From 46bb325e0d2e429b79d85a41a14dcb8dd9c00902 Mon Sep 17 00:00:00 2001 From: Eric Conrad Date: Thu, 28 Oct 2021 11:53:59 -0400 Subject: [PATCH] Inclusive language update --- READMEs/README-DeepWhite.md | 12 ++++++------ safelists/readme.md | 1 + 2 files changed, 7 insertions(+), 6 deletions(-) create mode 100644 safelists/readme.md diff --git a/READMEs/README-DeepWhite.md b/READMEs/README-DeepWhite.md index 3d4e618..d5ae412 100644 --- a/READMEs/README-DeepWhite.md +++ b/READMEs/README-DeepWhite.md @@ -1,12 +1,12 @@ # DeepWhite -Detective whitelisting using Sysmon event logs. +Detective safelisting using Sysmon event logs. Parses the Sysmon event logs, grabbing the SHA256 hashes from process creation (event 1), driver load (event 6, sys), and image load (event 7, DLL) events. -## VirusTotal and Whitelisting setup +## VirusTotal and Safelisting setup -Setting up VirusTotal hash submissions and whitelisting: +Setting up VirusTotal hash submissions and safelisting: The hash checker requires Post-VirusTotal: @@ -59,11 +59,11 @@ You can go *much* further than this with Sysmon. The Sysinternals Sysmon page ha Also see @swiftonsecurity's awesome Sysmon config here: https://github.com/SwiftOnSecurity/sysmon-config -## Generating a Whitelist +## Generating a Safelist -Generate a custom whitelist on Windows (note: this is optional): +Generate a custom safelist on Windows (note: this is optional): ``` -PS C:\> Get-ChildItem c:\windows\system32 -Include '*.exe','*.dll','*.sys','*.com' -Recurse | Get-FileHash| Export-Csv -Path whitelist.csv +PS C:\> Get-ChildItem c:\windows\system32 -Include '*.exe','*.dll','*.sys','*.com' -Recurse | Get-FileHash| Export-Csv -Path safelist.csv ``` Note: this will generate (harmless) 'PermissionDenied' warnings for locked files, etc. They may be ignored. diff --git a/safelists/readme.md b/safelists/readme.md new file mode 100644 index 0000000..cab4008 --- /dev/null +++ b/safelists/readme.md @@ -0,0 +1 @@ +Placeholder for safelists directory
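Review bot: the first README hunk (`@@ -1,12 +1,12 @@`) leaves the tool name inconsistent with the new wording: the heading still reads `# DeepWhite` and the file is still `READMEs/README-DeepWhite.md`, while the line directly beneath now says "Detective safelisting using Sysmon event logs." If the intent is to keep the tool name and only change the feature wording, a short sentence under the heading (or in the commit message) saying so would stop readers from looking for a renamed tool; otherwise the heading and filename should be changed in the same patch so the rename is complete.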
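Review bot: in the `Generating a Safelist` hunk (`@@ -59,11 +59,11 @@`) the documented output file changes from `whitelist.csv` to `safelist.csv`, but the diffstat lists only the two markdown files, so no script that consumes the generated CSV is updated here; if the hash checker still opens the old filename, users following the new instructions will produce a file it never reads. Either keep the filename the scripts expect or change the consumer in the same patch, and consider pointing the command at the new directory added by this patch, e.g. `Export-Csv -Path safelists\safelist.csv`, so the placeholder directory actually receives the file. Minor style point on the same command: adding `-ErrorAction SilentlyContinue` to `Get-ChildItem` would suppress the 'PermissionDenied' warnings that the note below the command tells readers to ignore.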
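Review bot: the new `safelists/readme.md` contains only "Placeholder for safelists directory" and does not say what a contributor should put there or in what format. One sentence stating that the directory holds CSV safelists produced by the `Get-FileHash | Export-Csv` command in README-DeepWhite.md (columns `Algorithm`, `Hash`, `Path`, SHA256 by default, matching the SHA256 hashes the README says are pulled from Sysmon events 1, 6 and 7) would turn the placeholder into usable documentation.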