Hi All,
I wrote this script because I was finding that Symantec was not logging all of my exceptions to the exception list in System Lockdown. This script imports a list of computer names from a CSV file, collects every processlog.log it can reach, stores the copies centrally, then creates a CSV with only the MD5, Caller Process and Called Process columns. Happy to provide help if need be.
#Cleanup after script run
$cleanup = $true
#Computer List (the domain filters are left exactly as posted)
$csv = Import-Csv D:\Scripts\Symantec\complete.csv | where {$_.name -like "*.domain.*" -or $_.name -like "*.domain.*"}
#Folder to gather all processlog files.
$exportfolder = "D:\Scripts\Symantec\ProcessLog"
#Create the folder if it is missing, then remove anything left from a previous run
New-Item -ItemType Directory -Path $exportfolder -Force | Out-Null
Remove-Item (Join-Path $exportfolder "*.*") -ErrorAction SilentlyContinue
#Parse list of Computernames
foreach($a in $csv){
#Header of CSV file
$name = $a.name
#Build Export file
$exportfile = Join-Path $exportfolder ($name + "_processlog.log")
#Copy processlog.log from SRV2008/7
copy "\\$name\C$\Programdata\symantec\Symantec Endpoint Protection\12*\Data\logs\processlog.log" $exportfile -ErrorAction SilentlyContinue
#Copy processlog.log from SRV2003/XP
copy "\\$name\C$\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12*\Data\Logs\processlog.log" $exportfile -ErrorAction SilentlyContinue
}
#Get the collected log files (only the .log copies, not the temporary text file).
$gci = gci $exportfolder -Filter *.log
#Regex Expression: the System Lockdown line up to the .SCSI device path
$regex = "(System)(.*)(.SCSI)"
#Parse All Collected processlog.log
foreach ($b in $gci){
#Gather All Fullnames
$file = $b.fullname
#Select only the string that is required (-AllMatches returns every match on a line).
$select = Select-String -Path $file -Pattern $regex -AllMatches
$value = $select | select -ExpandProperty Matches
#Export the matched text to a temporary unclean file. Expanding Value writes the
#string itself instead of "@{Value=...}", so no wrapper text is left in the fields.
$value | select -ExpandProperty Value | add-content (Join-Path $exportfolder "full.txt")
}
#cleanup csv, Put headers on file and export cleaner version
import-csv (Join-Path $exportfolder "full.txt") -Delimiter "`t" -Header MD5,1,2,3,4,5,6,Path,7,8,CalledFile | select @{Name="MD5";Expression={($_.MD5).Replace("System Lockdown - Target MD5=", "")}},Path,CalledFile | Export-Csv (Join-Path $exportfolder "clean.csv") -NoTypeInformation
#Remove all files as a cleanup task if cleanup is set to $true
if($cleanup){
rm (Join-Path $exportfolder "*.log")
rm (Join-Path $exportfolder "*.txt")
}
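The post's script round-trips the matched lines through a temporary text file and relies on fixed column positions. The following is an added example, not the author's script, that does the same parsing in memory: it turns System Lockdown lines into objects, validates the MD5, and de-duplicates the result into an exception list. The tab-separated layout (MD5 in the first field, caller path in field 8, called file in field 11) is an assumption taken from the -Header list in the script above, and the sample lines are constructed, not real Symantec output.

```powershell
# Added example, not the post's script: parse System Lockdown lines into objects and
# build a de-duplicated exception list (MD5, caller, called file).
# ASSUMPTION: the 11-column tab-separated layout mirrors the -Header list used in the
# post (MD5 first, caller path in column 8, called file in column 11); real logs may differ.

function ConvertFrom-LockdownLine {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        # Only the System Lockdown target lines carry the MD5 we want.
        if ($Line -notmatch '^System Lockdown - Target MD5=') { return }
        $fields = $Line -split "`t"
        if ($fields.Count -lt 11) { Write-Warning "Skipping short line: $Line"; return }
        $md5 = $fields[0] -replace '^System Lockdown - Target MD5=', ''
        # Reject anything that is not a 32-hex-digit MD5 so the allow list stays clean.
        if ($md5 -notmatch '^[0-9A-Fa-f]{32}$') { Write-Warning "Bad MD5 in line: $Line"; return }
        [pscustomobject]@{
            MD5        = $md5.ToUpper()
            Path       = $fields[7]
            CalledFile = $fields[10]
        }
    }
}

function Get-LockdownExceptionList {
    param([string[]]$LogPath)
    $LogPath |
        ForEach-Object { Get-Content -Path $_ -ErrorAction SilentlyContinue } |
        ConvertFrom-LockdownLine |
        Sort-Object MD5, CalledFile -Unique   # one row per (hash, called file)
}

# Constructed sample lines (not real Symantec output) in the assumed 11-column layout.
$sample = @(
    ("System Lockdown - Target MD5=0123456789ABCDEF0123456789ABCDEF" + "`tA`tB`tC`tD`tE`tF`tC:\Windows\explorer.exe`tG`tH`tC:\Program Files\App\app.exe"),
    ("System Lockdown - Target MD5=0123456789ABCDEF0123456789ABCDEF" + "`tA`tB`tC`tD`tE`tF`tC:\Windows\explorer.exe`tG`tH`tC:\Program Files\App\app.exe"),
    ("System Lockdown - Target MD5=FEDCBA9876543210FEDCBA9876543210" + "`tA`tB`tC`tD`tE`tF`tC:\Windows\System32\svchost.exe`tG`tH`tC:\Program Files\App\updater.exe"),
    "Some unrelated log line that is ignored"
)
$tmp = Join-Path $env:TEMP "sample_processlog.log"
Set-Content -Path $tmp -Value $sample
Get-LockdownExceptionList -LogPath $tmp | Format-Table -AutoSize
```

Point Get-LockdownExceptionList at the collected *_processlog.log copies to get the same three columns as clean.csv; the repeated sample line collapses to a single row and the unrelated line is dropped, and a malformed hash is reported rather than silently added to the list.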
I am employed by Splunk as a Sales engineer and blog with a focus on Security. The comments, opinions and information is my own and does not represent my employer.
Monday, 23 June 2014
Sunday, 1 June 2014
Export All Certificates that have a private key - Powershell Pentesting.
Hi all,
This script can export all certificates that have an exportable private key. If you receive 'Key not valid for use in specified state' it means that the key is not exportable. This is useful in a pentest to show clients that their SSL/TLS certificates are only as strong as the protection you provide on them.
Open up Powershell as administrator then issue the following script.
#Change location to Certificate store
sl cert:
#Make sure the output folder exists
New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
#Get all certificates that have a private key associated with them
gci -Recurse | where {$_.HasPrivateKey} |
#For each result with a private key write the output to c:\temp directory with the password of password.
#Export() throws 'Key not valid for use in specified state' when the key is not exportable,
#so catch it and carry on with the next certificate instead of stopping the pipeline.
Foreach-Object {
try {
[System.IO.File]::WriteAllBytes(
"c:\temp\$($_.Thumbprint).pfx",
($_.Export('PFX', 'password')) )
} catch {
Write-Warning "$($_.Exception.Message) - $($_.TargetObject)"
}
}
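The script above exports every key it can; the defensive counterpart is an inventory of which certificates have exportable keys at all, so they can be re-issued or re-imported without the exportable flag. The following is an added example, not the post's script, that reports exportability without writing any key material to disk. It assumes CSP-backed keys expose CspKeyContainerInfo.Exportable and CNG-backed keys expose Key.ExportPolicy through RSACertificateExtensions (.NET 4.6 or later); only when neither check applies does it fall back to an in-memory Export() probe, which raises the 'Key not valid for use in specified state' error mentioned above for non-exportable keys. The store paths are defaults you can change.

```powershell
# Added example, not the post's script: report which certificates carry an exportable
# private key, without exporting anything to disk.
# ASSUMPTIONS: CSP keys expose CspKeyContainerInfo.Exportable; CNG keys expose
# Key.ExportPolicy via RSACertificateExtensions (.NET 4.6+). Run elevated to see
# LocalMachine keys, as the post notes.

function Test-PrivateKeyExportable {
    param([Parameter(Mandatory = $true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if (-not $Certificate.HasPrivateKey) { return $false }
    # 1. Legacy CSP keys: the container info says whether the key was marked exportable.
    try {
        $csp = $Certificate.PrivateKey
        if ($csp -and $csp.CspKeyContainerInfo) { return [bool]$csp.CspKeyContainerInfo.Exportable }
    } catch { }
    # 2. CNG keys: check the export policy flags on the underlying CngKey.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $policy = $rsa.Key.ExportPolicy
            return ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
        }
    } catch { }
    # 3. Fallback probe: Export() throws for non-exportable keys; the bytes are discarded.
    try {
        $null = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'probe')
        return $true
    } catch {
        return $false
    }
}

function Get-ExportableKeyReport {
    param([string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'))
    Get-ChildItem -Path $StorePath -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $_.PSParentPath -replace '^.*::', ''
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Exportable = Test-PrivateKeyExportable -Certificate $_
            }
        }
}

# Exportable keys first, so the ones needing attention are at the top.
Get-ExportableKeyReport | Sort-Object Exportable -Descending | Format-Table -AutoSize
```

Rows with Exportable set to True are the certificates the post's script would be able to dump; for those, the key's only protection is the store ACL and whatever password is used at export time, and the fix is to re-import or re-enrol the certificate with a non-exportable (or hardware-backed) key.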