
Invoke-BluGenieProcessHash


SYNOPSIS

Suspend, resume, stop and export processes or process information based on a hash value. This function accepts one or many hash descriptors, locates the matching running item, and manages it by suspending it, resuming it, or stopping (killing) it.

SYNTAX

Invoke-BluGenieProcessHash [[-Hash] <String[]>] [[-Managetype] <String>] [[-Algorithm] <String>] [-FilterType <String>] [-Pattern <String>] [-TimerLoop <Int32>] [-SleepTime <Int32>] [-Walkthrough] [-ReturnObject] [-OutUnEscapedJSON] [<CommonParameters>]

DESCRIPTION

Suspend, resume, stop and export processes or process information based on the 'Process', 'Handle', 'Path', or 'Hash' property. This function accepts one or many descriptors, locates the matching running item(s), and manages them by suspending, resuming, or stopping (killing) them.

EXAMPLES

EXAMPLE 1

Command: Invoke-BluGenieProcessHash
Description: Display the hash information for all running processes.
Notes: The default algorithm is MD5.

EXAMPLE 2

Command: Invoke-BluGenieProcessHash -Hash 80c6dd21910db50b90f0a5d00957ab6e011c43e23dfb4bf174c1448ce2863e0c81fbc8cc07e9b0bd4f4dbef2ada31c1dc7e676e9bc0b40bf7b85f2d052fdf5a9 -Algorithm SHA512
Description: Terminate the process with the specified hash.
Notes: The algorithm used is SHA512.

EXAMPLE 3

Command: Invoke-BluGenieProcessHash -Hash 74b64b52a66c242fe8a3119fb8445295e0b8719187653cd08cedeeaa26e97452 -Algorithm SHA256 -ManageType Suspend
Description: Suspend the process with the specified hash.
Notes: The algorithm used is SHA256.

EXAMPLE 4

Command: Invoke-BluGenieProcessHash -Hash 74b64b52a66c242fe8a3119fb8445295e0b8719187653cd08cedeeaa26e97452 -Algorithm SHA256 -ManageType Resume
Description: Resume the process with the specified hash.
Notes: The algorithm used is SHA256.

EXAMPLE 5

Command: Invoke-BluGenieProcessHash -FilterType 'Process' -Pattern 'notepad'
Description: Filter all processes by process name and return any process whose name contains ( notepad ).
Notes:

EXAMPLE 6

Command: Invoke-BluGenieProcessHash -FilterType 'Process' -Pattern '^notepad\.exe$'
Description: Filter all processes by process name and return only an exact match of ( notepad.exe ).
Notes:

EXAMPLE 7

Command: Invoke-BluGenieProcessHash -FilterType 'Hash' -Pattern 'f1139811bbf61362915958806ad30211|88c998e5af2e07a81c35d34b6edd0006'
Description: Search for multiple items with a regex alternation.
Notes:

EXAMPLE 8

Command: Invoke-BluGenieProcessHash -FilterType 'Hash' -Pattern 'f1139811bbf61362915958806ad30211|88c998e5af2e07a81c35d34b6edd0006' -Managetype Stop
Description: Terminate multiple items matched with a regex alternation.
Notes:

EXAMPLE 9

Command: Invoke-BluGenieProcessHash -Help
Description: Call help information.
Notes: If -Help or -WalkThrough is supplied as a parameter, this script builds the dynamic help menu; otherwise the normal Get-Help is called with the -Full parameter.

EXAMPLE 10

Command: Invoke-BluGenieProcessHash -WalkThrough
Description: Call help information [2].
Notes: If -Help or -WalkThrough is supplied as a parameter, this script builds the dynamic help menu; otherwise the normal Get-Help is called with the -Full parameter.

EXAMPLE 11

Command: Invoke-BluGenieProcessHash -OutUnEscapedJSON
Description: Display the hash information for all running processes and return the output as unescaped JSON.
Notes: -OutUnEscapedJSON beautifies the JSON return and does not escape any characters. The normal return data is a hash table.

EXAMPLE 12

Command: Invoke-BluGenieProcessHash -ReturnObject
Description: Display the hash information for all running processes and return the output as an object.
Notes: -ReturnObject returns a PowerShell object. The normal return data is a hash table.

PARAMETERS

Hash

-Hash <String[]>
   Description: The Hash value for a specific process
   Notes:  
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    1
   Default value                
   Accept pipeline input?       false
   Accept wildcard characters?  false

Managetype

-Managetype <String>
   Description: Manage the behavior of the process (Suspend, Resume, Stop)
   Notes:  
   Alias:
   ValidateSet: 'Report','Suspend','Resume','Stop'
   
   Required?                    false
   Position?                    2
   Default value                Report
   Accept pipeline input?       false
   Accept wildcard characters?  false

Algorithm

-Algorithm <String>
   Description:  Specifies the cryptographic hash algorithm used to compute the hash of the contents of the process's executable file.
   Notes:  The acceptable values for this parameter are:
   
               - SHA1
               - SHA256
               - SHA384
               - SHA512
               - MACTripleDES
               - MD5 = (Default)
               - RIPEMD160
   Alias: 
   ValidateSet: 'MACTripleDES','MD5','RIPEMD160','SHA1','SHA256','SHA384','SHA512'
   
   Required?                    false
   Position?                    3
   Default value                MD5
   Accept pipeline input?       false
   Accept wildcard characters?  false

FilterType

-FilterType <String>
   Description:  Which property to filter by
   Notes:  Filter options:
             • "Process" - Process name
             • "Handle"  - Handle of the process
             • "Path"    - Full path, with extension, of the executable
             • "Hash"    - Hash value computed with 'MACTripleDES','MD5','RIPEMD160','SHA1','SHA256','SHA384' or 'SHA512', as selected by the -Algorithm parameter
   Alias:
   ValidateSet: 'Process','Handle','Path','Hash'
   
   Required?                    false
   Position?                    named
   Default value                Hash
   Accept pipeline input?       false
   Accept wildcard characters?  false

Pattern

-Pattern <String>
   Description:  RegEx supported Search patterns to help filter the returning criteria
   Notes:  
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                .*
   Accept pipeline input?       false
   Accept wildcard characters?  false

TimerLoop

-TimerLoop <Int32>
   Description: Set how many times the terminate operation loops to validate that the process has actually exited
   Notes:  
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                12
   Accept pipeline input?       false
   Accept wildcard characters?  false

SleepTime

-SleepTime <Int32>
   Description: Set the sleep time between each validation loop
   Notes:  
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                5
   Accept pipeline input?       false
   Accept wildcard characters?  false

Walkthrough

-Walkthrough [<SwitchParameter>]
   Description:  Start the dynamic help menu system to help walk through the current command and all of the parameters
   Notes:  
   Alias: Help
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

ReturnObject

-ReturnObject [<SwitchParameter>]
   Description: Return information as an Object
   Notes: By default the data is returned as a Hash Table
   Alias: 
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                True
   Accept pipeline input?       false
   Accept wildcard characters?  false

OutUnEscapedJSON

-OutUnEscapedJSON [<SwitchParameter>]
   Description: Return the JSON information without escaped characters.
   Notes: This will beautify the JSON and clean up the formatting.
   Alias: 
   ValidateSet:
   
   Required?                    false
   Position?                    named
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false
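The example below is added here and is not BluGenie's own code: it is a small stand-in that shows how the behaviour documented above fits together, hashing the image file of every running process with the chosen algorithm, applying a regex to the selected property (Process, Handle, Path or Hash), and, for ManageType Stop, polling TimerLoop times with SleepTime between checks to validate that the process has exited. It assumes Get-Process and Get-FileHash from standard PowerShell, treats "Handle" as the process ID, reports the process name without its .exe extension (so an exact-match pattern would be '^notepad$' rather than '^notepad\.exe$'), and limits Algorithm to the values Get-FileHash accepts on every PowerShell version. Suspend and Resume require native APIs and are not implemented in this illustration.

```powershell
# Added illustration, not BluGenie's implementation. Hypothetical function name.
function Get-ProcessHashReport {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet('Process', 'Handle', 'Path', 'Hash')]
        [string]$FilterType = 'Hash',
        [string]$Pattern = '.*',
        # Subset of the page's ValidateSet that Get-FileHash supports on both
        # Windows PowerShell 5.1 and PowerShell 7 (MACTripleDES/RIPEMD160 omitted).
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512')]
        [string]$Algorithm = 'MD5',
        [ValidateSet('Report', 'Stop')]
        [string]$ManageType = 'Report',
        [int]$TimerLoop = 12,
        [int]$SleepTime = 5
    )

    # Build one record per process. Protected or other-session processes may
    # expose no Path, and the file may be unreadable; skip those instead of failing.
    $results = foreach ($proc in Get-Process) {
        $path = $proc.Path
        if (-not $path) { continue }
        $hash = try {
            (Get-FileHash -LiteralPath $path -Algorithm $Algorithm -ErrorAction Stop).Hash
        } catch { $null }
        if (-not $hash) { continue }
        [pscustomobject]@{
            Process   = $proc.ProcessName   # name without extension (assumption)
            Handle    = $proc.Id            # PID stands in for "Handle" (assumption)
            Path      = $path
            Algorithm = $Algorithm
            Hash      = $hash
        }
    }

    # -match is a case-insensitive regex, so 'hashA|hashB' selects several
    # items at once, exactly as the -Pattern examples above rely on.
    $matched = @($results | Where-Object { $_.$FilterType -match $Pattern })

    if ($ManageType -eq 'Stop') {
        foreach ($item in $matched) {
            # ShouldProcess honours -WhatIf/-Confirm so an analyst can preview the action.
            if ($PSCmdlet.ShouldProcess("$($item.Process) (PID $($item.Handle))", 'Stop-Process')) {
                Stop-Process -Id $item.Handle -Force -ErrorAction SilentlyContinue
                # Validation loop: re-check up to $TimerLoop times, $SleepTime seconds apart.
                $exited = $false
                for ($i = 0; $i -lt $TimerLoop; $i++) {
                    if (-not (Get-Process -Id $item.Handle -ErrorAction SilentlyContinue)) {
                        $exited = $true
                        break
                    }
                    Start-Sleep -Seconds $SleepTime
                }
                $item | Add-Member -NotePropertyName Terminated -NotePropertyValue $exited
            }
        }
    }
    return $matched
}

# Usage (constructed placeholders, not real indicators):
# Get-ProcessHashReport -Algorithm SHA256 -FilterType Hash -Pattern 'HASH_A_PLACEHOLDER|HASH_B_PLACEHOLDER'
# Get-ProcessHashReport -FilterType Process -Pattern '^notepad$' -ManageType Stop -WhatIf
```

Returning objects rather than printing keeps the report pipeable into Export-Csv or ConvertTo-Json, which is the same choice the -ReturnObject and -OutUnEscapedJSON switches above offer; the Terminated property added in Stop mode lets a responder see at a glance which matches survived the validation window.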

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Last updated 3 years ago