BigBrother v1.7
0 Votes |
Description
Lost or Stolen laptop but still reporting into the console?
Deploy BigBrother to force enablement of location services, allow application access and get an approximate location using the BigBrother analysis.
Note: Location services will use a combination of global positioning service (GPS), nearby wireless access points, cell towers, and the IP address to determine the device’s location. Depending on the capabilities of the device, the location can be determined with varying degrees of accuracy (accuracy results are reported in the BigBrother analysis).
Tested on Windows 10 and Windows 11
DISCLAIMER: This task is intended to be used responsibly and solely for the recovery of assets
Property Details
27352 | |
Production - Fully Tested and Ready for Production | |
BigBrother v1.7 | |
BESC | |
Asset Management / Forensics | |
michael.english@hcl-software.com | |
7/14/2024 12:00:00 AM | |
Locate lost or stolen devices | |
True | |
Mike_English on 7/23/2024 2:15:44 PM | |
Mike_English on 7/23/2024 2:15:44 PM | |
389 Views / 2 Downloads | |
* Average over 0 ratings. ** Log In or Register to add your rating. |
Relevance
Used in 1 fixlet | * Results in a true/false |
Actions
Action 1 (default)
//BigBrother
//Force Location services ON and allow application access
delete "c:\windows\temp\bb1.ps1"
delete __createfile
createfile until _THEEND_
$RegName = "LetAppsAccessLocation"
$RegValue = 1
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy"
If ((Test-Path $RegPath) -eq $false){{
New-Item -Path $RegPath -ItemType Directory
}
If (-!(Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue)){{
New-ItemProperty -Path $RegPath -Name $RegName -Value $RegValue
}
else{{
Set-ItemProperty -Path $RegPath -Name $RegName -Value $RegValue
}
_THEEND_
move __createfile "c:\windows\temp\bb1.ps1"
waithidden powershell -ExecutionPolicy Bypass -command "c:\windows\temp\bb1.ps1"
//------------------------------------------------------------------------------
//Get Location
delete "c:\windows\temp\bb"
delete "c:\windows\temp\bb2.ps1"
delete __createfile
createfile until _THEEND_
Add-Type -AssemblyName System.Device
$BigBrother = New-Object System.Device.Location.GeoCoordinateWatcher(1)
$BigBrother.Start()
while (($BigBrother.Status -ne 'Ready') -and ($BigBrother.Permission -ne 'Denied')) {{
Start-Sleep -Seconds 3
}
if ($BigBrother.Permission -eq 'Denied'){{
Write-Error 'Access Denied (most likely location services is not turned on)'
} else {{
$BigBrother.Position.Location | Select *
}
_THEEND_
move __createfile "c:\windows\temp\bb2.ps1"
waithidden powershell -ExecutionPolicy Bypass -command "c:\windows\temp\bb2.ps1 2>&1 > C:\windows\temp\bb"
This action will be considered successful when the applicability relevance evaluates to false.
Action 2
// BigBrother
//Turn off Location services
delete "c:\windows\temp\bb"
delete "c:\windows\temp\bb1.ps1"
delete __createfile
createfile until _THEEND_
$Name = "LetAppsAccessLocation"
$Value = 2
$Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy"
If ((Test-Path $Path) -eq $false){{
New-Item -Path $Path -ItemType Directory
}
If (-!(Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue)){{
New-ItemProperty -Path $Path -Name $Name -Value $Value
}
else{{
Set-ItemProperty -Path $Path -Name $Name -Value $Value
}
_THEEND_
move __createfile "c:\windows\temp\bb1.ps1"
waithidden powershell -ExecutionPolicy Bypass -command "c:\windows\temp\bb1.ps1"
This action will be considered successful when the applicability relevance evaluates to false.
Sharing
Social Media: |