
# Automated IOC Checker v2.5
# Author: German Quezada
# Description: Detects signs of compromise using IOCs from iocs.json stored on a USB drive
Write-Host "--- 🔁 Enhanced Automated IOC Checker ---" -ForegroundColor Yellow

# --- Step 1: Locate USB Drive with \newerPowershell\iocs.json ---
# The first volume (in Get-Volume order) that has a drive letter and carries the
# IOC file is selected; only its letter is kept. Any volume with that path is
# accepted, not only removable media, so confirm the drive printed in Step 2 is
# the one you expect before trusting the scan.
$usbDrive = Get-Volume |
    Where-Object { $_.DriveLetter } |
    Where-Object { Test-Path "$($_.DriveLetter):\newerPowershell\iocs.json" } |
    Select-Object -ExpandProperty DriveLetter -First 1

if (-not $usbDrive) {
    Write-Error "❌ Could not find the USB drive containing '\newerPowershell\iocs.json'."
    exit 1
}

# --- Step 2: Build Path to iocs.json ---
# Drive letter followed by the fixed relative path of the IOC file.
$iocFile = '{0}:\newerPowershell\iocs.json' -f $usbDrive
Write-Host "Using IOC file at: $iocFile" -ForegroundColor DarkYellow

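# --- Step 3: Create sample iocs.json if missing or empty ---
# The whole file is read (-Raw) instead of only its first line: an empty file
# yields $null, on which the previous first-line .Trim() call threw and aborted
# the script, and a file whose first line is blank but which holds JSON further
# down must not be overwritten.
$existing = $null
if (Test-Path $iocFile) {
    $existing = Get-Content $iocFile -Raw -ErrorAction SilentlyContinue
}
if ([string]::IsNullOrWhiteSpace($existing)) {
    # Placeholder indicators only (documentation/test-net values); the operator
    # is told to replace them before a real scan.
    @"
{
    "file_hashes_sha256": [
        "3395856CE81F2B7382DEB72F4DAB7014DB542168586498A44924B270A5B4D2A6"
    ],
    "malicious_ips": [
        "198.51.100.5",
        "203.0.113.10",
        "45.77.11.222"
    ],
    "malicious_domains": [
        "malicious-domain.com",
        "evil-tracker.net",
        "sneaky-malware.org"
    ],
    "malicious_filenames": [
        "bad.exe",
        "totally_safe.js",
        "payload.bat"
    ],
    "malicious_registry_keys": [
        "HKCU:\\Software\\EvilCorp",
        "HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BadProcess"
    ],
    "malicious_processes": [
        "badproc.exe",
        "sneaky.exe"
    ],
    "malicious_services": [
        "EvilService",
        "BadUpdater",
        "FakeUpdater",
        "CryptSvcFake",
        "StealerBot"
    ],
    "malicious_schtasks": [
        "MaliciousTask",
        "BackdoorStartup",
        "UpdateService_Backdoor",
        "Windows_UpdateScheduler",
        "CryptoMiner_Task"
    ]
}
"@ | Out-File $iocFile -Encoding UTF8
    Write-Host "Sample 'iocs.json' created at: $iocFile"
    Write-Host "Please update it with real threat intel before running the scan."
    exit
}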

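# --- Step 4: Load and Validate JSON ---
# -ErrorAction Stop turns a read failure (non-terminating by default, e.g. a
# permission error) into an exception so it reaches the catch block instead of
# silently leaving $iocs empty and every later check trivially "clean".
try {
    $iocs = Get-Content $iocFile -Raw -ErrorAction Stop | ConvertFrom-Json -ErrorAction Stop
} catch {
    Write-Error "⚠️ Error: iocs.json is invalid. Fix the JSON syntax before running this script. ($($_.Exception.Message))"
    exit 1
}
if (-not $iocs) {
    # Parsed successfully but produced no object (e.g. the literal "null").
    Write-Error "⚠️ Error: iocs.json contains no IOC object."
    exit 1
}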

# --- Step 5: Begin IOC Scan ---
# Set to $true by any check below; read once more by the final summary.
$iocsFound = $false
# Filesystem checks (hash and filename scans) are limited to the user's profile.
$scanPath = $env:USERPROFILE

# --- 1. Network Connections ---
# One snapshot of TCP connections is taken up front and compared against each
# IOC address; UDP flows and connections closed before the snapshot are not seen.
Write-Host "`n[*] Checking active network connections..." -ForegroundColor Cyan
$connections = Get-NetTCPConnection
foreach ($ip in $iocs.malicious_ips) {
    $hits = @($connections | Where-Object RemoteAddress -eq $ip)
    if ($hits.Count -gt 0) {
        Write-Warning "IOC HIT (IP): Active connection to $ip"
        $hits | Format-Table
        $iocsFound = $true
    }
}

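# --- 2. File Hash Scan ---
# Every regular file under $scanPath is hashed once and looked up in the SHA-256
# IOC list (-contains is case-insensitive, so hash casing does not matter).
Write-Host "[*] Scanning files in $scanPath for malicious hashes..." -ForegroundColor Cyan
# Pipe through Where-Object so a missing/empty list gives an empty array
# (@($null).Count would be 1) and the expensive walk can be skipped.
$knownHashes = @($iocs.file_hashes_sha256 | Where-Object { $_ })
if ($knownHashes.Count -eq 0) {
    Write-Host "    (no SHA-256 hashes in iocs.json; skipping file hash scan)"
} else {
    $unreadable = 0
    Get-ChildItem -Path $scanPath -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            # -LiteralPath: names containing '[' or ']' are otherwise treated as
            # wildcards. -ErrorAction Stop: Get-FileHash errors (locked or
            # unreadable files) are non-terminating by default and would never
            # reach the catch block.
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            if ($knownHashes -contains $hash) {
                Write-Warning "IOC HIT (HASH): $($_.FullName)"
                $iocsFound = $true
            }
        } catch {
            # Counted rather than silently dropped so the operator knows the
            # scan did not cover every file.
            $unreadable++
        }
    }
    if ($unreadable -gt 0) {
        Write-Warning "File hash scan could not read $unreadable file(s) under $scanPath."
    }
}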

# --- 3. Filename Search ---
# Each IOC name is handed to the filesystem provider as a -Filter, so wildcard
# characters in the IOC name act as wildcards rather than literal characters.
Write-Host "[*] Searching for known bad filenames..." -ForegroundColor Cyan
foreach ($name in $iocs.malicious_filenames) {
    Get-ChildItem -Path $scanPath -Recurse -Filter $name -ErrorAction SilentlyContinue |
        ForEach-Object {
            Write-Warning "IOC HIT (FILENAME): $($_.FullName)"
            $iocsFound = $true
        }
}

# --- 4. Registry Key Detection ---
# IOC entries are expected as PowerShell provider paths (HKCU:\..., HKLM:\... as
# in the sample file); Test-Path resolves them through the Registry provider.
# Only key existence is reported, not value contents.
Write-Host "[*] Checking for suspicious registry keys..." -ForegroundColor Cyan
foreach ($reg in $iocs.malicious_registry_keys) {
    if (-not (Test-Path $reg)) { continue }
    Write-Warning "IOC HIT (REGISTRY): $reg exists"
    $iocsFound = $true
}

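# --- 5. Running Processes ---
# Get-Process reports names without extension, so a trailing ".exe" is stripped
# from each IOC before comparing. The dot is escaped: the previous pattern
# ".exe$" treated it as "any character", so a name such as "badprocXexe" was
# truncated too. Matching is by process name only; a renamed binary is not
# caught by this check (the hash scan above covers that case).
Write-Host "[*] Checking running processes..." -ForegroundColor Cyan
$procs = Get-Process | Select-Object -ExpandProperty ProcessName
foreach ($proc in $iocs.malicious_processes) {
    $baseName = $proc -replace '\.exe$', ''
    if ($procs -contains $baseName) {
        Write-Warning "IOC HIT (PROCESS): $proc is running"
        $iocsFound = $true
    }
}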

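# --- 6. Scheduled Tasks ---
# schtasks output is matched line by line with -match, whose right operand is a
# regex. The IOC name is therefore escaped so metacharacters in it ('.', '(',
# '*') match literally instead of acting as wildcards. Matching is still a
# substring test over tool output (which can be localized), so a hit means
# "review this task", not an exact task-name confirmation.
Write-Host "[*] Scanning scheduled tasks..." -ForegroundColor Cyan
$schtasks = schtasks /Query /FO LIST /V 2>&1
foreach ($task in $iocs.malicious_schtasks) {
    $pattern = [regex]::Escape($task)
    if ($schtasks -match $pattern) {
        Write-Warning "IOC HIT (TASK): Scheduled task $task found"
        $iocsFound = $true
    }
}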

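# --- 7. Services ---
# Service objects are kept (not just their names) so the warning can report the
# real state: a matching name only proves the service is installed, while the
# previous message claimed it was running. Name comparison with -eq is
# case-insensitive, as -contains was.
Write-Host "[*] Checking Windows services..." -ForegroundColor Cyan
$services = Get-Service
foreach ($svc in $iocs.malicious_services) {
    $hit = $services | Where-Object { $_.Name -eq $svc } | Select-Object -First 1
    if ($hit) {
        Write-Warning "IOC HIT (SERVICE): Malicious service $svc is installed (Status: $($hit.Status))"
        $iocsFound = $true
    }
}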

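# --- 8. DNS Cache ---
# -match takes a regex, so the domain is escaped: unescaped, every '.' in it
# matches any character and "evil-tracker.net" would also hit "evil-trackerXnet".
# The check remains a substring match over ipconfig output, so a parent-domain
# IOC also flags its subdomains.
Write-Host "[*] Checking DNS cache for known bad domains..." -ForegroundColor Cyan
$dnsCache = ipconfig /displaydns
foreach ($domain in $iocs.malicious_domains) {
    $pattern = [regex]::Escape($domain)
    if ($dnsCache -match $pattern) {
        Write-Warning "IOC HIT (DOMAIN): $domain found in DNS cache"
        $iocsFound = $true
    }
}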

# --- Final Summary ---
# $iocsFound is raised by any of the eight checks above.
Write-Host "`n--------------------------------------------------"
Write-Host "--- Final Summary ---"
if ($iocsFound) {
    Write-Warning "[!] IOC HITS DETECTED: Review details above immediately."
} else {
    Write-Host "[✓] SYSTEM CLEAN: No known IOCs were detected." -ForegroundColor Green
}
Write-Host "--- Scan Complete ---" -ForegroundColor Green
