BGAnalyzer is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
Invoke-BluGenieAnalyzer is a wrapper around the BGAnalyzer tool. BGAnalyzer is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
EXAMPLES
EXAMPLE 1
Command: Invoke-BGAnalyzer -AddException
Description: Use this command to update the Windows Defender Exception list to allow for the BGAnalyzer .NET application to run
Notes: Some .NET code has been used in other open source projects and Microsoft has flagged any scans based on similar techniques
to be potentially malicious.
EXAMPLE 2
EXAMPLE 3
EXAMPLE 4
EXAMPLE 5
EXAMPLE 6
EXAMPLE 7
EXAMPLE 8
EXAMPLE 9
EXAMPLE 10
EXAMPLE 11
EXAMPLE 12
EXAMPLE 13
EXAMPLE 14
EXAMPLE 15
EXAMPLE 16
PARAMETERS
FilterType
FilterData
Full
AddException
LeaveException
ToolPath
ClearGarbageCollecting
UseCache
CachePath
RemoveCache
DBName
DBPath
UpdateDB
ForceDBUpdate
NewDBTable
Walkthrough
ReturnObject
OutUnEscapedJSON
OutYaml
FormatView
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Description: Use this BluGenie reference Alias to run BGAnalyzer and gather all security scan inventory
Notes:
Command: Invoke-BGAnalyzer -LeaveException
Description: Use this command to gather all security scan inventory and leave the Windows Defender exception for future scans
Notes: By default the exception is removed after each execution
Command: Invoke-BluGenieAnalyzer
Description: Use this command to run BGAnalyzer and gather all security scan inventory
Notes:
Command: Invoke-BGAnalyzer
Description: Use this BluGenie reference Alias to run BGAnalyzer and gather all security scan inventory
Notes:
Command: Invoke-Analyzer
Description: Use this Long-hand Alias to run BGAnalyzer and gather all security scan inventory
Notes:
Command: Invoke-Analyzer -Full
Description: Use this command to Expand on the Data returned for LocalGroups, Processes, ScheduledTasks, Services, and the WindowsFirewall
Notes: By default this option is not set
Description: Use this command to filter the Query type for Installed Products and Windows Updates
Notes: Check the filter parameter to see all the filter options. The filter uses Regex.
Description: Use this command to filter for a specific product installation.
Notes: You can change the type and data filters to select specific information you need.
Description: Use the command to Cache the gathered information to a file on the current users Temp directory
Notes: By default the Cache location is %SystemDrive%\Windows\Temp
Command: Invoke-BGAnalyzer -Help
Description: Call Help Information
Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal
Get-Help will be called with the -Full parameter
Command: Invoke-BGAnalyzer -WalkThrough
Description: Call Help Information [2]
Notes: If Help / WalkThrough is setup as a parameter, this script will be called to setup the Dynamic Help Menu if not the normal
Get-Help will be called with the -Full parameter
Command: Invoke-Analyzer -OutUnEscapedJSON
Description: Use this command to Return a detailed report in an UnEscaped JSON format
Notes: The OutUnEscapedJSON is used to Beautify the JSON return and not Escape any Characters. Normal return data is a Hash Table.
Command: Invoke-Analyzer -OutYaml
Description: Use this command to Return a detailed report in YAML format
Notes: The OutUnEscapedJSON is used to Beautify the JSON return and not Escape any Characters. Normal return data is a Hash Table.
Command: $Info = Invoke-Analyzer -ReturnObject
Description: Use this command to capture the return data as a Powershell Object
Notes: The ReturnObject is used to return a PowerShell Object. Normal return data is a Hash Table.
This parameter is also used with the FormatView
Description: Use this command to Output the return data in CSV format
Notes: Current formats supported by default are ('Table','Custom','CustomModified','None','JSON','OutUnEscapedJSON','CSV', 'Yaml')
Default is set to (None) and normal PSObject.
-FilterType <String>
Description: Command Types (Filtered with RegEx)
Notes: Default is set to '.*'
** Other Types **
o AMSIProviders - Providers registered for AMSI
o AntiVirus - Registered antivirus (via WMI)
o AppLocker - AppLocker settings, if installed
o ARPTable - Lists the current ARP table and adapter information (equivalent to arp -a)
o AuditPolicies - Enumerates classic and advanced audit policy settings
o AuditPolicyRegistry - Audit settings via the registry
o AutoRuns - Auto run executables/scripts/programs
o ChromiumBookmarks - Parses any found Chrome/Edge/Brave/Opera bookmark files
o ChromiumHistory - Parses any found Chrome/Edge/Brave/Opera history files
o ChromiumPresence - Checks if interesting Chrome/Edge/Brave/Opera files exist
o CloudCredentials - AWS/Google/Azure/Bluemix cloud credential files
o CloudSyncProviders - All configured Office 365 endpoints (tenants and teamsites) which are synchronised by OneDrive.
o CredEnum - Enumerates the current user's saved credentials using CredEnumerate()
o CredGuard - CredentialGuard configuration
o Dir - Lists files/folders. By default, lists users' downloads, documents, and desktop folders
o DNSCache - DNS cache entries (via WMI)
o DotNet - DotNet versions
o DpapiMasterKeys - List DPAPI master keys
o EnvironmentPath - Current environment %PATH$ folders and SDDL information
o EnvironmentVariables - Current environment variables
o ExplicitLogonEvents - Explicit Logon events (Event ID 4648) from the security event log. Default of 7 days
o ExplorerMRUs - Explorer most recently used files (last 7 days)
o ExplorerRunCommands - Recent Explorer "run" commands
o FileZilla - FileZilla configuration files
o FirefoxHistory - Parses any found FireFox history files
o FirefoxPresence - Checks if interesting Firefox files exist
o Hotfixes - Installed hotfixes (via WMI)
o IdleTime - Returns the number of seconds since the current user's last input.
o IEFavorites - Internet Explorer favorites
o IETabs - Open Internet Explorer tabs
o IEUrls - Internet Explorer typed URLs (last 7 days)
o InstalledProducts - Installed products via the registry
o InterestingFiles - "Interesting" files matching various patterns in the user's folder. Note: takes non-trivial time.
o InterestingProcesses - "Interesting" processes - defensive products and admin tools
o InternetSettings - Internet settings including proxy configs and zones configuration
o KeePass - Finds KeePass configuration files
o LAPS - LAPS settings, if installed
o LastShutdown - Returns the DateTime of the last system shutdown (via the registry).
o LocalGPOs - Local Group Policy settings applied to the machine/local users
o LocalGroups - Local groups
o LocalUsers - Local users, whether they're active/disabled, and pwd last set
o LogonEvents - Logon events (Event ID 4624) from the security event log. Default of 10 days.
o LogonSessions - Windows logon sessions
o LOLBAS - Locates Living Off The Land Binaries and Scripts (LOLBAS) on the system. Note: takes non-trivial time.
o LSASettings - LSA settings (including auth packages)
o MappedDrives - Users' mapped drives (via WMI)
o McAfeeConfigs - Finds McAfee configuration files
o McAfeeSiteList - Decrypt any found McAfee SiteList.xml configuration files.
o MicrosoftUpdates - All Microsoft updates (via COM)
o NamedPipes - Named pipe names and any readable ACL information.
o NetworkProfiles - Windows network profiles
o NetworkShares - Network shares exposed by the machine (via WMI)
o NTLMSettings - NTLM authentication settings
o OfficeMRUs - Office most recently used file list (last 7 days)
o OracleSQLDeveloper - Finds Oracle SQLDeveloper connections.xml files
o OSInfo - Basic OS info (i.e. architecture, OS version, etc.)
o OutlookDownloads - List files downloaded by Outlook
o PoweredOnEvents - Reboot and sleep schedule based on the System event log EIDs 1, 12, 13, 42, and 6008. Default of 7 days
o PowerShell - PowerShell versions and security settings
o PowerShellEvents - PowerShell script block logs (4104) with sensitive data.
o PowerShellHistory - Searches PowerShell console history files for sensitive regex matches.
o Printers - Installed Printers (via WMI)
o ProcessCreationEvents - Process creation logs (4688) with sensitive data.
o Processes - Running processes with file info company names that don't contain 'Microsoft'
o ProcessOwners - Running non-session 0 process list with owners
o PSSessionSettings - Enumerates PS Session Settings from the registry
o PuttyHostKeys - Saved Putty SSH host keys
o PuttySessions - Saved Putty configuration (interesting fields) and SSH host keys
o RDCManFiles - Windows Remote Desktop Connection Manager settings files
o RDPSavedConnections - Saved RDP connections stored in the registry
o RDPSessions - Current incoming RDP sessions
o RDPsettings - Remote Desktop Server/Client Settings
o RecycleBin - Items in the Recycle Bin deleted in the last 30 days - only works from a user context!
o Reg - Registry key values (HKLM\Software)
o RPCMappedEndpoints - Current RPC endpoints mapped
o SCCM - System Center Configuration Manager (SCCM) settings, if applicable
o ScheduledTasks - Scheduled tasks (via WMI) that aren't authored by 'Microsoft'
o SearchIndex - Query results from the Windows Search Index, default term of 'passsword'.
o SecPackageCreds - Obtains credentials from security packages
o SecurityPackages - Enumerates the security packages currently available using EnumerateSecurityPackagesA()
o Services - Services with file info company names that don't contain 'Microsoft'
o SlackDownloads - Parses any found 'slack-downloads' files
o SlackPresence - Checks if interesting Slack files exist
o SlackWorkspaces - Parses any found 'slack-workspaces' files
o SuperPutty - SuperPutty configuration files
o Sysmon - Sysmon configuration from the registry
o SysmonEvents - Sysmon process creation logs (1) with sensitive data.
o TcpConnections - Current TCP connections and their associated processes and services
o TokenGroups - The current token's local and domain groups
o TokenPrivileges - Currently enabled token privileges (e.g. SeDebugPrivilege/etc.)
o UAC - UAC system policies via the registry
o UdpConnections - Current UDP connections and associated processes and services
o UserRightAssignments - Configured User Right Assignments (e.g. SeDenyNetworkLogonRight, SeShutdownPrivilege, etc.)
o WindowsAutoLogon - Registry autologon information
o WindowsCredentialFiles - Windows credential DPAPI blobs
o WindowsDefender - Windows Defender settings (including exclusion locations)
o WindowsEventForwarding - Windows Event Forwarding (WEF) settings via the registry
o WindowsFirewall - Firewall rules - (allow/deny/tcp/udp/in/out/domain/private/public)
o WindowsVault - Credentials saved in the Windows Vault (i.e. logins from Internet Explorer and Edge).
o WMIEventConsumer - Lists WMI Event Consumers
o WMIEventFilter - Lists WMI Event Filters
o WMIFilterBinding - Lists WMI Filter to Consumer Bindings
o WSUS - Windows Server Update Services (WSUS) settings, if applicable
Alias:
ValidateSet:
Required? false
Position? 1
Default value .*
Accept pipeline input? false
Accept wildcard characters? false
-FilterData <String>
Description: Return Data (Filtered with RegEx)
Notes: Default is set to '.*'
Alias:
ValidateSet:
Required? false
Position? 2
Default value .*
Accept pipeline input? false
Accept wildcard characters? false
-Full [<SwitchParameter>]
Description: Expand on the Data returned for (LocalGroups, Processes, ScheduledTasks, Services, and the WindowsFirewall)
Notes: o LocalGroups - "Full" displays all groups / Default: Non-empty local groups
o Processes - "Full" enumerates all processes / Default: Running processes with file info company names that don't
contain 'Microsoft'
o ScheduledTasks - "Full" dumps all Scheduled tasks / Default: Scheduled tasks (via WMI) that aren't authored by 'Microsoft'
o Services - "Full" dumps all processes / Default: Services with file info company names that don't contain 'Microsoft'
o WindowsFirewall - "Full" dumps all FireWall rules (allow/deny/tcp/udp/in/out/domain/private/public) / Default: Non-standard
rules
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-AddException [<SwitchParameter>]
Description: Add an Exception to Windows Defender to allow the .NET process to run
Notes: Windows Defender does not allow for adding an Exception and running the newly excluded process in the same runspace.
If you use the -AddException parameter (No other option will process) There is also no return. The script just adds the
exception and ends.
Running the command for a 2nd time without the -AddException parameter will execute the .NET process without issue.
The exception is removed by default.
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-LeaveException [<SwitchParameter>]
Description: Leave the Windows Defender Exception for continues runs at a later point
Notes: Windows Defender does not allow for adding an Exception and running the newly excluded process in the same runspace.
If you use the -AddException parameter (No other option will process) There is also no return. The script just adds the
exception and ends.
Running the command for a 2nd time without the -AddException parameter will execute the .NET process without issue.
The exception is removed by default. However if you use this parameter -LeaveException the Exception is not removed.
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-ToolPath <String>
Description: This is the path to the BGAnalyzer tool.
Notes: There are 2 subfolders.
.\3.5 which houses the .NET 3.5 version of the binary
.\4.0 wihch houses the .NET 4.0 version of the binary
This is automatically selected based on PowerShell's supported CRL Version.
Alias:
ValidateSet:
Required? false
Position? 3
Default value $(Resolve-Path -Path $ToolsDirectory | Select-Object -ExpandProperty Path)
Accept pipeline input? false
Accept wildcard characters? false
-ClearGarbageCollecting [<SwitchParameter>]
Description: Garbage Collection in Powershell to Speed up Scripts and help lower memory consumption
Notes: This is enabled by default. To disable use -ClearGarbageCollecting:$False
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-UseCache [<SwitchParameter>]
Description: Cache found objects to disk. This is to not over tax Memory resources with found artifacts
Notes: By default the Cache location is %SystemDrive%\Windows\Temp
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-CachePath <String>
Description: Path to store the Cache information
Notes: By default the Cache location is %SystemDrive%\Windows\Temp
Alias:
ValidateSet:
Required? false
Position? 4
Default value $('{0}\Windows\Temp\{1}.log' -f $env:SystemDrive, $(New-BluGenieUID))
Accept pipeline input? false
Accept wildcard characters? false
-RemoveCache [<SwitchParameter>]
Description: Remove Cache data on completion
Notes: Cache information is removed right before the data is returned to the calling process
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-DBName <String>
Description: Database Name (Without extention)
Notes: The default name is set to 'BluGenie'
Alias:
ValidateSet:
Required? false
Position? 5
Default value BluGenie
Accept pipeline input? false
Accept wildcard characters? false
-DBPath <String>
Description: Path to either Save or Update the Database
Notes: The default path is $('{0}\BluGenie' -f $env:ProgramFiles) Example: C:\Program Files\BluGenie
Alias:
ValidateSet:
Required? false
Position? 6
Default value $('{0}\BluGenie' -f $env:ProgramFiles)
Accept pipeline input? false
Accept wildcard characters? false
-UpdateDB [<SwitchParameter>]
Description: Save return data to the Sqlite Database
Notes:
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-ForceDBUpdate [<SwitchParameter>]
Description: Force an update of the return data to the Sqlite Database
Notes: By default only new items are saved. The primary key is ( FullName )
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-NewDBTable [<SwitchParameter>]
Description: Delete and Recreate the Database Table
Notes:
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-Walkthrough [<SwitchParameter>]
Description: Start the dynamic help menu system to help walk through the current command and all of the parameters
Notes:
Alias: Help
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-ReturnObject [<SwitchParameter>]
Description: Return information as an Object
Notes: By default the data is returned as a Hash Table
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-OutUnEscapedJSON [<SwitchParameter>]
Description: Remove UnEsacped Char from the JSON information.
Notes: This will beautify json and clean up the formatting.
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-OutYaml [<SwitchParameter>]
Description: Return detailed information in Yaml Format
Notes: Only supported in Posh 3.0 and above
Alias:
ValidateSet:
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-FormatView <String>
Description: Automatically format the Return Object
Notes: Yaml is only supported in Posh 3.0 and above
Alias:
ValidateSet: 'Table','Custom','CustomModified','None','JSON','OutUnEscapedJSON','CSV', 'Yaml'
Required? false
Position? 7
Default value None
Accept pipeline input? false
Accept wildcard characters? false
