From 627bf9cfe8ebcd483dc91cf78c89171689bdc277 Mon Sep 17 00:00:00 2001
From: tke
Date: Thu, 12 May 2022 17:23:42 +0200
Subject: [PATCH] Adjusted start.sh to use new arguments of apthunter2
---
start.sh | 56 ++------------------------------------------------------
1 file changed, 2 insertions(+), 54 deletions(-)
diff --git a/start.sh b/start.sh
index 385d317..5004e77 100644
--- a/start.sh
+++ b/start.sh
@@ -28,67 +28,15 @@ else fi fi -#find all suiteable logfiles in /data -log_security=$(find /data -iname "Security.evtx" 2>/dev/null | head -n 1) -log_system=$(find /data -iname "System.evtx" 2>/dev/null | head -n 1) -log_powershell=$(find /data -iname "Windows PowerShell.evtx" 2>/dev/null | head -n 1) -log_terminal=$(find /data -iname "Microsoft-Windows-TerminalServices-LocalSessionManager*Operational.evtx" 2>/dev/null | head -n 1) -log_defender=$(find /data -iname "Microsoft-Windows-Windows Defender*Operational.evtx" 2>/dev/null | head -n 1) -log_scheduler=$(find /data -iname "Microsoft-Windows-TaskScheduler*Operational.evtx" 2>/dev/null | head -n 1) -log_winrm=$(find /data -iname "Microsoft-Windows-WinRM*Operational.evtx" 2>/dev/null | head -n 1) -log_sysmon=$(find /data -iname "Microsoft-Windows-Sysmon*Operational.evtx" 2>/dev/null | head -n 1) -log_powershellop=$(find /data -iname "Microsoft-Windows-PowerShell*Operational.evtx" 2>/dev/null | head -n 1) - #base command for apthunter -cmd=(/usr/bin/python3 /APT-Hunter/APT-Hunter.py) +cmd=(/usr/bin/python3 /APT-Hunter/APT-Hunter.py -p /data) -#evtx mode -cmd+=(-t evtx) - -#list all found logfiles -echo "log_security : ${log_security}" -echo "log_system : ${log_system}" -echo "log_powershell : ${log_powershell}" -echo "log_terminal : ${log_terminal}" -echo "log_defender : ${log_defender}" -echo "log_scheduler : ${log_scheduler}" -echo "log_winrm : ${log_winrm}" -echo "log_sysmon : ${log_sysmon}" -echo "log_powershellop : ${log_powershellop}" #set output-destination output="${output}/apthunter_$(date +%s)" echo "output is goint to : ${output}" cmd+=(-o "${output}") -#enable processing for each found logfile by extending the command -if [[ ! -z "${log_security}" ]] ; then - cmd+=(--security "${log_security}") -fi -if [[ ! -z "${log_system}" ]] ; then - cmd+=(--system "${log_system}") -fi -if [[ ! -z "${log_powershell}" ]] ; then - cmd+=(--powershell "${log_powershell}") -fi -if [[ ! 
-z "${log_terminal}" ]] ; then - cmd+=(--terminal "${log_terminal}") -fi -if [[ ! -z "${log_defender}" ]] ; then - cmd+=(--defender "${log_defender}") -fi -if [[ ! -z "${log_scheduler}" ]] ; then - cmd+=(--scheduledtask "${log_scheduler}") -fi -if [[ ! -z "${log_winrm}" ]] ; then - cmd+=(--winrm "${log_winrm}") -fi -if [[ ! -z "${log_sysmon}" ]] ; then - cmd+=(--sysmon "${log_sysmon}") -fi -if [[ ! -z "${log_powershellop}" ]] ; then - cmd+=(--powershellop "${log_powershellop}") -fi #run the apthunter command -"${cmd[@]}" \ No newline at end of file +"${cmd[@]}"
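Review bot: The new `cmd=(/usr/bin/python3 /APT-Hunter/APT-Hunter.py -p /data)` line hands the whole directory to the tool without first checking that `/data` is mounted and actually contains `.evtx` files, and the hunk also removes the per-log `echo` listing that let the operator see which logs were picked up, so an empty or mis-mounted volume now yields an empty report with nothing in the container log to explain it. A short guard before the `cmd=` line keeps the old visibility, e.g. `[[ -d /data ]] || { echo "no /data directory mounted" >&2; exit 1; }` followed by `find /data -iname '*.evtx'` to print what will be processed. The `-t evtx` option is dropped together with the per-log options; if that is intended because `-p` now implies evtx input, a comment on the `#base command for apthunter` line saying so would spare the next reader a check of the apthunter2 CLI. The `output` variable and the if/else closed by the leading `fi` context lines are defined outside the hunk.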