Cyberdefense/DeepBlueCLI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #26 from sans-blue-team/Conrad-test

Browse Source 
Inclusive language update
This commit is contained in:
Eric Conrad
2021-10-28 09:07:53 -07:00
committed by GitHub
parent 45c21e3821 15999a1243
commit 8b15218ae3
9 changed files with 107 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
DeepBlue.ps1
View File

@ -40,8 +40,8 @@ function Main {
$minlength=1000 # Minimum length of command line to alert $minlength=1000 # Minimum length of command line to alert
# Load cmd match regexes from csv file, ignore comments # Load cmd match regexes from csv file, ignore comments
$regexes = Get-Content ".\regexes.txt" | Select-String '^[^#]' | ConvertFrom-Csv $regexes = Get-Content ".\regexes.txt" | Select-String '^[^#]' | ConvertFrom-Csv
# Load cmd whitelist regexes from csv file, ignore comments # Load cmd safelist regexes from csv file, ignore comments
$whitelist = Get-Content ".\whitelist.txt" | Select-String '^[^#]' | ConvertFrom-Csv $safelist = Get-Content ".\safelist.txt" | Select-String '^[^#]' | ConvertFrom-Csv
$logname=Check-Options $file $log $logname=Check-Options $file $log
#"Processing the " + $logname + " log..." #"Processing the " + $logname + " log..."
$filter=Create-Filter $file $logname $filter=Create-Filter $file $logname
@ -671,10 +671,10 @@ function Check-Command(){
$text="" $text=""
$base64="" $base64=""
# Check to see if command is whitelisted # Check to see if command is safelisted
foreach ($entry in $whitelist) { foreach ($entry in $safelist) {
if ($commandline -Match $entry.regex) { if ($commandline -Match $entry.regex) {
# Command is whitelisted, return nothing # Command is safelisted, return nothing
return return
} }
} }

12
DeepWhite-checker.ps1
View File

@ -3,12 +3,12 @@
# Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/ # Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/
# #
$hashdirectory = ".\hashes" $hashdirectory = ".\hashes"
$whitelistfile=".\file-whitelist.csv" $safelistfile=".\file-safelist.csv"
# Load the whitelist into a hash table # Load the safelist into a hash table
if (Test-Path $whitelistfile){ if (Test-Path $safelistfile){
$whitelist = Get-Content $whitelistfile | Select-String '^[^#]' | ConvertFrom-Csv $safelist = Get-Content $safelistfile | Select-String '^[^#]' | ConvertFrom-Csv
$hashes=@{} $hashes=@{}
foreach($entry in $whitelist){ foreach($entry in $safelist){
$hashes[$entry.sha256]=$entry.path $hashes[$entry.sha256]=$entry.path
} }
} }
@ -17,7 +17,7 @@ Get-ChildItem $hashdirectory | Foreach-Object{
if ($_.Name -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings if ($_.Name -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings
$SHA256=$_.Name $SHA256=$_.Name
if ($hashes.containsKey($SHA256)){ if ($hashes.containsKey($SHA256)){
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.whitelisted" Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.safelisted"
} }
Else{ Else{
try{ try{

2
README.md
View File

@ -20,7 +20,7 @@ Sample evtx files are in the .\evtx directory
- [Output](#output) - [Output](#output)
- [Logging setup](#logging-setup) - [Logging setup](#logging-setup)
- See the [DeepBlue.py Readme](READMEs/README-DeepBlue.py.md) for information on DeepBlue.py - See the [DeepBlue.py Readme](READMEs/README-DeepBlue.py.md) for information on DeepBlue.py
- See the [DeepWhite Readme](READMEs/README-DeepWhite.md) for information on DeepWhite (detective whitelisting using Sysmon event logs) - See the [DeepWhite Readme](READMEs/README-DeepWhite.md) for information on DeepWhite (detective safelisting using Sysmon event logs)
## Usage: ## Usage:

12
READMEs/README-DeepWhite.md
View File

@ -1,12 +1,12 @@
# DeepWhite # DeepWhite
Detective whitelisting using Sysmon event logs. Detective safelisting using Sysmon event logs.
Parses the Sysmon event logs, grabbing the SHA256 hashes from process creation (event 1), driver load (event 6, sys), and image load (event 7, DLL) events. Parses the Sysmon event logs, grabbing the SHA256 hashes from process creation (event 1), driver load (event 6, sys), and image load (event 7, DLL) events.
## VirusTotal and Whitelisting setup ## VirusTotal and Safelisting setup
Setting up VirusTotal hash submissions and whitelisting: Setting up VirusTotal hash submissions and safelisting:
The hash checker requires Post-VirusTotal: The hash checker requires Post-VirusTotal:
@ -59,11 +59,11 @@ You can go *much* further than this with Sysmon. The Sysinternals Sysmon page ha
Also see @swiftonsecurity's awesome Sysmon config here: https://github.com/SwiftOnSecurity/sysmon-config Also see @swiftonsecurity's awesome Sysmon config here: https://github.com/SwiftOnSecurity/sysmon-config
## Generating a Whitelist ## Generating a Safelist
Generate a custom whitelist on Windows (note: this is optional): Generate a custom safelist on Windows (note: this is optional):
``` ```
PS C:\> Get-ChildItem c:\windows\system32 -Include '*.exe','*.dll','*.sys','*.com' -Recurse | Get-FileHash| Export-Csv -Path whitelist.csv PS C:\> Get-ChildItem c:\windows\system32 -Include '*.exe','*.dll','*.sys','*.com' -Recurse | Get-FileHash| Export-Csv -Path safelist.csv
``` ```
Note: this will generate (harmless) 'PermissionDenied' warnings for locked files, etc. They may be ignored. Note: this will generate (harmless) 'PermissionDenied' warnings for locked files, etc. They may be ignored.

0
whitelist.txt → safelist.txt
View File

1
safelists/readme.md Normal file
View File

@ -0,0 +1 @@
Placeholder for safelists directory

0
whitelists/win10-x64.csv → safelists/win10-x64.csv
View File

Can't render this file because it is too large.

1
whitelists/readme.md
View File

@ -1 +0,0 @@
Placeholder for whitelists directory