Add files via upload

This commit is contained in:
Eric Conrad
2016-09-20 15:24:53 -04:00
committed by GitHub
parent 11c208c725
commit 5755000882
3 changed files with 36 additions and 0 deletions

BIN
DeepBlue.ps1 Normal file

Binary file not shown.

27
regexes.txt Normal file

@ -0,0 +1,27 @@
# DeepBlueCLI command regex CSV file
# Include only regex CSV entries or comments beginning with "#"
#
# Format: Match type, regex, output string
# Match types:
# 0: Image Path - regex
# 1: Service Name - regex
#
Type,regex,string
0,^cmd.exe /c echo [a-z]{6} > \\\\.\\pipe\\[a-z]{6}$,Metasploit-style cmd with pipe (possible use of Meterpreter 'getsystem')
0,^%SYSTEMROOT%\\[a-zA-Z]{8}\.exe$,Metasploit-style %SYSTEMROOT% image path (possible use of Metasploit 'Native upload' exploit payload)
0,powershell.*FromBase64String.*IO.Compression.GzipStream,Metasploit-style base64 encoded/compressed PowerShell function (possible use of Metasploit PowerShell exploit payload)
0,DownloadString\(.http,Download via Net.WebClient DownloadString
0,mimikatz,Command referencing Mimikatz
0,Invoke-Mimikatz.ps,PowerSploit Invoke-Mimikatz.ps1
0,PowerSploit.*ps1,Use of PowerSploit
0,User-Agent,User-Agent set via command line
0,[a-zA-Z0-9/+=]{500},500+ consecutive Base64 characters
0,powershell.exe.*Hidden.*Enc,Base64 encoded and hidden PowerShell command
# Generic csc.exe alert, comment out if experiencing false positives
0,\\csc\.exe,Use of C Sharp compiler csc.exe
0,\\csc\.exe.*\\Appdata\\Local\\Temp\\[a-z0-9]{8}\.cmdline,PSAttack-style command via csc.exe
# Generic cvtres.exe alert, comment out if experiencing false positives
0,\\cvtres\.exe.*,Resource File To COFF Object Conversion Utility cvtres.exe
0,\\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp,PSAttack-style command via cvtres.exe
1,^[a-zA-Z]{22}$,Metasploit-style service name: 22 characters, [A-Za-z]
1,^[a-zA-Z]{16}$,Metasploit-style service name: 16 characters, [A-Za-z]
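Review bot: the output strings on the last two lines ("Metasploit-style service name: 22 characters, [A-Za-z]" and the 16-character variant) contain a comma, so a CSV reader that honours the three-column header `Type,regex,string` will split them into a fourth column and the reported string will be truncated at "characters"; either quote the third field or have the loader split on the first two commas only. The regex on the `powershell.exe.*Hidden.*Enc` line is order-dependent: an invocation that puts `-enc` before `-w hidden` does not match, so a second entry with the reversed order (or an alternation) would close that gap. Several patterns leave the dot in `cmd.exe` and `powershell.exe` unescaped, and the `.` inside `\\\\.\\pipe\\` matches any character rather than a literal dot, which is harmless here but inconsistent with the `\.` used elsewhere in the file. Also note the mixed `\\Appdata\\` on the csc.exe line versus `\\AppData\\` on the cvtres.exe line; this only works because PowerShell's `-match` is case-insensitive, and the trailing `.*` on `\\cvtres\.exe.*` is redundant.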

9
whitelist.txt Normal file

@ -0,0 +1,9 @@
# DeepBlueCLI command whitelist
# Currently: one entry (regex) per line
# Read as a CSV file for future growth (may want to add options to each entry)
#
# Include only regex CSV entries, or comments beginning with "#"
#
regex
^"C:\\Program Files\\Google\\Chrome\\Application\\chrome\.exe"
^"C:\\Program Files\\Google\\Update\\GoogleUpdate\.exe"
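Review bot: both whitelist entries are anchored only at the start (`^"C:\\Program Files\\...\\chrome\.exe"`), so any command line that begins with the quoted Chrome or GoogleUpdate path is excluded from every regex check regardless of what follows it; if the intent is to whitelist only these binaries rather than the whole command line, document that prefix-match behaviour in the header comment or extend the patterns to constrain the remainder. The leading `"` also means an unquoted image path (as logged in some event fields) will not match, so consider making the quote optional with `^"?`. Since the header states the file is read as CSV, a future regex containing a comma would be split into extra columns; a note that such entries must be quoted would save a debugging session later.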