Update DeepBlueHash-collector.ps1

Updated for the new Sysmon event schema
This commit is contained in:
Eric Conrad
2023-06-28 13:23:46 -04:00
committed by GitHub
parent 3c8fa15e28
commit 41fe88f2e4


@ -1,20 +1,39 @@
$hashdirectory=".\hashes\" $hashdirectory=".\hashes\"
$events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7} $events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7}
ForEach ($event in $events) { ForEach ($event in $events) {
if ($event.id -eq 1){ # Process creation if ($event.id -eq 1){ # Process creation
$path=$event.Properties[3].Value # Full path of the file
$hash=$event.Properties[11].Value # Hashes if ($event.Properties.Count -le 16){
$path=$event.Properties[3].Value # Full path of the file
$hash=$event.Properties[11].Value # Hashes
}
Else {
$path=$event.Properties[4].Value # Full path of the file
$hash=$event.Properties[16].Value # Hashes
}
} }
Else{ Else{
# Hash and path are part of the message field in Sysmon events 6 and 7. Need to parse the XML # Hash and path are part of the message field in Sysmon events 6 and 7. Need to parse the XML
$eventXML = [xml]$event.ToXml() $eventXML = [xml]$event.ToXml()
If ($event.id -eq 6){ # Driver (.sys) load If ($event.id -eq 6){ # Driver (.sys) load
$path=$eventxml.Event.EventData.Data[1]."#text" # Full path of the file if ($event.Properties.Count -le 6){
$path=$eventXML.Event.EventData.Data[1]."#text" # Full path of the file
$hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes $hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes
}
Else{
$path=$eventXML.Event.EventData.Data[2]."#text" # Full path of the file
$hash=$eventXML.Event.EventData.Data[3]."#text" # Hashes
}
} }
ElseIf ($event.id -eq 7){ # Image (.dll) load ElseIf ($event.id -eq 7){ # Image (.dll) load
$path=$eventxml.Event.EventData.Data[4]."#text" # Full path of the file if ($event.Properties.Count -lt 14){
$path=$eventXML.Event.EventData.Data[4]."#text" # Full path of the file
$hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes $hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes
}
Else{
$path=$eventXML.Event.EventData.Data[5]."#text" # Full path of the file
$hash=$eventXML.Event.EventData.Data[10]."#text" # Hashes
}
} }
Else{ Else{
Out-Host "Logic error 1, should not reach here..." Out-Host "Logic error 1, should not reach here..."