More updates, including more WMI detection

2023-06-07 16:47:34 -04:00
parent 79dd0e6b11
commit 229010219a
3 changed files with 10 additions and 0 deletions
--- a/DeepBlue.ps1
+++ b/DeepBlue.ps1
@ -824,6 +824,14 @@ function Check-Creator($command,$creator){
                $creatortext += "PowerShell launched via WMI: $creator`n"
            }
        }
+        ElseIf ($command -Match "cmd.exe"){
+            if ($creator -Match "PSEXESVC"){
+                $creatortext += "cmd.exe launched via PsExec: $creator`n"
+            }
+            ElseIf($creator -Match "WmiPrvSE"){
+                $creatortext += "cmd.exe launched via WMI: $creator`n"
+            }
+        }
    }
    return $creatortext
 }