forked from nsacyber/Mitigating-Web-Shells
-
Notifications
You must be signed in to change notification settings - Fork 0
/
dirChecker.ps1
63 lines (47 loc) · 1.95 KB
/
dirChecker.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
<#
.SYNOPSIS
Find new or changed files in a directory compared to a known-good image.
.DESCRIPTION
The script looks for file changes/additions between a production directory (target) with a known-good directory.
.PARAMETER knownGood
Path of the known-good directory.
.PARAMETER productionImage
Path of the production directory (target).
.INPUTS
System.String
.OUTPUTS
System.String
.EXAMPLE
.\dirChecker.ps1 -knownGood <PATH> -productionImage <PATH>
.\dirChecker.ps1 -knownGood .\knownGoodDir\ -productionImage .\targetDir\
.\dirChecker.ps1 -knownGood "D:\release3.0" -productionImage "C:\inetpub\wwwroot"
-- Input --
.\dirChecker.ps1 -knownGood "D:\Users\<user>\Documents\knownGoodDir" -productionImage "C:\Users\<user>\Documents\targetDir"
-- Output --
File analysis started.
Any file listed below is a new or changed file.
C:\Users\<user>\Documents\targetDir\index.html
C:\Users\<user>\Documents\targetDir\research.docx
C:\Users\<user>\Documents\targetDir\inventory.csv
C:\Users\<user>\Documents\targetDir\contactus.js
File analysis completed.
.LINK
https://github.com/nsacyber/MitigatingWebShells
#>
<#
#
# Execution begins.
#
#>
param (
[Parameter(Mandatory=$TRUE)][ValidateScript({Test-Path $_ -PathType 'Container'})][String] $knownGood,
[Parameter(Mandatory=$TRUE)][ValidateScript({Test-Path $_ -PathType 'Container'})][String] $productionImage
)
# Recursively get all files in both directories, for each file calculate hash.
$good = Get-ChildItem -Force -Recurse -Path $knownGood | ForEach-Object { Get-FileHash -Path $_.FullName }
$prod = Get-ChildItem -Force -Recurse -Path $productionImage | ForEach-Object { Get-FileHash -Path $_.FullName }
Write-Host "File analysis started."
Write-Host "Any file listed below is a new or changed file.`n"
# Compare files hashes, select new or changed files, and print the path+filename.
(Compare-Object $good $prod -Property hash -PassThru | Where-Object{$_.SideIndicator -eq '=>'}).Path
Write-Host "`nFile analysis completed."