lines changed Expand file tree Collapse file tree 1 file changed +3
-1
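--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -3047,7 +3047,9 @@ https://www.mandiant.com/blog/malware-persistence-windows-registry/
 # the known DLL cache to exclude from our findings
 # http://blogs.msdn.com/b/larryosterman/archive/2004/07/19/187752.aspx
 $Keys = (Get-Item "HKLM:\System\CurrentControlSet\Control\Session Manager\KnownDLLs")
-$KnownDLLs = $(ForEach ($KeyName in $Keys.GetValueNames()) { $Keys.GetValue($KeyName) }) | Where-Object { $_.EndsWith(".dll") }
+$KnownDLLs = $(ForEach ($KeyName in $Keys.GetValueNames()) { $Keys.GetValue($KeyName).tolower() }) | Where-Object { $_.EndsWith(".dll") }
+$KnownDLLPaths = $(ForEach ($name in $Keys.GetValueNames()) { $Keys.GetValue($name).tolower() }) | Where-Object { -not $_.EndsWith(".dll") }
+$KnownDLLs += ForEach ($path in $KnownDLLPaths) { ls -force $path\*.dll | Select-Object -ExpandProperty Name | ForEach-Object { $_.tolower() }}
 $CurrentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
 
 # get the owners for all processes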
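Review bot: The third added line (`$KnownDLLs += ForEach ($path in $KnownDLLPaths) { ls -force $path\*.dll ... }`) widens the exclusion list from the DLL names actually listed under KnownDLLs to every *.dll file present in the non-.dll registry values, which are presumably the DllDirectory/DllDirectory32 entries, so a hijack candidate that merely resides in one of those directories is no longer reported; if that is intended the header comment should say so, e.g. `# also treat every DLL found under the directory-valued entries (DllDirectory*) as known, not just the listed names`, otherwise the extra loop should be dropped. Those non-.dll values are handed to `ls -force` without checking that they are existing directories, so a stale or malformed value emits a stream error instead of being skipped; guard the call with `if (Test-Path -Path $path -PathType Container) { ... }`. `$KnownDLLs +=` also assumes the pipeline on the first added line produced an array; when it yields a single string, `+=` concatenates text rather than appending elements, so `$KnownDLLs = @($KnownDLLs) + @(ForEach ...)` is the safer form. The enclosing function starts and ends outside the hunk.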