Inclusive language update

This commit is contained in:
Eric Conrad
2021-10-28 12:00:04 -04:00
parent 62d25d9e76
commit 15999a1243
6 changed files with 100 additions and 16571 deletions


@ -40,8 +40,8 @@ function Main {
$minlength=1000 # Minimum length of command line to alert $minlength=1000 # Minimum length of command line to alert
# Load cmd match regexes from csv file, ignore comments # Load cmd match regexes from csv file, ignore comments
$regexes = Get-Content ".\regexes.txt" | Select-String '^[^#]' | ConvertFrom-Csv $regexes = Get-Content ".\regexes.txt" | Select-String '^[^#]' | ConvertFrom-Csv
# Load cmd whitelist regexes from csv file, ignore comments # Load cmd safelist regexes from csv file, ignore comments
$whitelist = Get-Content ".\whitelist.txt" | Select-String '^[^#]' | ConvertFrom-Csv $safelist = Get-Content ".\safelist.txt" | Select-String '^[^#]' | ConvertFrom-Csv
$logname=Check-Options $file $log $logname=Check-Options $file $log
#"Processing the " + $logname + " log..." #"Processing the " + $logname + " log..."
$filter=Create-Filter $file $logname $filter=Create-Filter $file $logname
@ -671,10 +671,10 @@ function Check-Command(){
$text="" $text=""
$base64="" $base64=""
# Check to see if command is whitelisted # Check to see if command is safelisted
foreach ($entry in $whitelist) { foreach ($entry in $safelist) {
if ($commandline -Match $entry.regex) { if ($commandline -Match $entry.regex) {
# Command is whitelisted, return nothing # Command is safelisted, return nothing
return return
} }
} }
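Review bot: The safelist in the first hunk is read with `Get-Content ".\safelist.txt"` and no existence check, whereas the other script in this commit guards its `file-safelist.csv` load with `Test-Path`; after this rename any deployment that still ships `whitelist.txt` gets a Get-Content error, an empty `$safelist`, and the `foreach ($entry in $safelist)` in Check-Command then safelists nothing, which changes alert volume silently rather than visibly. Guard it the same way and say so when the file is missing, e.g. `if (Test-Path ".\safelist.txt") { $safelist = Get-Content ".\safelist.txt" | Select-String '^[^#]' | ConvertFrom-Csv } else { Write-Warning "safelist.txt not found; no commands will be safelisted" }`. The `.\` path is also resolved against the caller's working directory rather than the script's location; `Join-Path $PSScriptRoot "safelist.txt"` would make the load independent of where the script is invoked from. Both `Main` and `Check-Command` begin before their hunks and continue after them, so I cannot see whether `$safelist` is also set elsewhere.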


@ -3,12 +3,12 @@
# Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/ # Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/
# #
$hashdirectory = ".\hashes" $hashdirectory = ".\hashes"
$whitelistfile=".\file-whitelist.csv" $safelistfile=".\file-safelist.csv"
# Load the whitelist into a hash table # Load the safelist into a hash table
if (Test-Path $whitelistfile){ if (Test-Path $safelistfile){
$whitelist = Get-Content $whitelistfile | Select-String '^[^#]' | ConvertFrom-Csv $safelist = Get-Content $safelistfile | Select-String '^[^#]' | ConvertFrom-Csv
$hashes=@{} $hashes=@{}
foreach($entry in $whitelist){ foreach($entry in $safelist){
$hashes[$entry.sha256]=$entry.path $hashes[$entry.sha256]=$entry.path
} }
} }
@ -17,7 +17,7 @@ Get-ChildItem $hashdirectory | Foreach-Object{
if ($_.Name -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings if ($_.Name -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings
$SHA256=$_.Name $SHA256=$_.Name
if ($hashes.containsKey($SHA256)){ if ($hashes.containsKey($SHA256)){
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.whitelisted" Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.safelisted"
} }
Else{ Else{
try{ try{
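Review bot: `$hashes=@{}` is created only inside the `if (Test-Path $safelistfile)` branch in the first hunk, but the second hunk calls `$hashes.containsKey($SHA256)` for every 64-hex file name unconditionally, so a run without a safelist file hits a null-valued-expression error on that line for each hash rather than falling through to the `Else` branch; moving `$hashes=@{}` above the `if` makes the no-safelist case well defined. Because the file name also changes from `file-whitelist.csv` to `file-safelist.csv`, an existing install that has not renamed its list loses every previously safelisted hash without any message and those hashes proceed into the `Else`/`try` path, which starts here and continues outside the hunk; a `Write-Warning` when `Test-Path` fails would make that visible at run time. The rename to `"$SHA256.safelisted"` likewise means a directory already holding `.whitelisted` entries from earlier runs will keep both suffixes side by side, which is presumably acceptable but worth a comment on the `Rename-Item` line.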


@ -20,7 +20,7 @@ Sample evtx files are in the .\evtx directory
- [Output](#output) - [Output](#output)
- [Logging setup](#logging-setup) - [Logging setup](#logging-setup)
- See the [DeepBlue.py Readme](READMEs/README-DeepBlue.py.md) for information on DeepBlue.py - See the [DeepBlue.py Readme](READMEs/README-DeepBlue.py.md) for information on DeepBlue.py
- See the [DeepWhite Readme](READMEs/README-DeepWhite.md) for information on DeepWhite (detective whitelisting using Sysmon event logs) - See the [DeepWhite Readme](READMEs/README-DeepWhite.md) for information on DeepWhite (detective safelisting using Sysmon event logs)
## Usage: ## Usage:
