check_ioc is a script that checks Windows systems for various, selectable indicators of compromise via PowerShell and the Windows Event Logs. It was primarily written to be run on a schedule from a monitoring engine such as Nagios, but it may also be run from a command line (for incident response).
The check_ioc script attempts to locate indicators of compromise on Windows systems. Much of the legwork was performed by the National Security Agency (NSA) in the white paper "Spotting the Adversary with Windows Event Log Monitoring" (16 Dec 2013), so a huge thank you to them. The various checks below are annotated with the corresponding section from the white paper wherever applicable. Example: (4.1) ties to section 4.1, Application Whitelisting, in the NSA white paper.
git clone https://github.com/oneoffdallas/check_ioc && cd check_ioc
.\check_ioc.ps1 30 -- this line would search for the "selected" indicators of compromise (below) in the last 30 minutes
.\check_ioc.ps1 30 > output.txt -- this line would do the same as the above but send the output to an output file
.\check_ioc.ps1 (60*24) -- this line would search for the "selected" indicators of compromise (below) in the last 24 hours (too lazy for math)
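As an added illustration of the pattern the script follows (a "minutes back" argument turned into an Event Log time window, and a Nagios-style exit code), here is a stand-alone PowerShell example that is not part of check_ioc. It covers only the (4.1) Application Whitelisting check, and it assumes AppLocker is enabled and logging to the standard "Microsoft-Windows-AppLocker/EXE and DLL" channel; the event IDs 8003 (audit mode, would have been blocked) and 8004 (blocked) are the standard AppLocker IDs.

```powershell
# Added example, not the check_ioc project's own code: look for AppLocker
# block events in the last N minutes and report in a Nagios-friendly way.
param([int]$Minutes = 30)

# Build the time window the same way the script's minutes argument implies.
$since = (Get-Date).AddMinutes(-$Minutes)

# Standard AppLocker channel and event IDs (assumed to be present on the host).
$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = $since
}

try {
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
} catch {
    # Get-WinEvent throws when no events match the filter; treat that as clean.
    $events = @()
}

if ($events.Count -eq 0) {
    Write-Output "OK - no AppLocker block events in the last $Minutes minutes"
    exit 0   # Nagios OK
}

foreach ($e in $events) {
    # The first line of the message names the file that was blocked; keep one line per event.
    $firstLine = ($e.Message -split "`r?`n")[0]
    Write-Output ("{0} Id={1} {2}" -f $e.TimeCreated, $e.Id, $firstLine)
}

Write-Output "CRITICAL - $($events.Count) AppLocker block event(s) in the last $Minutes minutes"
exit 2   # Nagios CRITICAL
```

Run it as `.\applocker_check.ps1 30` (or `(60*24)` for a day) from the same scheduled job you would use for check_ioc; the exit code of 0 or 2 is what a Nagios plugin wrapper reads, and the per-event lines give the responder the blocked path and timestamp without opening Event Viewer.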