Inclusive language update
This commit is contained in:
10
DeepBlue.ps1
10
DeepBlue.ps1
@ -40,8 +40,8 @@ function Main {
|
|||||||
$minlength=1000 # Minimum length of command line to alert
|
$minlength=1000 # Minimum length of command line to alert
|
||||||
# Load cmd match regexes from csv file, ignore comments
|
# Load cmd match regexes from csv file, ignore comments
|
||||||
$regexes = Get-Content ".\regexes.txt" | Select-String '^[^#]' | ConvertFrom-Csv
|
$regexes = Get-Content ".\regexes.txt" | Select-String '^[^#]' | ConvertFrom-Csv
|
||||||
# Load cmd whitelist regexes from csv file, ignore comments
|
# Load cmd safelist regexes from csv file, ignore comments
|
||||||
$whitelist = Get-Content ".\whitelist.txt" | Select-String '^[^#]' | ConvertFrom-Csv
|
$safelist = Get-Content ".\safelist.txt" | Select-String '^[^#]' | ConvertFrom-Csv
|
||||||
$logname=Check-Options $file $log
|
$logname=Check-Options $file $log
|
||||||
#"Processing the " + $logname + " log..."
|
#"Processing the " + $logname + " log..."
|
||||||
$filter=Create-Filter $file $logname
|
$filter=Create-Filter $file $logname
|
||||||
@ -671,10 +671,10 @@ function Check-Command(){
|
|||||||
|
|
||||||
$text=""
|
$text=""
|
||||||
$base64=""
|
$base64=""
|
||||||
# Check to see if command is whitelisted
|
# Check to see if command is safelisted
|
||||||
foreach ($entry in $whitelist) {
|
foreach ($entry in $safelist) {
|
||||||
if ($commandline -Match $entry.regex) {
|
if ($commandline -Match $entry.regex) {
|
||||||
# Command is whitelisted, return nothing
|
# Command is safelisted, return nothing
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1,58 +1,58 @@
|
|||||||
# Requires Posh-VirusTotal: https://github.com/darkoperator/Posh-VirusTotal
|
# Requires Posh-VirusTotal: https://github.com/darkoperator/Posh-VirusTotal
|
||||||
#
|
#
|
||||||
# Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/
|
# Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/
|
||||||
#
|
#
|
||||||
$hashdirectory = ".\hashes"
|
$hashdirectory = ".\hashes"
|
||||||
$whitelistfile=".\file-whitelist.csv"
|
$safelistfile=".\file-safelist.csv"
|
||||||
# Load the whitelist into a hash table
|
# Load the safelist into a hash table
|
||||||
if (Test-Path $whitelistfile){
|
if (Test-Path $safelistfile){
|
||||||
$whitelist = Get-Content $whitelistfile | Select-String '^[^#]' | ConvertFrom-Csv
|
$safelist = Get-Content $safelistfile | Select-String '^[^#]' | ConvertFrom-Csv
|
||||||
$hashes=@{}
|
$hashes=@{}
|
||||||
foreach($entry in $whitelist){
|
foreach($entry in $safelist){
|
||||||
$hashes[$entry.sha256]=$entry.path
|
$hashes[$entry.sha256]=$entry.path
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
Get-ChildItem $hashdirectory | Foreach-Object{
|
Get-ChildItem $hashdirectory | Foreach-Object{
|
||||||
if ($_.Name -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings
|
if ($_.Name -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings
|
||||||
$SHA256=$_.Name
|
$SHA256=$_.Name
|
||||||
if ($hashes.containsKey($SHA256)){
|
if ($hashes.containsKey($SHA256)){
|
||||||
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.whitelisted"
|
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.safelisted"
|
||||||
}
|
}
|
||||||
Else{
|
Else{
|
||||||
try{
|
try{
|
||||||
$VTreport = Get-VTFileReport $SHA256
|
$VTreport = Get-VTFileReport $SHA256
|
||||||
}
|
}
|
||||||
catch {
|
catch {
|
||||||
Write-Host "`r`nAttempted to run: Get-VTFileReport $SHA256`r`r"
|
Write-Host "`r`nAttempted to run: Get-VTFileReport $SHA256`r`r"
|
||||||
Write-Host "Error: " $_.Exception.Message "`n"
|
Write-Host "Error: " $_.Exception.Message "`n"
|
||||||
Write-Host "Have you installed Posh-VirusTotal and set the VirusTotal API key?"
|
Write-Host "Have you installed Posh-VirusTotal and set the VirusTotal API key?"
|
||||||
Write-Host " - See: https://github.com/darkoperator/Posh-VirusTotal`r`n"
|
Write-Host " - See: https://github.com/darkoperator/Posh-VirusTotal`r`n"
|
||||||
Write-Host "Once you have installed Posh-VirusTotal and have a VirusTotal API key, run the following command:`r`n"
|
Write-Host "Once you have installed Posh-VirusTotal and have a VirusTotal API key, run the following command:`r`n"
|
||||||
Write-Host "Set-VTAPIKey -APIKey <API Key>`r`n"
|
Write-Host "Set-VTAPIKey -APIKey <API Key>`r`n"
|
||||||
Write-Host "Exiting...`n"
|
Write-Host "Exiting...`n"
|
||||||
exit
|
exit
|
||||||
}
|
}
|
||||||
if ($VTreport.positives -eq 0){
|
if ($VTreport.positives -eq 0){
|
||||||
# File is clean
|
# File is clean
|
||||||
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.clean"
|
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.clean"
|
||||||
}
|
}
|
||||||
ElseIf ($VTreport.positives -gt 0){
|
ElseIf ($VTreport.positives -gt 0){
|
||||||
# File is flagged by Virustotal
|
# File is flagged by Virustotal
|
||||||
$positives=$VTreport.positives
|
$positives=$VTreport.positives
|
||||||
Write-Host " - Hash was detected by $positives Virustotal scanners"
|
Write-Host " - Hash was detected by $positives Virustotal scanners"
|
||||||
if ($positives -eq 1){
|
if ($positives -eq 1){
|
||||||
Write-Host " - Don't Panic (yet)! There is only one positive, which may be a sign of a false positive."
|
Write-Host " - Don't Panic (yet)! There is only one positive, which may be a sign of a false positive."
|
||||||
Write-Host " - Check the VirusTotal report for more information."
|
Write-Host " - Check the VirusTotal report for more information."
|
||||||
}
|
}
|
||||||
Write-Host " - See $hashdirectory\$SHA256.Virustotal for the full report`r`n"
|
Write-Host " - See $hashdirectory\$SHA256.Virustotal for the full report`r`n"
|
||||||
$VTreport | Set-Content "$hashdirectory\$SHA256.Virustotal"
|
$VTreport | Set-Content "$hashdirectory\$SHA256.Virustotal"
|
||||||
# Rename original hash file, add the Virustotal positive count as a numbered extension
|
# Rename original hash file, add the Virustotal positive count as a numbered extension
|
||||||
# $SHA256.$positives
|
# $SHA256.$positives
|
||||||
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.$positives"
|
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.$positives"
|
||||||
}
|
}
|
||||||
# Wait 15 seconds between submissions, for public Virustotal API keys
|
# Wait 15 seconds between submissions, for public Virustotal API keys
|
||||||
Start-Sleep -s 15
|
Start-Sleep -s 15
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
@ -1,38 +1,38 @@
|
|||||||
$hashdirectory=".\hashes\"
|
$hashdirectory=".\hashes\"
|
||||||
$events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7}
|
$events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7}
|
||||||
ForEach ($event in $events) {
|
ForEach ($event in $events) {
|
||||||
if ($event.id -eq 1){ # Process creation
|
if ($event.id -eq 1){ # Process creation
|
||||||
$path=$event.Properties[3].Value # Full path of the file
|
$path=$event.Properties[3].Value # Full path of the file
|
||||||
$hash=$event.Properties[11].Value # Hashes
|
$hash=$event.Properties[11].Value # Hashes
|
||||||
}
|
}
|
||||||
Else{
|
Else{
|
||||||
# Hash and path are part of the message field in Sysmon events 6 and 7. Need to parse the XML
|
# Hash and path are part of the message field in Sysmon events 6 and 7. Need to parse the XML
|
||||||
$eventXML = [xml]$event.ToXml()
|
$eventXML = [xml]$event.ToXml()
|
||||||
If ($event.id -eq 6){ # Driver (.sys) load
|
If ($event.id -eq 6){ # Driver (.sys) load
|
||||||
$path=$eventxml.Event.EventData.Data[1]."#text" # Full path of the file
|
$path=$eventxml.Event.EventData.Data[1]."#text" # Full path of the file
|
||||||
$hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes
|
$hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes
|
||||||
}
|
}
|
||||||
ElseIf ($event.id -eq 7){ # Image (.dll) load
|
ElseIf ($event.id -eq 7){ # Image (.dll) load
|
||||||
$path=$eventxml.Event.EventData.Data[4]."#text" # Full path of the file
|
$path=$eventxml.Event.EventData.Data[4]."#text" # Full path of the file
|
||||||
$hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes
|
$hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes
|
||||||
}
|
}
|
||||||
Else{
|
Else{
|
||||||
Out-Host "Logic error 1, should not reach here..."
|
Out-Host "Logic error 1, should not reach here..."
|
||||||
Exit 1
|
Exit 1
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# Multiple hashes may be logged, we want SHA256. Remove everything through "SHA256="
|
# Multiple hashes may be logged, we want SHA256. Remove everything through "SHA256="
|
||||||
$SHA256= $hash -Replace "^.*SHA256=",""
|
$SHA256= $hash -Replace "^.*SHA256=",""
|
||||||
# Split the string on commas, grab field 0
|
# Split the string on commas, grab field 0
|
||||||
$SHA256=$SHA256.Split(",")[0]
|
$SHA256=$SHA256.Split(",")[0]
|
||||||
if ($SHA256 -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings
|
if ($SHA256 -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings
|
||||||
$hashfile="$hashdirectory\$SHA256"
|
$hashfile="$hashdirectory\$SHA256"
|
||||||
if (-not (Test-Path "$hashfile*")){
|
if (-not (Test-Path "$hashfile*")){
|
||||||
# Hash file doesn't exist (or any variants with extensions), create it
|
# Hash file doesn't exist (or any variants with extensions), create it
|
||||||
$path | Set-Content $hashfile
|
$path | Set-Content $hashfile
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
Else{
|
Else{
|
||||||
Out-Host "No SHA256 hash found. Ensure Sysmon is creating SHA256 hashes"
|
Out-Host "No SHA256 hash found. Ensure Sysmon is creating SHA256 hashes"
|
||||||
}
|
}
|
||||||
}
|
}
|
@ -20,7 +20,7 @@ Sample evtx files are in the .\evtx directory
|
|||||||
- [Output](#output)
|
- [Output](#output)
|
||||||
- [Logging setup](#logging-setup)
|
- [Logging setup](#logging-setup)
|
||||||
- See the [DeepBlue.py Readme](READMEs/README-DeepBlue.py.md) for information on DeepBlue.py
|
- See the [DeepBlue.py Readme](READMEs/README-DeepBlue.py.md) for information on DeepBlue.py
|
||||||
- See the [DeepWhite Readme](READMEs/README-DeepWhite.md) for information on DeepWhite (detective whitelisting using Sysmon event logs)
|
- See the [DeepWhite Readme](READMEs/README-DeepWhite.md) for information on DeepWhite (detective safelisting using Sysmon event logs)
|
||||||
|
|
||||||
## Usage:
|
## Usage:
|
||||||
|
|
||||||
|
16471
whitelists/win10-x64.csv
16471
whitelists/win10-x64.csv
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user