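# Get-SuspiciousProcesses.ps1
# Identify running processes with suspicious characteristics: no backing image
# on disk, an image located under a user-writable/temporary directory, or an
# image whose Authenticode signature is not valid.
#
# Usage: .\Get-SuspiciousProcesses.ps1 [-ShowAll] [-OutputPath <file.csv>]
#
# Notes:
#   - Image paths of processes owned by other users (and therefore the path and
#     signature checks for them) are generally only visible when run elevated;
#     from a non-elevated session such processes may be reported as "No Path".
#   - Every flag is a heuristic. Review hits manually before acting on them.
param(
    [switch]$ShowAll,      # accepted for backward compatibility; currently has no effect
    [string]$OutputPath    # optional CSV destination for the findings
)

Write-Host "Scanning for suspicious processes..." -ForegroundColor Cyan
Write-Host ""

# Directories that are typically writable without elevation. A process whose
# image lives under one of them is flagged.
$SuspiciousPaths = @(
    "$env:TEMP",
    "$env:APPDATA",
    "$env:LOCALAPPDATA",
    "\Windows\Temp",
    "\Users\Public",
    "\Downloads"
)

$Processes = Get-Process | Select-Object Id, ProcessName, Path, Company, ProductVersion
$Suspicious = @()

foreach ($Proc in $Processes) {
    $Flags = @()

    if ([string]::IsNullOrEmpty($Proc.Path)) {
        # No image path: fileless/injected code, a protected process, or simply
        # not visible from this security context (see header note).
        $Flags += "No Path (Fileless)"
    }
    else {
        foreach ($SuspPath in $SuspiciousPaths) {
            # An unset environment variable yields "", and an empty pattern
            # matches every path - skip it instead of flagging everything.
            if ([string]::IsNullOrEmpty($SuspPath)) { continue }
            if ($Proc.Path -imatch [regex]::Escape($SuspPath)) {
                $Flags += "Suspicious Path: $SuspPath"
                break
            }
        }

        # Verify the Authenticode signature of every on-disk image. The Company
        # field is free-form version-info text that any binary can carry, so it
        # is NOT used to skip this check (the earlier version exempted anything
        # whose Company contained "Microsoft").
        $Sig = $null
        try {
            $Sig = Get-AuthenticodeSignature -FilePath $Proc.Path -ErrorAction Stop
        }
        catch {
            # e.g. access denied on the image file; handled below.
            $Sig = $null
        }

        if ($null -eq $Sig) {
            # Distinguish "could not check" from "unsigned" so an unreadable file
            # is not misreported as a bad signature.
            $Flags += "Signature Not Checked"
        }
        elseif ($Sig.Status -ne 'Valid') {
            # Include the status (NotSigned, HashMismatch, NotTrusted, ...) to
            # make the finding actionable.
            $Flags += "Unsigned/Bad Signature ($($Sig.Status))"
        }
    }

    if ($Flags.Count -gt 0) {
        $Suspicious += [PSCustomObject]@{
            PID     = $Proc.Id
            Name    = $Proc.ProcessName
            Path    = if ($Proc.Path) { $Proc.Path } else { "[No Path - Fileless]" }
            Company = if ($Proc.Company) { $Proc.Company } else { "[Unknown]" }
            Version = $Proc.ProductVersion
            Flags   = $Flags -join "; "
        }
    }
}

if ($Suspicious.Count -eq 0) {
    Write-Host "No suspicious processes found!" -ForegroundColor Green
}
else {
    Write-Host "Found $($Suspicious.Count) suspicious process(es):" -ForegroundColor Yellow
    Write-Host ""
    $Suspicious | Format-Table -AutoSize

    Write-Host ""
    Write-Host "Network connections for suspicious processes:" -ForegroundColor Cyan

    # Get-NetTCPConnection (NetTCPIP module) is not present on every host; check
    # once instead of swallowing a CommandNotFound error per process.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        foreach ($Proc in $Suspicious) {
            # SilentlyContinue: the cmdlet emits a non-terminating error when the
            # filter matches no connections, which is the normal "none" case.
            $Connections = Get-NetTCPConnection -OwningProcess $Proc.PID -ErrorAction SilentlyContinue
            if ($Connections) {
                Write-Host "  $($Proc.Name) (PID: $($Proc.PID)):" -ForegroundColor Yellow
                # RemotePort is included so each connection is fully identified.
                $Connections |
                    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
                    Format-Table -AutoSize
            }
        }
    }
    else {
        Write-Host "  Get-NetTCPConnection is not available on this host; skipping connection listing." -ForegroundColor DarkYellow
    }
}

if ($OutputPath) {
    Write-Host ""
    if ($Suspicious.Count -gt 0) {
        $Suspicious | Export-Csv -Path $OutputPath -NoTypeInformation
        Write-Host "Exported to: $OutputPath" -ForegroundColor Green
    }
    else {
        # Export-Csv writes nothing for empty input, so do not claim a file was
        # produced when there were no findings.
        Write-Host "No findings to export; $OutputPath was not written." -ForegroundColor Yellow
    }
}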