Defense/SuspiciousURLs.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
function Get-CSTypedURL {
<#
.SYNOPSIS
 
Lists URLs typed into the Internet Explorer URL bar.
 
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
 
.DESCRIPTION
 
Get-CSTypedURL retrieves URLs that were typed into the Internet Explorer URL bar.
 
.PARAMETER NoProgressBar
 
Do not display a progress bar. This parameter is designed to be used with wrapper functions.
 
.PARAMETER CimSession
 
Specifies the CIM session to use for this cmdlet. Enter a variable that contains the CIM session or a command that creates or gets the CIM session, such as the New-CimSession or Get-CimSession cmdlets. For more information, see about_CimSessions.
 
.PARAMETER OperationTimeoutSec
 
Specifies the amount of time that the cmdlet waits for a response from the computer.
 
By default, the value of this parameter is 0, which means that the cmdlet uses the default timeout value for the server.
 
If the OperationTimeoutSec parameter is set to a value less than the robust connection retry timeout of 3 minutes, network failures that last more than the value of the OperationTimeoutSec parameter are not recoverable, because the operation on the server times out before the client can reconnect.
 
.EXAMPLE
 
Get-CSTypedURL
 
Returns all URLs typed into the Internet Explorer URL bar on a local system.
 
.EXAMPLE
 
Get-CSTypedURL -CimSession $CimSession
 
Returns all URLs typed into the Internet Explorer URL bar on a remote system.
 
.OUTPUTS
 
CimSweep.RegistryValue
 
Outputs the registry values consisting of typed IE URLs.
#>


    [CmdletBinding()]
    [OutputType('CimSweep.RegistryValue')]
    param(
        [Switch]
        $NoProgressBar,

        [Alias('Session')]
        [ValidateNotNullOrEmpty()]
        [Microsoft.Management.Infrastructure.CimSession[]]
        $CimSession,

        [UInt32]
        [Alias('OT')]
        $OperationTimeoutSec
    )

    BEGIN {
        # If a CIM session is not provided, trick the function into thinking there is one.
        if (-not $PSBoundParameters['CimSession']) {
            $CimSession = ''
            $CIMSessionCount = 1
        } else {
            $CIMSessionCount = $CimSession.Count
        }

        $CurrentCIMSession = 0

        $Timeout = @{}
        if ($PSBoundParameters['OperationTimeoutSec']) { $Timeout['OperationTimeoutSec'] = $OperationTimeoutSec }
    }

    PROCESS {
        foreach ($Session in $CimSession) {
            $ComputerName = $Session.ComputerName
            if (-not $Session.ComputerName) { $ComputerName = 'localhost' }

            if (-not $PSBoundParameters['NoProgressBar']) {
                # Display a progress activity for each CIM session
                Write-Progress -Id 1 -Activity 'CimSweep - Internet Explorer typed URL sweep' -Status "($($CurrentCIMSession+1)/$($CIMSessionCount)) Current computer: $ComputerName" -PercentComplete (($CurrentCIMSession / $CIMSessionCount) * 100)
                $CurrentCIMSession++
            }

            $CommonArgs = @{}

            if ($Session.Id) { $CommonArgs['CimSession'] = $Session }

            $TypedURLs = 'SOFTWARE\Microsoft\Internet Explorer\TypedURLs'

            # Get the SIDS for each user in the registry
            $HKUSIDs = Get-HKUSID @CommonArgs

            # Iterate over each local user hive
            foreach ($SID in $HKUSIDs) {
                Get-CSRegistryValue -Hive HKU -SubKey "$SID\$TypedURLs" @CommonArgs @Timeout
            }
        }
    }
}