
Question

Part 4 Write a Powershell script

Situation: You are on the server team at the Acme company. Acme has hundreds of Windows servers located in many facilities around the world. A piece of malware infiltrates the Windows environment that you support. This incident has alarmed the infrastructure team, and the IT Security group decides it will use a new tool to identify any servers with the malware. The tool looks for events in the server log files. Your boss comes to you and asks if you can develop a solution for identifying the malware that complements the IT Security tool.

Description of the malware:

The malware runs a process named Microsoft.ActiveDirectory.Webservices in the hope that it goes unnoticed. This is the name of a process that an Active Directory domain controller runs. Consequently, a server that contains the malware is a normal application server (not an Active Directory server) that has the following process running: “Microsoft.ActiveDirectory.Webservices”.

Each site has one Active Directory server. The naming standard for Active Directory servers at Acme is

sss-ADC001, where sss is a three-letter site code.

These Powershell commands and CmdLets may also help you with this lab exercise:

If

Select-String, including the -Quiet parameter

Write-Output

Using the = sign to assign values to environment variables.

1. (35 points) Write a Powershell script that runs on a Windows server that will do the following:

a. Detects if a server is a legitimate Active Directory server

b. If it is not a legitimate Active Directory server, write an event type “Error” into the application log indicating the following message, “MalwareAD imposter detected”

c. If it is a legitimate Active Directory server, write an event type “Information” into the application log indicating the following message, “MalwareAD imposter checked”

2. (5 points) Describe the mechanism you used to differentiate an AD server from all other servers.

3. (10 points) Think about and describe a possible way that the mechanism described in the previous question could break as new releases of software are installed on the server.

Explanation / Answer

```powershell
# Get process information into an array: the ten processes with the largest working set
$objTopProcessMem = Get-Process | Sort-Object WorkingSet -Descending | Select-Object -First 10

# Start the table and its title row. $objHTML is initialised here (the posted code appended to
# an undefined variable); the HTML tags were stripped in the post and are reconstructed below.
$objHTML  = ""
$objHTML += "<table>"
$objHTML += "<tr>"
$objHTML += "<th>Top 10 Processes by Memory</th>"
$objHTML += "</tr>"
# Set column headers
$objHTML += "<tr>"
$objHTML += "<th>ProcessName</th>"
$objHTML += "<th>SessionId</th>"
$objHTML += "<th>WorkingSet</th>"
$objHTML += "<th>VirtualMemorySize</th>"
$objHTML += "<th>PagedMemorySize</th>"
$objHTML += "<th>PrivateMemorySize</th>"
$objHTML += "<th>PagedSystemMemorySize</th>"
$objHTML += "<th>NonpagedSystemMemorySize</th>"
$objHTML += "</tr>"
# One row per process; sizes converted from bytes to MB and rounded to two decimals
foreach ($objProc in $objTopProcessMem) {
    $objHTML += "<tr>"
    $objHTML += "<td>" + $objProc.ProcessName + "</td>"
    $objHTML += "<td>" + $objProc.SessionId + "</td>"
    $objHTML += "<td>" + [math]::Round($objProc.WorkingSet64/1024/1024, 2) + " MB</td>"
    $objHTML += "<td>" + [math]::Round($objProc.VirtualMemorySize64/1024/1024, 2) + " MB</td>"
    $objHTML += "<td>" + [math]::Round($objProc.PagedMemorySize/1024/1024, 2) + " MB</td>"
    $objHTML += "<td>" + [math]::Round($objProc.PrivateMemorySize/1024/1024, 2) + " MB</td>"
    $objHTML += "<td>" + [math]::Round($objProc.PagedSystemMemorySize/1024/1024, 2) + " MB</td>"
    $objHTML += "<td>" + [math]::Round($objProc.NonpagedSystemMemorySize/1024/1024, 2) + " MB</td>"
    $objHTML += "</tr>"
}
$objHTML += "</table>"
# END Process Information -> Memory
# Emit the HTML fragment so the script produces output when run on its own
$objHTML
```
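The detection script the question actually asks for (items 1a to 1c), as an added example that is not part of the posted answer above. It assumes the sss-ADC001 naming standard, an elevated Windows PowerShell 5.1 session (Write-EventLog is not available in PowerShell 7), and an event source name and event IDs chosen here rather than given by the question; it raises the Error entry only when the imitated process is actually running on a non-AD host.

```powershell
# Added example, not the posted answer: detection script for items 1a-1c.
# Assumptions: host names follow sss-ADC001 (three letters, dash, "ADC", three digits);
# the script runs elevated in Windows PowerShell 5.1 so it can register an event source;
# the source name 'MalwareAD' and the event IDs 1000/1001 are chosen here, not given.

$LogName     = 'Application'
$Source      = 'MalwareAD'
$AdNameRegex = '^[A-Za-z]{3}-ADC\d{3}$'
$ImitatedName = 'Microsoft.ActiveDirectory.Webservices'

# Register the event source once (requires administrator rights).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# 1a. Mechanism: a legitimate AD server is recognised purely by the naming standard,
#     checked with Select-String -Quiet against the computer name.
$IsLegitimateAD = [bool]($env:COMPUTERNAME | Select-String -Pattern $AdNameRegex -Quiet)

# Is the process the malware imitates running on this host?
$ProcessRunning = [bool](Get-Process -Name $ImitatedName -ErrorAction SilentlyContinue)

if ($IsLegitimateAD) {
    # 1c. Expected on a domain controller: record that the check ran.
    Write-EventLog -LogName $LogName -Source $Source -EntryType Information -EventId 1000 `
        -Message 'MalwareAD imposter checked'
    Write-Output "$env:COMPUTERNAME is a legitimate AD server; check logged."
}
elseif ($ProcessRunning) {
    # 1b. Not an AD server, yet the AD web services process is present: imposter.
    Write-EventLog -LogName $LogName -Source $Source -EntryType Error -EventId 1001 `
        -Message 'MalwareAD imposter detected'
    Write-Output "$env:COMPUTERNAME: MalwareAD imposter detected."
}
else {
    Write-Output "$env:COMPUTERNAME is not an AD server and $ImitatedName is not running."
}

# 2/3. The name-based mechanism breaks if a re-image or future build changes the naming
#      standard so $AdNameRegex no longer matches, or if a software release renames the
#      Microsoft.ActiveDirectory.Webservices process so the process check misses it.
```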