Initial APThunter
80
start.sh
Normal file
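--- a/start.sh
+++ b/start.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+#check which destination is writeable /data or /output
+if [[ ! -f /output/notmounted ]] && [[ -w /output ]] ; then
+echo "output folder was mounted"
+echo "output can be written"
+output="/output"
+else
+if [[ -w /data ]] ; then
+echo "data can be written"
+output="/data"
+else
+echo "no output folder available"
+exit 1
+fi
+fi
+
+#find all suiteable logfiles in /data
+log_security=$(find /data -iname "Security.evtx" 2>/dev/null | head -n 1)
+log_system=$(find /data -iname "System.evtx" 2>/dev/null | head -n 1)
+log_powershell=$(find /data -iname "Windows PowerShell.evtx" 2>/dev/null | head -n 1)
+log_terminal=$(find /data -iname "Microsoft-Windows-TerminalServices-LocalSessionManager*Operational.evtx" 2>/dev/null | head -n 1)
+log_defender=$(find /data -iname "Microsoft-Windows-Windows Defender*Operational.evtx" 2>/dev/null | head -n 1)
+log_scheduler=$(find /data -iname "Microsoft-Windows-TaskScheduler*Operational.evtx" 2>/dev/null | head -n 1)
+log_winrm=$(find /data -iname "Microsoft-Windows-WinRM*Operational.evtx" 2>/dev/null | head -n 1)
+log_sysmon=$(find /data -iname "Microsoft-Windows-Sysmon*Operational.evtx" 2>/dev/null | head -n 1)
+log_powershellop=$(find /data -iname "Microsoft-Windows-PowerShell*Operational.evtx" 2>/dev/null | head -n 1)
+
+#base command for apthunter
+cmd=(/usr/bin/python3 /APT-Hunter/APT-Hunter.py)
+
+#evtx mode
+cmd+=(-t evtx)
+
+#list all found logfiles
+echo "log_security : ${log_security}"
+echo "log_system : ${log_system}"
+echo "log_powershell : ${log_powershell}"
+echo "log_terminal : ${log_terminal}"
+echo "log_defender : ${log_defender}"
+echo "log_scheduler : ${log_scheduler}"
+echo "log_winrm : ${log_winrm}"
+echo "log_sysmon : ${log_sysmon}"
+echo "log_powershellop : ${log_powershellop}"
+
+#set output-destination
+output="${output}/apthunter_$(date +%s)"
+echo "output is goint to : ${output}"
+cmd+=(-o "${output}")
+
+#enable processing for each found logfile by extending the command
+if [[ ! -z "${log_security}" ]] ; then
+cmd+=(--security "${log_security}")
+fi
+if [[ ! -z "${log_system}" ]] ; then
+cmd+=(--system "${log_system}")
+fi
+if [[ ! -z "${log_powershell}" ]] ; then
+cmd+=(--powershell "${log_powershell}")
+fi
+if [[ ! -z "${log_terminal}" ]] ; then
+cmd+=(--terminal "${log_terminal}")
+fi
+if [[ ! -z "${log_defender}" ]] ; then
+cmd+=(--defender "${log_defender}")
+fi
+if [[ ! -z "${log_scheduler}" ]] ; then
+cmd+=(--scheduledtask "${log_scheduler}")
+fi
+if [[ ! -z "${log_winrm}" ]] ; then
+cmd+=(--winrm "${log_winrm}")
+fi
+if [[ ! -z "${log_sysmon}" ]] ; then
+cmd+=(--sysmon "${log_sysmon}")
+fi
+if [[ ! -z "${log_powershellop}" ]] ; then
+cmd+=(--powershellop "${log_powershellop}")
+fi
+
+#run the apthunter command
+"${cmd[@]}"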
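Review bot: Each `find … | head -n 1` assignment (the `log_security` line through `log_powershellop`) silently keeps the first matching file when /data holds more than one, for example logs collected from several hosts, so the remaining copies are never analysed and the only trace is the echoed path. A small helper that warns on stderr when more than one match exists keeps the same selection while making the skipped evidence visible; the nine assignments would then read `log_security=$(find_log "Security.evtx")` and so on. Separately, the fallback branch sets `output="/data"`, so on a read-only /output mount the tool writes its results into the same tree it is treating as evidence; if /data is meant to be the untouched source, exiting there instead of falling back is the safer choice. Whether APT-Hunter creates the `-o` directory itself is not visible here, so the script may also need a `mkdir -p -- "${output}"` before the final run.
```shell
# Print the first file under /data whose name matches the given pattern;
# warn on stderr when several match so the analyst knows copies were skipped.
find_log() {
  local -a matches
  mapfile -t matches < <(find /data -iname "$1" 2>/dev/null)
  if (( ${#matches[@]} > 1 )); then
    echo "warning: ${#matches[@]} files match $1, only the first is processed" >&2
  fi
  printf '%s\n' "${matches[0]-}"
}

log_security=$(find_log "Security.evtx")
# … unchanged: the other eight log_* assignments, each calling find_log with its pattern …
```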