Inclusive language update

This commit is contained in:
Eric Conrad
2021-10-28 12:00:04 -04:00
parent 62d25d9e76
commit 15999a1243
6 changed files with 100 additions and 16571 deletions


@ -40,8 +40,8 @@ function Main {
$minlength=1000 # Minimum length of command line to alert $minlength=1000 # Minimum length of command line to alert
# Load cmd match regexes from csv file, ignore comments # Load cmd match regexes from csv file, ignore comments
$regexes = Get-Content ".\regexes.txt" | Select-String '^[^#]' | ConvertFrom-Csv $regexes = Get-Content ".\regexes.txt" | Select-String '^[^#]' | ConvertFrom-Csv
# Load cmd whitelist regexes from csv file, ignore comments # Load cmd safelist regexes from csv file, ignore comments
$whitelist = Get-Content ".\whitelist.txt" | Select-String '^[^#]' | ConvertFrom-Csv $safelist = Get-Content ".\safelist.txt" | Select-String '^[^#]' | ConvertFrom-Csv
$logname=Check-Options $file $log $logname=Check-Options $file $log
#"Processing the " + $logname + " log..." #"Processing the " + $logname + " log..."
$filter=Create-Filter $file $logname $filter=Create-Filter $file $logname
@ -671,10 +671,10 @@ function Check-Command(){
$text="" $text=""
$base64="" $base64=""
# Check to see if command is whitelisted # Check to see if command is safelisted
foreach ($entry in $whitelist) { foreach ($entry in $safelist) {
if ($commandline -Match $entry.regex) { if ($commandline -Match $entry.regex) {
# Command is whitelisted, return nothing # Command is safelisted, return nothing
return return
} }
} }
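Review bot: The renamed load `$safelist = Get-Content ".\safelist.txt" | Select-String '^[^#]' | ConvertFrom-Csv` in Main has no guard for a missing file, and this commit page does not show the data file itself being renamed from whitelist.txt. If `.\safelist.txt` is absent (or the script is run from a directory other than its own, since the path is relative to the current location), `Get-Content` raises only a non-terminating error, `$safelist` becomes `$null`, and `foreach ($entry in $safelist)` in Check-Command iterates zero times, so safelisting silently stops working with no clear message. Consider `$safelist = Get-Content ".\safelist.txt" -ErrorAction Stop | Select-String '^[^#]' | ConvertFrom-Csv`, or a `Test-Path` check as DeepWhite-checker.ps1 already does for its safelist. The same applies to the `$regexes` load on the line above it. Both Main and Check-Command start before and continue past their hunks.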


@ -1,58 +1,58 @@
# Requires Posh-VirusTotal: https://github.com/darkoperator/Posh-VirusTotal # Requires Posh-VirusTotal: https://github.com/darkoperator/Posh-VirusTotal
# #
# Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/ # Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/
# #
$hashdirectory = ".\hashes" $hashdirectory = ".\hashes"
$whitelistfile=".\file-whitelist.csv" $safelistfile=".\file-safelist.csv"
# Load the whitelist into a hash table # Load the safelist into a hash table
if (Test-Path $whitelistfile){ if (Test-Path $safelistfile){
$whitelist = Get-Content $whitelistfile | Select-String '^[^#]' | ConvertFrom-Csv $safelist = Get-Content $safelistfile | Select-String '^[^#]' | ConvertFrom-Csv
$hashes=@{} $hashes=@{}
foreach($entry in $whitelist){ foreach($entry in $safelist){
$hashes[$entry.sha256]=$entry.path $hashes[$entry.sha256]=$entry.path
} }
} }
Get-ChildItem $hashdirectory | Foreach-Object{ Get-ChildItem $hashdirectory | Foreach-Object{
if ($_.Name -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings if ($_.Name -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings
$SHA256=$_.Name $SHA256=$_.Name
if ($hashes.containsKey($SHA256)){ if ($hashes.containsKey($SHA256)){
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.whitelisted" Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.safelisted"
} }
Else{ Else{
try{ try{
$VTreport = Get-VTFileReport $SHA256 $VTreport = Get-VTFileReport $SHA256
} }
catch { catch {
Write-Host "`r`nAttempted to run: Get-VTFileReport $SHA256`r`r" Write-Host "`r`nAttempted to run: Get-VTFileReport $SHA256`r`r"
Write-Host "Error: " $_.Exception.Message "`n" Write-Host "Error: " $_.Exception.Message "`n"
Write-Host "Have you installed Posh-VirusTotal and set the VirusTotal API key?" Write-Host "Have you installed Posh-VirusTotal and set the VirusTotal API key?"
Write-Host " - See: https://github.com/darkoperator/Posh-VirusTotal`r`n" Write-Host " - See: https://github.com/darkoperator/Posh-VirusTotal`r`n"
Write-Host "Once you have installed Posh-VirusTotal and have a VirusTotal API key, run the following command:`r`n" Write-Host "Once you have installed Posh-VirusTotal and have a VirusTotal API key, run the following command:`r`n"
Write-Host "Set-VTAPIKey -APIKey <API Key>`r`n" Write-Host "Set-VTAPIKey -APIKey <API Key>`r`n"
Write-Host "Exiting...`n" Write-Host "Exiting...`n"
exit exit
} }
if ($VTreport.positives -eq 0){ if ($VTreport.positives -eq 0){
# File is clean # File is clean
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.clean" Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.clean"
} }
ElseIf ($VTreport.positives -gt 0){ ElseIf ($VTreport.positives -gt 0){
# File is flagged by Virustotal # File is flagged by Virustotal
$positives=$VTreport.positives $positives=$VTreport.positives
Write-Host " - Hash was detected by $positives Virustotal scanners" Write-Host " - Hash was detected by $positives Virustotal scanners"
if ($positives -eq 1){ if ($positives -eq 1){
Write-Host " - Don't Panic (yet)! There is only one positive, which may be a sign of a false positive." Write-Host " - Don't Panic (yet)! There is only one positive, which may be a sign of a false positive."
Write-Host " - Check the VirusTotal report for more information." Write-Host " - Check the VirusTotal report for more information."
} }
Write-Host " - See $hashdirectory\$SHA256.Virustotal for the full report`r`n" Write-Host " - See $hashdirectory\$SHA256.Virustotal for the full report`r`n"
$VTreport | Set-Content "$hashdirectory\$SHA256.Virustotal" $VTreport | Set-Content "$hashdirectory\$SHA256.Virustotal"
# Rename original hash file, add the Virustotal positive count as a numbered extension # Rename original hash file, add the Virustotal positive count as a numbered extension
# $SHA256.$positives # $SHA256.$positives
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.$positives" Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.$positives"
} }
# Wait 15 seconds between submissions, for public Virustotal API keys # Wait 15 seconds between submissions, for public Virustotal API keys
Start-Sleep -s 15 Start-Sleep -s 15
} }
} }
} }
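Review bot: `$hashes=@{}` is initialized only inside `if (Test-Path $safelistfile){`, so when no file-safelist.csv is present, `$hashes.containsKey($SHA256)` in the Foreach-Object block is a method call on `$null` and errors for every hash instead of falling through to the VirusTotal lookup. Hoist the initialization above the guard: `$hashes=@{}` on its own line, followed by `if (Test-Path $safelistfile){`, and drop the inner assignment. Separately, hash files already renamed to `.whitelisted` by earlier runs keep that extension after this change; the collector's `Test-Path "$hashfile*"` wildcard appears to still treat them as processed, but a note in the README that the two suffixes coexist would save operators some confusion.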


@ -1,38 +1,38 @@
$hashdirectory=".\hashes\" $hashdirectory=".\hashes\"
$events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7} $events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7}
ForEach ($event in $events) { ForEach ($event in $events) {
if ($event.id -eq 1){ # Process creation if ($event.id -eq 1){ # Process creation
$path=$event.Properties[3].Value # Full path of the file $path=$event.Properties[3].Value # Full path of the file
$hash=$event.Properties[11].Value # Hashes $hash=$event.Properties[11].Value # Hashes
} }
Else{ Else{
# Hash and path are part of the message field in Sysmon events 6 and 7. Need to parse the XML # Hash and path are part of the message field in Sysmon events 6 and 7. Need to parse the XML
$eventXML = [xml]$event.ToXml() $eventXML = [xml]$event.ToXml()
If ($event.id -eq 6){ # Driver (.sys) load If ($event.id -eq 6){ # Driver (.sys) load
$path=$eventxml.Event.EventData.Data[1]."#text" # Full path of the file $path=$eventxml.Event.EventData.Data[1]."#text" # Full path of the file
$hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes $hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes
} }
ElseIf ($event.id -eq 7){ # Image (.dll) load ElseIf ($event.id -eq 7){ # Image (.dll) load
$path=$eventxml.Event.EventData.Data[4]."#text" # Full path of the file $path=$eventxml.Event.EventData.Data[4]."#text" # Full path of the file
$hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes $hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes
} }
Else{ Else{
Out-Host "Logic error 1, should not reach here..." Out-Host "Logic error 1, should not reach here..."
Exit 1 Exit 1
} }
} }
# Multiple hashes may be logged, we want SHA256. Remove everything through "SHA256=" # Multiple hashes may be logged, we want SHA256. Remove everything through "SHA256="
$SHA256= $hash -Replace "^.*SHA256=","" $SHA256= $hash -Replace "^.*SHA256=",""
# Split the string on commas, grab field 0 # Split the string on commas, grab field 0
$SHA256=$SHA256.Split(",")[0] $SHA256=$SHA256.Split(",")[0]
if ($SHA256 -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings if ($SHA256 -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings
$hashfile="$hashdirectory\$SHA256" $hashfile="$hashdirectory\$SHA256"
if (-not (Test-Path "$hashfile*")){ if (-not (Test-Path "$hashfile*")){
# Hash file doesn't exist (or any variants with extensions), create it # Hash file doesn't exist (or any variants with extensions), create it
$path | Set-Content $hashfile $path | Set-Content $hashfile
} }
} }
Else{ Else{
Out-Host "No SHA256 hash found. Ensure Sysmon is creating SHA256 hashes" Out-Host "No SHA256 hash found. Ensure Sysmon is creating SHA256 hashes"
} }
} }


@ -20,7 +20,7 @@ Sample evtx files are in the .\evtx directory
- [Output](#output) - [Output](#output)
- [Logging setup](#logging-setup) - [Logging setup](#logging-setup)
- See the [DeepBlue.py Readme](READMEs/README-DeepBlue.py.md) for information on DeepBlue.py - See the [DeepBlue.py Readme](READMEs/README-DeepBlue.py.md) for information on DeepBlue.py
- See the [DeepWhite Readme](READMEs/README-DeepWhite.md) for information on DeepWhite (detective whitelisting using Sysmon event logs) - See the [DeepWhite Readme](READMEs/README-DeepWhite.md) for information on DeepWhite (detective safelisting using Sysmon event logs)
## Usage: ## Usage:
