Was analyzing Sysmon event 1 image instead of CommandLine. Fixed

2021-10-29 16:17:25 -04:00
parent 350fe3c134
commit 45d62cbfbe
1 changed files with 1 additions and 1 deletions
--- a/DeepBlue.ps1
+++ b/DeepBlue.ps1
@ -518,7 +518,7 @@ function Main {
            # Check command lines
            if ($event.id -eq 1){
                $creator=$eventXML.Event.EventData.Data[14]."#text"
-                $commandline=$eventXML.Event.EventData.Data[4]."#text"
+                $commandline=$eventXML.Event.EventData.Data[10]."#text"
                if ($commandline){
                    Check-Command -EventID 1
                }