
Tools for collecting threat intelligence information

Author: Khan安全团队
Published: 2022-01-16 20:36:54
Column: Khan安全团队

Tools to collect or process information about threat intelligence activities that I have developed so far. Below is a brief description and the usage of each tool.

Quarantine-Download.ps1

This is a PowerShell tool that uses the Get-QuarantineMessage and Export-QuarantineMessage cmdlets from the ExchangeOnlineManagement module to download quarantined emails from Office 365 and save them as .eml files in a specified folder for further analysis.

Note: to install the ExchangeOnlineManagement module, use the following command:

```powershell
Install-Module -Name ExchangeOnlineManagement
```

Then create a remote session with the following command (the account needs a role that can read and export quarantined messages, such as Security Reader or Security Administrator):

```powershell
Connect-ExchangeOnline -UserPrincipalName user@tenant.com -ShowProgress $true
```

https://github.com/b1naryxx/Threat-Intel-Tools

```powershell
######################################################################################################
#                                                                                                    #
# Name:        Quarantine-Download.ps1                                                               #
#                                                                                                    #
# Version:     1.0                                                                                   #
#                                                                                                    #
# Description: Searches the previous X days for quarantined messages date range and download the eml #
#                                                                                                    #
# Limitations: Search query is limited to 1,000,000 entries.                                         #
#                                                                                                    #
# Requires:    Remote PowerShell Connection to Exchange Online                                       #
#                                                                                                    #
# Author:      Tomas Suescun                                                                         #
#                                                                                                    #
# Usage:       .\Quarantine-Download.ps1 -Days 30 -OutputDir C:\QuarantineFiles\                     #
#                                                                                                    #
#                                                                                                    #
# Disclaimer:  This script is provided AS IS without any support. Please test in a lab environment   #
#              prior to production use.                                                              #
#                                                                                                    #
######################################################################################################

# Use this script after creating a new Exchange Online Management session:
#     Import-Module ExchangeOnlineManagement
#     Connect-ExchangeOnline -UserPrincipalName username@tenant.com -ShowProgress $true

# To-do: - Add asynchronous jobs to speed up the process
#        - Handle different encodings
#        - Add params to handle custom dates to work around the 1 million cap

<#
    .PARAMETER  Days
        Number of days back to search.
    .PARAMETER  TypeQuarantine
        Filter by quarantine type. Can be one or multiple of the following values separated by commas
        (e.g. -TypeQuarantine Phish,Malware): Bulk,HighConfPhish,Malware,Phish,Spam,SPOMalware,TransportRule.
        If none is specified, all will be selected.
    .PARAMETER  OutputDir
        Full path of the output directory to store the eml files.
    .PARAMETER  Direction
        Filter by direction of the emails, can be Inbound or Outbound. If not defined both are selected.
#>

Param(
    [Parameter(Mandatory=$True)]
        [int]$Days,
    [Parameter(Mandatory=$False)]
        [ValidateSet('Bulk','HighConfPhish','Malware','Phish','Spam','SPOMalware','TransportRule')]
        [string[]]$TypeQuarantine,
    [Parameter(Mandatory=$True)]
        [string]$OutputDir,
    [Parameter(Mandatory=$False)]
        [ValidateSet('Inbound','Outbound')]
        [string]$Direction
    )

# Create the output directory up front so WriteAllBytes does not fail on the first message
if (-not (Test-Path -LiteralPath $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir | Out-Null
}

# Get-Date (not Get-Date -Format g, which returns a string and drops the seconds)
[DateTime]$DateEnd = Get-Date
[DateTime]$DateStart = $DateEnd.AddDays($Days * -1)

$FoundCount = 0

For($i = 1; $i -le 1000; $i++)  # Maximum allowed pages is 1000 (1000 pages x 1000 entries = the 1 million cap)
{
    # Build the parameter set for this page and splat it. The optional filters are only added
    # when the caller supplied them. Splatting replaces the Invoke-Expression string of the
    # original, which is fragile and unnecessary here.
    $Query = @{
        PageSize          = 1000
        Page              = $i
        StartReceivedDate = $DateStart
        EndReceivedDate   = $DateEnd
    }

    if ($PSBoundParameters.ContainsKey('TypeQuarantine')) {
        $Query['QuarantineTypes'] = $TypeQuarantine
    }

    if ($PSBoundParameters.ContainsKey('Direction')) {
        $Query['Direction'] = $Direction
    }

    # @() guarantees an array so .Count works even when a page holds a single message
    $Messages = @(Get-QuarantineMessage @Query)

    If($Messages.Count -gt 0)
    {
        Foreach ($Message in $Messages) # Download messages using Export-QuarantineMessage
        {
            # Progress information: date span of the current page, pages searched so far, files written
            $Status = $Messages[-1].ReceivedTime.ToString("MM/dd/yyyy HH:mm") + " - " + $Messages[0].ReceivedTime.ToString("MM/dd/yyyy HH:mm") + "  [" + ("{0:N0}" -f ($i*1000)) + " Searched | " + $FoundCount + " Downloaded]"
            Write-Progress -Activity "Checking Messages (Up to 1 Million)..." -Status $Status

            # Export message to file. Export-QuarantineMessage returns the raw message Base64-encoded
            # in the .Eml property, with .BodyEncoding stating the encoding.
            $e = Export-QuarantineMessage -Identity $Message.Identity
            if ($e.BodyEncoding -eq "Base64")
            {
                $bytes = [Convert]::FromBase64String($e.Eml)
                [IO.File]::WriteAllBytes((Join-Path $OutputDir "$FoundCount.eml"), $bytes)
                $FoundCount += 1
            }
            else
            {
                Write-Host "Message with Identity: $($Message.Identity) found with a different BodyEncoding ($($e.BodyEncoding)), unable to handle it"
            }
        }
    }
    Else
    {
        Break   # An empty page means the date range is exhausted
    }
}

Write-Host "$FoundCount messages downloaded to $OutputDir"
```
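As a worked example of the "further analysis" step, added here and not part of the Threat-Intel-Tools repository: a Python helper (standard library only) that takes the Base64 body Export-QuarantineMessage returns, performs the same decode the script does with [Convert]::FromBase64String, parses the resulting .eml, and pulls out the indicators an analyst pivots on first: sender headers, the spf/dkim/dmarc verdicts from Authentication-Results, URLs from the text and HTML bodies, and the SHA-256 of every attachment. The sample message is constructed inline for the demo; its hostnames, header values and attachment bytes are invented, and the `triage_directory` helper assumes the `<n>.eml` naming the script uses for -OutputDir.

```python
"""Triage helper for the .eml files written by Quarantine-Download.ps1.

Added example, not part of the original tool. Python standard library only.
"""
import base64
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from pathlib import Path

# URLs in text/html bodies; stops at whitespace and the quoting characters HTML uses
URL_RE = re.compile(r'https?://[^\s<>"\'\)\]]+', re.IGNORECASE)
# Result tokens inside an Authentication-Results header, e.g. "spf=fail (...) dkim=none"
AUTH_RE = re.compile(r'\b(spf|dkim|dmarc)=(\w+)', re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decode_export(b64_eml: str) -> bytes:
    """Mirror the [Convert]::FromBase64String($e.Eml) step of the script."""
    return base64.b64decode(b64_eml)


def parse_auth_results(value: str) -> dict:
    """Return the spf/dkim/dmarc results; a missing mechanism maps to None."""
    found = {k.lower(): v.lower() for k, v in AUTH_RE.findall(value)}
    return {k: found.get(k) for k in ("spf", "dkim", "dmarc")}


def triage_eml(raw: bytes) -> dict:
    """Extract pivotable indicators from one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    iocs = {
        "from": str(msg.get("From", "")),
        "return_path": str(msg.get("Return-Path", "")),
        "subject": str(msg.get("Subject", "")),
        "message_id": str(msg.get("Message-ID", "")),
        "auth": parse_auth_results(str(msg.get("Authentication-Results", ""))),
        "urls": set(),
        "attachments": [],
    }
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""  # undo base64/qp transfer encoding
            iocs["attachments"].append({
                "filename": filename,
                "content_type": part.get_content_type(),
                "size": len(payload),
                "sha256": sha256_hex(payload),
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            iocs["urls"].update(URL_RE.findall(part.get_content()))
    iocs["urls"] = sorted(iocs["urls"])
    return iocs


def triage_directory(output_dir: str) -> list:
    """Run triage_eml over every <n>.eml the script saved into -OutputDir (assumed naming)."""
    return [triage_eml(p.read_bytes()) for p in sorted(Path(output_dir).glob("*.eml"))]


def build_sample_export() -> str:
    """Constructed phishing-style test message (not a real quarantined mail),
    returned Base64-encoded the way Export-QuarantineMessage delivers it."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <ap@example.invalid>"
    msg["To"] = "victim@tenant.example"
    msg["Subject"] = "Overdue invoice"
    msg["Message-ID"] = "<c0ffee@example.invalid>"
    msg["Return-Path"] = "<bounce@mailer.example.invalid>"
    msg["Authentication-Results"] = ("spf=fail (sender IP is 203.0.113.7) "
                                     "smtp.mailfrom=example.invalid; dkim=none")
    msg.set_content("Please review the invoice at http://pay.example.invalid/inv/42 today.")
    msg.add_alternative('<p>Review <a href="https://pay.example.invalid/inv/42?u=1">here</a></p>',
                        subtype="html")
    msg.add_attachment(b"PK\x03\x04not-a-real-archive", maintype="application",
                       subtype="zip", filename="invoice.zip")
    return base64.b64encode(msg.as_bytes()).decode("ascii")


if __name__ == "__main__":
    import json
    print(json.dumps(triage_eml(decode_export(build_sample_export())), indent=2))
```

Hashing the decoded attachment bytes (after `get_payload(decode=True)`) matters: hashing the Base64 text that sits in the .eml would never match a sandbox or VirusTotal lookup. The URL regex is deliberately simple; for real triage, add the link targets of `href` attributes parsed from the HTML and treat defanged or obfuscated URLs separately.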

This article is a repost; the original is at the GitHub link above.
