diff --git a/DeepWhite-checker.ps1 b/DeepBlueHash-checker.ps1 similarity index 100% rename from DeepWhite-checker.ps1 rename to DeepBlueHash-checker.ps1 diff --git a/DeepWhite-collector.ps1 b/DeepBlueHash-collector.ps1 similarity index 100% rename from DeepWhite-collector.ps1 rename to DeepBlueHash-collector.ps1 diff --git a/README.md b/README.md index d3cc2f8..1ae38ab 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ Sample EVTX files are in the .\evtx directory - [Output](#output) - [Logging setup](#logging-setup) - See the [DeepBlue.py Readme](READMEs/README-DeepBlue.py.md) for information on DeepBlue.py -- See the [DeepWhite Readme](READMEs/README-DeepWhite.md) for information on DeepWhite (detective safelisting using Sysmon event logs) +- See the [DeepBlueHash Readme](READMEs/README-DeepBlueHash.md) for information on DeepBlueHash (detective safelisting using Sysmon event logs) ## Usage: @@ -157,7 +157,7 @@ Thank you: [@heinzarelli](https://twitter.com/heinzarelli) and [@HackerHurricane Install Sysmon from Sysinternals: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon -DeepBlue and DeepWhite currently use Sysmon events, 1, 6 and 7. +DeepBlue and DeepBlueHash currently use Sysmon events, 1, 6 and 7. Log SHA256 hashes. Others are fine; DeepWhite will use SHA256. diff --git a/READMEs/README-DeepWhite.md b/READMEs/README-DeepBlueHash.md similarity index 94% rename from READMEs/README-DeepWhite.md rename to READMEs/README-DeepBlueHash.md index d5ae412..a8fe476 100644 --- a/READMEs/README-DeepWhite.md +++ b/READMEs/README-DeepBlueHash.md @@ -1,4 +1,4 @@ -# DeepWhite +# DeepBlueHash Detective safelisting using Sysmon event logs. 
@@ -26,7 +26,7 @@ The script assumes a personal API key, and waits 15 seconds between submissions. Sysmon is required: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon -Must log the SHA256 hash, DeepWhite will ignore the others. +Must log the SHA256 hash, DeepBlueHash will ignore the others. This minimal Sysmon 6.0 config will log the proper events/hashes. Note that image (DLL) logging may create performance issues. This config ignores DLLs signed by Microsoft (which should lighten the load), but please test! @@ -53,7 +53,7 @@ This minimal Sysmon 6.0 config will log the proper events/hashes. Note that imag ``` -These are the events used by DeepBlueCLI and DeepWhite. +These are the events used by DeepBlueCLI and DeepBlueHash. You can go *much* further than this with Sysmon. The Sysinternals Sysmon page has a good basic configuration: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
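Review bot: the rename is incomplete in the README.md hunk at @@ -157: the unchanged context line directly after the edited one still reads `Log SHA256 hashes. Others are fine; DeepWhite will use SHA256.` and should become `DeepBlueHash will use SHA256.`, otherwise the README refers to the same tool by two names. While touching that line, the stray comma in `Sysmon events, 1, 6 and 7` (carried over into the `+` line) could be dropped to read `Sysmon events 1, 6 and 7`.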
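Review bot: both script renames (DeepWhite-checker.ps1 to DeepBlueHash-checker.ps1 and DeepWhite-collector.ps1 to DeepBlueHash-collector.ps1) are recorded at similarity index 100%, so the file contents are unchanged by this patch; any comments, help text or output strings inside them that still use the old name are not updated here, and a search for `DeepWhite` across the repository before merge would catch leftovers like the one in the README.md hunk.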