Fix Event ID reporting in analysis @scriptedstatement; whitespace cleanup
17
DeepBlue.ps1
17
DeepBlue.ps1
@ -100,7 +100,7 @@ function Main {
|
||||
$commandline=$eventXML.Event.EventData.Data[8]."#text" # Process Command Line
|
||||
$creator=$eventXML.Event.EventData.Data[13]."#text" # Creator Process Name
|
||||
if ($commandline){
|
||||
Check-Command
|
||||
Check-Command -EventID 4688
|
||||
}
|
||||
}
|
||||
ElseIf ($event.id -eq 4672){
|
||||
@ -294,7 +294,7 @@ function Main {
|
||||
# Check for suspicious cmd
|
||||
if ($commandline){
|
||||
$servicecmd=1 # CLIs via service creation get extra checks
|
||||
Check-Command
|
||||
Check-Command -EventID 7045
|
||||
}
|
||||
}
|
||||
ElseIf ($event.id -eq 7030){
|
||||
@ -400,7 +400,7 @@ function Main {
|
||||
# Remove every line after the "Host Application = " line.
|
||||
$commandline = $commandline -Replace "(?ms)`n.*$",""
|
||||
if ($commandline){
|
||||
Check-Command
|
||||
Check-Command -EventID 4103
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -435,7 +435,7 @@ function Main {
|
||||
if (-not ($eventxml.Event.EventData.Data[4]."#text")){
|
||||
$commandline=$eventXML.Event.EventData.Data[2]."#text"
|
||||
if ($commandline){
|
||||
Check-Command
|
||||
Check-Command -EventID 4104
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -446,7 +446,7 @@ function Main {
|
||||
$creator=$eventXML.Event.EventData.Data[14]."#text"
|
||||
$commandline=$eventXML.Event.EventData.Data[4]."#text"
|
||||
if ($commandline){
|
||||
Check-Command
|
||||
Check-Command -EventID 1
|
||||
}
|
||||
}
|
||||
ElseIf ($event.id -eq 7){
|
||||
@ -474,6 +474,7 @@ function Main {
|
||||
$obj.Message="Multiple admin logons for one account"
|
||||
$obj.Results= "Username: $username`n"
|
||||
$obj.Results += "User SID Access Count: " + $securityid.split().Count
|
||||
$obj.EventId = 4672
|
||||
Write-Output $obj
|
||||
}
|
||||
}
|
||||
@ -484,6 +485,7 @@ function Main {
|
||||
$obj.Message="High number of logon failures for one account"
|
||||
$obj.Results= "Username: $username`n"
|
||||
$obj.Results += "Total logon failures: $count"
|
||||
$obj.EventId = 4625
|
||||
Write-Output $obj
|
||||
}
|
||||
}
|
||||
@ -492,6 +494,7 @@ function Main {
|
||||
$obj.Message="High number of total logon failures for multiple accounts"
|
||||
$obj.Results= "Total accounts: $totalfailedaccounts`n"
|
||||
$obj.Results+= "Total logon failures: $totalfailedlogons`n"
|
||||
$obj.EventId = 4625
|
||||
Write-Output $obj
|
||||
}
|
||||
}
|
||||
@ -592,6 +595,9 @@ function Create-Filter($file, $logname)
|
||||
|
||||
|
||||
function Check-Command(){
|
||||
|
||||
Param($EventID)
|
||||
|
||||
$text=""
|
||||
$base64=""
|
||||
# Check to see if command is whitelisted
|
||||
@ -642,6 +648,7 @@ function Check-Command(){
|
||||
}
|
||||
$obj.Command = $commandline
|
||||
$obj.Results += $text
|
||||
$obj.EventID = $EventID
|
||||
Write-Output $obj
|
||||
}
|
||||
return
|
||||
|
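Review bot: Check-Command now takes -EventID as a parameter (the hunk at @ -592) but still reads $commandline and $servicecmd from the caller's dynamic scope, so the new parameter only half-closes the function over its inputs; the Main call sites already hold $commandline and could pass it the same way. The parameter is also untyped, so a mistyped call would store a string in the output field — `Param([int]$EventID)` keeps EventId numeric, consistent with the literal assignments `$obj.EventId = 4672` and `$obj.EventId = 4625` added in the Main hunks. Those hunks spell the property `EventId` while Check-Command writes `$obj.EventID`; PowerShell member lookup is case-insensitive so both resolve to the same field, but `$obj.EventId = $EventID` would keep one spelling for anyone filtering the output on that property. Check-Command's body begins inside the first of its two hunks and continues past the second, so whether $obj is created fresh per call is not visible here.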