Cyberdefense/DeepBlueCLI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

More updates, including more WMI detection

Browse Source
This commit is contained in:
Eric Conrad
2023-06-07 16:47:34 -04:00
parent 79dd0e6b11
commit 229010219a
3 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
DeepBlue.ps1
View File

@ -824,6 +824,14 @@ function Check-Creator($command,$creator){
$creatortext += "PowerShell launched via WMI: $creator`n" $creatortext += "PowerShell launched via WMI: $creator`n"
} }
} }
ElseIf ($command -Match "cmd.exe"){
if ($creator -Match "PSEXESVC"){
$creatortext += "cmd.exe launched via PsExec: $creator`n"
}
ElseIf($creator -Match "WmiPrvSE"){
$creatortext += "cmd.exe launched via WMI: $creator`n"
}
}
} }
return $creatortext return $creatortext
} }

1
regexes.txt Normal file → Executable file
View File

@ -26,5 +26,6 @@ Type,regex,string
0,Register-ScheduledTask,Command referencing Register-ScheduledTask (possible ASEP) 0,Register-ScheduledTask,Command referencing Register-ScheduledTask (possible ASEP)
0,Software\\Microsoft\\Windows\\CurrentVersion\\Run,Reference to registry run key (possible ASEP) 0,Software\\Microsoft\\Windows\\CurrentVersion\\Run,Reference to registry run key (possible ASEP)
0,reg *add,Registry addition (possible ASEP) 0,reg *add,Registry addition (possible ASEP)
0,cmd.exe.*\\ADMIN\$\\,cmd.exe accessing the ADMIN$ share
1,^[a-zA-Z]{22}$,Metasploit-style service name: 22 characters, [A-Za-z] 1,^[a-zA-Z]{22}$,Metasploit-style service name: 22 characters, [A-Za-z]
1,^[a-zA-Z]{16}$,Metasploit-style service name: 16 characters, [A-Za-z] 1,^[a-zA-Z]{16}$,Metasploit-style service name: 16 characters, [A-Za-z]

1
safelist.txt Normal file → Executable file
View File

@ -7,3 +7,4 @@
regex regex
^"C:\\Program Files\\Google\\Chrome\\Application\\chrome\.exe" ^"C:\\Program Files\\Google\\Chrome\\Application\\chrome\.exe"
^"C:\\Program Files\\Google\\Update\\GoogleUpdate\.exe" ^"C:\\Program Files\\Google\\Update\\GoogleUpdate\.exe"
^"C:\\Program Files \(x86\)\\Google\\Update\\GoogleUpdate\.exe"