Cyberdefense/DeepBlueCLI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Was analyzing Sysmon event 1 image instead of CommandLine. Fixed

Browse Source
This commit is contained in:
Eric Conrad
2021-10-29 16:17:25 -04:00
committed by GitHub
parent 350fe3c134
commit 45d62cbfbe
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
DeepBlue.ps1
View File

@ -518,7 +518,7 @@ function Main {
# Check command lines # Check command lines
if ($event.id -eq 1){ if ($event.id -eq 1){
$creator=$eventXML.Event.EventData.Data[14]."#text" $creator=$eventXML.Event.EventData.Data[14]."#text"
$commandline=$eventXML.Event.EventData.Data[4]."#text" $commandline=$eventXML.Event.EventData.Data[10]."#text"
if ($commandline){ if ($commandline){
Check-Command -EventID 1 Check-Command -EventID 1
} }