Cyberdefense/DeepBlueCLI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix Event ID reporting in analysis @scriptedstatement; whitespace cleanup

Browse Source
This commit is contained in:
Joshua Wright
2020-08-18 08:51:54 -04:00
parent d004e13d2e
commit 486dd1f9ce
1 changed files with 19 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
DeepBlue.ps1
View File

@ -32,7 +32,7 @@ https://github.com/sans-blue-team/DeepBlueCLI
# http://ericconrad.com # http://ericconrad.com
# #
param ([string]$file=$env:file,[string]$log=$env:log) param ([string]$file=$env:file,[string]$log=$env:log)
function Main { function Main {
# Set up the global variables # Set up the global variables
@ -77,7 +77,7 @@ function Main {
} }
catch { catch {
Write-Host "Get-WinEvent $filter -ErrorAction Stop" Write-Host "Get-WinEvent $filter -ErrorAction Stop"
Write-Host "Get-WinEvent error: " $_.Exception.Message "`n" Write-Host "Get-WinEvent error: " $_.Exception.Message "`n"
Write-Host "Exiting...`n" Write-Host "Exiting...`n"
exit exit
} }
@ -91,7 +91,7 @@ function Main {
Results = "" Results = ""
Command = "" Command = ""
Decoded = "" Decoded = ""
} }
$eventXML = [xml]$event.ToXml() $eventXML = [xml]$event.ToXml()
$servicecmd=0 # CLIs via service creation get extra checks, this defaults to 0 (no extra checks) $servicecmd=0 # CLIs via service creation get extra checks, this defaults to 0 (no extra checks)
if ($logname -eq "Security"){ if ($logname -eq "Security"){
@ -100,7 +100,7 @@ function Main {
$commandline=$eventXML.Event.EventData.Data[8]."#text" # Process Command Line $commandline=$eventXML.Event.EventData.Data[8]."#text" # Process Command Line
$creator=$eventXML.Event.EventData.Data[13]."#text" # Creator Process Name $creator=$eventXML.Event.EventData.Data[13]."#text" # Creator Process Name
if ($commandline){ if ($commandline){
Check-Command Check-Command -EventID 4688
} }
} }
ElseIf ($event.id -eq 4672){ ElseIf ($event.id -eq 4672){
@ -191,7 +191,7 @@ function Main {
# A member was added to a security-enabled (global|local|universal) group. # A member was added to a security-enabled (global|local|universal) group.
$groupname=$eventXML.Event.EventData.Data[2]."#text" $groupname=$eventXML.Event.EventData.Data[2]."#text"
# Check if group is Administrators, may later expand to all groups # Check if group is Administrators, may later expand to all groups
if ($groupname -eq "Administrators"){ if ($groupname -eq "Administrators"){
$username=$eventXML.Event.EventData.Data[0]."#text" $username=$eventXML.Event.EventData.Data[0]."#text"
$securityid=$eventXML.Event.EventData.Data[1]."#text" $securityid=$eventXML.Event.EventData.Data[1]."#text"
switch ($event.id){ switch ($event.id){
@ -294,7 +294,7 @@ function Main {
# Check for suspicious cmd # Check for suspicious cmd
if ($commandline){ if ($commandline){
$servicecmd=1 # CLIs via service creation get extra checks $servicecmd=1 # CLIs via service creation get extra checks
Check-Command Check-Command -EventID 7045
} }
} }
ElseIf ($event.id -eq 7030){ ElseIf ($event.id -eq 7030){
@ -400,7 +400,7 @@ function Main {
# Remove every line after the "Host Application = " line. # Remove every line after the "Host Application = " line.
$commandline = $commandline -Replace "(?ms)`n.*$","" $commandline = $commandline -Replace "(?ms)`n.*$",""
if ($commandline){ if ($commandline){
Check-Command Check-Command -EventID 4103
} }
} }
} }
@ -435,7 +435,7 @@ function Main {
if (-not ($eventxml.Event.EventData.Data[4]."#text")){ if (-not ($eventxml.Event.EventData.Data[4]."#text")){
$commandline=$eventXML.Event.EventData.Data[2]."#text" $commandline=$eventXML.Event.EventData.Data[2]."#text"
if ($commandline){ if ($commandline){
Check-Command Check-Command -EventID 4104
} }
} }
} }
@ -446,7 +446,7 @@ function Main {
$creator=$eventXML.Event.EventData.Data[14]."#text" $creator=$eventXML.Event.EventData.Data[14]."#text"
$commandline=$eventXML.Event.EventData.Data[4]."#text" $commandline=$eventXML.Event.EventData.Data[4]."#text"
if ($commandline){ if ($commandline){
Check-Command Check-Command -EventID 1
} }
} }
ElseIf ($event.id -eq 7){ ElseIf ($event.id -eq 7){
@ -474,6 +474,7 @@ function Main {
$obj.Message="Multiple admin logons for one account" $obj.Message="Multiple admin logons for one account"
$obj.Results= "Username: $username`n" $obj.Results= "Username: $username`n"
$obj.Results += "User SID Access Count: " + $securityid.split().Count $obj.Results += "User SID Access Count: " + $securityid.split().Count
$obj.EventId = 4672
Write-Output $obj Write-Output $obj
} }
} }
@ -484,6 +485,7 @@ function Main {
$obj.Message="High number of logon failures for one account" $obj.Message="High number of logon failures for one account"
$obj.Results= "Username: $username`n" $obj.Results= "Username: $username`n"
$obj.Results += "Total logon failures: $count" $obj.Results += "Total logon failures: $count"
$obj.EventId = 4625
Write-Output $obj Write-Output $obj
} }
} }
@ -492,6 +494,7 @@ function Main {
$obj.Message="High number of total logon failures for multiple accounts" $obj.Message="High number of total logon failures for multiple accounts"
$obj.Results= "Total accounts: $totalfailedaccounts`n" $obj.Results= "Total accounts: $totalfailedaccounts`n"
$obj.Results+= "Total logon failures: $totalfailedlogons`n" $obj.Results+= "Total logon failures: $totalfailedlogons`n"
$obj.EventId = 4625
Write-Output $obj Write-Output $obj
} }
} }
@ -520,7 +523,7 @@ function Check-Options($file, $log)
Else{ Else{
write-host $log_error write-host $log_error
exit 1 exit 1
} }
} }
else{ # Filename provided, check if it exists: else{ # Filename provided, check if it exists:
if (Test-Path $file){ # File exists. Todo: verify it is an evtx file. if (Test-Path $file){ # File exists. Todo: verify it is an evtx file.
@ -592,6 +595,9 @@ function Create-Filter($file, $logname)
function Check-Command(){ function Check-Command(){
Param($EventID)
$text="" $text=""
$base64="" $base64=""
# Check to see if command is whitelisted # Check to see if command is whitelisted
@ -642,10 +648,11 @@ function Check-Command(){
} }
$obj.Command = $commandline $obj.Command = $commandline
$obj.Results += $text $obj.Results += $text
$obj.EventID = $EventID
Write-Output $obj Write-Output $obj
} }
return return
} }
function Check-Regex($string,$type){ function Check-Regex($string,$type){
$regextext="" # Local variable for return output $regextext="" # Local variable for return output
@ -672,7 +679,7 @@ function Check-Obfu($string){
$nobinarystring = $lowercasestring -replace "[01]" # To catch binary encoding $nobinarystring = $lowercasestring -replace "[01]" # To catch binary encoding
# Calculate the percent alphanumeric/common symbols # Calculate the percent alphanumeric/common symbols
if ($length -gt 0){ if ($length -gt 0){
$percent=(($length-$noalphastring.length)/$length) $percent=(($length-$noalphastring.length)/$length)
# Adjust minpercent for very short commands, to avoid triggering short warnings # Adjust minpercent for very short commands, to avoid triggering short warnings
if (($length/100) -lt $minpercent){ if (($length/100) -lt $minpercent){
$minpercent=($length/100) $minpercent=($length/100)