Tarrask Malware Quick Check (PS)
Microsoft Exposes Evasive Chinese Tarrask Malware Attacking Windows Computers.
Enumerate the registry of your Windows hosts under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree. Every registered scheduled task has its own key there, and a legitimate task key carries an SD (security descriptor) value. Tarrask deletes that SD value: the task keeps running, but it no longer shows up in Task Scheduler or in schtasks /query. Identify any task key that has no SD value and analyse those tasks as needed.
PowerShell Quick Check
<#
.SYNOPSIS
Gets the security descriptor (SD) of all, or one named, scheduled task from the Task Scheduler registry cache.
.DESCRIPTION
Windows stores an SD value on every task key under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
to manage task security. Tarrask hides its tasks by deleting that value, so a task key
with no SD is reported as Critical. By default the script displays the SDDL of all tasks.
Run it from an elevated PowerShell session: reading the Security event log requires administrator rights.
This script accepts one parameter.
-taskname  The name of a scheduled task (the leaf key name under Tree).
.EXAMPLE
./Detect-Tarrask-Malware.ps1 -taskname "My task"
#>
param
([string]$taskname = "")

if ($taskname -eq '') {
    'No task name specified.'
    'SDDL for all tasks will be displayed.'
}

# Win32_SecurityDescriptorHelper converts the binary SD value into a readable SDDL string.
$wmisdh   = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper
$treePath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"

# Tasks live in folders (Tree\Microsoft\Windows\...), so the walk must be recursive.
$subkeys = Get-ChildItem $treePath -Recurse

foreach ($key in $subkeys) {
    # When a task name was given, skip every other key.
    if ($taskname -ne '' -and $key.PSChildName -ne $taskname) { continue }

    $task = Get-ItemProperty $key.PSPath

    # Only task keys carry an Id value (the GUID of the TaskCache\Tasks entry);
    # folder keys do not, and must not be reported as hidden tasks.
    if ($null -eq $task.Id) { continue }

    ""
    $key.PSChildName

    # Test for the SD value before converting it: BinarySDToSDDL() errors on a null input,
    # and a missing SD is exactly the Tarrask indicator this check is looking for.
    if ($null -ne $task.SD) {
        $sddl = $wmisdh.BinarySDToSDDL($task.SD)
        $sddl['SDDL']
        Write-Host -ForegroundColor DarkGreen -BackgroundColor White "Safe - SDDL Entry found"
    } else {
        Write-Host -ForegroundColor Red -BackgroundColor White "Critical - Non SDDL Entry found"
    }
}

# Event ID 4698 = "A scheduled task was created". It is only written when
# "Audit Other Object Access Events" is enabled, so zero events can also mean auditing is off.
$EventId = 4698
$log = Get-WinEvent -FilterHashTable @{LogName = "Security"; ID = $EventId} -ErrorAction SilentlyContinue
$val = @($log).Count

if ($val -eq 0) {
    Write-Host -ForegroundColor DarkGreen -BackgroundColor White "Safe - No Event ID 4698 entries found in Security Log"
} else {
    Write-Host -ForegroundColor Red -BackgroundColor White "Critical - Event ID 4698 found in Security Log; review the task names in these events against the results above"
}
Your result should display Safe for each task. Any task reported as Critical has no SD value in its Tree key and must be investigated.
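The quick check above answers one question per task key: is the SD value present? The sweep below is an added example, not code from the original article or from Microsoft, that goes one step further and confirms the hiding effect the article describes: it walks the whole Tree recursively, flags task keys without an SD value, and compares each task path against what the Task Scheduler API returns through Get-ScheduledTask (ScheduledTasks module, Windows 8 / Server 2012 and later, assumed available). A task that exists in the registry but is not returned by the API is the hidden state Tarrask creates. It also pulls Author from the matching TaskCache\Tasks\{Id} key to help triage a hit. Run it from an elevated PowerShell prompt.

```powershell
# Added example: recursive sweep for Tarrask-style hidden scheduled tasks.
# Not part of the original article; paths and value names are the standard
# TaskCache layout (Tree\<folder>\<task> with Id, Index, SD; Tasks\{Id} with the definition).

$treePath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasksPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$sdHelper  = New-Object System.Management.ManagementClass Win32_SecurityDescriptorHelper

# Task paths as the Task Scheduler API reports them, e.g. "\Microsoft\Windows\Defrag\ScheduledDefrag".
# TaskPath already ends with a backslash, so plain concatenation gives the full path.
$apiTasks = Get-ScheduledTask | ForEach-Object { $_.TaskPath + $_.TaskName }

$findings = foreach ($key in Get-ChildItem $treePath -Recurse) {
    $props = Get-ItemProperty $key.PSPath
    if ($null -eq $props.Id) { continue }    # folder key, not a task entry

    # Registry key name is "HKEY_LOCAL_MACHINE\...\Tree\Microsoft\Windows\...";
    # everything from the backslash after "Tree" on is the Task Scheduler path.
    $taskPath = $key.Name.Substring($key.Name.IndexOf('\Tree\') + 5)

    $hasSd  = $null -ne $props.SD
    $sddl   = if ($hasSd) { $sdHelper.BinarySDToSDDL($props.SD)['SDDL'] } else { $null }
    $listed = $apiTasks -contains $taskPath   # -contains is case-insensitive

    # The Tasks\{Id} key holds the task definition; Author is useful for triage.
    $def = Get-ItemProperty (Join-Path $tasksPath $props.Id) -ErrorAction SilentlyContinue

    $verdict = if (-not $hasSd -and -not $listed) { 'Critical - hidden task (no SD, not listed by API)' }
               elseif (-not $hasSd)               { 'Critical - no SD value' }
               elseif (-not $listed)              { 'Review - API does not list this task' }
               else                               { 'Safe' }

    [pscustomobject]@{
        TaskPath    = $taskPath
        Id          = $props.Id
        HasSD       = $hasSd
        ListedByAPI = $listed
        Author      = $def.Author
        SDDL        = $sddl
        Verdict     = $verdict
    }
}

# Overview first, then full detail for anything Critical.
$findings | Sort-Object Verdict | Format-Table TaskPath, HasSD, ListedByAPI, Author, Verdict -AutoSize
$findings | Where-Object Verdict -like 'Critical*' | Format-List TaskPath, Id, Author, SDDL
```

A task that shows HasSD = False and ListedByAPI = False is the pattern to escalate: the registry still holds the definition under Tasks\{Id}, but the Task Scheduler UI and schtasks no longer show it. A task with an SD that the API nevertheless does not list is worth a second look but is not, by itself, the Tarrask indicator.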