Full Code Repository:
https://github.com/DHS-NCCIC/Sogu/SoguFileSearch.psm1
PS> Import-Module SoguFileSearch.psm1
Parameters

ShowFileNames
  Displays a list of all possible Sogu log filenames generated for each local drive.

CustomSerial
  1. Displays a list of all possible Sogu log filenames generated from the
     serial number(s) provided by the user.
  2. A user can provide a single serial or a list of serials, either as an array in the
     PowerShell console or as a user-generated text file.
  3. If a serial number entered does not correlate to an active local drive on the machine,
     the user is shown an error message.
  4. The serials used in the examples for this parameter will cause the script to throw an error
     unless a local drive with a matching serial is found.

SearchFiles
  1. Searches the file system for the presence of Sogu log files.
  2. Information for each file is saved as an object in a hashtable named output.
  3. The output hashtable separates the file information based on the presence or absence of each
     Sogu log on disk (keys FilesFound and FilesNotFound).
  4. The information collected by this option can be exported to log files for review.
Examples
Display a list of Sogu file names generated from the local disk serial numbers (after importing the module as shown above).
PS> Get-SoguFileNames -ShowFileNames

Display a list of Sogu file names based on a single serial number provided by the user.
PS> Get-SoguFileNames -CustomSerial AAAAAAAA

Display a list of Sogu file names based on a list of serial numbers provided by the user in the PowerShell console.
PS> $Serials = @('AAAAAAAA','BBBBBBBB','CCCCCCCC','DDDDDDDD')
PS> foreach($Serial in $Serials)
    {
        Get-SoguFileNames -CustomSerial $Serial
    }

Display a list of Sogu file names based on a list of serial numbers provided by the user in a text file.
PS> $Serials = Get-Content
PS> foreach($Serial in $Serials)
    {
        Get-SoguFileNames -CustomSerial $Serial
    }

Search the drives for files with the generated names and save the output to a variable.
PS> $SoguFiles = Get-SoguFileNames -ShowFileNames -SearchFiles

The following commands show how to display the output or pipe the data to a log file.

Display the "FilesFound" output from the $SoguFiles variable created in the example above.
PS> $SoguFiles.FilesFound

Display the "FilesNotFound" output from the $SoguFiles variable created in the example above.
PS> $SoguFiles.FilesNotFound

Export the "FilesFound" output from the $SoguFiles variable to a log file.
PS> $SoguFiles.FilesFound | Out-File -FilePath \.txt

Export the "FilesNotFound" output from the $SoguFiles variable to a log file.
PS> $SoguFiles.FilesNotFound | Out-File -FilePath \.txt
The PowerShell output of -ShowFileNames (one row per Sogu log type and file, per local drive):
Drive D: (801221BF) ------------------------------------------------------
Type1 CC VictimID HD Serial 801221BF Filename: qcrugzwgvzacyug
Type1 CX ConfigBlock HD Serial 801221BF Filename: vtzxxqtzff
Type1 KL KeylogCache HD Serial 801221BF Filename: bnpnzw
Type1 HZ LearnedProxies HD Serial 801221BF Filename: rmvfafwy
Type2 CC VictimID HD Serial 801221BF Filename: qwxfxwmgweywtbv
Type2 CF ConfigBlock HD Serial 801221BF Filename: nvponiqvlfnx
Type2 KL KeylogCache HD Serial 801221BF Filename: bhrgxm
Type2 HP LearnedProxies HD Serial 801221BF Filename: blukacjozrqzpskuxh
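The following script is an added example and is not part of the DHS-NCCIC module or its README. It ties the pieces above into one triage run: it reads serials from a text file, checks each one against the volume serials of the local fixed drives so that the error described under CustomSerial (a serial with no matching active drive) is logged instead of aborting the batch, then runs -SearchFiles once and writes both FilesFound and FilesNotFound to timestamped log files. Assumptions not taken from the page: the input and log paths (C:\IR\serials.txt, C:\IR\logs), that the "HD Serial" the module prints is the Win32_LogicalDisk VolumeSerialNumber (the eight-hex-digit form shown as "801221BF" above), and that the module's error surfaces as a PowerShell error that try/catch can intercept when $ErrorActionPreference is 'Stop'.

```powershell
# Added example, not the DHS-NCCIC module's own code.
# Batch-validate serials, run Get-SoguFileNames, and log results for review.

Import-Module .\SoguFileSearch.psm1

# Assumed paths: one serial per line in the input file; logs go to $LogDir.
$SerialFile = 'C:\IR\serials.txt'
$LogDir     = 'C:\IR\logs'
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'

# Make errors raised inside the module terminating so try/catch sees them.
$ErrorActionPreference = 'Stop'

# Volume serials of the local fixed drives (DriveType 3) as eight upper-case
# hex digits. Assumed to be the same value the module prints as "HD Serial".
$LocalSerials = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
    Where-Object { $_.VolumeSerialNumber } |
    ForEach-Object { $_.VolumeSerialNumber.ToUpper() }

# Read, normalise and de-duplicate the user-supplied serials; drop anything
# that is not exactly eight hex digits before it reaches the module.
$Serials = Get-Content -Path $SerialFile |
    ForEach-Object { $_.Trim().ToUpper() } |
    Where-Object { $_ -match '^[0-9A-F]{8}$' } |
    Sort-Object -Unique

foreach ($Serial in $Serials) {
    if ($LocalSerials -notcontains $Serial) {
        # The module errors on serials with no matching local drive; record
        # the mismatch and continue with the rest of the batch.
        Write-Warning "Serial $Serial does not match an active local drive; skipping."
        continue
    }
    try {
        Get-SoguFileNames -CustomSerial $Serial
    }
    catch {
        Write-Warning "Get-SoguFileNames failed for serial ${Serial}: $($_.Exception.Message)"
    }
}

# Search the file system once and keep the hashtable the module returns.
$SoguFiles = Get-SoguFileNames -ShowFileNames -SearchFiles

# Write both result sets to timestamped logs so each run is kept separately.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$SoguFiles.FilesFound    | Out-File -FilePath (Join-Path $LogDir "sogu-found-$Stamp.txt")
$SoguFiles.FilesNotFound | Out-File -FilePath (Join-Path $LogDir "sogu-notfound-$Stamp.txt")

# A non-empty FilesFound list is the indicator of interest; surface it on the console.
if ($SoguFiles.FilesFound) {
    Write-Host "Sogu log filenames present on disk; see sogu-found-$Stamp.txt"
    $SoguFiles.FilesFound
}
```

The serial pre-check is what keeps a long list of serials from stopping on the first one that belongs to another host; the hex-digit filter also catches the hyphenated "1234-ABCD" form that some tools print, which the module's examples do not use.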
LICENSE: https://github.com/DHS-NCCIC/Sogu/LICENSE.md
The Detection Tool for PlugX Malware (Technology) is a work developed by
the U.S. Government Agency and its contractors and provided to the
Department of Homeland Security, Office of Cybersecurity and
Communications (CS&C). Pursuant to Federal Acquisition Regulation,
the United States Government has unlimited rights in the copyright in the Technology,
which is sufficient to allow end users to download, access, install,
copy and use the Technology for its intended purpose.
The Technology is subject to United States Copyright law.