From 229010219a87444ca0629de75a73d8c314ddc713 Mon Sep 17 00:00:00 2001
From: Eric Conrad
Date: Wed, 7 Jun 2023 16:47:34 -0400
Subject: [PATCH] More updates, including more WMI detection
---
 DeepBlue.ps1 | 8 ++++++++
 regexes.txt | 1 +
 safelist.txt | 1 +
 3 files changed, 10 insertions(+)
 mode change 100644 => 100755 regexes.txt
 mode change 100644 => 100755 safelist.txt
diff --git a/DeepBlue.ps1 b/DeepBlue.ps1
index f31ee8c..efa5e7d 100644
--- a/DeepBlue.ps1
+++ b/DeepBlue.ps1
@@ -824,6 +824,14 @@ function Check-Creator($command,$creator){
 $creatortext += "PowerShell launched via WMI: $creator`n"
 }
 }
+ ElseIf ($command -Match "cmd.exe"){
+ if ($creator -Match "PSEXESVC"){
+ $creatortext += "cmd.exe launched via PsExec: $creator`n"
+ }
+ ElseIf($creator -Match "WmiPrvSE"){
+ $creatortext += "cmd.exe launched via WMI: $creator`n"
+ }
+ }
 }
 return $creatortext
 }
diff --git a/regexes.txt b/regexes.txt
old mode 100644
new mode 100755
index 03e08ec..09725f1
--- a/regexes.txt
+++ b/regexes.txt
@@ -26,5 +26,6 @@ Type,regex,string
 0,Register-ScheduledTask,Command referencing Register-ScheduledTask (possible ASEP)
 0,Software\\Microsoft\\Windows\\CurrentVersion\\Run,Reference to registry run key (possible ASEP)
 0,reg *add,Registry addition (possible ASEP)
+0,cmd.exe.*\\ADMIN\$\\,cmd.exe accessing the ADMIN$ share
 1,^[a-zA-Z]{22}$,Metasploit-style service name: 22 characters, [A-Za-z]
 1,^[a-zA-Z]{16}$,Metasploit-style service name: 16 characters, [A-Za-z]
diff --git a/safelist.txt b/safelist.txt
old mode 100644
new mode 100755
index e3a45dd..b326ba1
--- a/safelist.txt
+++ b/safelist.txt
@@ -7,3 +7,4 @@
 regex
 ^"C:\\Program Files\\Google\\Chrome\\Application\\chrome\.exe"
 ^"C:\\Program Files\\Google\\Update\\GoogleUpdate\.exe"
+^"C:\\Program Files \(x86\)\\Google\\Update\\GoogleUpdate\.exe"
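Review bot: The new `ElseIf ($command -Match "cmd.exe")` branch treats `cmd.exe` as a regular expression with an unescaped dot and no anchoring, so it also fires on strings such as `cmdXexe` or any longer name that merely contains that substring; `ElseIf ($command -Match '\bcmd\.exe\b'){` keeps the intent while matching only the literal token, and the same unanchored-substring behaviour applies to the `PSEXESVC` and `WmiPrvSE` creator checks. Because this is chained after the branch that reports PowerShell (its condition sits above the hunk), a command line naming both interpreters is attributed only to whichever branch is tested first, which is worth a comment such as `# Only the first matching branch reports; a command line naming both interpreters is attributed to the branch above`. The spacing `ElseIf ($command` versus `ElseIf($creator` is inconsistent within the same addition. Check-Creator's signature and its earlier branches start before this hunk.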
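Review bot: The added rule `0,cmd.exe.*\\ADMIN\$\\,...` leaves the dot in `cmd.exe` unescaped so it matches any character there, while the rest of the same line carefully escapes `\\` and `\$`; `0,cmd\.exe.*\\ADMIN\$\\,cmd.exe accessing the ADMIN$ share` follows the file's own escaping convention. The pattern only requires `\ADMIN$\` to appear somewhere after cmd.exe, so a command line that merely references such a path in an argument will also trigger it — acceptable for a hunting rule, but the description should then say "referencing" rather than "accessing" so analysts do not over-read the hit. Only ADMIN$ is covered; the other default administrative shares (C$, IPC$) produce no alert from this rule, so a sibling entry or a note on that gap would help defenders reading the rule list.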