Trawler
PowerShell script to help Incident Responders discover potential adversary persistence mechanisms.
I have a thought on a somewhat easy way to transition from csv to json if that is something that you're interested in. In quite a few places where detections...
Currently, the code base lacks any form of testing - Pester tests should be developed to help keep development stable and ensure that functionality is not impacted when making any...
Currently we are using PowerShell cmdlets to retrieve this information - need to get the same information from the files directly for use in deadbox analysis.
Will likely use https://github.com/mgreen27/Invoke-BitsParser or a variation for this since the hard work has already been done. Just need to cherry-pick and refactor for my own needs on this one.
For offline drive analysis, we cannot directly query CIM classes for obvious reasons. Data related to WMI is stored in a few locations, provided below; C:\Windows\System32\wbem\Repository\OBJECTS.DATA - Objects managed by...
It's a bit dated by now but take a look at these [launch points](https://silentrunners.org/launchpoints.html), in case there is something useful there that you aren't taking into account yet.
Here I have dissected the 17,613 line `trawler.ps1` script into a myriad of smaller, more manageable scripts. The original `trawler.ps1` script can be created by running the `build.ps1` script. Here...
- [ ] JSON Detection Output to easily encapsulate more details
- [ ] Non-Standard Service/Task running as/created by Local Administrator
- [ ] Browser Extension Analysis
- [ ] ...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - Notify Value. Investigate for value/defaults and add to appropriate Winlogon Helper check: [winlogonnotificationpackage](https://github.com/persistence-info/persistence-info.github.io/blob/main/Data/winlogonnotificationpackage.md)
Update the arguments taken in by trawler.ps1 to allow for new json output format. Detriment of json output is that it cannot be written until all values have been collected...