[{"item":{"catalogVersion":3,"dbVersion":0,"id":null,"name":"HostEntries","description":"Shows the IP Address and Hostname from hosts file on Windows and Linux Systems","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"linux","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Bash Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"#!/bin/bash\n# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Shows the IP Address and Hostname from hosts file on Windows and Linux Systems\n#\n# Version: 1.0\ncat /etc/hosts | grep -vE ^\\# | awk '\\\n    { for (i = 2; i <= NF; i++)\n            print $1\",\"$i\n    }'","arguments":[],"utf8Sensitive":false},{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Visual Basic Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"' Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n'\n' Purpose: Read IP Address and Hostname from hosts file on Windows Systems\n'          (NT, 2000, XP, 2003, Vista, 2008, 7, 2012, 8)\n'\n' Version: 1.0\n'\n'\nOption Explicit\n\n'Declare variables\nDim fso\nDim wshShell\nDim winDir\nDim hostsFile\nDim objFSO\nDim ObjFile\n\nDim inputString\nDim inputArray\nDim ipAddress\nDim hostname1\n\nSet fso = CreateObject(\"Scripting.FileSystemObject\")\nSet wshShell = CreateObject(\"WScript.Shell\")\n\n'Detect the Windows 
directory\nwinDir = WshShell.ExpandEnvironmentStrings(\"%WinDir%\")\n\n'Path to hosts file\nhostsFile = winDir & \"\\System32\\Drivers\\etc\\hosts\"\n\n'Check if hosts file exists\nIf (fso.FileExists(hostsFile)) Then\n\n'Open hosts file for reading, do not create one if it does not exist\n    Const ForReading = 1\n    Set objFSO = CreateObject(\"Scripting.FileSystemObject\")\n    Set objFile = objFSO.OpenTextFile(hostsFile, ForReading, False)\n\n'Read from hosts file line by line\nDo Until objFile.AtEndOfStream\n    inputString = objFile.ReadLine\n\n    'Ignore comment lines and empty lines\n    If (Left (inputString, 1) <> \"#\" And Len (inputString) <> 0) Then\n        ipAddress = \"\"\n        hostname1 = \"\"\n\n        'Replace Tabs with Spaces\n        Do Until InStr (inputString, Chr(9)) = 0\n            inputString = Replace(inputString, Chr(9), Chr(32))\n        Loop\n\n        'Replace double Spaces with Space\n        Do Until InStr (inputString, Chr(32) & Chr(32)) = 0\n            inputString = Replace(inputString, Chr(32) & Chr(32), Chr(32))\n        Loop\n\n        'Convert string to an array, values separated by space\n        inputArray = Split(Trim (inputString), Chr(32))\n\n        'Read output values from array, only first hostname per line\n        ipAddress = inputArray(0)\n        hostname1 = inputArray(1)\n\n        'Write output separated by comma\n        WScript.Echo ipAddress & \",\" & hostname1\n    End If\nLoop\n\n'Close hosts file\nobjFile.Close\nEnd If","arguments":[],"utf8Sensitive":true}],"outputs":[{"name":"ipaddress","type":"IPV4IPV6","byDefault":false,"sequence":0},{"name":"hostname","type":"STRING","byDefault":false,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":3,"dbVersion":0,"id":null,"name":"HostInfo","description":"Shows Hostname, 1st IP Address and OS 
version","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"linux","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Bash Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"name=`hostname | awk -F'.' '{ print $1 }'`\nif [[ -e /usr/bin/lsb_release ]]; then\n    os=`lsb_release -d | cut -d \":\" -f2- | sed -e 's/^[[:space:]]*//'`\nelif [[ -f /etc/redhat-release ]]; then\n    os=`cat /etc/redhat-release`\nelif [[ -f /etc/centos-release ]]; then\n    os=`cat /etc/centos-release`\nelif [[ -f /etc/system-release ]]; then\n    os=`cat /etc/system-release`\nelif [[ -f /etc/os-release ]]; then\n    os=`cat /etc/os-release | grep \"PRETTY_NAME=\" | cut -d \"=\" -f2 | sed -e 's/^\"//' -e 's/\"$//'`\nfi\nphysical_interfaces=`ls -l /sys/class/net/ | grep -v virtual | grep -v total | grep -o \"[^/]*$\"`\ni=0\nwhile read -r interface; do\n    ips[$i]=`ifconfig $interface | grep -oE \"\\b([0-9]{1,3}\\.){3}[0-9]{1,3}\\b\" | grep -vE \"^2[2-5]\" | head -n 1`\n    ((i++))\ndone <<< \"$physical_interfaces\"\nipaddress=${ips[0]}\n\necho -e $name,$ipaddress,$os","arguments":[],"utf8Sensitive":false},{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Visual Basic Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"strComputer = \".\"\r\nFirstIP=\"\"\r\nCurrentMac=\"\"\r\nSet objWMIService=GetObject(\"winmgmts:\" & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet NetAdapters = objWMIService.ExecQuery(\"Select * From 
Win32_NetworkAdapter Where NOT PNPDeviceID LIKE 'ROOT\\\\%'\")\r\nFor Each NetAdapter in NetAdapters\r\n    CurrentMac = NetAdapter.MACAddress\r\n    Set IPConfigSet = objWMIService.ExecQuery(\"Select * from Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE AND MacAddress = '\" & CurrentMac & \"'\")\r\n    For Each IPConfig in IPConfigSet\r\n        If Not IsNull(IPConfig.IPAddress) Then\r\n            For i=LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)\r\n                FirstIP=IPConfig.IPAddress(i)\r\n            Exit For\r\n            Next\r\n        End If\r\n    Next\r\nNext\r\n\r\nSet objNet = CreateObject(\"WScript.Network\")\r\nstrCompName = objNet.ComputerName\r\n\r\nSet shell = CreateObject(\"WScript.Shell\")\r\nSet getOSVersion = shell.exec(\"%comspec% /c ver\")\r\ngetOSVersion.stdout.readLine\r\nversion = getOSVersion.stdout.readLine\r\nWScript.Echo strCompName & \",\" & FirstIP & \",\" & version","arguments":[],"utf8Sensitive":false}],"outputs":[{"name":"hostname","type":"STRING","byDefault":false,"sequence":0},{"name":"ip_address","type":"IPV4IPV6","byDefault":false,"sequence":0},{"name":"os","type":"STRING","byDefault":false,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":3,"dbVersion":0,"id":null,"name":"InstalledUpdates","description":"Shows all installed updates, hot fixes and security updates","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Execute PowerShell Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Shows all installed 
updates, hot fixes and security updates\n#\n# Version: 1.0\n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\n$pshost = get-host\n$pswindow = $pshost.ui.rawui\n$newsize = $pswindow.buffersize\n$newsize.height = 3000\n$newsize.width = 3000\n$pswindow.buffersize = $newsize\n\n\n$objQuickFixes= Get-WmiObject Win32_QuickFixEngineering;\nforeach ($objQuickFix in $objQuickFixes){\n    $date=\"\"; \n    if($objQuickFix.InstalledOn){\n        $date= $objQuickFix.InstalledOn.ToString(\"yyyy-MM-dd HH:mm:ss\")\n    }\n   [Console]::WriteLine($objQuickFix.Description+ \",\" +$objQuickFix.HotFixID +\",\" +$date + \",\" +($objQuickFix.InstalledBy -replace '\\\\','/'))\n}","arguments":[],"utf8Sensitive":false}],"outputs":[{"name":"description","type":"STRING","byDefault":false,"sequence":0},{"name":"hotfix_id","type":"STRING","byDefault":false,"sequence":0},{"name":"install_date","type":"DATE","byDefault":false,"sequence":0},{"name":"installed_by","type":"STRING","byDefault":false,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":4,"dbVersion":0,"id":null,"name":"LocalGroups","description":"Shows the local groups on a host along with domain, description, and SID","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"linux","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Bash Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"#!/bin/sh\n# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Shows the local groups on a host along with domain, description, and SID\n#\n# Version: 1.0\n#\n# Copyright C 2015 McAfee, Inc.  
All Rights Reserved.\n#\n\ncatProgram=/bin/cat\nif [ -f /bin/awk ]\nthen\n    awkProgram=/bin/awk\nelse\n    awkProgram=/usr/bin/awk\nfi\nechoProgram=/bin/echo\n\nfor groupLine in `$catProgram /etc/group`\ndo\n    groupName=`$echoProgram $groupLine | $awkProgram -F: '{ print $1; }'`\n    groupId=`$echoProgram $groupLine | $awkProgram -F: '{ print $3; }'`\n    $echoProgram \"$groupName, , ,true,$groupId\"\ndone\n","arguments":[],"utf8Sensitive":false},{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Execute PowerShell Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\r\n#\r\n# Purpose: Shows the local groups on a host along with domain, description, and SID.\r\n#\r\n# Version: 2.0\r\n\r\n$pshost = get-host\r\n$pswindow = $pshost.ui.rawui\r\n$newsize = $pswindow.buffersize\r\n$newsize.height = 3000\r\n$newsize.width = 3000\r\n$pswindow.buffersize = $newsize\r\n\r\n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\r\n\r\n$groups = Get-WmiObject Win32_Group -Filter \"LocalAccount=True\";\r\n\r\nforeach ($group in $groups) {\r\n    $result = [string](\"`\"\" + $group.Name + \"`\",`\"\" + $group.Domain + \"`\",`\"\" + $group.Description + \"`\",`\"\" + $group.LocalAccount + \"`\",`\"\" + $group.SID + \"`\"\");\r\n    
[Console]::WriteLine($result);\r\n}","arguments":[],"utf8Sensitive":false}],"outputs":[{"name":"groupname","type":"STRING","byDefault":false,"sequence":0},{"name":"groupdomain","type":"STRING","byDefault":false,"sequence":0},{"name":"groupdescription","type":"STRING","byDefault":false,"sequence":0},{"name":"islocal","type":"STRING","byDefault":false,"sequence":0},{"name":"sid","type":"STRING","byDefault":false,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":5,"dbVersion":0,"id":null,"name":"UserProfiles","description":"Shows all local user information, to include group memberships.","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Execute PowerShell Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\r\n#\r\n# Purpose: Shows all local user information, to include group memberships.\r\n#\r\n# Version: 1.0\r\n\r\n$pshost = get-host\r\n$pswindow = $pshost.ui.rawui\r\n$newsize = $pswindow.buffersize\r\n$newsize.height = 3000\r\n$newsize.width = 3000\r\n$pswindow.buffersize = $newsize\r\n\r\n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\r\n\r\n$user_objects = @();\r\n$user_objects = Get-WmiObject Win32_UserAccount -Filter \"LocalAccount=True\";\r\n\r\n$hku= New-PSDrive -PSProvider Registry -Name HKU -Root 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList';\r\n\r\n$loggedUserAccounts= @(Get-ChildItem -Path \"HKU:\\\");\r\n\r\nforeach ($user in $loggedUserAccounts){\r\n    $exist = $false;\r\n    if(([string]$user.PSChildName -ne \"S-1-5-18\") -and 
([string]$user.PSChildName -ne \"S-1-5-19\") -and ([string]$user.PSChildName -ne \"S-1-5-20\")) {\r\n        for($i=0; ($i -lt $user_objects.Count) -and -not $exist; $i++) {\r\n            if($user.PSChildName -eq $user_objects[$i].SID) {$exist = $true;}\r\n        }\r\n        if(-not $exist) {\r\n            $disabled = \"\"\r\n            $domain = \"\"\r\n            $fullname = \"\"\r\n            $path = $user.Name;\r\n            $folder = \"\"\r\n            $name = \"\"\r\n            $sid = \"\"\r\n            if (Test-Path((\"HKU:/\"+$path))){\r\n                $folder=(Get-Item -Path (\"HKU:/\"+$path)).GetValue(\"ProfileImagePath\");\r\n                $name = [string]($folder -split \"\\\\\")[2];\r\n                $sid = $user.PSChildName\r\n            }\r\n            if ((Test-Path ($folder)) -and ($folder -ne \"\")) {\r\n                Try { $installdate = [string](((Get-Item $folder).CreationTime).ToString(\"yyyy-MM-dd hh:mm:ss\")); } Catch { $installdate = \"\";}\r\n            } else {\r\n                $installdate = \"\";\r\n            }\r\n            $localaccount = \"False\"\r\n            $lockout = \"\"\r\n            $passwordexpires = \"\"\r\n            $groups = \"\"\r\n\r\n            $result = \"`\"\" + $disabled + \"`\",`\"\" + $domain + \"`\",`\"\" + $fullname + \"`\",`\"\" + $installdate + \"`\",`\"\" + $localaccount + \"`\",`\"\" + $lockout + \"`\",`\"\" + $name + \"`\",`\"\" + $sid + \"`\",`\"\" + $passwordexpires + \"`\",`\"\" + $groups + \"`\"\";\r\n            [Console]::WriteLine($result);\r\n        }\r\n    }\r\n}\r\n\r\nforeach ($user in $user_objects) {\r\n    Try { $disabled = [string]$user.Disabled; } Catch { $disabled = \"\"; }\r\n    Try { $domain = [string]$user.Domain; } Catch { $domain = \"\"; }\r\n    Try { $fullname = [string]$user.FullName; } Catch { $fullname = \"\"; }\r\n    Try { $name = [string]$user.Name; } Catch { $name = \"\"; }\r\n    Try { $path = (\"C:\\Users\\\"+$name); } Catch { $path = \"\"; 
}\r\n    if ((Test-Path ($path)) -and ($path -ne \"\")) {\r\n        Try { $installdate = [string](((Get-Item $path).CreationTime).ToString(\"yyyy-MM-dd hh:mm:ss\")); } Catch { $installdate = \"\";}\r\n    } else {\r\n        $installdate = \"\";\r\n    }\r\n    Try { $localaccount = [string]$user.LocalAccount; } Catch { $localaccount = \"\"; }\r\n    Try { $lockout = [string]$user.Lockout; } Catch { $lockout = \"\"; }\r\n    Try { $sid = [string]$user.SID; } Catch { $sid = \"\"; }\r\n    Try { $passwordexpires = [string]$user.PasswordExpires; } Catch { $passwordexpires = \"\"; }\r\n    $groups = \"\"\r\n\r\n    $result = \"`\"\" + $disabled + \"`\",`\"\" + $domain + \"`\",`\"\" + $fullname + \"`\",`\"\" + $installdate + \"`\",`\"\" + $localaccount + \"`\",`\"\" + $lockout + \"`\",`\"\" + $name + \"`\",`\"\" + $sid + \"`\",`\"\" + $passwordexpires + \"`\",`\"\" + $groups + \"`\"\";\r\n    [Console]::WriteLine($result);\r\n}","arguments":[],"utf8Sensitive":false}],"outputs":[{"name":"accountdisabled","type":"STRING","byDefault":false,"sequence":0},{"name":"domain","type":"STRING","byDefault":false,"sequence":0},{"name":"fullname","type":"STRING","byDefault":false,"sequence":0},{"name":"installdate","type":"DATE","byDefault":false,"sequence":0},{"name":"localaccount","type":"STRING","byDefault":false,"sequence":0},{"name":"lockedout","type":"STRING","byDefault":false,"sequence":0},{"name":"accountname","type":"STRING","byDefault":false,"sequence":0},{"name":"sid","type":"STRING","byDefault":false,"sequence":0},{"name":"passwordexpires","type":"STRING","byDefault":false,"sequence":0},{"name":"groups","type":"STRING","byDefault":false,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":1,"dbVersion":0,"id":null,"name":"Services","description":"List of 
services","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"linux","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Bash Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"#!/bin/bash\n# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: List of services\n#\n# Version: 1.0\n\n\npid2User () {\n\techo `ps axo pid,user | tr -s ' ' | sed 's/^ //' | egrep \"^$1 \" | cut -d ' ' -f2` \n}\n\nparseSystemCtlLine () {\n\tname=`echo $line | cut -d' ' -f1`\n\tstatus=`echo $line | cut -d' ' -f4`\n\tuser=\"\"\n\tif [ \"$status\" == \"running\" ]; then\n\t\tstatus=\"Running\"\t\n\telse\t\n\t\tstatus=\"Stopped\"\t\n\tfi\n\tif [ \"$status\" == \"Running\" ]; then\n\t\tpid=`systemctl status $name | grep \"Main PID\" | cut -d ' ' -f4`\n\t\tuser=$(pid2User $pid)\n\tfi\n\n\tdescription=`echo $line | cut -d' ' -f5-`\n    echo \"\\\"$description\\\",\\\"$name\\\",systemd,\\\"$status\\\",\\\"$user\\\"\"\n}\n\nparseInitCtlLine () {\n\n\tif [[ $line == *','* ]]; then\n\t\tnamePart=$(echo $line | cut -d',' -f1)\n\telse\n\t\tnamePart=\"$line\"\n\tfi\n\n\t# the name part could be like this: \"network-interface (eth0) start/running\"\n\t# fullName will be \"network-interface (eth0)\"\n\t# name will be \"network-interface\"\n\tfullName=$(echo $namePart | sed 's/ [^ ]*$//')\n\tname=$(echo $namePart | awk '{print $1}')\n\n\tstatus=`echo $namePart | awk '{print $NF}'`\n\n\tif [ \"$status\" == \"start/running\" ]; then\n\t\tstatus=\"Running\"\n\telse\n\t\tstatus=\"Stopped\"\n\tfi\n\n\tdescription=$(grep description /etc/init/$name.conf 2>/dev/null | egrep -o \"\\\".*\\\"\" | tr -d \"\\\"\")\n\tif [ -z \"$description\" ]; 
then\n\t\tdescription=$fullName\n\tfi\n\n\tuser=\"\"\n\tpid=`echo $line | grep -o \", process [0-9]*\" | cut -d ' ' -f3`\n\t\n\tif [ -n \"$pid\" ]; then\n\t\tuser=$(pid2User $pid)\n\tfi\n\techo \"\\\"$description\\\",\\\"$name\\\",upstart,\\\"$status\\\",\\\"$user\\\"\"\n}\n\nparseServiceLine () {\n\n\tif [[ $line == *'('*')'* ]]; then\n\t\tname=`echo $line | cut -d' ' -f1`\n\t\tdescription=$name\n\t\tstatus=`echo $line | cut -d' ' -f5`\n\telif [[ $line == 'McAfee'* ]]; then\n\t\tnamePart1=`echo $line | cut -d' ' -f1`\n\t\tnamePart2=`echo $line | cut -d' ' -f2`\n\t\tname=$namePart1\" \"$namePart2\n\t\tdescription=$name\n\t\tstatus=`echo $line | cut -d' ' -f6`\n\telif [[ `echo $line | egrep 'iptables|ip6tables'` ]]; then\n\t\tname=`echo $line | egrep \"iptables|ip6tables\" | sed 's/.://' | cut -d' ' -f1`\n\t\tname=$name\" \"`echo $line | egrep \"iptables|ip6tables\" | cut -d' ' -f2`\n\t\tdescription=$name\n\t\tstatusPart1=`echo $line | cut -d' ' -f4`\n\t\tstatusPart2=`echo $line | cut -d' ' -f5`\n\t\tstatus=$statusPart1\" \"$statusPart2\n\t\tif [[ $status == 'not'* ]]; then\n\t\t\tstatus='stopped'\n\t\telse\n\t\t\tstatus='running'\n\t\tfi\n\telif [[ $line != *':'* ]]; then\n\t\tname=`echo $line | cut -d' ' -f1`\n\t\tdescription=$name\n\t\tstatus=`echo $line | cut -d' ' -f3`\n\tfi\n\n\tuser=\"\"\n\tpid=`echo $line | grep -o \"pid [0-9]*\" | cut -d ' ' -f2`\n\tif [ -n \"$pid\" ]; then\n\t\tuser=$(pid2User $pid)\n\tfi\n\n\tif [[ \"$status\" == 'running'* ]]; then\n\t\tstatus=\"Running\"\n\telif [[ \"$status\" == 'stopped' ]]; then\n\t\tstatus=\"Stopped\"\n\telse\n\t\tcontinue\n\tfi\n\n \techo \"\\\"$description\\\",\\\"$name\\\",sysv,\\\"$status\\\",\\\"$user\\\"\"\n}\n\n(IFS=$'\\n'\nif command -v initctl >/dev/null 2>&1; then\n        for line in $(initctl list 2>/dev/null | egrep -v \"^[[:blank:]]\"); do\n\t\tparseInitCtlLine $line\n        done\nfi\n\nif command -v systemctl > /dev/null 2>&1; then\n        for line in $(systemctl 2>/dev/null | tr -s ' ' | egrep 
\"\\.service \" | sed 's/\\.service//'); do\n\t\tparseSystemCtlLine $line\n\t\tdone\nfi\n\nif command -v service  >/dev/null 2>&1; then\n        for line in $(service --status-all 2>&1 | tr -s ' '); do\n\t\tparseServiceLine $line\n        done\nfi\n\n)\n","arguments":[],"utf8Sensitive":false},{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Windows Services","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":null,"arguments":[],"utf8Sensitive":false}],"outputs":[{"name":"description","type":"STRING","byDefault":true,"sequence":0},{"name":"name","type":"STRING","byDefault":true,"sequence":0},{"name":"startuptype","type":"STRING","byDefault":true,"sequence":0},{"name":"status","type":"STRING","byDefault":true,"sequence":0},{"name":"user","type":"STRING","byDefault":true,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":1,"dbVersion":0,"id":null,"name":"Startup","description":"Shows information about start-up programs on endpoint systems.","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Visual Basic Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"' Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n'\n' Purpose: Shows information about start-up programs on endpoint systems.\n'\n' Version: 1.0\ndim strComputer , colStartup , objStartup , colUser , c , c1\n\nstrComputer = 
\".\"\n\nSet objWMIService=GetObject(\"winmgmts:\" _\n    & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\n\nSet colStartup = objWMIService.ExecQuery _\n    (\"Select * from Win32_StartupCommand\")\n\nIf colStartup.Count = 0 Then \n\t WScript.Quit(0)\nElse \nFor Each objStartup in colStartup\n\t  c=Replace(objStartup.Command,\"\\\",\"\\\\\")\n\t ' c1=Replace(c, \"/\",\"\\\\/\")\t\n\t\tWScript.Echo objStartup.Caption & \",\" & c & \",\" & objStartup.Description & \",\" & objStartup.Name & \",\" & Replace(objStartup.User,\"\\\",\"\\\\\") \n\tNext\nEnd If","arguments":[],"utf8Sensitive":true}],"outputs":[{"name":"caption","type":"STRING","byDefault":true,"sequence":0},{"name":"command","type":"STRING","byDefault":true,"sequence":0},{"name":"description","type":"STRING","byDefault":true,"sequence":0},{"name":"name","type":"STRING","byDefault":true,"sequence":0},{"name":"user","type":"STRING","byDefault":true,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":6,"dbVersion":0,"id":null,"name":"InteractiveSessions","description":"Shows information about live interactive sessions on endpoint systems.","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"linux","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Bash Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"#!/bin/bash\n# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Shows information about live interactive sessions on endpoint systems.\n#\n# Version: 3.0\nwho=`who | cut -d \" \" -f1`\nfor line in $who; do\n        username=$line\n        gethead=`getent passwd $username | cut -d: -f5`\n        
userfullname=`head -n 1 <<< $gethead`\n        echo \"\\\"$username\\\"\",\"\\\"$userfullname\\\"\"\ndone","arguments":[],"utf8Sensitive":false},{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Execute PowerShell Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Shows information about live interactive sessions on endpoint systems.\n#\n# Version: 1.0\n\n$pshost = get-host\n$pswindow = $pshost.ui.rawui\n$newsize = $pswindow.buffersize\n$newsize.height = 3000\n$newsize.width = 3000\n$pswindow.buffersize = $newsize\n\n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\nif(-not ($PSCULTURE -like \"en-US\")){\n    chcp 437 | Out-Null;\n}\n$ErrorActionPreference = \"SilentlyContinue\";\n\nfunction get-interactive-sessions ($computername){\n    $sessions_filter = \"LogonType=2 or LogonType=10 or LogonType=11 or LogonType=12\"\n    $regexa = '.+Domain=\"(.+)\",Name=\"(.+)\"$'\n    $regexd = '.+LogonId=\"(\\d+)\"$'\n\n    $logon_sessions = @(gwmi win32_logonsession -ComputerName $computername -Filter $sessions_filter)\n    $logon_users = @(gwmi win32_loggedonuser -ComputerName $computername)\n\n    $session_user = @{}\n    $logon_users | %{\n        $_.antecedent -match $regexa > $nul\n        $username = $matches[1] + \"\\\" + $matches[2]\n        $_.dependent -match $regexd > $nul\n        $session = $matches[1]\n        $session_user[$session] += $username\n    }\n\n    $logon_sessions | %{\n        $loggedonuser = New-Object -TypeName psobject\n        $loggedonuser | Add-Member -MemberType NoteProperty -Name \"User\" -Value 
$session_user[$_.logonid]\n\n        $loggedonuser\n    }\n}\n\n$interactive_sesions = get-interactive-sessions (\"localhost\")\n\n$active_sesions_users = @()\nforeach ($interactive in $interactive_sesions) {\n    $user = [string]($interactive.User -split \"\\\\\")[1];\n    $query = query session $user 2> $null\n    Try {\n        foreach ($user_query in $query) {\n            if (($user_query -match \"Active\") -and ($active_sesions_users -notcontains $interactive.User)) {\n                $active_sesions_users += $interactive.User;\n            }\n        }\n    } Catch { }\n}\n\n$user_objects = Get-WmiObject Win32_UserAccount -Filter \"LocalAccount=True\";\n$computername = (Get-WmiObject -Class Win32_ComputerSystem -Property Name).Name;\n\nforeach ($user in $active_sesions_users) {\n    $domain_userid = $user -split \"\\\\\";\n    $domain = $domain_userid[0];\n    $userid = $domain_userid[1];\n\n    if ($domain -eq $computername) {\n        for($i=0; $i -lt $user_objects.Count; $i++) {\n            if($userid -eq $user_objects[$i].name) {\n                $result = [string](\"`\"\" + $userid + \"`\",`\"\" + $user_objects[$i].FullName + \"`\"\");\n                [Console]::WriteLine($result);\n            }\n        }\n    } else {\n        $result = [string](\"`\"\" + $userid + \"`\",`\"\" + \"`\"\");\n        [Console]::WriteLine($result);\n    }\n}\nexit 0;","arguments":[],"utf8Sensitive":false}],"outputs":[{"name":"userid","type":"STRING","byDefault":true,"sequence":0},{"name":"name","type":"STRING","byDefault":true,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":3,"dbVersion":0,"id":null,"name":"InstalledDrivers","description":"Shows details about drivers installed on endpoint systems.","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"linux","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Bash 
Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"#!/bin/sh\n# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Shows details about drivers installed on endpoint systems.\n#\n# Version: 1.0\n\n\nb=`cat /proc/modules | cut -f 1 -d \" \" `\n\nfor i in $b; do\n        d=`modinfo -d $i`\n        p=`modinfo -n $i`\n        echo $i,$d,,,,,,$p\ndone\n","arguments":[],"utf8Sensitive":false},{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Execute PowerShell Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Shows details about drivers installed on endpoint systems.\n#\n# Version: 1.0\n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\r\n# resize PS buffer size in order to avoid undesired line endings or trims in the output\r\n$pshost = get-host\r\n$pswindow = $pshost.ui.rawui\r\n$newsize = $pswindow.buffersize\r\n$newsize.height = 3000\r\n$newsize.width = 3000\r\n$pswindow.buffersize = $newsize\r\n\r\n$drivers= Get-WmiObject Win32_SystemDriver;\r\n\r\nforeach ($driver in $drivers){\r\n    $name = $driver.Name;\r\n    if ($driver.PathName -match '[A-Z]:'){\r\n        $drive= $matches[0];\r\n        $path= $driver.PathName -replace '^.*[A-Z]:','';\r\n        $path= $drive+$path;\r\n    }\r\n    \r\n    $date=\"\";\r\n    Try{\r\n        $driverFile= Get-Item -Path $path\r\n      
  if($driverFile.CreationTime -lt $driverFile.LastWriteTime){\r\n            $date=$driverFile.LastWriteTime.ToString(\"yyyy-MM-dd HH:mm:ss\");\r\n        }\r\n        else{\r\n            $date=$driverFile.CreationTime.ToString(\"yyyy-MM-dd HH:mm:ss\");\r\n        }\r\n    }\r\n    Catch{\r\n        $date=\"\";\r\n    }\r\n    \r\n    [Console]::WriteLine($driver.DisplayName + \",\" + $driver.Description + \",\" + $date + \",\" + $driver.Name + \",\" + $driver.ServiceType + \",\" + $driver.StartMode + \",\" + $driver.State + \",\" + ($driver.PathName -replace '\\\\','/'))\r\n\r\n}","arguments":[],"utf8Sensitive":false}],"outputs":[{"name":"displayname","type":"STRING","byDefault":true,"sequence":0},{"name":"description","type":"STRING","byDefault":true,"sequence":0},{"name":"last_modified_date","type":"DATE","byDefault":true,"sequence":0},{"name":"name","type":"STRING","byDefault":true,"sequence":0},{"name":"servicetype","type":"STRING","byDefault":true,"sequence":0},{"name":"startmode","type":"STRING","byDefault":true,"sequence":0},{"name":"state","type":"STRING","byDefault":true,"sequence":0},{"name":"path","type":"STRING","byDefault":true,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":3,"dbVersion":0,"id":null,"name":"DNSCache","description":"Shows information about the local DNS Cache on endpoint systems.","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Execute PowerShell Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\r\n#\r\n# Purpose: Shows information about the local DNS 
Cache on endpoint systems.\r\n#\r\n# Version: 1.0\r\n\r\n$pshost = get-host\r\n$pswindow = $pshost.ui.rawui\r\n$newsize = $pswindow.buffersize\r\n$newsize.height = 3000\r\n$newsize.width = 3000\r\n$pswindow.buffersize = $newsize\r\n\r\n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\r\nif(-not ($PSCULTURE -like \"en-US\")){\r\n    chcp 437 | Out-Null; \r\n}\r\n$cache= ipconfig /displaydns;\r\n\r\n$cache -split \"`n\" | ForEach-Object {\r\n    if($_ -like '*Record Name*'){\r\n        $hostname = $_.Split(':')[1];\r\n        $i=1;\r\n    }\r\n    if($_ -like '*A (Host) Record*'){\r\n        $ipaddr = $_.Split(':')[1];\r\n        $i=2;\r\n    }\r\n    if($i -eq 2){\r\n        $i=0;\r\n        [Console]::WriteLine($hostname+\",\"+$ipaddr);\r\n    }\r\n};\r\n","arguments":[],"utf8Sensitive":false}],"outputs":[{"name":"hostname","type":"STRING","byDefault":true,"sequence":0},{"name":"ipaddress","type":"STRING","byDefault":true,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":1,"dbVersion":0,"id":null,"name":"UsbConnectedStorageDevices","description":"Learn which users have used USB mass storage devices on managed endpoints. Get details on last usage and device details.","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"linux","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Bash Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"#!/bin/sh\n# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Learn which users have used USB mass storage devices on managed endpoints. 
Get details on last usage and device details.\n#\n# Version: 1.0\n\nfor KMSJ in `find /var/log/ -maxdepth 1 -name messages* -type f`\ndo\n        if [ -r \"$KMSJ\" ]; then\n                        #If it's compressed\n                        RES0=\"a\"\n                        if [[ \"$KMSJ\" == *.gz ]]; then\n                                RES0=`zcat \"$KMSJ\" | tac | \\\n                                grep -iA10 -E '\\busb\\W+(\\w+\\W+){1,5}storage\\b'`\n\n                        else\n                                RES0=`tac \"$KMSJ\" | \\\n                                grep -iA10 -E '\\busb\\W+(\\w+\\W+){1,5}storage\\b'`\n                        fi\n                        if [ -n \"$RES0\" ]; then\n                                RES0=$RES0'\\n''\\0'\n                                echo -e \"${RES0//--/\\0}\" | while read -r -d $'\\0' FUSB; do\n                                        # Serial Number\n                                        SERIALNUMBER=`echo -e \"$FUSB\" | grep -i \"SerialNumber:\" \\\n                                                      | awk NR==1 | awk '{ print $NF }' `\n                                        # Manufacturer\n                                        MANUFACTURER=`echo -e \"$FUSB\" | grep -io -E 'Manufacturer: (*\\w* |*\\w*)+' \\\n                                                      | awk NR==1 | awk '{ $1=\"\"; print}'`\n                                        MANUFACTURER=${MANUFACTURER# }\n                                        # Product\n                                        PRODUCT=`echo -e \"$FUSB\" | grep -io -E 'Product: (*\\w* |*\\w*)+' \\\n                                                      | awk NR==1 | awk '{ $1=\"\"; print}'`\n                                        PRODUCT=${PRODUCT# }\n\n                                        #IdVendor\n                                        IDvendor=`echo -e \"$FUSB\" | grep -io -E \"idVendor=*\\w*\"`\n                                        
IDvendor=${IDvendor#idVendor=}\n\n                                        #Idproduct\n                                        IDprod=`echo -e \"$FUSB\" | grep -io -E \"idProduct=*\\w*\"`\n                                        IDprod=${IDprod#idProduct=}\n\n                                        # date\n                                        USBDATE=`echo -e \"$FUSB\" | \\\n                                                grep -io -E '[a-zA-Z]{3} [0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}' | \\\n                                                 awk NR==1`\n                                        ANO=\"${KMSJ/\\var\\/log\\/messages/}\"\n                                        ANO=\"${ANO/.gz/}\"\n                                        ANO=${ANO%[0-9][0-9][0-9][0-9]}\n                                        ANO=${ANO/\\-/}\n                                        ANO=${ANO/\\//}\n                                        ANO=`echo $ANO | grep -o -E '[0-9]{4}'`\n                                        USBDATE=`date -d\"$USBDATE\" \"+%F %T\"`\n                                        if [[ -n $ANO ]]; then\n                                                NOW=`date \"+%Y\"`\n                                                USBDATE=${USBDATE/\"$NOW\"/\"$ANO\"}\n                                        fi\n\n                                        # build output\n                                        COLECTOR=\"\"\n                                        if [[ -n $MANUFACTURER ]]; then\n                                                COLECTOR=$COLECTOR\"\\\"$MANUFACTURER\\\",\"\n                                        else\n                                                COLECTOR=$COLECTOR\"\\\"$IDvendor\\\",\"\n                                        fi\n\n                                        if [[ -n $PRODUCT ]]; then\n                                                COLECTOR=$COLECTOR\"\\\"$PRODUCT\\\",\"\n                                        else\n                        
                        COLECTOR=$COLECTOR\"\\\"$IDprod\\\",\"\n                                        fi\n\n                                        COLECTOR=$COLECTOR\"\\\"$SERIALNUMBER\\\",\\\"Mass storage\\\",\\\"\\\",\\\"\\\",\\\"\\\",\\\"$USBDATE\\\"\"\n                                        echo $COLECTOR\n                                done\n                        fi\n        fi\ndone\n","arguments":null,"utf8Sensitive":false},{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Execute PowerShell Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Learn which users have used USB mass storage devices on managed endpoints. 
Get details on last usage and device details.\n#\n# Version: 1.0\n# Custom shift class, -shl couldn't be used because powershell 2.0 doesn't support it\r\nAdd-Type @\"\r\npublic class Shift{\r\n    public static int    Left(int x,   int count) { return x << count; }\r\n    public static uint   Left(uint x,  int count) { return x << count; }\r\n    public static long   Left(long x,  int count) { return x << count; }\r\n    public static ulong  Left(ulong x, int count) { return x << count; }\r\n}\r\n\"@\r\n\r\nfunction Shift-Left {\r\nPARAM( $x=1, $y )\r\nBEGIN {\r\n    if($y) {\r\n        [Shift]::Left( $x, $y )\r\n    }\r\n}\r\nPROCESS {\r\n    if($_){\r\n        [Shift]::Left($_, $x)\r\n    }\r\n}\r\n}\r\n\r\n#Class advapi contains RegQueryInfoKey method used to get registries last modified time supported for Powershell Version >= V3.0\r\n$Namespace = \"MAR\"\r\n\r\nAdd-Type @\"\r\n\r\n    using System;\r\n\r\n    using System.Text;\r\n\r\n    using System.Runtime.InteropServices; \r\n\r\n    $($Namespace | ForEach-Object {\r\n\r\n        \"namespace $_ {\"\r\n\r\n    })\r\n\r\n         public class advapi32 {\r\n\r\n            [DllImport(\"advapi32.dll\", CharSet = CharSet.Auto)]\r\n\r\n            public static extern Int32 RegQueryInfoKey(\r\n\r\n                IntPtr hKey,\r\n                \r\n                StringBuilder lpClass,\r\n\r\n                [In, Out] ref UInt32 lpcbClass,\r\n\r\n                UInt32 lpReserved,\r\n\r\n                out UInt32 lpcSubKeys,\r\n\r\n                out UInt32 lpcbMaxSubKeyLen,\r\n\r\n                out UInt32 lpcbMaxClassLen,\r\n\r\n                out UInt32 lpcValues,\r\n\r\n                out UInt32 lpcbMaxValueNameLen,\r\n\r\n                out UInt32 lpcbMaxValueLen,\r\n\r\n                out UInt32 lpcbSecurityDescriptor,                \r\n\r\n                out System.Runtime.InteropServices.ComTypes.FILETIME lpftLastWriteTime\r\n\r\n            );\r\n\r\n        }\r\n\r\n    $($Namespace | 
ForEach-Object {\r\n\r\n        \"}\"\r\n\r\n    })\r\n\r\n\"@\r\n\r\nfunction GetKeyLastWriteDate ($RegKey){\r\n    Try{\r\n        $RegTools = (\"{0}.advapi32\" -f ($Namespace -join \".\")) -as [type]\r\n        $LastWrite = New-Object System.Runtime.InteropServices.ComTypes.FILETIME;\r\n        # Call function:\r\n        $result=$RegTools::RegQueryInfoKey($RegKey.Handle.DangerousGetHandle(), $null, [ref] $null, $null, [ref] $null, [ref] $null, [ref] $null, [ref] $null, [ref] $null, [ref] $null, [ref] $null, [ref] $LastWrite);\r\n        \r\n        # Convert to DateTime object:\r\n        $UnsignedLow = [System.BitConverter]::ToUInt32([System.BitConverter]::GetBytes($LastWrite.dwLowDateTime), 0);\r\n        $UnsignedHigh = [System.BitConverter]::ToUInt32([System.BitConverter]::GetBytes($LastWrite.dwHighDateTime), 0);        \r\n        # Shift high part so it is most significant 32 bits, then copy low part into 64-bit int:\r\n        $FileTimeInt64 = [Int64] $UnsignedHigh;\r\n        $FileTimeInt64 = Shift-Left $FileTimeInt64 32;\r\n        $FileTimeInt64 = $FileTimeInt64 -bor $UnsignedLow;\r\n        # Create datetime object\r\n        return(([datetime]::FromFileTime($FileTimeInt64)).ToString(\"yyyy-MM-dd HH:mm:ss\"));\r\n    }\r\n    Catch{return \" \"}\r\n}\r\n\r\nfunction GetDeviceType ($Code){\r\n\r\nswitch ($Code) \r\n    { \r\n        \"00\" {$result=\"Unspecified\";break;} \r\n        \"01\" {$result=\"Audio\";break;} \r\n        \"02\" {$result=\"Communications and CDC Control\";break;} \r\n        \"03\" {$result=\"Human interface device (HID)\";break;} \r\n        \"05\" {$result=\"Physical Interface Device (PID)\";break;} \r\n        \"06\" {$result=\"Image\";break;}\r\n        \"07\" {$result=\"Printer\";break;} \r\n        \"08\" {$result=\"Mass storage\";break;} \r\n        \"09\" {$result=\"USB hub\";break;} \r\n        \"0A\" {$result=\"CDC-Data\";break;} \r\n        \"0B\" {$result=\"Smart Card\";break;} \r\n        \"0D\" {$result=\"Content 
security\";break;} \r\n        \"0E\" {$result=\"Video\";break;} \r\n        \"0F\" {$result=\"Personal healthcare device class (PHDC)\";break;} \r\n        \"10\" {$result=\"Audio/Video (AV)\";break;} \r\n        \"11\" {$result=\"Billboard\";break;} \r\n        \"DC\" {$result=\"Diagnostic Device\";break;} \r\n        \"E0\" {$result=\"Wireless Controller\";break;} \r\n        \"EF\" {$result=\"Miscellaneous\";break;} \r\n        \"FE\" {$result=\"Application-specific\";break;} \r\n        \"FF\" {$result=\"Vendor-specific\";break;} \r\n        default {$result=\"\";break;}\r\n    }\r\n    return $result;\r\n}\r\n\r\n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\r\n    # resize PS buffer size in order to avoid undesired line endings or trims in the output\r\n    $pshost = get-host\r\n    $pswindow = $pshost.ui.rawui\r\n    $newsize = $pswindow.buffersize\r\n    $newsize.height = 3000\r\n    $newsize.width = 3000\r\n    $pswindow.buffersize = $newsize\r\n    \r\n    #Declares the path of some registry keys of interest\r\n    $usb_stor_key=\"HKLM:\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\";\r\n    $usb_key=\"HKLM:\\SYSTEM\\CurrentControlSet\\Enum\\USB\";\r\n    \r\n    #Creates the \"HKU:\\\" Drive\r\n    $hku= New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS;\r\n    \r\n    #Creates a new WMI object\r\n\r\n    $output=@();\r\n    \r\n    $usb_stor_key_exists=Test-Path($usb_stor_key);\r\n    $usb_key_exists=Test-Path($usb_key);\r\n    if($usb_stor_key_exists -and $usb_key_exists){\r\n        $usb_device_class_id=@(Get-ChildItem -Path $usb_stor_key -Name);\r\n        $usb_device_name=@((Get-ItemProperty -Path ($usb_stor_key+\"\\*\\*\") | select FriendlyName).FriendlyName);\r\n        $usb_ids= (Get-ChildItem -Path ($usb_key+\"\\*\\*\"));\r\n        $usb_device_last_conn_time= @();\r\n        $usb_device_type= @(0)*$usb_device_class_id.Count;\r\n        $usb_device_vendor_id=@(0)*$usb_device_class_id.Count;\r\n        
$usb_device_prod_id=@(0)*$usb_device_class_id.Count;\r\n        for ($i=0;$i -lt $usb_device_class_id.Count; $i++){\r\n            $usb_device_serial+=@(Get-ChildItem -Path ($usb_stor_key+\"\\\\\"+$usb_device_class_id[$i]) -Name);    \r\n            $usb_device_vendor_id[$i]= $usb_device_class_id[$i].split('&')[1];\r\n            $usb_device_prod_id[$i]= $usb_device_class_id[$i].split('&')[2];\r\n            foreach ($usb_id in $usb_ids){\r\n                $key_name =  Split-Path  $usb_id.Name -Leaf;\r\n                $usb_device_id= $usb_device_serial[$i].split('&')[0];\r\n                if($usb_device_id -eq $key_name){\r\n                    $UsbRegKey = Get-Item ($usb_key + \"\\\"+(Split-Path(Split-Path  $usb_id.Name -Parent) -Leaf) +\"\\\"+ $key_name);\r\n                    Try{\r\n                        $type_code=(($usb_id.GetValue(\"CompatibleIDs\") | select -Last 1));\r\n                        $type_code=$type_code.substring($type_code.length - 2, 2);\r\n                        }\r\n                    Catch{\r\n                        $type_code=\"\";\r\n                    }\r\n                    $usb_device_type[$i]=GetDeviceType($type_code);\r\n                    $conn_time= GetKeyLastWriteDate($UsbRegKey);\r\n                    $usb_device_last_conn_time+= $conn_time;\r\n                }\r\n            }\r\n        };\r\n    }    \r\n    \r\n    $usb_device_guids=@(\"\")*$usb_device_serial.Count;\r\n    if(Test-Path(\"HKLM:\\SYSTEM\\MountedDevices\")){\r\n        $mounted_devices_reg_key=Get-Item -Path \"HKLM:\\SYSTEM\\MountedDevices\";\r\n        for ($i=0; $i -lt $mounted_devices_reg_key.Property.Count; $i++){\r\n            $mounted_devices= $mounted_devices_reg_key.GetValue($mounted_devices_reg_key.Property[$i]);\r\n            $serial_number_mounted_device= (([Text.Encoding]::Unicode.GetString($mounted_devices).split('#')[2]));\r\n            \r\n            for ($j=0;$j -lt $usb_device_serial.Count; $j++){\r\n                
if($usb_device_serial[$j] -eq $serial_number_mounted_device){\r\n                    if($mounted_devices_reg_key.Property[$i] -like \"*Volume{*\" ){\r\n                        $usb_device_guids[$j]= \"{\"+($mounted_devices_reg_key.Property[$i].split(\"{\")[1]);\r\n                    }\r\n                }\r\n            }\r\n        }\r\n    }\r\n    \r\n    $loggedUserAccounts= @(Get-ChildItem -Path \"HKU:\\\");\r\n    foreach ($user in $loggedUserAccounts){\r\n            $user_sid=$user.Name; \r\n            for($j=0;$j -lt $usb_device_guids.Count; $j++){\r\n                $path=(\"HKU:\\\"+$user_sid+\"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\\"+$usb_device_guids[$j]);\r\n                if(Test-Path ($path)){\r\n                    $UserRegKey= Get-Item -Path ($path);\r\n                    $user_conn_time= GetKeyLastWriteDate($UserRegKey);\r\n                    $user_device_connection_time = $user_conn_time;\r\n                    if (Test-Path((\"HKU:/\"+$user_sid+\"/Volatile Environment\"))){\r\n                        $user_name=(Get-Item -Path (\"HKU:/\"+$user_sid+\"/Volatile Environment\")).GetValue(\"USERNAME\");\r\n                    }\r\n                    $output+=($usb_device_vendor_id[$j]+\",\"+$usb_device_name[$j]+\",\"+$usb_device_serial[$j]+\",\"+$usb_device_type[$j]+\",\"+$usb_device_guids[$j]+\",\"+$usb_device_last_conn_time[$j]+\",\"+$user_name+\",\"+$user_device_connection_time);\r\n                }\r\n            }\r\n    }\r\n    \r\n    $localUserAccounts=@(Get-ChildItem -Path \"C:\\Users\");\r\n            \r\n    foreach ($user in $localUserAccounts){\r\n        $user_name= $user.Name\r\n        $user_path_valid= Test-Path (\"C:\\Users\\\"+$user_name+\"\\NTUSER.DAT\");\r\n        if($user_path_valid){\r\n            $load= REG LOAD (\"HKU\\\"+$user_name) (\"C:\\Users\\\"+$user_name+\"\\NTUSER.DAT\") 2>&1 | Out-Null\r\n            $loaded= $?;\r\n\r\n            for($j=0;$j -lt $usb_device_guids.Count; 
$j++){\r\n                $path=(\"HKU:\\\"+$user_name+\"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\\"+$usb_device_guids[$j]);\r\n                if(Test-Path ($path)){\r\n                    $UserRegKey= Get-Item -Path ($path);\r\n                    $user_conn_time= GetKeyLastWriteDate($UserRegKey);\r\n                    $user_device_connection_time = $user_conn_time;\r\n                    $output+=($usb_device_vendor_id[$j]+\",\"+$usb_device_name[$j]+\",\"+$usb_device_serial[$j]+\",\"+$usb_device_type[$j]+\",\"+$usb_device_guids[$j]+\",\"+$usb_device_last_conn_time[$j]+\",\"+$user_name+\",\"+$user_device_connection_time);\r\n                    $UserRegKey.Close(); \r\n                }\r\n            }\r\n            if($loaded){\r\n                $unloaded = $false\r\n                $attempts = 0\r\n                while (!$unloaded -and ($attempts -le 5)) {          \r\n                  [gc]::Collect() # This is necessary to allow the unload of registry hive\r\n                  $unload= & REG UNLOAD (\"HKU\\\"+$user_name)\r\n                  $unloaded = $?\r\n                  $attempts += 1\r\n                }\r\n                if (!$unloaded) {\r\n                  Write-Warning (\"Unable to dismount registry hive at HKLM\\\"+$user_sid)\r\n                }\r\n            }\r\n        }\r\n    }\r\n    \r\n    #Checks if all usb devices were added to $output, if not then appends the device into output without the user info\r\n    for ($i=0; $i -lt $usb_device_serial.Count; $i++){\r\n        $flag=0;\r\n        foreach ($output_entry in $output){\r\n            if($output_entry -like (\"*\"+$usb_device_serial[$i]+\"*\")){\r\n                $flag=1;\r\n                break;\r\n            }\r\n        }\r\n        if($flag -eq 0){\r\n            
$output+=($usb_device_vendor_id[$i]+\",\"+$usb_device_name[$i]+\",\"+$usb_device_serial[$i]+\",\"+$usb_device_type[$i]+\",\"+$usb_device_guids[$i]+\",\"+$usb_device_last_conn_time[$i]+\", , \");\r\n        }\r\n    }\r\n    \r\n    \r\n    for($i=0; $i -lt $output.Count; $i++){\r\n        [Console]::WriteLine($output[$i]);\r\n    }","arguments":null,"utf8Sensitive":false}],"outputs":[{"name":"vendor_id","type":"STRING","byDefault":true,"sequence":0},{"name":"product_id","type":"STRING","byDefault":true,"sequence":0},{"name":"serial_number","type":"STRING","byDefault":true,"sequence":0},{"name":"device_type","type":"STRING","byDefault":true,"sequence":0},{"name":"guid","type":"STRING","byDefault":true,"sequence":0},{"name":"last_connection_time","type":"DATE","byDefault":true,"sequence":0},{"name":"user_name","type":"STRING","byDefault":true,"sequence":0},{"name":"last_time_used_by_user","type":"DATE","byDefault":true,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":2,"dbVersion":0,"id":null,"name":"NetworkShares","description":"Find the network shared paths accessible from each managed endpoint.","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"linux","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Bash Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"#!/bin/bash\n# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Find the network shared paths accessible from each managed endpoint.\n#\n# Version: 2.0\n\noldIFS=\"$IFS\"\n\n# NFS\nNFS=$(which showmount 2>/dev/null)\nif [ -n \"$NFS\" ]\nthen\n\n        IFS='\n'\n        IFS=${IFS:0:1}\n        arrayDir=( $(showmount -e localhost 
2>/dev/null | egrep ^/ 2>/dev/null | awk '{print $1}'  2>/dev/null) )\n        IFS=\"$oldIFS\"\n        for (( i=0; i<${#arrayDir[*]}; i=i+1 ))\n        do\n                echo \"\\\"\\\",\\\"NFS server\\\",\\\"${arrayDir[$i]}\\\"\"\n        done\nfi\n\n# Samba\nsmb=$(service smb status 2> /dev/null)\nif [ -n \"$smb\" ];\nthen\n\n        SECTIONSALL=$(testparm -s /etc/samba/smb.conf 2>/dev/null | grep -E '\\[(\\w)+' | grep -v \"\\[global\\]\")\n        SECTIONSALL=${SECTIONSALL//\\[/\\\"}\n        SECTIONSALL=${SECTIONSALL//\\]/\\\"}\n\n        IFS='\n'\n        aSection=( $SECTIONSALL )\n        IFS=\"$oldIFS\"\n\n        for element in \"${aSection[@]}\"\n        do\n                cmd=\"testparm -s /etc/samba/smb.conf  --section-name $element 2>/dev/null | tail -n+2\"\n                comment=$(eval \"$cmd |  grep -i -E \\\"^\\s*comment\\s*=\\s*\\\" \")\n                pathS=$(eval \"$cmd |  grep -i -E \\\"^\\s*path\\s*=\\s*\\\" \")\n                comment=${comment//\\\"/\\\\\\\"}\n                pathS=${pathS//\\\"/\\\\\\\"}\n\n                pos=$(eval \"expr \\\"$comment\\\" : '^\\s*comment\\s*=\\s*'\")\n                comment=${comment:$pos}\n                pos=$(eval \"expr \\\"$pathS\\\" : '^\\s*path\\s*=\\s*'\")\n                pathS=${pathS:$pos}\n                pathS=${pathS//\\\\\\\"/}\n                pathS=\"\\\"$pathS\\\"\"\n\n                echo -e \"$element,\\\"$comment\\\",$pathS\"\n        done\nfi\n","arguments":null,"utf8Sensitive":false},{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Visual Basic Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"' Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 
1.888.847.8766, www.intelsecurity.com\n'\n' Purpose: Find the network shared paths accessible from each managed endpoint.\n'\n' Version: 1.0\ndim strComputer , colShare , objShare\r\n\r\nstrComputer = \".\"\r\n\r\nSet objWMIService=GetObject(\"winmgmts:\" _\r\n    & \"{impersonationLevel=impersonate}!\\\\\" & strComputer & \"\\root\\cimv2\")\r\n\r\nSet colShare = objWMIService.ExecQuery _\r\n    (\"Select * from Win32_Share\")\r\n\r\nIf colShare.Count = 0 Then \r\n     WScript.Quit(0)\r\nElse \r\nFor Each objShare in colShare\r\n        WScript.Echo objShare.Name & \",\" & objShare.Description & \",\" & Replace(objShare.Path,\"\\\",\"\\\\\")\r\nNext\r\nEnd If","arguments":null,"utf8Sensitive":false}],"outputs":[{"name":"name","type":"STRING","byDefault":false,"sequence":0},{"name":"description","type":"STRING","byDefault":false,"sequence":0},{"name":"path","type":"STRING","byDefault":false,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":1,"dbVersion":0,"id":null,"name":"NetworkSessions","description":"Gets information of currently open network sessions on the endpoint.","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"linux","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Bash Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Gets information of currently open network sessions on the endpoint.\n#\n# Version: 1.0\nnet status sessions 2>/dev/null | grep  -A999999 '\\-\\-\\-\\-' | tail -n+2 |  awk '{print $4 
$5\",\"$2\",,,,\"}'","arguments":null,"utf8Sensitive":false},{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Execute PowerShell Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Gets information of currently open network sessions on the endpoint.\n#\n# Version: 1.0\n\n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\r\n# resize PS buffer size in order to avoid undesired line endings or trims in the output\r\n$pshost = get-host\r\n$pswindow = $pshost.ui.rawui\r\n$newsize = $pswindow.buffersize\r\n$newsize.height = 3000\r\n$newsize.width = 3000\r\n$pswindow.buffersize = $newsize\r\n\r\n$networkSessions = Get-WmiObject -class Win32_ServerConnection \r\n\r\nforeach ($networkSession in $networkSessions)\r\n{\r\n    if ($networkSession.ComputerName){\r\n        $stringSession= net session (\"\\\\\"+$networkSession.ComputerName)\r\n        $idleTime=  ($stringSession | Select-String \"Idle\").ToString();\r\n        $splittedIdleTime= $idleTime.split(\" \");\r\n        $idleTime= $splittedIdleTime[-1]\r\n        $clientType=  ($stringSession | Select-String \"Client\").ToString();\r\n        $splittedClientType= $clientType.split(\" \");\r\n        $clientType= $splittedClientType[-1]\r\n        [Console]::WriteLine($networkSession.ComputerName+\",\"+$networkSession.UserName+\",\"+$clientType+\",\"+$networkSession.ShareName+\",\"+$idleTime);\r\n    }\r\n\r\n}   
","arguments":null,"utf8Sensitive":false}],"outputs":[{"name":"computer","type":"STRING","byDefault":false,"sequence":0},{"name":"user","type":"STRING","byDefault":false,"sequence":0},{"name":"client","type":"STRING","byDefault":false,"sequence":0},{"name":"file","type":"STRING","byDefault":false,"sequence":0},{"name":"idletime","type":"STRING","byDefault":false,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":1,"dbVersion":0,"id":null,"name":"EnvironmentVariables","description":"On Windows endpoints, EnvironmentVariables shows system, current user, volatile and processes variables. On Linux endpoints, EnvironmentVariables shows information from virtual files located in /proc/$PROCESSID/environ, where $PROCESSID is the process id number.","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"linux","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Bash Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"#!/bin/sh\n# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: On Windows endpoints, EnvironmentVariables shows system, current user, volatile and processes variables. 
On Linux endpoints, EnvironmentVariables shows information from virtual files located in /proc/$PROCESSID/environ, where $PROCESSID is the process id number.\n#\n# Version: 1.0\n\nspecialChar=$'\\0'\nfor D in `find /proc/ -maxdepth 1 -name \\[^a-zA-Z]* -type d`\ndo\n        envFile=\"$D/environ\"\n        #echo \"$envFile\";\n        if [ -r \"$envFile\" ]; then\n                pid=${D#/proc/};\n                user=$( ps up $pid | tail -n 1 | awk '{print $1}');\n                pname=$( ps up $pid | tail -n 1 | awk '{print $11}')\n                cat $envFile | while read -r -d $'\\0' X; do\n                        X=${X/\\0/}\n                        X=${X//\\\"/\\\\\\\"}\n                        if [[ $X == *\"=\"* ]]\n                        then\n                                echo \"\\\"$user\\\",$pid,\\\"${X/=/\",\"}\\\"\"\n                        fi\n                done\n\n        fi\ndone","arguments":[],"utf8Sensitive":false},{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Execute PowerShell Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: On Windows endpoints, EnvironmentVariables shows system, current user, volatile and processes variables. 
On Linux endpoints, EnvironmentVariables shows information from virtual files located in /proc/$PROCESSID/environ, where $PROCESSID is the process id number.\n#\n# Version: 1.0\n\n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\r\n$pshost = get-host\n$pswindow = $pshost.ui.rawui\n$newsize = $pswindow.buffersize\n$newsize.height = 3000\n$newsize.width = 3000\n$pswindow.buffersize = $newsize\n\n$strComputer = \".\"\n$result = \"\"\n\n$colItems = get-wmiobject -class \"Win32_Environment\" -namespace \"root\\cimv2\" -computername $strComputer\nforeach ($objItem in $colItems) {\n    $result += (\"`\"\" + $objItem.UserName + \"`\",`\" `\",`\"\" + $objItem.Name + \"`\",`\"\" + $objItem.VariableValue + \"`\"\" + \"||||\")\n}\n$result = ([string]$result).Split(\"||||\",[System.StringSplitOptions]::RemoveEmptyEntries);\nfor($i=0; $i -lt $result.Count; $i++){$result[$i] = [string]($result[$i] -replace \"\\\\\",\"\\\\\")};\n\n#Creates the \"HKU:\\\" Drive\n$hku= New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS;\n    \n#Creates a new WMI object\n$user_accounts= @(Get-ChildItem -Path \"HKU:\\\")\n\nforeach ($user in $user_accounts){\n    $user_sid= $user.Name;\n    $path=(\"HKU:\\\"+$user_sid+\"\\Volatile*\");\n    if(Test-Path ($path)){\n        $user_name=(Get-Item -Path $path).GetValue(\"USERNAME\");\n        $variables = (Get-ItemProperty -Path $path | Select-Object $output | ConvertTo-Csv -NoTypeInformation -Delimiter \"|\");\n        $names = $variables[0].Split(\"|\")\n        $values = $variables[1].Split(\"|\")\n        for($i=0; $i -lt $names.Count; $i++){$result += (\"`\"\" + $user_name + \"`\",`\"\" + \" \" + \"`\",\" + [string]($names[$i] -replace \"\\\\\",\"\\\\\") + \",\" + [string]($values[$i] -replace \"\\\\\",\"\\\\\"))}\n    }\n}\n\n$processes = @();\nTry{\n    $processes = Get-CimInstance Win32_Process\n} Catch {\n    $processes = $null\n}\n\nif ($processes -ne $null) {\n    $processesNames1 = Get-Process | Select-Object name\n    
$processesNames2 = @();\n    for($i=0; $i -lt $processesNames1.Count; $i++){\n        $processesNames2 += (([string]$processesNames1[$i]).Split((\"@{Name=\",\"}\"),[System.StringSplitOptions]::RemoveEmptyEntries))\n    }\n\n    foreach ($process in $processes) {\n        $userName = ([string](Invoke-CimMethod -InputObject $process -MethodName GetOwner | Select-Object User)).Split((\"@{User=\",\"}\"),[System.StringSplitOptions]::RemoveEmptyEntries)\n        $name = $process.Name\n        $id = $process.ProcessId\n\n        if($name -match \"idle\") {$name = \"Idle\"}\n        if ($processesNames2 -contains ([string]($name).Split(\".\")[0])) {\n            $processEnv = Get-Process -Name ([string]($name).Split(\".\")[0] -replace \" \",\"\\ \")\n            $tabla = $processEnv.StartInfo.EnvironmentVariables.GetEnumerator() | foreach {\n                New-Object PSObject -Property ([ordered]@{Name = $_.Name;Value = $_.Value})\n            }\n            $processEnvCSV = $tabla | ConvertTo-Csv -NoTypeInformation\n    \n            for($i=1; $i -lt $processEnvCSV.Count; $i++){$result += (\"`\"\" + $userName + \"`\",`\"\" + $id + \"`\",\" + [string]($processEnvCSV[$i] -replace \"\\\\\",\"\\\\\"))}\n        }\n    }\n}\n\nfor($i=0; $i -lt $result.Count; $i++) { \n    [Console]::WriteLine($result[$i]);\n}","arguments":[],"utf8Sensitive":false}],"outputs":[{"name":"username","type":"STRING","byDefault":true,"sequence":0},{"name":"process_id","type":"NUMBER","byDefault":true,"sequence":0},{"name":"name","type":"STRING","byDefault":true,"sequence":0},{"name":"value","type":"STRING","byDefault":true,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":1,"dbVersion":0,"id":null,"name":"CommandLineHistory","description":"Shows the command line history executed on Linux endpoints. 
By default it gets updated when closing the terminal, this behaviour depends on Linux user configuration.","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"linux","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Bash Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"#!/bin/sh\n# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Shows the command line history executed on Linux endpoints. By default it gets updated when closing the terminal, this behaviour depends on Linux user configuration.\n#\n# Version: 1.0\n\nRES=$(grep -i -E \"bin/bash$\" /etc/passwd 2>/dev/null)\nDIR=$(echo -e \"$RES\" | cut -d \":\" -f6)\nDIR=${DIR// /\\\\ }\nUSER=$(echo -e \"$RES\" | cut -d \":\" -f1)\n\noldIFS=\"$IFS\"\nIFS='\n'\nIFS=${IFS:0:1}\narrayDir=( $DIR )\narrayUser=( $USER )\n#IFS=\"$oldIFS\"\n\nfor (( i=0; i<${#arrayDir[*]}; i=i+1 ))\ndo\n        histFile=\"${arrayDir[$i]}/.bash_history\"\n        if [ -r \"$histFile\" ]\n        then\n                COUNT=0\n                cat \"$histFile\" | while read -r cmd\n                do\n                        let COUNT++\n                        cmd=${cmd//\\\\/\\\\\\\\}\n                        cmd=${cmd//\\\"/\\\\\\\"}\n                        echo \"\\\"${arrayUser[$i]}\\\",\\\"$COUNT\\\",\\\"$cmd\\\"\"\n                done\n        
fi\ndone\nIFS=\"$oldIFS\"","arguments":null,"utf8Sensitive":false}],"outputs":[{"name":"user","type":"STRING","byDefault":true,"sequence":0},{"name":"id","type":"STRING","byDefault":true,"sequence":0},{"name":"command_line","type":"STRING","byDefault":true,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":1,"dbVersion":0,"id":null,"name":"InstalledCertificates","description":"Shows a list of installed certificates on Windows and Linux endpoints. Details the issuer, expiration date and purposes of the certificates.","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"linux","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Bash Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"#!/bin/sh\n# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Shows a list of installed certificates on Windows and Linux endpoints. 
Details the issuer, expiration date and purposes of the certificates.\n#\n# Version: 1.0\n\nTODAY=$(date +\"%Y%m%d%k%M%S\")\nFILECRT=$(cat /etc/pki/tls/certs/ca-bundle.crt  2>/dev/null)\nFILECRTT=$(cat /etc/pki/tls/certs/ca-bundle.trust.crt 2>/dev/null)\noldIFS=\"$IFS\"\nIFS='\n'\nIFS=${IFS:0:1}\n\nCERT=\"\"\necho -e \"$FILECRT\\n$FILECRTT\" | while read -r line\ndo\n        if [[ \"$line\" != \"-----END CERTIFICATE-----\" && \"$line\" != \"-----END TRUSTED CERTIFICATE-----\" ]]\n\n        then\n                CERT=\"$CERT\\n$line\"\n        else\n\n                #ISSUER\n                ISSUER=$(echo -e \"$CERT\" | grep -i -E \"^(\\s|\\t)*Issuer:\" | sed -r 's/^(\\s|\\t)*Issuer:(\\s|\\t)*//g')\n                ISSUER=${ISSUER//\\\\/\\\\\\\\}\n                ISSUER=${ISSUER//\\\"/\\\\\\\"}\n\n\n                #DATE\n                EXPDATE=$(echo -e \"$CERT\" | grep -i -E \"^(\\s|\\t)*Not After(\\s|\\t)*:(\\s|\\t)*\" | sed -r 's/^(\\s|\\t)*Not After(\\s|\\t)*:(\\s|\\t)*//g' | head -n 1)\n                #Fix date on 32bit OS\n                EXPY=$(echo -e \"$EXPDATE\" | grep -o -E '[[:digit:]]{4}')\n                EXPDATE=${EXPDATE/$EXPY/2000}\n                EXPDATE=$(date -d \"$EXPDATE\" \"+%F %T\")\n                #STATUS\n                EXP=$(date -d \"$EXPDATE\" +\"%Y%m%d%H%M%S\")\n                EXP=${EXP/2000/$EXPY}\n                EXPDATE=${EXPDATE/2000/$EXPY} #Fix date 32 bit\n\n                #Key Usage\n                KEYUSAGE=`echo -e \"$CERT\"  | grep -iA1 -E \"(\\s|\\t)*(\\w)*\\s*Key Usage:\" | tail -n 1 |  sed -r 's/^(\\s|\\t)*//g'`\n                KEYUSAGE=${KEYUSAGE//\\\\/\\\\\\\\}\n                KEYUSAGE=${KEYUSAGE//\\\"/\\\\\\\"}\n\n                #Extend\n                KEYUSAGEEXT=`echo -e \"$CERT\"  | grep -iA1 -E \"(\\s|\\t)*(\\w)*\\s*Extended Key Usage:\" | tail -n 1 | sed -r 's/^(\\s|\\t)*//g'`\n                KEYUSAGEEXT=${KEYUSAGEEXT//\\\\/\\\\\\\\}\n                KEYUSAGEEXT=${KEYUSAGEEXT//\\\"/\\\\\\\"}\n\n         
       #SUBJECT\n                SUBJECT=`echo -e \"$CERT\"  | grep -i -E \"^(\\s|\\t)*Subject:\" | sed -r 's/^(\\s|\\t)*Subject:(\\s|\\t)*//g'`\n                SUBJECT=${SUBJECT//\\\\/\\\\\\\\}\n                SUBJECT=${SUBJECT//\\\"/\\\\\\\"}\n\n                echo -e \"\\\"$SUBJECT\\\",\\\"$ISSUER\\\",\\\"$EXPDATE\\\",\\\"$KEYUSAGE\\\",\\\"$KEYUSAGEEXT\\\",\\\"\\\"\"\n                CERT=\"\"\n        fi\ndone\nIFS=\"$oldIFS\"","arguments":null,"utf8Sensitive":false},{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Execute PowerShell Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Shows a list of installed certificates on Windows and Linux endpoints. 
Details the issuer, expiration date and purposes of the certificates.\n#\n# Version: 1.0\n\n $pshost = get-host\n$pswindow = $pshost.ui.rawui\n$newsize = $pswindow.buffersize\n$newsize.height = 5000\n$newsize.width = 5000\n$pswindow.buffersize = $newsize\n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\n\nFunction ParseIntendedPurposes ($ip){\n    $fields = $ip | % {$_.FriendlyName}\n    $res = \"\"\n    if($fields.Count -eq 1) {\n        $res = [string]$fields\n    } else {\n        for($i=0; $i -lt $fields.Count; $i++) { \n            $res += [string]$fields[$i]\n            if($i+1 -lt $fields.Count){ $res += \" , \" }\n        }\n    }\n    return $res\n}\n\n$result = @()\nforeach( $cert in Get-ChildItem -Recurse Cert:) {\n    \n    Try {\n        $issued_to = ([string]$cert.Subject) -replace \"\\\\\",\"\\\\\";\n        $issued_to = ([string]$issued_to) -replace \"`\"\",\"`\\`\"\";\n    } Catch {\n        $issued_to = \"\";\n    }\n    Try {\n        $issued_by = ([string]$cert.Issuer) -replace \"\\\\\",\"\\\\\";\n        $issued_by = ([string]$issued_by) -replace \"`\"\",\"`\\`\"\";\n    } Catch {\n        $issued_by = \"\";\n    }\n    Try {\n        $expiration_date = [string]$cert.NotAfter.Year + \"-\" + [string]$cert.NotAfter.Month + \"-\" + [string]$cert.NotAfter.Day + \" \" + [string]$cert.NotAfter.Hour + \":\" + [string]$cert.NotAfter.Minute + \":\" + [string]$cert.NotAfter.Second;\n    } Catch {\n        $expiration_date = \"-- ::\";\n    }\n    Try {\n        $key_usages = \"\";\n        foreach( $ext in $cert.Extensions) {\n            foreach( $eku in $ext.KeyUsages) {\n                $key_usages += [string]$eku;\n            }\n        }\n    } Catch {\n        $key_usages = \"\";\n    }\n    Try {\n        $enhanced_key_usages = ParseIntendedPurposes(($cert | Select-Object EnhancedKeyUsageList).EnhancedKeyUsageList);\n    } Catch {\n        $enhanced_key_usages = \"\";\n    }\n    Try {\n        $friendly_name = 
([string]$cert.FriendlyName);\n    } Catch {\n        $friendly_name = \"\";\n    }\n\n    if(!(([string]$issued_to -eq \"\") -and ([string]$issued_by -eq \"\") -and ([string]$expiration_date -eq \"-- ::\") -and ([string]$key_usages -eq \"\") -and ([string]$enhanced_key_usages -eq \"\") -and ([string]$friendly_name -eq \"\"))) {\n        $result += \"`\"\" + $issued_to + \"`\",`\"\" + $issued_by + \"`\",`\"\" + $expiration_date + \"`\",`\"\" + $key_usages + \"`\",`\"\" + $enhanced_key_usages + \"`\",`\"\" + $friendly_name + \"`\"\";\n    }\n}\n\nfor($i=0; $i -lt $result.Count; $i++) { \n    [Console]::WriteLine($result[$i]);\n}","arguments":null,"utf8Sensitive":false}],"outputs":[{"name":"issued_to","type":"STRING","byDefault":true,"sequence":0},{"name":"issued_by","type":"STRING","byDefault":true,"sequence":0},{"name":"expiration_date","type":"DATE","byDefault":true,"sequence":0},{"name":"purposes","type":"STRING","byDefault":true,"sequence":0},{"name":"purposes_extended","type":"STRING","byDefault":false,"sequence":0},{"name":"friendly_name","type":"STRING","byDefault":true,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":3,"dbVersion":0,"id":null,"name":"ScheduledTasks","description":"Shows the status of scheduled tasks on endpoints, and also when it is scheduled to run next.","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"linux","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Bash Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"#!/bin/bash\n# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Shows the status of scheduled tasks, and also when it is scheduled to run 
next.\n#\n# Version: 2.0\n\nDIRCRON4USER=\"/var/spool/cron/\";\n\noldIFS=\"$IFS\";\nnewIFS='\n';\nNOW=$(date +\"%F %R\");\n\n\n# Estimate the next run\n# Args: Full Line Task but only uses the first 5 fields, which contain the frequency\nfunction timeCalc(){\n\n        local _fullLine=\"$1\";\n        #Next run\n        local _nextRun=( $(eval \"date +\\\"%M %H %d %m %Y\\\"\") );\n\n        # RAW frequency\n        local _fullMin=$(echo \"$_fullLine\" |  awk '{ print $1}'); # 0-59\n        local _fullHour=$(echo \"$_fullLine\" |  awk '{ print $2}'); # 0-23\n        local _fullDayOfMonth=$(echo \"$_fullLine\" |  awk '{ print $3}'); # 1-31\n        local _fullMonth=$(echo \"$_fullLine\" |  awk '{ print $4}'); # 1-12 or the short name\n        local _fullDayOfWeek=$(echo \"$_fullLine\" |  awk '{ print $5}'); # 0-7 (0=7=Sunday) or the short name\n        #FIX Short month name to Num\n                _fullMont=$(eval \"echo \\\"$_fullMont\\\" | sed  's/jan/1/gI'\");\n                _fullMont=$(eval \"echo \\\"$_fullMont\\\" | sed  's/feb/2/gI'\");\n                _fullMont=$(eval \"echo \\\"$_fullMont\\\" | sed  's/mar/3/gI'\");\n                _fullMont=$(eval \"echo \\\"$_fullMont\\\" | sed  's/Apr/4/gI'\");\n                _fullMont=$(eval \"echo \\\"$_fullMont\\\" | sed  's/may/5/gI'\");\n                _fullMont=$(eval \"echo \\\"$_fullMont\\\" | sed  's/jun/6/gI'\");\n                _fullMont=$(eval \"echo \\\"$_fullMont\\\" | sed  's/jul/7/gI'\");\n                _fullMont=$(eval \"echo \\\"$_fullMont\\\" | sed  's/aug/8/gI'\");\n                _fullMont=$(eval \"echo \\\"$_fullMont\\\" | sed  's/sep/9/gI'\");\n                _fullMont=$(eval \"echo \\\"$_fullMont\\\" | sed  's/oct/10/gI'\");\n                _fullMont=$(eval \"echo \\\"$_fullMont\\\" | sed  's/nov/11/gI'\");\n                _fullMont=$(eval \"echo \\\"$_fullMont\\\" | sed  's/dec/12/gI'\");\n        #FIX Short day name to Num\n        _fullDayOfWeek=$(eval \"echo 
\\\"$_fullDayOfWeek\\\" | sed  's/mon/1/gI'\");\n        _fullDayOfWeek=$(eval \"echo \\\"$_fullDayOfWeek\\\" | sed  's/tue/2/gI'\");\n        _fullDayOfWeek=$(eval \"echo \\\"$_fullDayOfWeek\\\" | sed  's/wed/3/gI'\");\n        _fullDayOfWeek=$(eval \"echo \\\"$_fullDayOfWeek\\\" | sed  's/thu/4/gI'\");\n        _fullDayOfWeek=$(eval \"echo \\\"$_fullDayOfWeek\\\" | sed  's/fri/5/gI'\");\n        _fullDayOfWeek=$(eval \"echo \\\"$_fullDayOfWeek\\\" | sed  's/sat/6/gI'\");\n        _fullDayOfWeek=$(eval \"echo \\\"$_fullDayOfWeek\\\" | sed  's/sun/7/gI'\");\n\n        # '-------Minutes---------'\n\n        local MIN;\n        local MIN_FINAL;\n        # build the possibilities\n        # Min\n        if [[ \"$_fullMin\" == \"*\" ]]\n        then\n                for i in $(seq 1 60)\n                do\n                        MIN_FINAL[$i-1]=$i\n                done\n        else\n                IFS=',';\n                local arrayRAWMin=( $_fullMin );\n                IFS=\"$oldIFS\";\n                for (( j=0; j<${#arrayRAWMin[@]}; j=j+1 ))\n                do\n                        #set jump\n                        local jump=1\n                        if [[ ${arrayRAWMin[j]} =~ \\/[0-9]+$ ]]\n                        then\n                                jump=$(eval \"echo \\\"${arrayRAWMin[j]}\\\" | grep -o -E [0-9]+$ \");\n                        fi\n\n                        # Interval time\n                        if [[ ${arrayRAWMin[j]} =~  ^[0-9]+-[0-9]+ ]];\n                        then\n                                local _min=$(eval \"echo \\\"${arrayRAWMin[j]}\\\" | grep -o -E ^[0-9]+ \");\n                                local _max=$(eval \"echo \\\"${arrayRAWMin[j]}\\\" | grep -o -E '\\-[0-9]+'\");\n                                _max=${_max#-};\n\n                                MIN+=($_min);\n                                local k=${#MIN[@]};\n                                local tmp1=$((${MIN[k-1]} + $jump));\n\n                       
         while [ \"$(($tmp1 + $jump))\" -le \"$_max\" ]\n                                do\n                                        tmp1=$((${MIN[k-1]} + $jump));\n                                        k=$k+1;\n                                        MIN+=($tmp1);\n\n                                done\n                        # every X time\n                        elif [[ ${arrayRAWMin[j]} =~  ^\\*\\/[0-9]+$ ]];\n                        then\n                                local _min=0;\n                                local _max=59;\n                                MIN+=($_min);\n                                local k=${#MIN[@]};\n                                local tmp1=$((${MIN[k-1]} + $jump));\n\n                                while [ \"$(($tmp1 + $jump))\" -le \"$_max\" ]\n                                do\n                                        tmp1=$((${MIN[k-1]} + $jump));\n                                        k=$k+1;\n                                        MIN+=($tmp1);\n\n                                done\n                        elif [[ ${arrayRAWMin[j]} =~  ^[0-9]+$ ]];\n                        then\n                                MIN+=(${arrayRAWMin[j]});\n                        else\n                                echo \"error ${arrayRAWMin[j]}\";\n                        fi\n\n                done\n                MIN_FINAL=( $(for (( j=0; j<${#MIN[@]}; j=j+1 ));\n                do\n                        echo ${MIN[j]}\n                done | sort -g) )\n        fi\n\n        # '---------Hours---------'\n\n        local HOUR;\n        local HOUR_FINAL;\n        # build the possibilities\n        if [[ \"$_fullHour\" == \"*\" ]];then\n                for i in $(seq 0 23)\n                do\n                        HOUR_FINAL[$i]=$i;\n                done\n        else\n                IFS=',';\n                local arrayRAWHour=( $_fullHour );\n                IFS=\"$oldIFS\";\n                for (( j=0; 
j<${#arrayRAWHour[@]}; j=j+1 ))\n                do\n                        local jump=1;\n                        if [[ ${arrayRAWHour[j]} =~ \\/[0-9]+$ ]];\n                        then\n                                jump=$(eval \"echo \\\"${arrayRAWHour[j]}\\\" | grep -o -E [0-9]+$ \");\n                        fi\n\n                        # Interval time\n                        if [[ ${arrayRAWHour[j]} =~  ^[0-9]+-[0-9]+ ]]; then\n                                local _min=$(eval \"echo \\\"${arrayRAWHour[j]}\\\" | grep -o -E ^[0-9]+ \");\n                                local _max=$(eval \"echo \\\"${arrayRAWHour[j]}\\\" | grep -o -E '\\-[0-9]+'\");\n                                _max=${_max#-};\n                                HOUR+=($_min);\n                                local k=${#HOUR[@]};\n                                local tmp1=$((${HOUR[k-1]} + $jump));\n\n                                while [ \"$(($tmp1 + $jump))\" -le \"$_max\" ]\n                                do\n                                        tmp1=$((${HOUR[k-1]} + $jump));\n                                        k=$k+1;\n                                        HOUR+=($tmp1);\n                                done\n                        # every X time\n                        elif [[ ${arrayRAWHour[j]} =~  ^\\*\\/[0-9]+$ ]]; then\n                                local _min=0;\n                                local _max=23;\n                                HOUR+=($_min);\n                                local k=${#HOUR[@]};\n                                local tmp1=$((${HOUR[k-1]} + $jump));\n\n                                while [ \"$(($tmp1 + $jump))\" -le \"$_max\" ]\n                                do\n                                        tmp1=$((${HOUR[k-1]} + $jump));\n                                        k=$k+1;\n                                        HOUR+=($tmp1);\n                                done\n                        elif [[ ${arrayRAWHour[j]} 
=~  ^[0-9]+$ ]]\n                        then\n                                HOUR+=(${arrayRAWHour[j]});\n                        else\n                                echo \"error ${arrayRAWHour[j]}\";\n\n                        fi\n\n                done\n                HOUR_FINAL=( $(for (( j=0; j<${#HOUR[@]}; j=j+1 ))\n                do\n                        echo ${HOUR[j]}\n                done | sort -g) )\n        fi\n\n        # '---------DAY-----------'\n\n        local DAY_OM;\n        local DAY_OM_FINAL;\n        # build the possibilities\n        if [[ \"$_fullDayOfMonth\" == \"*\" ]]\n        then\n                for i in $(seq 1 31)\n                do\n                        DAY_OM_FINAL[$i-1]=$i;\n                done\n        else\n                IFS=',';\n                local arrayRAWDayOfMonth=( $_fullDayOfMonth );\n                IFS=\"$oldIFS\";\n                for (( j=0; j<${#arrayRAWDayOfMonth[@]}; j=j+1 ))\n                do\n                        local jump=1;\n                        if [[ ${arrayRAWDayOfMonth[j]} =~ \\/[0-9]+$ ]]\n                        then\n                                jump=$(eval \"echo \\\"${arrayRAWDayOfMonth[j]}\\\" | grep -o -E [0-9]+$ \");\n                        fi\n                        # Interval time\n                        if [[ ${arrayRAWDayOfMonth[j]} =~  ^[0-9]+-[0-9]+ ]];\n                        then\n                                local _min=$(eval \"echo \\\"${arrayRAWDayOfMonth[j]}\\\" | grep -o -E ^[0-9]+ \");\n                                local _max=$(eval \"echo \\\"${arrayRAWDayOfMonth[j]}\\\" | grep -o -E '\\-[0-9]+'\");\n                                _max=${_max#-};\n                                DAY_OM+=($_min);\n                                local k=${#DAY_OM[@]};\n                                local tmp1=$((${DAY_OM[k-1]} + $jump));\n\n                                while [ \"$(($tmp1 + $jump))\" -le \"$_max\" ]\n                                do\n       
                                 tmp1=$((${DAY_OM[k-1]} + $jump));\n                                        k=$k+1;\n                                        DAY_OM+=($tmp1);\n                                done\n                        # every X time\n                        elif [[ ${arrayRAWDayOfMonth[j]} =~  ^\\*\\/[0-9]+$ ]]\n                        then\n                                local _min=0;\n                                local _max=31;\n                                DAY_OM+=($_min);\n                                local k=${#DAY_OM[@]};\n                                local tmp1=$((${DAY_OM[k-1]} + $jump));\n\n                                while [ \"$(($tmp1 + $jump))\" -le \"$_max\" ]\n                                do\n                                        tmp1=$((${DAY_OM[k-1]} + $jump));\n                                        k=$k+1;\n                                        DAY_OM+=($tmp1);\n                                done\n                        elif [[ ${arrayRAWDayOfMonth[j]} =~  ^[0-9]+$ ]];\n                        then\n                                DAY_OM+=(${arrayRAWDayOfMonth[j]});\n                        else\n                                echo \"error ${arrayRAWDayOfMonth[j]}\";\n                        fi\n\n                done\n                DAY_OM_FINAL=( $(for (( j=0; j<${#DAY_OM[@]}; j=j+1 ))\n                do\n                        echo ${DAY_OM[j]}\n                done | sort -g) )\n        fi\n\n        # '---------MONTH---------'\n        local MONTH;\n        local MONTH_FINAL;\n\n        # build the possibilities\n        if [[ \"$_fullMonth\" == \"*\" ]];then\n                for i in $(seq 1 12)\n                do\n                        MONTH_FINAL[$i-1]=$i;\n                done\n        else\n                IFS=',';\n                local arrayRAWMonth=( $_fullMonth );\n                IFS=\"$oldIFS\";\n                for (( j=0; j<${#arrayRAWMonth[@]}; j=j+1 ))\n                do\n  
                      local jump=1;\n                        if [[ ${arrayRAWMonth[j]} =~ \\/[0-9]+$ ]];\n                        then\n                                jump=$(eval \"echo \\\"${arrayRAWMonth[j]}\\\" | grep -o -E [0-9]+$ \");\n                        fi\n\n                        # Interval time\n                        if [[ ${arrayRAWMonth[j]} =~  ^[0-9]+-[0-9]+ ]];\n                        then\n                                local _min=$(eval \"echo \\\"${arrayRAWMonth[j]}\\\" | grep -o -E ^[0-9]+ \");\n                                local _max=$(eval \"echo \\\"${arrayRAWMonth[j]}\\\" | grep -o -E '\\-[0-9]+'\");\n                                _max=${_max#-};\n                                MONTH+=($_min);\n                                local k=${#MONTH[@]};\n                                local tmp1=$((${MONTH[k-1]} + $jump));\n\n                                while [ \"$(($tmp1 + $jump))\" -le \"$_max\" ]\n                                do\n                                        tmp1=$((${MONTH[k-1]} + $jump));\n                                        k=$k+1;\n                                        MONTH+=($tmp1);\n\n                                done\n                        # every X time\n                        elif [[ ${arrayRAWMonth[j]} =~  ^\\*\\/[0-9]+$ ]]; then\n                                local _min=1;\n                                local _max=12;\n                                MONTH+=($_min);\n                                local k=${#MONTH[@]};\n                                local tmp1=$((${MONTH[k-1]} + $jump));\n\n                                while [ \"$(($tmp1 + $jump))\" -le \"$_max\" ]\n                                do\n                                        tmp1=$((${MONTH[k-1]} + $jump));\n                                        k=$k+1;\n                                        MONTH+=($tmp1);\n\n                                done\n                        elif [[ ${arrayRAWMonth[j]} =~  
^[0-9]+$ ]];\n                        then\n                                MONTH+=(${arrayRAWMonth[j]});\n                        else\n                                echo \"error ${arrayRAWMonth[j]}\"\n\n                        fi\n\n                done\n                MONTH_FINAL=( $(for (( j=0; j<${#MONTH[@]}; j=j+1 ))\n                do\n                        echo ${MONTH[j]}\n                done | sort -g) )\n        fi\n\n        # '-------Day Of Week-----'\n\n        local DayOfWeek;\n        local DayOfWeek_FINAL;\n        # build the possibilities\n        # DayOfWeek\n        if [[ \"$_fullDayOfWeek\" == \"*\" ]]\n        then\n\n                for i in $(seq 1 7)\n                do\n                        DayOfWeek_FINAL[$i-1]=$i\n                done\n        else\n                IFS=',';\n                local arrayRAWDayOfWeek=( $_fullDayOfWeek );\n                IFS=\"$oldIFS\";\n                for (( j=0; j<${#arrayRAWDayOfWeek[@]}; j=j+1 ))\n                do\n                        #set jump\n                        local jump=1\n                        if [[ ${arrayRAWDayOfWeek[j]} =~ \\/[0-9]+$ ]]\n                        then\n                                jump=$(eval \"echo \\\"${arrayRAWDayOfWeek[j]}\\\" | grep -o -E [0-9]+$ \");\n                        fi\n\n                        # Interval time\n                        if [[ ${arrayRAWDayOfWeek[j]} =~  ^[0-9]+-[0-9]+ ]];\n                        then\n                                local _min=$(eval \"echo \\\"${arrayRAWDayOfWeek[j]}\\\" | grep -o -E ^[0-9]+ \");\n                                local _max=$(eval \"echo \\\"${arrayRAWDayOfWeek[j]}\\\" | grep -o -E '\\-[0-9]+'\");\n                                _max=${_max#-};\n\n                                DayOfWeek+=($_min);\n                                local k=${#DayOfWeek[@]};\n                                local tmp1=$((${DayOfWeek[k-1]} + $jump));\n\n                                while [ \"$(($tmp1 + 
$jump))\" -le \"$_max\" ]\n                                do\n                                        tmp1=$((${DayOfWeek[k-1]} + $jump));\n                                        k=$k+1;\n                                        DayOfWeek+=($tmp1);\n\n                                done\n                        # every X time\n                        elif [[ ${arrayRAWDayOfWeek[j]} =~  ^\\*\\/[0-9]+$ ]];\n                        then\n                                local _min=0;\n                                local _max=7;\n                                DayOfWeek+=($_min);\n                                local k=${#DayOfWeek[@]};\n                                local tmp1=$((${DayOfWeek[k-1]} + $jump));\n\n                                while [ \"$(($tmp1 + $jump))\" -le \"$_max\" ]\n                                do\n                                        tmp1=$((${DayOfWeek[k-1]} + $jump));\n                                        k=$k+1;\n                                        DayOfWeek+=($tmp1);\n\n                                done\n                        elif [[ ${arrayRAWDayOfWeek[j]} =~  ^[0-9]+$ ]];\n                        then\n                                DayOfWeek+=(${arrayRAWDayOfWeek[j]});\n                        else\n                                echo \"error ${arrayRAWDayOfWeek[j]}\";\n                        fi\n\n                done\n                DayOfWeek_FINAL=( $(for (( j=0; j<${#DayOfWeek[@]}; j=j+1 ));\n                do\n                        if [[ ${DayOfWeek[j]} -eq 0 ]]; then\n                                echo 7\n                        else\n                                echo ${DayOfWeek[j]}\n                        fi\n\n                done | sort -g) )\n        fi\n\n        # Calc the next run\n        # - Year\n        for year in $(eval \"seq ${_nextRun[4]} 2035\");do\n                # - Month\n                _nextRun[4]=$year\n                for ((mo=0; mo < ${#MONTH_FINAL[@]};mo=mo+1))\n     
           do\n                        if [[ ${MONTH_FINAL[mo]#0} -ge ${_nextRun[3]#0} ]]; then\n                                #Fix not current month\n                                if [[ ${MONTH_FINAL[mo]#0} -ne ${_nextRun[3]#0} ]]; then\n                                        _nextRun[2]=1; # Day 1\n                                        _nextRun[1]=0; # 0 Hours\n                                        _nextRun[0]=0; # 0 Minutes\n                                fi\n                                _nextRun[3]=${MONTH_FINAL[mo]}\n                                # - Day of month\n                                for ((dom=0; dom < ${#DAY_OM_FINAL[@]};dom=dom+1)); do\n                                        if [[ ${DAY_OM_FINAL[dom]#0} -ge ${_nextRun[2]#0} ]]; then\n                                                #Fix not current day\n                                                if [[ ${DAY_OM_FINAL[dom]#0} -ne ${_nextRun[2]#0} ]]; then\n                                                        _nextRun[1]=0; # 0 Hours\n                                                        _nextRun[0]=0; # 0 Minutes\n                                                fi\n                                                _nextRun[2]=${DAY_OM_FINAL[dom]}\n                                                # - Day of week\n                                                for ((dow=0; dow < ${#DayOfWeek_FINAL[@]};dow=dow+1)); do\n                                                        if [[ ${DayOfWeek_FINAL[dow]#0} -eq $(eval \"date --date \\\"${_nextRun[4]}-${_nextRun[3]}-${_nextRun[2]}\\\" +\\\"%u\\\" 2>/dev/null \") ]];then\n                                                                # - Hour\n                                                                for ((hour=0; hour < ${#HOUR_FINAL[@]};hour=hour+1)); do\n                                                                        if [[ ${HOUR_FINAL[hour]#0} -ge ${_nextRun[1]#0} ]];then\n                                          
                                      #Fix not current hour\n                                                                                if [[ ${HOUR_FINAL[hour]#0} -ne ${_nextRun[1]#0} ]]; then\n                                                                                        _nextRun[0]=0; # 0 Minutes\n                                                                                fi\n                                                                                _nextRun[1]=${HOUR_FINAL[hour]}\n                                                                                # - Minutes\n                                                                                for ((min=0; min < ${#MIN_FINAL[@]};min=min+1)); do\n                                                                                        if [[ ${MIN_FINAL[min]#0} -ge ${_nextRun[0]#0} ]];then\n                                                                                                _nextRun[0]=${MIN_FINAL[min]}\n                                                                                                break 6\n                                                                                        fi\n                                                                                done\n                                                                                _nextRun[0]=0; # 0 Minutes\n                                                                        fi\n                                                                done\n                                                                _nextRun[1]=0; # 0 Hours\n                                                                _nextRun[0]=0; # 0 Minutes\n                                                                # Not today, change day of month, not day of week\n                                                                continue 2\n                                                        fi\n                    
                            done\n                                                _nextRun[1]=0; # 0 Hours\n                                                _nextRun[0]=0; # 0 Minutes\n                                        fi\n                                done\n                                # Go next Month\n                                _nextRun[2]=1; # Day 1\n                                _nextRun[1]=0; # 0 Hours\n                                _nextRun[0]=0; # 0 Minutes\n                        fi\n                done\n                # Go next year\n                _nextRun[3]=1; # Jan\n                _nextRun[2]=1; # Day 1\n                _nextRun[1]=0; # 0 Hours\n                _nextRun[0]=0; # 0 Minutes\n        done\n        echo $(eval \"date --date \\\"${_nextRun[4]}-${_nextRun[3]}-${_nextRun[2]} ${_nextRun[1]}:${_nextRun[0]}:00\\\" +\\\"%F %T\\\"\")\n\n}\n\n# Processes a task\n# Args: Full Line Task, User\n# Return: LastRunning, Task, User\n# NOTE(review): the crontab line (and, further down, the user and task text) is interpolated into strings passed to eval, so shell syntax in a crontab entry is evaluated by this script; crontab content should be treated as untrusted input here.\nfunction processATask(){\n        local _lineTask=$1\n        local _user=$2\n        local _trigger=\"\"\n        local _task;\n        local _nextR;\n        #Fix var op\n        \n        _trigger=$(eval \"echo \\\"${_lineTask}\\\" | egrep -o '^@(\\w)*' \")\n        if [[ \"$_trigger\" == \"\"  ]]; then\n            _trigger=\"time\"\n        fi\n        _lineTask=${_lineTask/@yearly/0 0 1 1 *}\n        _lineTask=${_lineTask/@daily/0 0 * * *}\n        _lineTask=${_lineTask/@hourly/0 * * * *}\n\n        if [[ \"$_lineTask\" =~ ^@reboot  ]]\n        then\n                _trigger=\"boot\"\n                _task=$(echo \"$_lineTask\" | awk '{$1=\"\"; print}' | sed -r \"s/^(\\s|\\\\t)*($_user)*//g\" | sed \"s/^[[:space:]]*//\" | sed \"s/[[:space:]]*$//\");\n        else\n                _task=$(echo \"$_lineTask\" | awk '{$1=$2=$3=$4=$5=\"\"; print}' | sed -r \"s/^(\\s|\\\\t)*($_user)*//g\" | sed \"s/^[[:space:]]*//\" | sed \"s/[[:space:]]*$//\")\n                 _nextR=$(timeCalc \"$_lineTask\")\n       
 fi\n\n        local _lastRunning='tac /var/log/cron 2>/dev/null | grep -i -E '\"\\\"\\($_user\\)+(.)+($_task)\\\" 2>/dev/null | head -n 1 2>/dev/null\"\n        _lastRunning=$(eval \"$_lastRunning\")\n        if [[ \"$_lastRunning\" != \"\"  ]]\n        then\n                _lastRunning=$(echo \"$_lastRunning\" | awk '{print $1\" \"$2\" \"$3}')\n                _lastRunning=$(eval \"date --date '$_lastRunning' +\\\"%F %T\\\"\" )\n        fi\n\n        _trigger=${_trigger#@}\n        _trigger=$(eval \"awk '{print tolower(\\$0)}' 2>/dev/null <<< \\\"$_trigger\\\"\")\n        echo \"\\\"\\\",\\\"\\\",\\\"$_nextR\\\",\\\"$_lastRunning\\\",\\\"Ready\\\",\\\"$_task\\\",\\\"$_user\\\",\\\"${_trigger^}\\\",\\\"\\\"\"\n\n}\n\n\n#Cron for users\nfor cronFile in $(find $DIRCRON4USER -maxdepth 1 -type f)\ndo\n        if [ -r \"$cronFile\" ]\n        then\n                #Get user\n                USER=${cronFile/$DIRCRON4USER/}\n\n                #Get array Task\n                ALLSTASK4USER=$(egrep -v \"(^(\\w)+=|^#|^[[:space:]]*$)\" \"$cronFile\")\n                IFS=${newIFS:0:1}\n                ARRAYTASK4USER=( $ALLSTASK4USER )\n                IFS=\"$oldIFS\"\n\n                for (( i=0; i<${#ARRAYTASK4USER[*]}; i=i+1 ))\n                do\n                        processATask \"${ARRAYTASK4USER[i]}\" \"$USER\"\n                done\n\n        fi\n\ndone\n\nSYSTEMTASK=$(cat /etc/cron.d/* | egrep -v \"(^(\\w)+=|^#|^[[:space:]]*$)\");\nIFS=${newIFS:0:1};\nARRAYSYSTASK=( $SYSTEMTASK );\nIFS=\"$oldIFS\";\n\nfor (( i=0; i<${#ARRAYSYSTASK[@]}; i=i+1 ))\ndo\n        USER=$(echo \"${ARRAYSYSTASK[i]}\" |  awk '{ print $6}')\n        processATask \"${ARRAYSYSTASK[i]}\" \"$USER\"\ndone\n","arguments":null,"utf8Sensitive":false},{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Execute PowerShell 
Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Shows the status of scheduled tasks on Windows endpoints, and also when it is scheduled to run next.\n#\n# Version: 2.0\n\n# resize PS buffer size in order to avoid undesired line endings or trims in the output\n$pshost = get-host\n$pswindow = $pshost.ui.rawui\n$newsize = $pswindow.buffersize\n$newsize.height = 3000\n$newsize.width = 3000\n$pswindow.buffersize = $newsize\n\n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\n$Schedule = New-Object -ComObject \"Schedule.Service\"\ntry{\n\t$Schedule.Connect($Computer) | Out-Null\n} catch {}\n\n$ArrayFolders=@();\n$Folders = schtasks | Select-String 'Folder: ';\nforeach ($Folder in $Folders){\n\t$folder=$Folder -replace '^Folder: ','';\n\t$ArrayFolders+= $folder;\n}\n\nforeach ($folder in $ArrayFolders){\n\t$taskFolder = $Schedule.GetFolder($folder)\n\t$tasks=$taskFolder.GetTasks(1); \n\tforeach ($task in $tasks){\n            Try{\n                $userid= $task.Definition.Principal.UserId -replace \"\\\\\",\"/\"; \n            }\n            Catch{\n                $userid=\"\"\n            }\n\t\t\t$statusCode=$task.State\n\t\t\t$actions= $task.Definition.Actions;\n            \n\t\t\tforeach($action in $actions){\n\t\t\t\t$taskRun=('\"'+$action.Path + \" \" + $action.Arguments+'\"')\n\t\t\t}\n            $triggersXml=@($task.Definition.Triggers);\n            $triggersArray=@();\n            foreach($triggerXml in $triggersXml){\n                $triggerValue =  switch ($triggerXml.Type) {\n                    0{'Event'}\n                    1{'Time'}\n                    2{'Daily'}\n                    3{'Weekly'}\n                    
4{'Monthly'}\n                    5{'Monthlydow'}\n                    6{'Idle'}\n                    7{'Registration'}\n                    8{'Boot'}\n                    9{'Log On'}\n                    11{'On Session State Change'}\n                }\n                if ((-not ($triggersArray -Contains $triggerValue))){\n                    $triggersArray+=$triggerValue;\n                }\n            }\n            $triggers='\"';\n            for($i=0; $i -lt $triggersArray.Count;$i++){\n                if($i -lt ($triggersArray.Count-1)){\n                    $triggers=$triggers+$triggersArray[$i]+\", \";\n                }\n                else{\n                    $triggers=$triggers+$triggersArray[$i];\n                }\n            }\n            $triggers=$triggers+'\"';\n\n            \n\t\t\t$status = switch ($statusCode) {\n\t\t\t\t\t0 {'Unknown'}\n\t\t\t\t\t1 {'Disabled'}\n\t\t\t\t\t2 {'Queued'}\n\t\t\t\t\t3 {'Ready'}\n\t\t\t\t\t4 {'Running'}\n\t\t\t }\n\t\t\t$nextRun=\"\";\n            $lastRun=\"\"\n\t\t\tif($task.nextruntime -gt [datetime]\"1/1/1980\"){\n\t\t\t\t$nextRun=($task.nextruntime).ToString(\"yyyy-MM-dd HH:mm:ss\");\n\t\t\t}\n            if($task.lastruntime -gt [datetime]\"1/1/1980\"){ \n\t\t\t\t$lastRun=($task.lastruntime).ToString(\"yyyy-MM-dd HH:mm:ss\");\n\t\t\t}\n            \n            $logOnTypeCode= $task.Definition.Principal.LogOnType\n            $logOnType = switch ($logOnTypeCode) {\n\t\t\t\t\t0 {'None'}\n\t\t\t\t\t1 {'Password'}\n\t\t\t\t\t2 {'S4U'}\n\t\t\t\t\t3 {'InteractiveToken'}\n\t\t\t\t\t4 {'Group'}\n                    5 {'ServiceAccount'}\n                    6 {'InteractiveToken or Password'}\n\t\t\t }\n            \n           [Console]::WriteLine(($folder -replace \"\\\\\",\"/\")+\",\"+$task.Name+\",\"+$nextRun+\",\"+$lastRun+\",\"+$status+\",\"+($taskRun -replace \"\\\\\",\"/\")+\",\"+$userid+\",\"+$triggers+\",\"+ 
$logOnType);\n\t}\n}","arguments":null,"utf8Sensitive":false}],"outputs":[{"name":"folder","type":"STRING","byDefault":true,"sequence":0},{"name":"taskname","type":"STRING","byDefault":true,"sequence":0},{"name":"next_run_time","type":"DATE","byDefault":true,"sequence":0},{"name":"last_run","type":"DATE","byDefault":true,"sequence":0},{"name":"status","type":"STRING","byDefault":true,"sequence":0},{"name":"taskrun","type":"STRING","byDefault":true,"sequence":0},{"name":"username","type":"STRING","byDefault":true,"sequence":0},{"name":"schedule_on","type":"STRING","byDefault":true,"sequence":0},{"name":"logon_type","type":"STRING","byDefault":true,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"},{"item":{"catalogVersion":1,"dbVersion":0,"id":null,"name":"DisksAndPartitions","description":"Shows information about installed disks and their associated partitions","type":"BUILTIN","contents":[{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"linux","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Bash Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"#!/bin/bash\n# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Shows information about disks and partitions\n#\n# Version: 1.0\n\nRAWdata=$(echo -e \"print all\\nquit\\n\" | parted);\n_df=$(df -h 2>/dev/null)\n_blkid=$(blkid -o full -s TYPE 2>/dev/null )\n_procPart=$(cat /proc/partitions)\n\ndiskArray[0]='NoDisk';\nND=0;\noldIFS=$IFS\nnewIFS='\n'\n\n# Separate disk\nwhile IFS= read -r line\ndo\n        if [[ \"$line\"  =~ (^Model:)+[[:space:]]* ]]; then\n                ND=$((ND+1));\n        fi\n        diskArray[ND]=\"${diskArray[ND]}\\n$line\";\ndone <<< \"$RAWdata\"\n\nIFS=$oldIFS;\n\nfor 
(( i=1; i < ${#diskArray[@]} ; i++))\ndo\n        # Disk info\n        # i: physical disk number\n        # Device Model\n        _DeviaceModel=$(eval \"echo -e \\\"${diskArray[i]}\\\" 2>/dev/null | egrep  ^Model 2>/dev/null\")\n        _DeviaceModel=$(eval \"sed -r 's/(^Model:)+[[:space:]]*//i' 2>/dev/null <<< \\\"$_DeviaceModel\\\" \")\n\n        # Device location and Size\n        _DevLocSize=$(eval \"echo -e \\\"${diskArray[i]}\\\" 2>/dev/null | egrep  ^Disk[[:space:]]*/dev 2>/dev/null\")\n        _DevLocSize=$(eval \"sed -r 's/(^Disk)+[[:space:]]*//i' 2>/dev/null <<< \\\"$_DevLocSize\\\" \")\n        _DevLoc=$(eval \"sed -r 's/(:)+(.)*//i' 2>/dev/null <<< \\\"$_DevLocSize\\\" \")\n        _DevLoc=$(eval \"sed -r 's/[[:space:]]*$//i' 2>/dev/null <<< \\\"$_DevLoc\\\" \")\n        _DevSize=$(eval \"sed -r 's/(.)+:[[:space:]]//i' 2>/dev/null <<< \\\"$_DevLocSize\\\" \")\n\n        #\n        _DevSectorSize=$(eval \"echo -e \\\"${diskArray[i]}\\\" 2>/dev/null | egrep  ^Sector\\\\ size\\\\ .logical.physical.: 2>/dev/null\")\n        _DevSectorSize=$(eval \"sed -r 's/^Sector\\\\ size\\\\ .logical.physical.:[[:space:]]*//i' 2>/dev/null <<< \\\"$_DevSectorSize\\\" \")\n\n\tIFS=\"/\"\n \t_sectors=( $_DevSectorSize )\n\tIFS=$oldIFS\n        # Partition Table\n        _DevPartitionTable=$(eval \"echo -e \\\"${diskArray[i]}\\\" 2>/dev/null | egrep  ^Partition\\\\ Table:[[:space:]]* 2>/dev/null\")\n        _DevPartitionTable=$(eval \"sed -r 's/(^Partition Table:)+[[:space:]]*//i' 2>/dev/null <<< \\\"$_DevPartitionTable\\\" \")\n\n        # Disk Flags\n        _DevFlags=$(eval \"echo -e \\\"${diskArray[i]}\\\" 2>/dev/null | egrep  ^Disk\\\\ Flags:[[:space:]]* 2>/dev/null\")\n        _DevFlags=$(eval \"sed -r 's/(^Disk\\\\ Flags:)+[[:space:]]*//i' 2>/dev/null <<< \\\"$_DevFlags\\\" \")\n\n        # Disk Info\n        # - Partitions info\n\n        _PartitionRaw=$(eval \"echo -e \\\"${diskArray[i]}\\\" 2>/dev/null | egrep  ^[[:space:]]+[0-9]+ 2>/dev/null \")\n\n        
IFS=$newIFS\n        _arrayPartition=($_PartitionRaw)\n        IFS=$oldIFS\n\t\n\t_blkid=${_blkid//\\\"/}\n        _blkid=${_blkid//:/}\n\t_blkid=${_blkid//TYPE=/}\n\n\t# Parse flags of partition\n\t_infoCol=$(eval \"echo -e \\\"${diskArray[i]}\\\" 2>/dev/null | egrep -B1 ^[[:space:]]+[0-9]+ 2>/dev/null | head -n 1 2>/dev/null\")\n\t_nameFlagCol=$(eval echo $_infoCol | awk '{print $NF}' 2>/dev/null)\n\t_posFlagCol=$(eval grep -b -o $_nameFlagCol  <<< \"$_infoCol\" 2>/dev/null | egrep -o ^[0-9]+ 2>/dev/null)\n\t\n\n        for partNum in \"${!_arrayPartition[@]}\"\n        do\n\n        _partNumOnDev=$(eval \"awk '{print \\$1}' <<< \\\"${_arrayPartition[partNum]}\\\"\")\n\t\t_partMountPoint=$(eval \"echo \\\"$_df\\\" | egrep $_DevLoc$_partNumOnDev 2>/dev/null\" | awk '{print $NF}' 2>/dev/null )\n\t\t_partSize=$(echo \"${_arrayPartition[partNum]}\" | awk '{print $4}')\n\t\t_partFree=$(eval \"echo \\\"$_df\\\" | egrep $_DevLoc$_partNumOnDev 2>/dev/null\" | awk '{print $4}' 2>/dev/null )\n\t\t_fs=$(eval egrep ^$_DevLoc$_partNumOnDev <<< \"$_blkid\" 2>/dev/null | awk '{print $2}' 2>/dev/null)\n\t\t_partFlags=${_arrayPartition[partNum]:$_posFlagCol-1}\n\t\t\n\t\t#Disk, Model, disk size, Logical sector, Physical sector, virtual loc, disk flags\n\t\tcolpDisk=\"\\\"Disk #$i\\\",\\\"$_DeviaceModel\\\",\\\"$_DevSize\\\",\\\"${_sectors[0]}\\\",\\\"${_sectors[1]}\\\",\\\"$_DevLoc\\\",\\\"$_DevFlags\\\"\"\n\t\t#Partition, Volume (Only if Mounted), Part Size, Part Free (Only if mounted), file system, part type, part flags\n\t\tcolpPart=\"\\\"Partition #$_partNumOnDev\\\",\\\"$_partMountPoint\\\",\\\"$_partSize\\\",\\\"$_partFree\\\",\\\"$_fs\\\",\\\"\\\",\\\"$_partFlags\\\"\"\n\t\techo \"$colpDisk,$colpPart\"\n\n        done\ndone\n\n","arguments":null,"utf8Sensitive":false},{"platform":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"windows","topic":null},"capability":{"catalogVersion":0,"dbVersion":0,"id":null,"name":"Execute PowerShell 
Script","description":null,"module":null,"function":null,"contentEnabled":false,"arguments":null,"outputs":null,"formatArgs":null,"format":null,"platforms":null,"platformSettings":null,"itemType":null,"catalogItems":null},"content":"# Copyright (C) 2016 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com\n#\n# Purpose: Shows information about disks and partitions\n#\n# Version: 1.0\n$pshost = get-host\n$pswindow = $pshost.ui.rawui\n$newsize = $pswindow.buffersize\n$newsize.height = 3000\n$newsize.width = 3000\n$pswindow.buffersize = $newsize\n\n[Console]::OutputEncoding = [System.Text.Encoding]::UTF8\n$disks= Get-WmiObject Win32_DiskDrive;\n$output=@();\nforeach ($disk in $disks){\n    \n    $model=$disk.Model;\n    $interfaceType=$disk.InterfaceType;\n    $mediaType=$disk.MediaType;\n    $diskPath=$disk.__PATH;\n    $diskSizeInMB=$disk.Size/1048576;\n    $diskSizeInMB= [math]::round($diskSizeInMB,2);\n    $queryString=\"ASSOCIATORS OF {Win32_DiskDrive.DeviceID='\"+$disk.DeviceID+\"'} WHERE AssocClass=Win32_DiskDriveToDiskPartition\"\n    $partitions= Get-WMIObject -Query $queryString\n    foreach ($partition in $partitions){\n        $qString=\"ASSOCIATORS OF {Win32_DiskPartition.DeviceID='\"+$partition.DeviceID+\"'} WHERE AssocClass=Win32_LogicalDiskToPartition\"\n        $logicaldisk= Get-WMIObject -Query $qString;\n        $partitionSizeInMB=$partition.Size/1048576;\n        $partitionSizeInMB= [math]::round($partitionSizeInMB,1);\n        if($logicaldisk){\n            $freeSpaceInMB=($logicaldisk.FreeSpace/1048576);\n            $freeSpaceInMB= [math]::round($freeSpaceInMB,2);\n        }\n        $diskNumber= $partition.Name.split(\",\")[0];\n        $partitionNumber= $partition.Name.split(\",\")[1];\n        $part_flags=\"\";\n        if($partition.BootPartition -and $partition.PrimaryPartition){\n            $part_flags='\"'+\"boot, primary\"+'\"';\n        }\n        elseif($partition.BootPartition){\n 
           $part_flags=\"boot\";\n        }\n        elseif($partition.PrimaryPartition){\n            $part_flags=\"primary\";\n        }\n        \n        if($logicaldisk.FileSystem -like \"ntfs\" -and $logicaldisk.DeviceID){\n            $ntfsinfo= (fsutil fsinfo ntfsinfo $logicaldisk.DeviceID) | select-string \"Bytes Per Cluster\";\n            $logical_sector= ($ntfsinfo.ToString().Split(\"   \")[-1])+\" B\";\n        }\n        $a = New-Object System.Globalization.CultureInfo(\"en-US\")\n        $partitionSize=$partitionSizeInMB.ToString(\"f\",$a)+\" MB\";\n        if($freeSpaceInMB){\n            $partitionFreespace=$freeSpaceInMB.ToString(\"f\",$a)+\" MB\";\n        }\n        \n        [Console]::WriteLine($diskNumber+\",\"+$model+\",\"+$diskSizeInMB+\" MB,\"+$logical_sector+\",\"+$disk.BytesPerSector+\" B,\"+\"\"+\",\"+\"\"+\",\"+$partitionNumber+\",\"+$logicaldisk.DeviceID+\",\"+$partitionSize+\",\"+$partitionFreespace+\",\"+$logicaldisk.FileSystem+\",\"+$mediaType+\",\"+$part_flags);\n        #[Console]::WriteLine($logicaldisk.DeviceID+\",\"+$logicaldisk.FileSystem+\",\"+$diskSizeInMB+\" MB,\"+$partition.Name+\",\"+$partitionSizeInMB+\" MB,\"+$freeSpaceInMB+\" MB,\"+$partition.BootPartition+\",\"+$mediaType+\",\"+$interfaceType+\",\"+$model+\",\"+$disk.BytesPerSector)\n\n    
}\n}","arguments":null,"utf8Sensitive":false}],"outputs":[{"name":"disk","type":"STRING","byDefault":true,"sequence":0},{"name":"model","type":"STRING","byDefault":true,"sequence":0},{"name":"disk_size","type":"STRING","byDefault":true,"sequence":0},{"name":"logical_sector","type":"STRING","byDefault":true,"sequence":0},{"name":"physical_sector","type":"STRING","byDefault":true,"sequence":0},{"name":"virtual_loc","type":"STRING","byDefault":true,"sequence":0},{"name":"disk_flags","type":"STRING","byDefault":true,"sequence":0},{"name":"partition","type":"STRING","byDefault":true,"sequence":0},{"name":"volume","type":"STRING","byDefault":true,"sequence":0},{"name":"partition_size","type":"STRING","byDefault":true,"sequence":0},{"name":"partition_freespace","type":"STRING","byDefault":true,"sequence":0},{"name":"filesystem","type":"STRING","byDefault":true,"sequence":0},{"name":"type","type":"STRING","byDefault":true,"sequence":0},{"name":"partition_flags","type":"STRING","byDefault":true,"sequence":0}]},"type":"com.intel.mar.model.collector.Collector"}]