CVE-2021-27065

Quick one-line PowerShell scripts to look for web shells, possible archive staging, and log entries related to CVE-2021-27065, the post-authentication arbitrary file write in Microsoft Exchange Server that was chained with the CVE-2021-26855 SSRF (ProxyLogon) to drop web shells. Each script writes its results to a CSV in the temp folder at the root of C: (C:\temp).

Quick Code Explanation:

CompedFiles.ps1

  1. Starts at the path specified.
  2. Works its way through each folder and finds the files inside it.
  3. Checks each file for the pattern "\w*://\w/<\w*\s.<.>", which is meant to catch the shape an attacker writes to disk through this CVE: a URL followed by a server-side script tag, set as the OAB virtual directory's ExternalUrl and then exported into a file under the web root.
  4. For every match it selects the path to the file and the line that matched.
  5. Writes those results to the CSV in the temp folder at the root of C:.

LogChecker

  1. Starts at the path specified.
  2. Works its way through each folder and finds the files inside it.
  3. Checks each file for the pattern "Set-OabVirtualDirectory", the cmdlet abused to stage the file write.
    1. This may pick up more than what we want (legitimate administration calls the same cmdlet), but it's the best way I have at the moment.
  4. For every match it selects the path to the file and the line that matched.
  5. Writes those results to the CSV in the temp folder at the root of C:.
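Both CompedFiles.ps1 and LogChecker are the same idea with a different pattern: walk a tree, run every file through Select-String, and export the path and matching line. The script below is an added example, not the repository's own code. The Invoke-PatternSweep name, the scratch directory, the inert sample files and the more explicit web-shell regex '\w+://\w+/<\w+\s[^>]*>' are assumptions made for this illustration; substitute the README's own pattern and real paths (the Exchange web root and the ECP server logs) when running it on a host.

```powershell
# Added example (not the repository's CompedFiles.ps1 / LogChecker): a recursive
# Select-String sweep that writes file path, line number and matching line to a CSV.
# Function name, scratch directory and sample content are assumptions for this demo.

function Invoke-PatternSweep {
    param(
        [Parameter(Mandatory)] [string]   $Path,          # root of the tree to walk
        [Parameter(Mandatory)] [string]   $Pattern,       # regex handed to Select-String
        [string[]]                        $Include = '*', # e.g. '*.aspx' or '*.log'
        [Parameter(Mandatory)] [string]   $OutFile        # CSV destination
    )
    $hits = Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Select-String -Pattern $Pattern -ErrorAction SilentlyContinue |
        Select-Object @{n='File';          e={ $_.Path }},
                      @{n='LineNumber';    e={ $_.LineNumber }},
                      @{n='Line';          e={ $_.Line.Trim() }},
                      @{n='LastWriteTime'; e={ (Get-Item $_.Path).LastWriteTime }}
    $hits | Export-Csv -Path $OutFile -NoTypeInformation
    return $hits
}

# --- Constructed sample tree (stand-in for C:\inetpub\wwwroot and the ECP logs) ---
$scratch = Join-Path $env:TEMP ('sweep-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $scratch 'owa\auth')           -Force | Out-Null
New-Item -ItemType Directory -Path (Join-Path $scratch 'Logging\ECP\Server') -Force | Out-Null
New-Item -ItemType Directory -Path (Join-Path $scratch 'out')                -Force | Out-Null

# Inert text with the shape the CompedFiles regex targets: a URL followed by a
# server-side script tag. It is not a working web shell, only a matching string.
Set-Content -Path (Join-Path $scratch 'owa\auth\sample.aspx') -Value @(
    '<%@ Page Language="C#" %>',
    'http://f/<script language="JScript" runat="server">function Page_Load(){}</script>'
)
Set-Content -Path (Join-Path $scratch 'owa\auth\logon.aspx') -Value '<html>clean page</html>'

# Constructed ECP server log lines; only the second names Set-OabVirtualDirectory.
Set-Content -Path (Join-Path $scratch 'Logging\ECP\Server\ECPServer.log') -Value @(
    '2021-03-03T10:00:00Z,/ecp/default.aspx,Get-Mailbox,ok',
    '2021-03-03T10:02:17Z,/ecp/DDI/DDIService.svc/SetObject,Set-OabVirtualDirectory,ok'
)

# CompedFiles-style sweep: URL followed by a server-side script tag in .aspx files.
$shellHits = Invoke-PatternSweep -Path $scratch -Include '*.aspx' -Pattern '\w+://\w+/<\w+\s[^>]*>' -OutFile (Join-Path $scratch 'out\CompedFiles.csv')

# LogChecker-style sweep: any log line that records the abused cmdlet.
$logHits = Invoke-PatternSweep -Path $scratch -Include '*.log' -Pattern 'Set-OabVirtualDirectory' -OutFile (Join-Path $scratch 'out\LogChecker.csv')

$shellHits | Format-Table File, LineNumber, Line -AutoSize
$logHits   | Format-Table File, LineNumber, Line -AutoSize
```

On the constructed tree the first sweep should report only sample.aspx (line 2) and the second only ECPServer.log (line 2); logon.aspx and the Get-Mailbox line are the negatives that show the patterns are not matching everything. The LastWriteTime column is there so a hit can be lined up against the log timeline, and -ErrorAction SilentlyContinue keeps a locked or binary file from aborting the whole run.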

PossibleExfil

  1. Starts at the root of C:.
  2. Looks through every directory for anything with the file extension zip, tar, gzip, 7z, rar or dmp:
    1. zip -- files that would have been zipped and pulled off the server
    2. tar -- folders that would have been tarred and pulled off the server
    3. gzip -- files that would have been gzipped and pulled off the server
    4. 7z -- files that would have been 7-Zipped and pulled off the server
    5. rar -- files that would have been rar'ed and pulled off the server
    6. dmp -- possible process dumps (for example a credential dump of LSASS)
  3. This will of course return far more than you will ever need to look through.
  4. The output goes to a CSV in the temp folder at the root of C:.
    1. Since it's a CSV we can sort by date.
      1. Our checks included anything going back to September of last year, since there have been reports of activity going back to October of last year.
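The sweep above is a file-metadata hunt rather than a content match, so the useful additions are a date cutoff applied before export (so the CSV is already trimmed) and a newest-first sort. The script below is an added example, not the repository's PossibleExfil script. The Find-ArchiveArtifacts name, the scratch directory and the back-dated sample files are assumptions for this illustration; the cutoff is relative so the demo keeps working, while the README's own cutoff would be Get-Date '2020-09-01'.

```powershell
# Added example (not the repository's PossibleExfil script): find archive and dump
# files under a root, keep only those modified on or after a cutoff, sort newest
# first and export a CSV. Function name, scratch tree and samples are assumptions.

function Find-ArchiveArtifacts {
    param(
        [Parameter(Mandatory)] [string]   $Path,     # root to walk, e.g. 'C:\'
        [Parameter(Mandatory)] [datetime] $Since,    # keep files written on/after this
        [Parameter(Mandatory)] [string]   $OutFile,  # CSV destination
        [string[]] $Extensions = @('.zip', '.tar', '.gz', '.gzip', '.7z', '.rar', '.dmp')
    )
    $found = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { ($Extensions -contains $_.Extension.ToLower()) -and ($_.LastWriteTime -ge $Since) } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, CreationTime, LastWriteTime,
                      @{n='Owner'; e={ (Get-Acl -Path $_.FullName).Owner }}
    $found | Export-Csv -Path $OutFile -NoTypeInformation
    return $found
}

# --- Constructed sample tree with back-dated decoys ---
$scratch = Join-Path $env:TEMP ('exfil-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $scratch 'inetpub\wwwroot\aspnet_client') -Force | Out-Null
New-Item -ItemType Directory -Path (Join-Path $scratch 'Windows\Temp')                  -Force | Out-Null

# Three files inside the window (an archive under the web root, a process dump and a
# tarball in Temp), one 7z archive two years old that the cutoff should drop, and a
# plain text file whose extension is not in the list.
$samples = @{
    'inetpub\wwwroot\aspnet_client\mail.zip' = Get-Date
    'Windows\Temp\lsass.dmp'                 = (Get-Date).AddDays(-3)
    'Windows\Temp\backup.tar'                = (Get-Date).AddDays(-10)
    'Windows\Temp\old-export.7z'             = (Get-Date).AddYears(-2)
    'Windows\Temp\notes.txt'                 = Get-Date
}
foreach ($entry in $samples.GetEnumerator()) {
    $file = Join-Path $scratch $entry.Key
    Set-Content -Path $file -Value 'placeholder bytes'
    (Get-Item -Path $file).LastWriteTime = $entry.Value   # back-date the sample
}

$cutoff = (Get-Date).AddMonths(-6)   # README used 1 September of the prior year
$hits = Find-ArchiveArtifacts -Path $scratch -Since $cutoff -OutFile (Join-Path $scratch 'PossibleExfil.csv')
$hits | Format-Table FullName, Length, LastWriteTime, Owner -AutoSize
```

Against the constructed tree this should list mail.zip, lsass.dmp and backup.tar in that order and omit old-export.7z and notes.txt. Filtering on LastWriteTime rather than CreationTime matters here because an archive copied in from elsewhere gets a fresh CreationTime while keeping its original modification time; check both columns in the CSV when a hit looks off. The Owner column is cheap triage: an archive under the web root owned by the IIS application pool identity is more interesting than one owned by a backup service account.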