Manual
Search…
⌃K

Invoke-BluGenieAnalyzer

Invoke-BluGenieAnalyzer

SYNOPSIS

BGAnalyzer is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.

SYNTAX

Invoke-BluGenieAnalyzer [[-FilterType] <String>] [[-FilterData] <String>] [-Full] [-AddException] [-LeaveException] [[-ToolPath] <String>] [-ClearGarbageCollecting] [-UseCache] [[-CachePath] <String>]
[-RemoveCache] [[-DBName] <String>] [[-DBPath] <String>] [-UpdateDB] [-ForceDBUpdate] [-NewDBTable] [-Walkthrough] [-ReturnObject] [-OutUnEscapedJSON] [-OutYaml] [[-FormatView] <String>] [<CommonParameters>]

DESCRIPTION

Invoke-BluGenieAnalyzer is a wrapper around the BGAnalyzer tool. BGAnalyzer is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.

EXAMPLES

EXAMPLE 1

Command: Invoke-BGAnalyzer -AddException
Description: Use this command to update the Windows Defender Exception list to allow for the BGAnalyzer .NET application to run
Notes: Some .NET code has been used in other open source projects and Microsoft has flagged any scans based on similar techniques
to be potentially malicious.

EXAMPLE 2

Command: Invoke-BGAnalyzer
Description: Use this BluGenie reference Alias to run BGAnalyzer and gather all security scan inventory
Notes:

EXAMPLE 3

Command: Invoke-BGAnalyzer -LeaveException
Description: Use this command to gather all security scan inventory and leave the Windows Defender exception for future scans
Notes: By default the exception is removed after each execution

EXAMPLE 4

Command: Invoke-BluGenieAnalyzer
Description: Use this command to run BGAnalyzer and gather all security scan inventory
Notes:

EXAMPLE 5

Command: Invoke-BGAnalyzer
Description: Use this BluGenie reference Alias to run BGAnalyzer and gather all security scan inventory
Notes:

EXAMPLE 6

Command: Invoke-Analyzer
Description: Use this Long-hand Alias to run BGAnalyzer and gather all security scan inventory
Notes:

EXAMPLE 7

Command: Invoke-Analyzer -Full
Description: Use this command to Expand on the Data returned for LocalGroups, Processes, ScheduledTasks, Services, and the WindowsFirewall
Notes: By default this option is not set

EXAMPLE 8

Command: Invoke-BGAnalyzer -FilterType 'Install|Update'
Description: Use this command to filter the Query type for Installed Products and Windows Updates
Notes: Check the filter parameter to see all the filter options. The filter uses Regex.

EXAMPLE 9

Command: Invoke-BGAnalyzer -FilterType 'Install' -FilterData 'Python'
Description: Use this command to filter for a specific product installation.
Notes: You can change the type and data filters to select specific information you need.

EXAMPLE 10

Command: Invoke-BGAnalyzer -FilterType 'Install' -FilterData 'Python' -UseCache -CachePath $Env:Temp
Description: Use the command to Cache the gathered information to a file on the current users Temp directory
Notes: By default the Cache location is %SystemDrive%\Windows\Temp

EXAMPLE 11

Command: Invoke-BGAnalyzer -Help
Description: Call Help Information
Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal
Get-Help will be called with the -Full parameter

EXAMPLE 12

Command: Invoke-BGAnalyzer -WalkThrough
Description: Call Help Information [2]
Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal
Get-Help will be called with the -Full parameter

EXAMPLE 13

Command: Invoke-Analyzer -OutUnEscapedJSON
Description: Use this command to Return a detailed report in an UnEscaped JSON format
Notes: The OutUnEscapedJSON is used to Beautify the JSON return and not Escape any Characters. Normal return data is a Hash Table.

EXAMPLE 14

Command: Invoke-Analyzer -OutYaml
Description: Use this command to Return a detailed report in YAML format
Notes: The OutUnEscapedJSON is used to Beautify the JSON return and not Escape any Characters. Normal return data is a Hash Table.

EXAMPLE 15

Command: $Info = Invoke-Analyzer -ReturnObject
Description: Use this command to capture the return data as a Powershell Object
Notes: The ReturnObject is used to return a PowerShell Object. Normal return data is a Hash Table.
This parameter is also used with the FormatView

EXAMPLE 16

Command: Invoke-Analyzer -FilterType 'install' -FilterData 'python' -ReturnObject -FormatView CSV
Description: Use this command to Output the return data in CSV format
Notes: Current formats supported by default are ('Table','Custom','CustomModified','None','JSON','OutUnEscapedJSON','CSV', 'Yaml')
Default is set to (None) and normal PSObject.

PARAMETERS

FilterType

-FilterType <String>
Description: Command Types (Filtered with RegEx)
Notes: Default is set to '.*'
** Other Types **
o AMSIProviders - Providers registered for AMSI
o AntiVirus - Registered antivirus (via WMI)
o AppLocker - AppLocker settings, if installed
o ARPTable - Lists the current ARP table and adapter information (equivalent to arp -a)
o AuditPolicies - Enumerates classic and advanced audit policy settings
o AuditPolicyRegistry - Audit settings via the registry
o AutoRuns - Auto run executables/scripts/programs
o ChromiumBookmarks - Parses any found Chrome/Edge/Brave/Opera bookmark files
o ChromiumHistory - Parses any found Chrome/Edge/Brave/Opera history files
o ChromiumPresence - Checks if interesting Chrome/Edge/Brave/Opera files exist
o CloudCredentials - AWS/Google/Azure/Bluemix cloud credential files
o CloudSyncProviders - All configured Office 365 endpoints (tenants and teamsites) which are synchronised by OneDrive.
o CredEnum - Enumerates the current user's saved credentials using CredEnumerate()
o CredGuard - CredentialGuard configuration
o Dir - Lists files/folders. By default, lists users' downloads, documents, and desktop folders
o DNSCache - DNS cache entries (via WMI)
o DotNet - DotNet versions
o DpapiMasterKeys - List DPAPI master keys
o EnvironmentPath - Current environment %PATH$ folders and SDDL information
o EnvironmentVariables - Current environment variables
o ExplicitLogonEvents - Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days
o ExplorerMRUs - Explorer most recently used files (last 7 days)
o ExplorerRunCommands - Recent Explorer "run" commands
o FileZilla - FileZilla configuration files
o FirefoxHistory - Parses any found FireFox history files
o FirefoxPresence - Checks if interesting Firefox files exist
o Hotfixes - Installed hotfixes (via WMI)
o IdleTime - Returns the number of seconds since the current user's last input.
o IEFavorites - Internet Explorer favorites
o IETabs - Open Internet Explorer tabs
o IEUrls - Internet Explorer typed URLs (last 7 days)
o InstalledProducts - Installed products via the registry
o InterestingFiles - "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time.
o InterestingProcesses - "Interesting" processes - defensive products and admin tools
o InternetSettings - Internet settings including proxy configs and zones configuration
o KeePass - Finds KeePass configuration files
o LAPS - LAPS settings, if installed
o LastShutdown - Returns the DateTime of the last system shutdown (via the registry).
o LocalGPOs - Local Group Policy settings applied to the machine/local users
o LocalGroups - Local groups
o LocalUsers - Local users, whether they're active/disabled, and pwd last set
o LogonEvents - Logon events (Event ID 4624) from the security event log. Default of 10 days.
o LogonSessions - Windows logon sessions
o LOLBAS - Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time.
o LSASettings - LSA settings (including auth packages)
o MappedDrives - Users' mapped drives (via WMI)
o McAfeeConfigs - Finds McAfee configuration files
o McAfeeSiteList - Decrypt any found McAfee SiteList.xml configuration files.
o MicrosoftUpdates - All Microsoft updates (via COM)
o NamedPipes - Named pipe names and any readable ACL information.
o NetworkProfiles - Windows network profiles
o NetworkShares - Network shares exposed by the machine (via WMI)
o NTLMSettings - NTLM authentication settings
o OfficeMRUs - Office most recently used file list (last 7 days)
o OracleSQLDeveloper - Finds Oracle SQLDeveloper connections.xml files
o OSInfo - Basic OS info (i.e. architecture, OS version, etc.)
o OutlookDownloads - List files downloaded by Outlook
o PoweredOnEvents - Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days
o PowerShell - PowerShell versions and security settings
o PowerShellEvents - PowerShell script block logs (4104) with sensitive data.
o PowerShellHistory - Searches PowerShell console history files for sensitive regex matches.
o Printers - Installed Printers (via WMI)
o ProcessCreationEvents - Process creation logs (4688) with sensitive data.
o Processes - Running processes with file info company names that don't contain 'Microsoft'
o ProcessOwners - Running non-session 0 process list with owners
o PSSessionSettings - Enumerates PS Session Settings from the registry
o PuttyHostKeys - Saved Putty SSH host keys
o PuttySessions - Saved Putty configuration (interesting fields) and SSH host keys
o RDCManFiles - Windows Remote Desktop Connection Manager settings files
o RDPSavedConnections - Saved RDP connections stored in the registry
o RDPSessions - Current incoming RDP sessions
o RDPsettings - Remote Desktop Server/Client Settings
o RecycleBin - Items in the Recycle Bin deleted in the last 30 days - only works from a user context!
o Reg - Registry key values (HKLM\Software)
o RPCMappedEndpoints - Current RPC endpoints mapped
o SCCM - System Center Configuration Manager (SCCM) settings, if applicable
o ScheduledTasks - Scheduled tasks (via WMI) that aren't authored by 'Microsoft'
o SearchIndex - Query results from the Windows Search Index, default term of 'passsword'.
o SecPackageCreds - Obtains credentials from security packages
o SecurityPackages - Enumerates the security packages currently available using EnumerateSecurityPackagesA()
o Services - Services with file info company names that don't contain 'Microsoft'
o SlackDownloads - Parses any found 'slack-downloads' files
o SlackPresence - Checks if interesting Slack files exist
o SlackWorkspaces - Parses any found 'slack-workspaces' files
o SuperPutty - SuperPutty configuration files
o Sysmon - Sysmon configuration from the registry
o SysmonEvents - Sysmon process creation logs (1) with sensitive data.
o TcpConnections - Current TCP connections and their associated processes and services
o TokenGroups - The current token's local and domain groups
o TokenPrivileges - Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)
o UAC - UAC system policies via the registry
o UdpConnections - Current UDP connections and associated processes and services
o UserRightAssignments - Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.)
o WindowsAutoLogon - Registry autologon information
o WindowsCredentialFiles - Windows credential DPAPI blobs
o WindowsDefender - Windows Defender settings (including exclusion locations)
o WindowsEventForwarding - Windows Event Forwarding (WEF) settings via the registry
o WindowsFirewall - Firewall rules - (allow/deny/tcp/udp/in/out/domain/private/public)
o WindowsVault - Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).
o WMIEventConsumer - Lists WMI Event Consumers
o WMIEventFilter - Lists WMI Event Filters
o WMIFilterBinding - Lists WMI Filter to Consumer Bindings
o WSUS - Windows Server Update Services (WSUS) settings, if applicable
Alias:
ValidateSet:
Required? false
Position? 1
Default value .*
Accept pipeline input? false
Accept wildcard characters? false

FilterData

-FilterData <String>
Description: Return Data (Filtered with RegEx)
Notes: Default is set to '.*'
Alias:
ValidateSet:
Required? false
Position? 2
Default value .*
Accept pipeline input? false
Accept wildcard characters? false

Full

-Full [<SwitchParameter>]
Description: Expand on the Data returned for (LocalGroups, Processes, ScheduledTasks, Services, and the WindowsFirewall)
Notes: o LocalGroups - "Full" displays all groups / Default: Non-empty local groups
o Processes - "Full" enumerates all processes / Default: Running processes with file info company names that don't
contain 'Microsoft'
o ScheduledTasks - "Full" dumps all Scheduled tasks / Default: Scheduled tasks (via WMI) that aren't authored by 'Microsoft'
o Services - "Full" dumps all processes / Default: Services with file info company names that don't contain 'Microsoft'
o WindowsFirewall - "Full" dumps all FireWall rules (allow/deny/tcp/udp/in/out/domain/private/public) / Default: Non-standard
rules
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false

AddException

-AddException [<SwitchParameter>]
Description: Add an Exception to Windows Defender to allow the .NET process to run
Notes: Windows Defender does not allow for adding an Exception and running the newly excluded process in the same runspace.
If you use the -AddException parameter (No other option will process) There is also no return. The script just adds the
exception and ends.
Running the command for a 2nd time without the -AddException parameter will execute the .NET process without issue.
The exception is removed by default.
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false

LeaveException

-LeaveException [<SwitchParameter>]
Description: Leave the Windows Defender Exception for continues runs at a later point
Notes: Windows Defender does not allow for adding an Exception and running the newly excluded process in the same runspace.
If you use the -AddException parameter (No other option will process) There is also no return. The script just adds the
exception and ends.
Running the command for a 2nd time without the -AddException parameter will execute the .NET process without issue.
The exception is removed by default. However if you use this parameter -LeaveException the Exception is not removed.
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false

ToolPath

-ToolPath <String>
Description: This is the path to the BGAnalyzer tool.
Notes: There are 2 subfolders.
.\3.5 which houses the .NET 3.5 version of the binary
.\4.0 wihch houses the .NET 4.0 version of the binary
This is automatically selected based on PowerShell's supported CRL Version.
Alias:
ValidateSet:
Required? false
Position? 3
Default value $(Resolve-Path -Path $ToolsDirectory | Select-Object -ExpandProperty Path)
Accept pipeline input? false
Accept wildcard characters? false

ClearGarbageCollecting

-ClearGarbageCollecting [<SwitchParameter>]
Description: Garbage Collection in Powershell to Speed up Scripts and help lower memory consumption
Notes: This is enabled by default. To disable use -ClearGarbageCollecting:$False
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false

UseCache

-UseCache [<SwitchParameter>]
Description: Cache found objects to disk. This is to not over tax Memory resources with found artifacts
Notes: By default the Cache location is %SystemDrive%\Windows\Temp
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false

CachePath

-CachePath <String>
Description: Path to store the Cache information
Notes: By default the Cache location is %SystemDrive%\Windows\Temp
Alias:
ValidateSet:
Required? false
Position? 4
Default value $('{0}\Windows\Temp\{1}.log' -f $env:SystemDrive, $(New-BluGenieUID))
Accept pipeline input? false
Accept wildcard characters? false

RemoveCache

-RemoveCache [<SwitchParameter>]
Description: Remove Cache data on completion
Notes: Cache information is removed right before the data is returned to the calling process
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false

DBName

-DBName <String>
Description: Database Name (Without extention)
Notes: The default name is set to 'BluGenie'
Alias:
ValidateSet:
Required? false
Position? 5
Default value BluGenie
Accept pipeline input? false
Accept wildcard characters? false

DBPath

-DBPath <String>
Description: Path to either Save or Update the Database
Notes: The default path is $('{0}\BluGenie' -f $env:ProgramFiles) Example: C:\Program Files\BluGenie
Alias:
ValidateSet:
Required? false
Position? 6
Default value $('{0}\BluGenie' -f $env:ProgramFiles)
Accept pipeline input? false
Accept wildcard characters? false

UpdateDB

-UpdateDB [<SwitchParameter>]
Description: Save return data to the Sqlite Database
Notes:
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false

ForceDBUpdate

-ForceDBUpdate [<SwitchParameter>]
Description: Force an update of the return data to the Sqlite Database
Notes: By default only new items are saved. The primary key is ( FullName )
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false

NewDBTable

-NewDBTable [<SwitchParameter>]
Description: Delete and Recreate the Database Table
Notes:
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false

Walkthrough

-Walkthrough [<SwitchParameter>]
Description: Start the dynamic help menu system to help walk through the current command and all of the parameters
Notes:
Alias: Help
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false

ReturnObject

-ReturnObject [<SwitchParameter>]
Description: Return information as an Object
Notes: By default the data is returned as a Hash Table
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false

OutUnEscapedJSON

-OutUnEscapedJSON [<SwitchParameter>]
Description: Remove UnEsacped Char from the JSON information.
Notes: This will beautify json and clean up the formatting.
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false

OutYaml

-OutYaml [<SwitchParameter>]
Description: Return detailed information in Yaml Format
Notes: Only supported in Posh 3.0 and above
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false

FormatView

-FormatView <String>
Description: Automatically format the Return Object
Notes: Yaml is only supported in Posh 3.0 and above
Alias:
ValidateSet: 'Table','Custom','CustomModified','None','JSON','OutUnEscapedJSON','CSV', 'Yaml'
Required? false
Position? 7
Default value None
Accept pipeline input? false
Accept wildcard characters? false

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.