
PowerShell helper script to investigate Exchange Servers for a Hafnium attack

Here is a small helper that can support you in doing that

We all saw the news recently: Hafnium attacks happened, and servers might have been accessed. My general advice would be: reinstall the server if it was fully compromised!

But Frank is also right:

Would you tear down your complete house after a burglary or intrusion?

So, there are many reasons not to reinstall the complete Exchange environment after a Hafnium attack!

If you have an Exchange installation that you cleaned up after a Hafnium attack, you should keep an eye on this server (or these servers).

Here is a small helper that can support you in doing that:

<#
   .SYNOPSIS
   Helper script to investigate a Hafnium attack

   .DESCRIPTION
   Helper script to investigate a Hafnium attack

   .PARAMETER ReportPath
   Where to save the reports

   .EXAMPLE
   PS C:\> .\Get-HafniumReports.ps1

   .LINK
   https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289

   .LINK
   https://www.msxfaq.de/exchange/update/hafnium-nachbereitung.htm

   .NOTES
   This does NOT replace an antivirus scanner and also does NOT replace the Microsoft investigation scripts!
   You can use this to bring your ongoing security investigation(s) a step forward, not more, but also not less.
#>
[CmdletBinding(ConfirmImpact = 'None')]
param
(
    [Parameter(ValueFromPipeline,
        ValueFromPipelineByPropertyName)]
    [ValidateNotNullOrEmpty()]
    [ValidateNotNull()]
    [Alias('Path')]
    [string]
    $ReportPath = 'C:\scripts\PowerShell\reports\Hafnium\'
)

begin
{
    # Create the report directory, if needed
    if (-not (Test-Path -Path $ReportPath -ErrorAction SilentlyContinue))
    {
        $null = (New-Item -Path $ReportPath -ItemType Directory -Force -ErrorAction Stop)
    }

    # Create a Timestamp
    $TimeStamp = (Get-Date -Format 'yyyyMMdd_HHmmss')
}

process
{
    <#
      Look for commands like "Set-OABVirtualDirectory" - this is one of the known commands that the attackers used.
    #>

    # Get Exchange Event Logs (the admin audit log records every cmdlet that was run against Exchange)
    $null = (Get-WinEvent -LogName 'MSExchange Management' -ErrorAction SilentlyContinue | Export-Csv -Path ($ReportPath + 'MSExchangeManagement_' + $TimeStamp + '.csv') -NoTypeInformation -Force -Encoding UTF8 -ErrorAction SilentlyContinue)

    <#
      Look for tasks that you don't know.
      "WwanSvcdcs" is one of the task names known to be related to Hafnium.

      Please keep in mind: Windows itself uses Scheduled Tasks a lot!
    #>

    # Get Scheduled Task info: one row per action, keyed by the task that owns it,
    # so you can tell which task runs which command line.
    $null = (Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object -Process {
            $Task = $_
            $Task.Actions | Select-Object -Property @{ Name = 'TaskName'; Expression = { $Task.TaskName } }, @{ Name = 'TaskPath'; Expression = { $Task.TaskPath } }, @{ Name = 'Author'; Expression = { $Task.Author } }, Execute, Arguments, WorkingDirectory
        } | Export-Csv -Path ($ReportPath + 'ScheduledTaskInfo_' + $TimeStamp + '.csv') -NoTypeInformation -Force -Encoding UTF8 -ErrorAction SilentlyContinue)

    <#
      See above, and watch for tasks created since January 2021 that you cannot identify.

      Please keep in mind: Windows itself uses Scheduled Tasks a lot!
    #>

    # TaskScheduler info
    $null = (Get-WinEvent -LogName 'Microsoft-Windows-TaskScheduler/Operational' -ErrorAction SilentlyContinue | Export-Csv -Path ($ReportPath + 'TaskScheduler_' + $TimeStamp + '.csv') -NoTypeInformation -Force -Encoding UTF8 -ErrorAction SilentlyContinue)

    <#
      PowerShell keeps a history that is saved into a plain text file (ConsoleHost_history.txt), at least if the PSReadLine module is installed!
      A bit of work, but you can at least try to identify something strange here!
    #>

    # Get all History Files from PowerShell, with a header line per file so you can see which user profile each block came from
    $null = (Get-ChildItem -Path 'C:\Users' -Filter 'ConsoleHost_history.txt' -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object -Process {
            $HistoryReport = ($ReportPath + 'PowerShell_History_' + $TimeStamp + '.txt')
            $null = ("### $($_.FullName) (last written $($_.LastWriteTime))" | Out-File -FilePath $HistoryReport -Encoding utf8 -Append -ErrorAction SilentlyContinue)
            $null = (Get-Content -Path $_.FullName -ErrorAction SilentlyContinue | Out-File -FilePath $HistoryReport -Encoding utf8 -Append -ErrorAction SilentlyContinue)
        })
}

end
{
    # Open the directory in the File Explorer
    Invoke-Item -Path $ReportPath
}

#region LICENSE
<#
   BSD 3-Clause License
   Copyright (c) 2021, enabling Technology
   All rights reserved.
   Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
   1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
   2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
   3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#>
#endregion LICENSE

#region DISCLAIMER
<#
   DISCLAIMER:
   - Use at your own risk, etc.
   - This is open-source software, if you find an issue try to fix it yourself. There is no support and/or warranty in any kind
   - This is a third-party Software
   - The developer of this Software is NOT sponsored by or affiliated with Microsoft Corp (MSFT) or any of its subsidiaries in any way
   - The Software is not supported by Microsoft Corp (MSFT)
   - By using the Software, you agree to the License, Terms, and any Conditions declared and described above
   - If you disagree with any of the terms, and any conditions declared: Just delete it and build your own solution
#>
#endregion DISCLAIMER

Nothing too fancy: it just collects some information for you and exports it into several CSV files for an investigation. You should also use the detection and mitigation scripts that Microsoft provides!

There is also a Gist for this script, and it is part of my default repository.
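As an added triage example (not part of the original script or its Gist), the snippet below reads the CSV and text reports the script writes and flags the indicators the post names: the Set-OABVirtualDirectory cmdlet, the WwanSvcdcs task name, and tasks registered since January 2021. The report path, the indicator lists and the cut-off date are assumptions to adapt to your own environment.

```powershell
# Added example: first triage pass over the reports written by Get-HafniumReports.ps1.
# $ReportPath, the indicator lists and $Cutoff are assumptions; extend them with
# whatever your own investigation turns up.
$ReportPath        = 'C:\scripts\PowerShell\reports\Hafnium\'
$SuspiciousCmdlets = @('Set-OABVirtualDirectory')   # cmdlet named in the post
$SuspiciousTasks   = @('WwanSvcdcs')                # task name named in the post
$Cutoff            = [datetime]'2021-01-01'         # "tasks created since January 2021"

# Escape each indicator and join them into one alternation so a single -match suffices.
$CmdletPattern = ($SuspiciousCmdlets | ForEach-Object { [regex]::Escape($_) }) -join '|'
$TaskPattern   = ($SuspiciousTasks   | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Import-Reports ([string]$Filter) {
    # Newest report of each kind first; Import-Csv turns every row into an object.
    Get-ChildItem -Path $ReportPath -Filter $Filter -ErrorAction SilentlyContinue |
        Sort-Object -Property LastWriteTime -Descending |
        ForEach-Object { Import-Csv -Path $_.FullName }
}

# 1) Exchange admin audit log: when were the cmdlets of interest run?
Import-Reports -Filter 'MSExchangeManagement_*.csv' |
    Where-Object { $_.Message -match $CmdletPattern } |
    Select-Object -Property TimeCreated, Id, Message |
    Format-List

# 2) Task Scheduler operational log: event 106 = "task registered". Flag registrations
#    after the cut-off, and any event mentioning a known task name regardless of date.
#    TimeCreated was written by Export-Csv in the machine's own culture, so parse it the same way.
Import-Reports -Filter 'TaskScheduler_*.csv' |
    Where-Object {
        ($_.Id -eq 106 -and [datetime]::Parse($_.TimeCreated) -ge $Cutoff) -or
        ($_.Message -match $TaskPattern)
    } |
    Select-Object -Property TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# 3) Collected PowerShell history: lines that reference the cmdlets or task names.
Get-ChildItem -Path $ReportPath -Filter 'PowerShell_History_*.txt' -ErrorAction SilentlyContinue |
    Select-String -Pattern "$CmdletPattern|$TaskPattern" |
    Select-Object -Property Filename, LineNumber, Line
```

The Microsoft-Windows-TaskScheduler/Operational log is disabled by default on many Windows installations, so an empty TaskScheduler report means "not logged", not "no tasks were registered"; the ScheduledTaskInfo report and the Windows Security log are the fallback in that case.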