From 45d62cbfbe711338ad9b65b64e362a25d330a5d9 Mon Sep 17 00:00:00 2001
From: Eric Conrad
Date: Fri, 29 Oct 2021 16:17:25 -0400
Subject: [PATCH] Was analyzing Sysmon event 1 image instead of CommandLine. Fixed
---
 DeepBlue.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/DeepBlue.ps1 b/DeepBlue.ps1
index 24e86f4..b9a8e63 100644
--- a/DeepBlue.ps1
+++ b/DeepBlue.ps1
@@ -518,7 +518,7 @@ function Main {
 # Check command lines
 if ($event.id -eq 1){
 $creator=$eventXML.Event.EventData.Data[14]."#text"
-$commandline=$eventXML.Event.EventData.Data[4]."#text"
+$commandline=$eventXML.Event.EventData.Data[10]."#text"
 if ($commandline){
 Check-Command -EventID 1
 }
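Review bot: The new `Data[10]` still selects the Sysmon event 1 field by position, and the commit message itself shows how that fails silently — the old `Data[4]` quietly fed the Image path into Check-Command, so the command-line detections never saw a command line. The position of each EventData element varies with the Sysmon configuration schema version (field additions shift later indices), so `[10]` and the `[14]` used for `$creator` on the line above are presumably correct only for the schema the author tested against and will break, without error, on logs from another Sysmon version. Selecting by the element's Name attribute is stable across versions: `$commandline=($eventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'CommandLine'}).'#text'` and likewise for `$creator` with the name of the intended field (the hunk does not show which field `[14]` is meant to be, so that name should be confirmed from the Sysmon schema rather than assumed). A short comment on the `$creator` line naming the field it expects would also make the next such mismatch visible in review. The enclosing function Main begins and ends outside this hunk.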