Query to determine whether any lolbin files are installed outside the normal OS and Program Files directories
AID2201232312.YAML
#####aid_begin
#description: file query - determines whether any lolbin files are installed outside the normal %systemdrive%\windows and %systemdrive%\program files* directories
#id: aid2201232312
#processtype: query
#category: filesandfolders
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
# windows 7
# windows 8.*
# windows 10
# windows 11
# windows server 2008 r2
# windows server 2012
# windows server 2012 r2
# windows server 2016
# windows server 2019
#compatibleengine: |-
# powershell 2
# powershell 3
# powershell 4
# powershell 5.*
# powershell 7.*
#bgcommandlist: |-
# invoke-loadallprofilehives
# get-bgloadedreghives
# get-bgmruactivityview
# invoke-bgunloadallprofilehives
#notes: |-
# file query to determine whether any lolbin files are installed outside the normal %systemdrive%\windows and %systemdrive%\program files* directories
#####aid_end
commands:
- |-
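# File names of living-off-the-land binaries (lolbins) to look for. Each
# entry is a regex anchored on the end of the path, so it matches the file
# name itself and not a directory component. Whether the comparison is
# case-sensitive depends on how Get-BGChildItemList applies -Pattern.
$LolBins = @(
    'ATBroker\.exe$'
    'bash\.exe$'
    'bitsadmin\.exe$'
    'certutil\.exe$'
    'cmdkey\.exe$'
    'cmstp\.exe$'
    'control\.exe$'
    'csc\.exe$'
    'cscript\.exe$'
    'Dfsvc\.exe$'
    'diskshadow\.exe$'
    'dnscmd\.exe$'
    'esentutl\.exe$'
    'expand\.exe$'
    'explorer\.exe$'
    'Extexport\.exe$'
    'extrac32\.exe$'
    'findstr\.exe$'
    'forfiles\.exe$'
    'Gpscript\.exe$'
    'HH\.exe$'
    'ie4uinit\.exe$'
    'ieexec\.exe$'
    'InfDefaultInstall\.exe$'
    'InstallUtil\.exe$'
    'makecab\.exe$'
    'MavInject\.exe$'
    'msbuild\.exe$'
    'Msconfig\.exe$'
    'msdt\.exe$'
    'mshta\.exe$'
    'msiexec\.exe$'
    'netsh\.exe$'
    'nltest\.exe$'
    'odbcconf\.exe$'
    'OpenWith\.exe$'
    'pcalua\.exe$'
    'Pcwrun\.exe$'
    'Presentationhost\.exe$'
    'print\.exe$'
    'psr\.exe$'
    'reg\.exe$'
    'regasm\.exe$'
    'regedit\.exe$'
    'Register-cimprovider\.exe$'
    'regsvcs\.exe$'
    'regsvr32\.exe$'
    'replace\.exe$'
    'Robocopy\.exe$'
    'rpcping\.exe$'
    'rundll32\.exe$'
    'Runonce\.exe$'
    'runscripthelper\.exe$'
    'sc\.exe$'
    'Scriptrunner\.exe$'
    'SyncAppvPublishingServer\.exe$'
    'Wab\.exe$'
    'wmic\.exe$'
    'wscript\.exe$'
    'xwizard\.exe$'
)

# Locations where these binaries legitimately live, rooted on the system
# drive. The "(\\|$)" after Windows requires a path separator or end of
# string, so the exclusion covers %systemdrive%\Windows and everything below
# it but no longer swallows look-alike siblings such as Windows.old or
# WindowsTemp, which a plain prefix match silently excluded. "Program Files"
# is kept as a prefix on purpose so that "Program Files (x86)" and similar
# variants are excluded too. "(?i)" makes the path match case-insensitive to
# agree with NTFS path semantics. "{0}" is filled by -f with the drive letter,
# e.g. "C:"; the doubled backslashes are regex-escaped separators.
$SearchPathPattern = '(?i)^(?!{0}\\Windows(\\|$)|{0}\\Program Files).*$' -f $Env:SystemDrive

# One alternation of every lolbin name; -Recurse walks all matching
# directories so nested drop locations are reported as well.
$LolBinPattern = $LolBins -join '|'

Get-BGChildItemList -SearchPath $SearchPathPattern -Pattern $LolBinPattern -Recurse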