@@ -106,6 +106,7 @@ function Invoke-FileSystemChecks {
106106
107107 foreach ($file in $files ) {
108108 if ($file.Name -match ' ^ps-script-[0-9a-f\-]+\.ps1$' ) { continue }
109+ if ($file.Name -match ' ^remoteIpMoProxy_' ) { continue } # PS implicit remoting proxy — scanner artifact
109110
110111 $inTrustedDir = $false
111112 foreach ($pattern in $trustedAppDirs ) {
@@ -542,10 +543,8 @@ function Invoke-FileSystemChecks {
542543 }
543544
544545 if ($dllPath -notmatch " ^C:\\Windows\\" -and $dllPath -notmatch " ^C:\\Program Files" ) {
545- $comSig = $null
546- if (Test-Path $dllPath ) {
547- $comSig = Get-FileSignature - FilePath $dllPath
548- }
546+ if (-not (Test-Path $dllPath )) { continue } # stale registration — file gone, can't be exploited
547+ $comSig = Get-FileSignature - FilePath $dllPath
549548 if ($comSig -and $comSig.Status -eq " Valid" ) { continue }
550549
551550 Add-Finding - Severity " WARNING" - Category " FileSystem" `
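Review bot: The new `continue` on line 546 silently drops the case the old code reported: a COM registration whose DLL path lies outside the Windows and Program Files trees and whose file no longer exists. The inline comment claims the file "can't be exploited", but a dangling registration pointing at an absent file in a non-system location is precisely the condition a COM-hijack audit exists to surface, because whoever can create that path decides what gets loaded; the regression is that the scanner now says nothing about it, whereas before it fell through with `$comSig = $null` and raised the WARNING. Keep the early exit so `Get-FileSignature` is not called on a missing file, but report first, e.g. `if (-not (Test-Path $dllPath)) { Add-Finding -Severity "INFO" -Category "FileSystem" -Title "COM server DLL missing: $dllPath" <remaining parameters as in the call below>; continue }`, or at minimum reword the comment to `# file missing — dangling COM registration, report separately`. Invoke-FileSystemChecks begins and ends outside this hunk.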
@@ -646,23 +645,42 @@ function Invoke-FileSystemChecks {
646645 $tasks = Get-ScheduledTask - ErrorAction SilentlyContinue |
647646 Where-Object { $_.State -ne " Disabled" }
648647
648+ $knownLegitTaskPaths = @ (
649+ " *\OneDrive\*\OneDriveLauncher.exe*" ,
650+ " *\OneDrive*\OneDriveStandaloneUpdater.exe*" ,
651+ " *\Opera\autoupdate\opera_autoupdate.exe*" ,
652+ " *\Zoom\bin\Zoom.exe*" ,
653+ " *\Discord\Update.exe*" ,
654+ " *\Teams\*\Teams.exe*" ,
655+ " *\Update.exe*--processStart*"
656+ )
657+
649658 foreach ($task in $tasks ) {
650659 try {
651660 $actions = $task.Actions
652661 foreach ($action in $actions ) {
653662 $execute = $action.Execute
654663 if (-not $execute ) { continue }
664+ $taskArgs = $action.Arguments
655665
656666 $suspicious = $false
657667 $severity = " INFO"
658668
669+ # Known-legitimate updater paths
670+ $isKnownLegit = $false
671+ foreach ($pattern in $knownLegitTaskPaths ) {
672+ if ($execute -like $pattern -or " $execute $taskArgs " -like $pattern ) {
673+ $isKnownLegit = $true ; break
674+ }
675+ }
676+ if ($isKnownLegit ) { continue }
677+
659678 if ($execute -match " \\Temp\\" -or $execute -match " \\AppData\\" ) {
660679 $suspicious = $true
661680 $severity = " WARNING"
662681 }
663682
664- $args = $action.Arguments
665- if ($execute -match " powershell" -and $args -match " -enc|-e |-WindowStyle\s+Hidden" ) {
683+ if ($execute -match " powershell" -and $taskArgs -match " -enc|-e |-WindowStyle\s+Hidden" ) {
666684 $suspicious = $true
667685 $severity = " CRITICAL"
668686 }
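Review bot: The `$knownLegitTaskPaths` allowlist (lines 648–656, applied at 669–676) matches on path fragments only, and the `continue` at line 676 skips every later check, including the CRITICAL encoded-PowerShell test at line 683, so a task whose action merely ends in `\Discord\Update.exe` or carries `Update.exe --processStart` in its command line is never inspected regardless of where it lives — including under `\Temp\` or `\AppData\`, which is exactly what lines 678–681 exist to flag. A name-based match should narrow the check, not clear the task: either gate the allowlist on the executable's signature status using the `Get-FileSignature` helper this file already applies to COM DLLs, or let it suppress only the Temp/AppData heuristic and leave the argument checks in place. `$execute` is taken verbatim from the task action and may still carry surrounding quotes or environment variables, so `Test-Path` may need a normalised path (not verified here); the sketch below fails closed when the lookup does not succeed. Invoke-FileSystemChecks starts and ends outside this hunk.
```powershell
# … unchanged: $knownLegitTaskPaths loop setting $isKnownLegit …
if ($isKnownLegit) {
    # Path match only narrows the check; require a valid signature before skipping the task
    $legitSig = $null
    if (Test-Path $execute) { $legitSig = Get-FileSignature -FilePath $execute }
    if ($legitSig -and $legitSig.Status -eq "Valid") { continue }
}
# … unchanged: Temp/AppData and PowerShell argument checks …
```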
@@ -675,13 +693,13 @@ function Invoke-FileSystemChecks {
675693 if ($suspicious ) {
676694 Add-Finding - Severity $severity - Category " FileSystem" `
677695 - Title " Suspicious Scheduled Task: $ ( $task.TaskName ) " `
678- - Description " Scheduled task '$ ( $task.TaskName ) ' (Path: $ ( $task.TaskPath ) ) executes: '$execute ' with arguments: '$args '. This task runs as: $ ( $task.Principal.UserId ) ." `
696+ - Description " Scheduled task '$ ( $task.TaskName ) ' (Path: $ ( $task.TaskPath ) ) executes: '$execute ' with arguments: '$taskArgs '. This task runs as: $ ( $task.Principal.UserId ) ." `
679697 - Remediation " If you don't recognize this task, disable it: Disable-ScheduledTask -TaskName '$ ( $task.TaskName ) ' -TaskPath '$ ( $task.TaskPath ) '" `
680698 - Details @ {
681699 TaskName = $task.TaskName
682700 TaskPath = $task.TaskPath
683701 Execute = $execute
684- Arguments = $args
702+ Arguments = $taskArgs
685703 RunAs = $task.Principal.UserId
686704 State = $task.State.ToString ()
687705 } `