Disable Metasploit psexec detect due to false-positive conflict with MS Exchange; revise alert for _Multiple admin logons for one account_ to show attempt count instead of unique event IDs

This commit is contained in:
Joshua Wright
2019-05-06 14:34:31 -04:00
parent 1708e03fc3
commit 612cde1cf3
2 changed files with 19 additions and 18 deletions


@ -158,23 +158,24 @@ function Main {
Write-Output($obj) Write-Output($obj)
} }
# This unique privilege list is used by Metasploit exploit/windows/smb/psexec (v5.0.4 tested) # This unique privilege list is used by Metasploit exploit/windows/smb/psexec (v5.0.4 tested)
If ($privileges -Match "SeSecurityPrivilege" ` # # Disabling due to false-positive with MS Exchange Server
-And $privileges -Match "SeBackupPrivilege" ` # If ($privileges -Match "SeSecurityPrivilege" `
-And $privileges -Match "SeRestorePrivilege" ` # -And $privileges -Match "SeBackupPrivilege" `
-And $privileges -Match "SeTakeOwnershipPrivilege" ` # -And $privileges -Match "SeRestorePrivilege" `
-And $privileges -Match "SeDebugPrivilege" ` # -And $privileges -Match "SeTakeOwnershipPrivilege" `
-And $privileges -Match "SeSystemEnvironmentPrivilege" ` # -And $privileges -Match "SeDebugPrivilege" `
-And $privileges -Match "SeLoadDriverPrivilege" ` # -And $privileges -Match "SeSystemEnvironmentPrivilege" `
-And $privileges -Match "SeImpersonatePrivilege" ` # -And $privileges -Match "SeLoadDriverPrivilege" `
-And $privileges -Match "SeDelegateSessionUserImpersonatePrivilege") { # -And $privileges -Match "SeImpersonatePrivilege" `
$obj.Message = "Metasploit psexec Privilege Use" # -And $privileges -Match "SeDelegateSessionUserImpersonatePrivilege") {
$obj.Results = "Username: $username`n" # $obj.Message = "Metasploit psexec Privilege Use"
$obj.Results += "Domain: $domain`n" # $obj.Results = "Username: $username`n"
$obj.Results += "User SID: $securityid`n" # $obj.Results += "Domain: $domain`n"
$pprivileges = $privileges -replace "`n",", " -replace "\s+"," " # $obj.Results += "User SID: $securityid`n"
$obj.Results += "Privileges: $pprivileges" # $pprivileges = $privileges -replace "`n",", " -replace "\s+"," "
Write-Output($obj) # $obj.Results += "Privileges: $pprivileges"
} # Write-Output($obj)
# }
} }
ElseIf ($event.id -eq 4720){ ElseIf ($event.id -eq 4720){
# A user account was created. # A user account was created.
@ -471,7 +472,7 @@ function Main {
if($multipleadminlogons.$username){ if($multipleadminlogons.$username){
$obj.Message="Multiple admin logons for one account" $obj.Message="Multiple admin logons for one account"
$obj.Results= "Username: $username`n" $obj.Results= "Username: $username`n"
$obj.Results += "User SIDs: $securityid" $obj.Results += "User SID Access Count: " + $securityid.split().Count
Write-Output $obj Write-Output $obj
} }
} }
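Review bot: `$securityid.split().Count` on the changed line in the second hunk (`@ -471,7 +472,7 @@`) splits on any whitespace and keeps empty entries, so if the accumulated SID string carries a leading/trailing or doubled separator (how `$securityid` is built is outside this hunk) the reported count is inflated by the empty elements. A count that ignores empties is `$obj.Results += "User SID Access Count: " + ($securityid -split '\s+' | Where-Object { $_ }).Count`. The new label also drops the SID values the old line printed; if they are still useful to an analyst, keep them on a preceding line, e.g. `$obj.Results += "User SIDs: $securityid`n"`. The enclosing `function Main` starts and ends outside this hunk.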

Binary file not shown.