<#
Script Name: ShellCSV.ps1
Author: Michael Haag
Version: 0.1
Description:
"ShellCSV" is a PowerShell tool designed to scan directories for potential webshells and report on their entropy and hash values. Like ShellSweep, it uses entropy as an indicator of potential webshell files.
How It Works:
The script calculates the entropy of the contents of each file found recursively under the specified directories that has one of the specified file extensions.
The entropy, full file path, hash, and date of the scan are stored in a PSObject and added to an array of results.
After the scan is complete, the results are exported to a CSV file.
Usage:
Provide the directory paths to be scanned in the $directoryPaths array.
Specify the file extensions to be scanned in the $fileExtensions array.
Run the script in PowerShell.
Output:
The script generates a CSV file that contains the full file path, entropy value, file hash, and scan date for each scanned file.
#>
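function Get-Entropy {
    <#
    .SYNOPSIS
    Computes the Shannon entropy, in bits per symbol, of a string.

    .DESCRIPTION
    Counts how often each character occurs in $String and sums
    -p * log2(p) over the distinct characters. The result is 0 for an
    empty string or a string made of one repeated character, and rises to
    log2(n) when n distinct characters occur equally often. The scan loop
    uses this value as a heuristic for encoded or obfuscated content; it is
    a statistic of the text, not a verdict on the file.

    .PARAMETER String
    The text to measure. Characters are counted as .NET [char] values
    (UTF-16 code units), so a surrogate pair contributes two symbols.
    An empty string is accepted and yields 0; without [AllowEmptyString()]
    the Mandatory binding rejects empty files and aborts the scan.

    .OUTPUTS
    [double] Entropy in bits.
    #>
    param(
        [Parameter(Mandatory = $true, Position = 0)]
        [AllowEmptyString()]
        [string] $String
    )

    $length = $String.Length
    if ($length -eq 0) {
        return [double]0
    }

    # Character -> occurrence count. Indexing a missing key yields $null,
    # which [int] coerces to 0, so no ContainsKey branch is needed.
    $counts = @{}
    foreach ($ch in $String.ToCharArray()) {
        $counts[$ch] = [int]$counts[$ch] + 1
    }

    # A foreach statement rather than the ForEach-Object alias: no pipeline
    # overhead and the accumulator is plainly in the function's own scope.
    [double] $entropy = 0
    foreach ($count in $counts.Values) {
        $p = $count / $length
        $entropy -= $p * [Math]::Log($p, 2)
    }
    return $entropy
}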
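# ---------------------------------------------------------------------------
# Scan configuration
# ---------------------------------------------------------------------------
# Directories to walk recursively. The commented-out set is the alternative
# the author kept (Exchange front-end and IIS web-root paths); the active
# list points at local sample directories.
#$directoryPaths = @(
# 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\oab',
# 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth',
# 'C:\inetpub\wwwroot'
#)
$directoryPaths = @(
    'C:\Users\Administrator\Downloads\reGeorg-master\reGeorg-master',
    'C:\Users\Administrator\Downloads\p0wny-shell-master',
    'C:\Users\Administrator\Desktop\10684728197_human2_cisa_report',
    'C:\Users\Administrator\Downloads\xl7dev\WebShell-master',
    'C:\Users\Administrator\Downloads\webshells-master\webshells-master',
    'C:\Users\Administrator\Downloads\webshell-master\webshell-master',
    'C:\Users\Administrator\Desktop\10660311902'
)

# Extensions to include; the -in comparison is case-insensitive, and the
# empty string matches files that have no extension at all.
$fileExtensions = @('.aspx', '.asp', '.js', '.jsp', '.php', '')

# Destination for the report. The parent directory is created if missing so
# Export-Csv does not fail at the very end of a long scan.
$outputPath = 'c:\temp\shellcsv.csv'

# One scan date for the whole run instead of a Get-Date call per file.
$scanDate = Get-Date -Format "MM/dd/yyyy"

# A List instead of `$results += ...`, which copies the whole array on every
# append and turns a large tree into a quadratic scan.
$results = New-Object System.Collections.Generic.List[object]

# ---------------------------------------------------------------------------
# Scan
# ---------------------------------------------------------------------------
foreach ($directoryPath in $directoryPaths) {
    # -LiteralPath: directory names are taken verbatim, never as wildcards.
    Get-ChildItem -LiteralPath $directoryPath -Recurse -File |
        Where-Object { $_.Extension -in $fileExtensions } |
        ForEach-Object {
            $file = $_
            try {
                # The whole file is read into memory. Line endings are
                # normalised so CRLF and LF copies of the same text score
                # the same entropy.
                $content = [System.IO.File]::ReadAllText($file.FullName, [System.Text.Encoding]::UTF8)
                $content = $content -replace "`r`n|`r", "`n"

                # [pscustomobject] keeps this literal order as the CSV column
                # order; New-Object -Property with a hashtable does not.
                $results.Add([pscustomobject]@{
                    Date         = $scanDate
                    FullName     = $file.FullName
                    Entropy      = Get-Entropy -String $content
                    Hash         = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                    LastModified = $file.LastWriteTime
                })
            }
            catch {
                # A locked or unreadable file must not abort the rest of the
                # scan; report it and keep the results gathered so far.
                Write-Warning ("Skipping {0}: {1}" -f $file.FullName, $_.Exception.Message)
            }
        }
}

# ---------------------------------------------------------------------------
# Report
# ---------------------------------------------------------------------------
$outputDir = Split-Path -Parent $outputPath
if (-not (Test-Path -LiteralPath $outputDir)) {
    New-Item -ItemType Directory -Path $outputDir -Force | Out-Null
}
$results | Export-Csv -Path $outputPath -NoTypeInformation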