Invoke-DetectItEasy
Invoke-DetectItEasy is a wrapper for the excellent tool Detect-It-Easy. This PS module is very useful for Threat Hunting and Forensics.
Invoke-DetectItEasy
Invoke-DetectItEasy is a PowerShell module and wrapper for the excellent tool Detect-It-Easy. It is very useful for Threat Hunting and Forensics.
Guide: [YouTube]
Detect-It-Easy tool: https://github.com/horsicq/Detect-It-Easy
ABOUT
Author: Dump-GUY (@vinopaljiri)
Credits: @horsicq - Author of Detect-It-Easy tool
Required Version of Detect-It-Easy >= 3.03
Invoke-DetectItEasy is a wrapper for the excellent tool Detect-It-Easy. This PS module is very useful for Threat Hunting and Forensics.
It can also be used simply to sort your malware repo.
Sometimes we just need to find anything suspicious, so we must detect it on a live system or sort files offline on a mounted acquired image.
This tool has already served well in many forensic cases and incidents.
DESCRIPTION
Invoke-DetectItEasy enables you to process any output further and pipe it to another command.
It can scan a single file or a folder recursively. All output is returned as objects you can work with.
Because it relies on DIE, you can either keep the whole DIE output for every file or select only the specific Packer you want to detect.
You can also detect only Packed files, based on their entropy.
A big feature has been added: detection of PE32/PE64 files without VALID Digital signatures, where the output also contains the reason (for example "HashMismatch" or "NotSigned").
Another advantage of the VALID Digital signature detection is that PowerShell is also able to read Catalog files.
Example: when we detect files packed with Themida whose Digital Signature result is "HashMismatch", they should be our point of interest.
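As an added example (not code from the Invoke-DetectItEasy module itself), the script below reproduces the two signals the module combines for a triage run: the Authenticode status and reason that Get-AuthenticodeSignature reports (which also consults the catalog store) and a Shannon-entropy heuristic for packed files. The function names Get-FileEntropy and Invoke-PeSignatureTriage, the property names and the 7.0 entropy threshold are assumptions of this example.

```powershell
# Added example: Authenticode status + entropy triage of PE files.
# Not part of the Invoke-DetectItEasy module; names and threshold are assumed.
function Get-FileEntropy {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256          # byte-value histogram
    foreach ($b in $bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)   # Shannon entropy in bits per byte (0..8)
        }
    }
    return [Math]::Round($entropy, 3)
}

function Invoke-PeSignatureTriage {
    param(
        [Parameter(Mandatory)][string]$PathToScan,
        # Assumed heuristic: entropy >= 7.0 suggests packed/encrypted content
        [double]$PackedThreshold = 7.0
    )
    Get-ChildItem -Path $PathToScan -Recurse -File -Include *.exe, *.dll, *.sys |
        ForEach-Object {
            # Status carries the reason: Valid, NotSigned, HashMismatch, NotTrusted, ...
            # Catalog-signed OS binaries report Valid here rather than NotSigned.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $ent = Get-FileEntropy -Path $_.FullName
            [PSCustomObject]@{
                filepath        = $_.FullName
                SignatureStatus = $sig.Status.ToString()
                Signer          = $sig.SignerCertificate.Subject
                entropy         = $ent
                Packed          = ($ent -ge $PackedThreshold)
            }
        }
}

# Point of interest as described above: not validly signed AND high entropy.
Invoke-PeSignatureTriage -PathToScan 'C:\testfiles' |
    Where-Object { $_.SignatureStatus -ne 'Valid' -and $_.Packed } |
    Format-Table filepath, SignatureStatus, entropy -AutoSize
```

Because every row is a PSCustomObject, the result can be piped into Export-Csv or joined with the module's own DIE output in the same way the README's examples do.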
PARAMETER PathToScan
Mandatory parameter.
Specifies the System Path to scan. It could be path to single File or Folder. Folder will be scanned recursively.
PARAMETER PathToDiec
Optional parameter.
System Path to diec.exe tool - console version of Detect-It-Easy.
If powershell is running from the location of diec.exe - this parameter could be ignored otherwise specify this parameter.
PARAMETER Detection
Optional parameter.
Specifies the Packer, Protection, etc. we want to detect. All possible values are predefined.
This parameter can be combined with others (for example with DetectNotValidSignature).
PARAMETER DetectNotValidSignature
Optional parameter.
This parameter returns only PE32/PE64 files without VALID Digital signatures; the output also contains the reason (for example "HashMismatch" or "NotSigned").
This parameter could be combined with others.
PARAMETER DeepScan
This parameter enables to scan files with DeepScan feature of Detect-It-Easy.
This parameter could be combined with others.
PARAMETER DetectPacked
Optional parameter.
This parameter specifies that only detected Packed files based on their entropy will be returned.
This parameter can NOT be combined with others.
Returned objects contain filepath, status and entropy.
EXAMPLE
PS> Import-Module .\Invoke-DetectItEasy.ps1
PS> Invoke-DetectItEasy -PathToScan 'C:\testfiles' -Detection VMProtect -PathToDiec "C:\die_win64_portable\diec.exe" -DetectNotValidSignature -DeepScan
PS> Invoke-DetectItEasy -PathToScan 'C:\testfiles\malware.exe' -DetectNotValidSignature
PS> Invoke-DetectItEasy -PathToScan 'C:\testfiles' -PathToDiec "C:\die_win64_portable\diec.exe" -DetectPacked
PS> Invoke-DetectItEasy -PathToScan 'C:\testfiles' -PathToDiec "C:\die_win64_portable\diec.exe"
PS> Invoke-DetectItEasy -PathToScan 'C:\PEs ccc' -PathToDiec "C:\die_win64_portable\diec.exe" -Detection VMProtect -DetectNotValidSignature | Select-Object -Property filepath, SignatureStatus
PS> Invoke-DetectItEasy -PathToScan 'C:\PEs ccc' -PathToDiec "C:\die_win64_portable\diec.exe" -DetectPacked | ?{$_.total -ge 7}
PS> (Invoke-DetectItEasy -PathToScan "C:\PEs ccc" -DetectNotValidSignature -PathToDiec "C:\die_win64_portable\diec.exe").filepath | %{Invoke-DetectItEasy -PathToScan $_ -PathToDiec "C:\die_win64_portable\diec.exe" -DetectPacked}