3 eq '5m' ) {
+		if (-exists script_resource("ProcessMonitor.ps1")) {
+			$bid = $1;
+			$timer = "Start";
+			$interval = "5m";
+			blog($1, "\c9Process Monitor Started! Time Interval is set to " . $interval);
+			blog($1, "\c4Run ProcessMonitor [Stop] to stop ProcessMonitor from running continuously.");
+			blog($1, "\cBDepending on your sleep time, results might come before or after checkin.");
+			bpowershell_import!($1, script_resource("ProcessMonitor.ps1"));
+			bpowerpick!($1, 'Get-Proc 5');
+		}
+		else {
+			$timer = "";
+			$interval = "5m";
+			berror($1, "\c4ProcessMonitor.ps1 does not exist!");
+			show_message("ProcessMonitor.ps1 does not exist!");
+		}
+	}
+	else if ( $2 eq 'Start' && $3 eq '10m' ) {
+		if (-exists script_resource("ProcessMonitor.ps1")) {
+			$bid = $1;
+			$timer = "Start";
+			$interval = "10m";
+			blog($1, "\c9Process Monitor Started! Time Interval is set to " . $interval);
+			blog($1, "\c4Run ProcessMonitor [Stop] to stop ProcessMonitor from running continuously.");
+			blog($1, "\cBDepending on your sleep time, results might come before or after checkin.");
+			bpowershell_import!($1, script_resource("ProcessMonitor.ps1"));
+			bpowerpick!($1, 'Get-Proc 10');
+		}
+		else {
+			$timer = "";
+			$interval = "5m";
+			berror($1, "\c4ProcessMonitor.ps1 does not exist!");
+			show_message("ProcessMonitor.ps1 does not exist!");
+		}
+	}
+	else if ( $2 eq 'Start' && $3 eq '20m' ) {
+		if (-exists script_resource("ProcessMonitor.ps1")) {
+			$bid = $1;
+			$timer = "Start";
+			$interval = "20m";
+			blog($1, "\c9Process Monitor Started! Time Interval is set to " . $interval);
+			blog($1, "\c4Run ProcessMonitor [Stop] to stop ProcessMonitor from running continuously.");
+			blog($1, "\cBDepending on your sleep time, results might come before or after checkin.");
+			bpowershell_import!($1, script_resource("ProcessMonitor.ps1"));
+			bpowerpick!($1, 'Get-Proc 20');
+		}
+		else {
+			$timer = "";
+			$interval = "5m";
+			berror($1, "\c4ProcessMonitor.ps1 does not exist!");
+			show_message("ProcessMonitor.ps1 does not exist!");
+		}
+	}
+    else if ( $2 eq 'Start' && $3 eq '30m' ) {
+		if (-exists script_resource("ProcessMonitor.ps1")) {
+			$bid = $1;
+			$timer = "Start";
+			$interval = "30m";
+			blog($1, "\c9Process Monitor Started! Time Interval is set to " . $interval);
+			blog($1, "\c4Run ProcessMonitor [Stop] to stop ProcessMonitor from running continuously.");
+			blog($1, "\cBDepending on your sleep time, results might come before or after checkin.");
+			bpowershell_import!($1, script_resource("ProcessMonitor.ps1"));
+			bpowerpick!($1, 'Get-Proc 30');
+		}
+		else {
+			$timer = "";
+			$interval = "5m";
+			berror($1, "\c4ProcessMonitor.ps1 does not exist!");
+			show_message("ProcessMonitor.ps1 does not exist!");
+		}
+	}
+	else if ( $2 eq 'Stop' ) {
+		$timer = "Stop";
+		$interval = "5m";
+		blog($1, "\cBProcess Monitor has Stopped.");
+	}
+    else if ( $2 is $null ) {
+        blog($1, "\c4Please provide 'Start' then a correct time interval to Start Process Monitor.");
+        show_message("Please provide 'Start' then a correct time interval to Start Process Monitor.");
+    }
+	else if ( $3 != '1m' || $3 != '5m' || $3 != '10m' || $3 != '20m' || $3 != '30m' ) {
+        blog($1, "\c4Please provide a correct time interval to Start Process Monitor.");
+        show_message("Please provide a correct time interval to Start Process Monitor.");
+    }
+	else {
+		$timer = "";
+		$interval = "5m";
+	}
+}
+
+#Process Monitor heartbeat checks
+on heartbeat_1m {
+	if ( $timer eq 'Start' && $interval eq '1m' ) {
+		bpowerpick!($bid, 'Get-Proc 1');
+	}
+	else if ( $timer eq 'Stop' ) {
+	}
+	else {
+	}
+}
+
+on heartbeat_5m {
+	if ( $timer eq 'Start' && $interval eq '5m' ) {
+		bpowerpick!($bid, 'Get-Proc 5');
+	}
+	else if ( $timer eq 'Stop' ) {
+	}
+	else {
+	}
+}
+
+on heartbeat_10m {
+	if ( $timer eq 'Start' && $interval eq '10m' ) {
+		bpowerpick!($bid, 'Get-Proc 10');
+	}
+	else if ( $timer eq 'Stop' ) {
+	}
+	else {
+	}
+}
+
+on heartbeat_20m {
+	if ( $timer eq 'Start' && $interval eq '20m' ) {
+		bpowerpick!($bid, 'Get-Proc 20');
+	}
+	else if ( $timer eq 'Stop' ) {
+	}
+	else {
+	}
+}
+
+on heartbeat_30m {
+	if ( $timer eq 'Start' && $interval eq '30m' ) {
+		bpowerpick!($bid, 'Get-Proc 30');
+	}
+	else if ( $timer eq 'Stop' ) {
+	}
+	else {
+	}
+}

ProcessMonitor.ps1

@@ -0,0 +1,33 @@
+function Get-Proc {
+<#
+.DESCRIPTION
+Cobaltstrike has a great general function for processes: the 'ps' command. Use that if you need to dump ALL the processes w/ arch. 
+
+This solution will show the running processes that have a creation date within the past 1 hour, giving more SA to the operator/analyst than just looking through an entire process list
+
+Both solutions have their place. It is up to you to know how to use which when you need it.
+
+Module info for process list has also been removed because nobody used it in the two years that the survey script was around. If you need to do IR on a box, there are better ways to do so
+than by clogging up the screen in a survey. 
+#>
+
+param
+		(
+			[Parameter(Mandatory = $True)]
+			[string]$Time
+		)
+
+$test3 = gwmi win32_process | sort -Property ProcessID
+$q = get-date
+
+"`n[+] Processes created in the past $Time minutes`n"
+"{0,-8}{1,-8}{2,-20} {3,-20} {4}" -f "PID","PPID","PID Name","PPID Name","Owner"
+
+foreach ($i in $test3){
+    $qq = [Management.ManagementDateTimeConverter]::ToDateTime($i.creationdate)
+        if ($qq -gt $q.addminutes(-$Time)){
+            $z = $i.ParentProcessId
+            "{0,-8}{1,-8}{2,-20} {3,-20} {4}"  -f $i.ProcessId, $i.ParentProcessId, $( if($i.processname.length -gt 20){ $i.processname.substring(0,20)} else{$i.processname}), $($test3 | where {$_.processid -eq $z}).caption , $i.GetOwner().user
+        }
+    }
+}