From 5755000882064fc50aff91c7187510be85c6922b Mon Sep 17 00:00:00 2001 From: Eric Conrad Date: Tue, 20 Sep 2016 15:24:53 -0400 Subject: [PATCH] Add files via upload --- DeepBlue.ps1 | Bin 0 -> 29986 bytes regexes.txt | 27 +++++++++++++++++++++++++++ whitelist.txt | 9 +++++++++ 3 files changed, 36 insertions(+) create mode 100644 DeepBlue.ps1 create mode 100644 regexes.txt create mode 100644 whitelist.txt 
diff --git a/DeepBlue.ps1 b/DeepBlue.ps1 new file mode 100644 index 0000000000000000000000000000000000000000..c56d296d98dc41d5ceee91c6019dcfafdabf19cf GIT binary patch literal 29986 zcmds=e{&T_c82HQq$=M*C8=t~+FZb3Y;Ts$0>&{_V7m;Cw}R~riv(7X1S`ply^g)S$~=Gxa0fO`lZ@l(uccfTee)JU;8K2a^FkQ z#QgWw|5o=%Ge1uE9dysSZ@bOzsruMcUpMr9M;!Q@dXIDOHrnrru4h$ipShs^TOVlP z?`h)i6OC@(u66fC)viWd>wZox;_l7FkstN%jc#3^wX~)WMcuw;!>Tc(pLG66v*p*Z zj^FDybKTbQZ>hzu{$-U|<73^omezbPwRj4=A4c%kC&TEyaK9U_MTcfo<^^iJaWqIG4 z_z2>FsjPlr$JaV{(A_EcQm^2rniqB%OCGpgum76X{Ep}V=?=S_2~onDfGaN~xwZWK zQqAFsdJg=oZBESOYxQgFxY&KF{)`@PcMkv1txgr%VlLrVpktfzDHh`1kK!8sOKA8) zcG!CRIN1|g|A*G8=HoK{&@X(m?pu?`dqFa2UCLLzQlF$1zN7WBW#3BP2{yqRWxoNB zCC(j5yZW9)P`#<%vb`_83J?U0*wejbo9q+dWn_z0Qk;9wRQyTYyr;ge~7Man{vWTc(G-melMf&m#H-sXo+a zSzpoThG@B|KRnx4I=)O&7nT5z3!TO@#%spc!($5s-E8iyjw4p0VFdj}z9)|SP zlJ!oK4rZNgZl42Vb3l)Weko`B9?quLW9SE69+9}9xz@rs8^=46<|EDh?rZs+lB5r0 z^BC`Et>YX%ZKxfx^g|j0i;niQmSKrs=?v1;m!UbmZ@%s~wCSw!aQW2o01r!V0UbOm zHSe98nwE58G1j`zL?>FESES}Vwq?lIaoi6%iert-_=Di4$EM9i{eAUX8XidQK2CA+ zW;)mB;PP?jOZQen-(}JbPC_N#i1B**j;qp$3rQp9NNnf>9{PSlP(}$IATlHuL0stQ z_OZV8B@0|f-tAA(c1viAmr1T-Pw^Sw@r(A-T%INT{y{jtn5DCu>J2}GJI+h5PAkdq zD`P4iC{{Gn#~IM$rg&xyb#&+q0&D1e4_-Ohg*_b|cdUtvKWc^%!w0|j)TSJvj-*4% z`^RkEGi|}U(!x*CX=@)n&yl8RJJi>+BF|}YFjLf*+VjA}E2qT6pz27PhL76vKNq^P zJzI~X$2eZ=u#6u{a()(ij-zizzM-y{It&K4Bq^UWGESpkP}e^~Ex2_SYBR>X8CqAH z*%Z&2eQ9+j{ZsfWVQC?c`l24v+W-D z^gdA3b1h~2R?!0cZik9S+0!BR4Nng#g+hEZ=PdDLh@~ULdL(}(<}gn)>_O+z0_WbA zFMtM>zS~pj2;S~d(u$XfCuI82ks+so`Z>CqcbA-{spD|a!aEsQD*TcmkGKLh6IH|^E8rPJ;@=>Sv92LValql z$xiYaN_^fcIaD2h<7a1;i0+K6j{5LP$Y_%v?Ds>@YiWnzm9Em_Fx3jQ5IN#bto?zk zAbYX)E{MnH&dWX!d$`^K!WO(p*%@rXa*B@|@AENm^L#LMHG~_ZWsa21!I%eW?X!<^o;LEl zapU?@Z?3c=%W%UxPw08%+`PMu-^IQoTCuHs+M#s&;I({!8+dN$=iAhlM?%rl?p}na z^8e3YLi1gjP}-pTS}W=pVn37?>l1sTAw~UTTc6I;3uan3s^ep6#smG4qrqQdF9ARC zS>jgIql9deMfN_ylf-E(bdKEVYp7><4z8c!8jgFT3yS+bgEv+CSi^COD|51xyv zGKaJ3x|^ytviKVFzAbtB=A@#G47Mv*UFqfg-In<9q4HrD)Gm8%&aF;4%Oy- 
zIB5!VPX4n*8EY9IsQ+3NeI{hP-Tj*=yr~G`Q{@J3>D*V!-kDxJ0=xvIinU#JjTjF< z%(ZsJ6l*C@T+%U}ON*9q+&G!T7gaxT)kkJ`S-icaS+RGqr9FX<^zE9~;WRUNIAg4j zw3;#2`^tZ^=BF9!zWBT?j*~sBXSJ60llR3-^0!p$EYuQxU40z(>$a1wvNH8J!M*FM zS%iZhC_i{b93&@06|xb+dqJ*Ng;wgAUGL;7?tZOqJ;w0YrtYT>%s9o~dR>Xc&T{GL zT+}b45vczg$?HL?%0)gvJg}cDV4(NKID_V8>tV0B-!rWo!8*#$bgjZ?YF}!KJ*V88 z{oK|1Y-6y!UGjnZk{%*_YL{6DS2y9al;d8Nf4!P?4s-LXj(P1AV~+1PvhP*<2}o_9 z=kxuVkjE*{i80}0%L=}Uk;osH9;L^amxXD2+cC>HhL=4r_aAp{h!1yVU9)G`|x}aqSH#N0pf?`;1Y!{u{3a z-NAPPGosEe_S+(pZ-mPg`Q>hgM*wwrzN4IPe}=2+{J0i;owPdgJ7_>2wbl+lVX-3) zlgI0?4;ezdle`XPPxWfB>O7x;u7~He+xDTn6878XM@Z!U_+9T`MVI> zZ%_JH?TDCcK$fU$=~=9+Y29113havGrbgv?v9dC_?-8wD6MWiQwLHTiRm}0eP$+7T z){7?*LUvktnYNC`{QF0=;C{jxV%O})p$T|;_H*!01IN7&;&tR%5TlTv^`XAod$!=$ za*FNg%&VUc%3CYwe%e1yxH3L;9VPC z=UqiA?j{RKpv%-hjv3_Nx$?2Z!*y!3)+diAEQ#qq$S@zn-Ka{-SvD{8G z@DA9r{q7nGrq+H8jqCZ;zw)fgET%nHKXHlWN-7|(iKk3R&&mPBEu~+1${K|Qw zrFmYU9v%$#w)P6MO(ovSPf8jO(Z}P2dQjevcO1t>BwT0fk-w6A*_TC{9lt>1XByS9 zC9z%1C!Vc~T`|AUB9CNR{3J)v)vjJO9XVR-)4^}sn06a-&!t?(4xFD;{z9wClN9hZ z_&b#3SWD|9k`OfKx<~GU1F`#3u4P!;IJQ=QNN1~u8Y7~=p}h)LFgGWNHmG`rdJIM%BqDX7x=!JbU=c(JfAkJsd zy6mNv10)amc1zuQOZ(a6w|P$ndW8Nk|G?Xf5kU_& zf!Vt6g<3xp-?sIKWpG^@edGI?mdG1{Uc_>|t0SWgJ(OGtp2iVgj6ctx_d4-dh)URd zaQ@HHBB+~fLG8^_13#n)juE*zV-uXflYODq^apw%Cy$fGU~huTVIwhdDOdbX7@{tG zkkIAmZO*L8{ewlpO*{ts)Qi_tV-NX-x6OB>Xk5=+rnUsi+28RSjrf&wd(fQM-x%)- z2zYs@F{WeDjiqat?O;afd!pc(tWVTh)bzkBa2-zPT+WoNOuaE8(K_{(h$*^jBnS%QnBO5W)yFi>MPL7S-s=z)#c_->cGtlXN3PaM z@1aa_BYF*Fo@zVI{pqLjY6%|q(SsfzTklec7CfP6v{?htVwBjSC&J;kb#=Y_XJKRZkEU0+eYJgdxyLlL*x7f%TFya-5|^@vxL)8r z-h$%^Vn{r)Y7jeSIv+5R~;?(v4q~-o^P!v+$(91*gl^-egVZZMU zC~!+`Lg3i&F7HXAp|Lv|-mY=`&O&}#H)uQ^k)qgQ)(NBodu1=bD^95ft{ z`iAzjwsy;GXv-D`f`RI#bg)6?(G#mbUGz^o;Ap9NOA;l(jvZEG^fp<q7l2+vAqadK-FgPbMtXjim2GPx|d(K%2JG_pa&swXmQ?*BGLd6#jbX zfX3&FAFt{h@7uFreql#z{Pzs#J+9YwcDcs#Ued6rWwpu_o}6|zt&zrKiE^dhCN{bL z_}9m#zE@mYo!TcJ^NaD1kPE+&IKMj(zqsDbiAsxib%iH2$l8&c^c$Ty3pII%l{3RP z=W!N~B)<*7&yx53qx^K2HKD}b&GgPKdbut?ba);Ayw1y&HG%f<>bXVL;gDWx*vhe^ 
zHYcJ&_~g0(*Q3A}GR?!D#^0)$ea@Py;5Z&=S;th4xG1dPI+|=5J{hHI3AWk)t1G2>X1a9dFbO z>guYAFLl)#ij20o$rb3!n#}Vmbwz$(!=jdkcj1Lzl7~1*W8m?TRq4m&NEg?jgJbMp zdxsW&F%PdHBe0)cYa?_#6!*Lr!^rG$#*yD)vE~ z@8PL5B7MBhZMBWvg|V4hFJdOK6K_ttI@V7cSxU&Yv!g^5&b!Irfk$R8P#O4K??9Jw zUCP-QVyx>46!wHz59-SvbvO0<-!i^il-?Tots(@!EgQdJTnoziyZUoX znp)L^t{GfQRNYBbZJo%#wvfA=(FN5R5_u1+;cCghqxFSncO_+hQ_(m*C6=yBBje5Z zw@zdNtMWkW5cON%sM=sIFQSfed~|fMuB9|L=F#zuo+BdPJLE@3sB&$Bp88yCP3U>N z_ORx5mcO#!F=@%I$GK9kiDjVF7jSi<{j9%Bn|W%K)d55I6U`s%yZg@fjIUU5YD1E8 zUw86e0Z;&+l|31r-l8@J>k~CCxnE;hRP&Yd4-GS#wGfZIDK$HNTD_+{U3t2h@PRwQ z3Ep%2nU1eS?dP%(|Ecd_A61c`izm#Bidnppl3QDnoJUE=^8XC+t#n|y^x^50v*l^= z($)r7)#1$;u(su^{lhivHo$K_L$1ChWZm)#u^Rj?E4c#?Wg=xL8x(A;l) z%QiLliWIt{li0@9b$IS%eO-NZS6UQrW65Q+U3iKI%`Vq0g~?yjs$jzt4+T z>oMckwESeu%A+kRZJRHt!+E#SBq+=6m$hqOug})MGRH$}$0R1V1l5;iTY~mD!nM4+ zY5Vb@>L*w7QD^H)Cw7d-qDo_PSdyT=C2#eNgQD>7r|W@QblYYl<5Q^h@R=Wi9|<5+#TG`T$OoB?cFeDRMjHUXT)yj8A)qC}!p(ZQstj zc9=o_xK6j6L7V!wM{kW@k(nshXrUDV-S$(IgM_lab++Uit \\\\.\\pipe\\[a-z]{6}$,Metasploit-style cmd with pipe (possible use of Meterpreter 'getsystem') +0,^%SYSTEMROOT%\\[a-zA-Z]{8}\.exe$,Metasploit-style %SYSTEMROOT% image path (possible use of Metasploit 'Native upload' exploit payload) +0,powershell.*FromBase64String.*IO.Compression.GzipStream,Metasploit-style base64 encoded/compressed PowerShell function (possible use of Metasploit PowerShell exploit payload) +0,DownloadString\(.http,Download via Net.WebClient DownloadString +0,mimikatz,Command referencing Mimikatz +0,Invoke-Mimikatz.ps,PowerSploit Invoke-Mimikatz.ps1 +0,PowerSploit.*ps1,Use of PowerSploit +0,User-Agent,User-Agent set via command line +0,[a-zA-Z0-9/+=]{500},500+ consecutive Base64 characters +0,powershell.exe.*Hidden.*Enc,Base64 encoded and hidden PowerShell command +# Generic csc.exe alert, comment out if experiencing false positives +0,\\csc\.exe,Use of C Sharp compiler csc.exe +0,\\csc\.exe.*\\Appdata\\Local\\Temp\\[a-z0-9]{8}\.cmdline,PSAttack-style command via csc.exe +# Generic 
cvtres.exe alert, comment out if experiencing false positives
+0,\\cvtres\.exe.*,Resource File To COFF Object Conversion Utility cvtres.exe
+0,\\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp,PSAttack-style command via cvtres.exe
+1,^[a-zA-Z]{22}$,Metasploit-style service name: 22 characters, [A-Za-z]
+1,^[a-zA-Z]{16}$,Metasploit-style service name: 16 characters, [A-Za-z]
diff --git a/whitelist.txt b/whitelist.txt
new file mode 100644
index 0000000..1707c21
--- /dev/null
+++ b/whitelist.txt
@@ -0,0 +1,9 @@
+# DeepBlueCLI command whitelist
+# Currently: one entry (regex) per line
+# Read as a CSV file for future growth (may want to add options to each entry)
+#
+# Include only regex CSV entries, or comments beginning with "#"
+#
+regex
+^"C:\\Program Files\\Google\\Chrome\\Application\\chrome\.exe"
+^"C:\\Program Files\\Google\\Update\\GoogleUpdate\.exe"
\ No newline at end of file
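Review bot: The two whitelist patterns at the end of whitelist.txt anchor only the start of the command line (`^"C:\\Program Files\\...\\chrome\.exe"` with no closing `$`), so every command line that begins with the quoted executable path is suppressed regardless of the arguments that follow; the header comment should state that, e.g. `# Entries are prefix matches: a command line starting with a whitelisted path is suppressed together with its arguments`. The header also says the file is read as CSV with a single `regex` column, so a future pattern containing a literal comma would be split into two fields; a line such as `# Quote an entry if the regex itself contains a comma` would prevent that mistake. Whether these patterns match case-sensitively depends on the PowerShell consumer, which is not reviewable here because DeepBlue.ps1 is uploaded as a binary blob, so that is worth documenting in the header as well.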