Merge pull request #26 from sans-blue-team/Conrad-test

Inclusive language update
This commit is contained in:
Eric Conrad
2021-10-28 09:07:53 -07:00
committed by GitHub
9 changed files with 107 additions and 107 deletions


@ -40,8 +40,8 @@ function Main {
$minlength=1000 # Minimum length of command line to alert $minlength=1000 # Minimum length of command line to alert
# Load cmd match regexes from csv file, ignore comments # Load cmd match regexes from csv file, ignore comments
$regexes = Get-Content ".\regexes.txt" | Select-String '^[^#]' | ConvertFrom-Csv $regexes = Get-Content ".\regexes.txt" | Select-String '^[^#]' | ConvertFrom-Csv
# Load cmd whitelist regexes from csv file, ignore comments # Load cmd safelist regexes from csv file, ignore comments
$whitelist = Get-Content ".\whitelist.txt" | Select-String '^[^#]' | ConvertFrom-Csv $safelist = Get-Content ".\safelist.txt" | Select-String '^[^#]' | ConvertFrom-Csv
$logname=Check-Options $file $log $logname=Check-Options $file $log
#"Processing the " + $logname + " log..." #"Processing the " + $logname + " log..."
$filter=Create-Filter $file $logname $filter=Create-Filter $file $logname
@ -671,10 +671,10 @@ function Check-Command(){
$text="" $text=""
$base64="" $base64=""
# Check to see if command is whitelisted # Check to see if command is safelisted
foreach ($entry in $whitelist) { foreach ($entry in $safelist) {
if ($commandline -Match $entry.regex) { if ($commandline -Match $entry.regex) {
# Command is whitelisted, return nothing # Command is safelisted, return nothing
return return
} }
} }
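Review bot: The renamed safelist file is read at `Get-Content ".\safelist.txt"` (line 17) with no existence check, unlike the `Test-Path` guard the checker script uses for its own safelist; if the file is missing — as it will be for an existing deployment that still ships `whitelist.txt` — Get-Content emits a non-terminating error, `$safelist` is left empty, and the `foreach ($entry in $safelist)` loop in the Check-Command hunk matches nothing, so every command is reported as if no safelist existed. That is the safe failure direction, but it is silent. A guard such as `if (-not (Test-Path ".\safelist.txt")) { Write-Warning "safelist.txt not found; no commands will be safelisted" }` placed before the Get-Content would make the migration visible to operators. Both Main and Check-Command start and end outside their hunks.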


@ -1,58 +1,58 @@
# Requires Posh-VirusTotal: https://github.com/darkoperator/Posh-VirusTotal # Requires Posh-VirusTotal: https://github.com/darkoperator/Posh-VirusTotal
# #
# Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/ # Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/
# #
$hashdirectory = ".\hashes" $hashdirectory = ".\hashes"
$whitelistfile=".\file-whitelist.csv" $safelistfile=".\file-safelist.csv"
# Load the whitelist into a hash table # Load the safelist into a hash table
if (Test-Path $whitelistfile){ if (Test-Path $safelistfile){
$whitelist = Get-Content $whitelistfile | Select-String '^[^#]' | ConvertFrom-Csv $safelist = Get-Content $safelistfile | Select-String '^[^#]' | ConvertFrom-Csv
$hashes=@{} $hashes=@{}
foreach($entry in $whitelist){ foreach($entry in $safelist){
$hashes[$entry.sha256]=$entry.path $hashes[$entry.sha256]=$entry.path
} }
} }
Get-ChildItem $hashdirectory | Foreach-Object{ Get-ChildItem $hashdirectory | Foreach-Object{
if ($_.Name -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings if ($_.Name -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings
$SHA256=$_.Name $SHA256=$_.Name
if ($hashes.containsKey($SHA256)){ if ($hashes.containsKey($SHA256)){
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.whitelisted" Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.safelisted"
} }
Else{ Else{
try{ try{
$VTreport = Get-VTFileReport $SHA256 $VTreport = Get-VTFileReport $SHA256
} }
catch { catch {
Write-Host "`r`nAttempted to run: Get-VTFileReport $SHA256`r`r" Write-Host "`r`nAttempted to run: Get-VTFileReport $SHA256`r`r"
Write-Host "Error: " $_.Exception.Message "`n" Write-Host "Error: " $_.Exception.Message "`n"
Write-Host "Have you installed Posh-VirusTotal and set the VirusTotal API key?" Write-Host "Have you installed Posh-VirusTotal and set the VirusTotal API key?"
Write-Host " - See: https://github.com/darkoperator/Posh-VirusTotal`r`n" Write-Host " - See: https://github.com/darkoperator/Posh-VirusTotal`r`n"
Write-Host "Once you have installed Posh-VirusTotal and have a VirusTotal API key, run the following command:`r`n" Write-Host "Once you have installed Posh-VirusTotal and have a VirusTotal API key, run the following command:`r`n"
Write-Host "Set-VTAPIKey -APIKey <API Key>`r`n" Write-Host "Set-VTAPIKey -APIKey <API Key>`r`n"
Write-Host "Exiting...`n" Write-Host "Exiting...`n"
exit exit
} }
if ($VTreport.positives -eq 0){ if ($VTreport.positives -eq 0){
# File is clean # File is clean
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.clean" Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.clean"
} }
ElseIf ($VTreport.positives -gt 0){ ElseIf ($VTreport.positives -gt 0){
# File is flagged by Virustotal # File is flagged by Virustotal
$positives=$VTreport.positives $positives=$VTreport.positives
Write-Host " - Hash was detected by $positives Virustotal scanners" Write-Host " - Hash was detected by $positives Virustotal scanners"
if ($positives -eq 1){ if ($positives -eq 1){
Write-Host " - Don't Panic (yet)! There is only one positive, which may be a sign of a false positive." Write-Host " - Don't Panic (yet)! There is only one positive, which may be a sign of a false positive."
Write-Host " - Check the VirusTotal report for more information." Write-Host " - Check the VirusTotal report for more information."
} }
Write-Host " - See $hashdirectory\$SHA256.Virustotal for the full report`r`n" Write-Host " - See $hashdirectory\$SHA256.Virustotal for the full report`r`n"
$VTreport | Set-Content "$hashdirectory\$SHA256.Virustotal" $VTreport | Set-Content "$hashdirectory\$SHA256.Virustotal"
# Rename original hash file, add the Virustotal positive count as a numbered extension # Rename original hash file, add the Virustotal positive count as a numbered extension
# $SHA256.$positives # $SHA256.$positives
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.$positives" Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.$positives"
} }
# Wait 15 seconds between submissions, for public Virustotal API keys # Wait 15 seconds between submissions, for public Virustotal API keys
Start-Sleep -s 15 Start-Sleep -s 15
} }
} }
} }
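Review bot: `$hashes=@{}` (line 44) is only initialised inside the `if (Test-Path $safelistfile)` block, so when `.\file-safelist.csv` is absent the `$hashes.containsKey($SHA256)` call at line 52 is invoked on an unset variable and PowerShell raises a null-valued-expression error rather than treating the hash as not safelisted. The rename makes this path more likely, since an existing deployment whose file is still named `file-whitelist.csv` will hit it on the first hash it examines. Moving `$hashes=@{}` above the `if` fixes the error; a `Write-Warning "safelist not found; every hash will be submitted to VirusTotal"` in an else branch would additionally make it clear that no safelist is being applied before hashes of local binaries are sent to a third party. The top-level ForEach-Object block is contained entirely within the hunk.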


@ -1,38 +1,38 @@
$hashdirectory=".\hashes\" $hashdirectory=".\hashes\"
$events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7} $events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7}
ForEach ($event in $events) { ForEach ($event in $events) {
if ($event.id -eq 1){ # Process creation if ($event.id -eq 1){ # Process creation
$path=$event.Properties[3].Value # Full path of the file $path=$event.Properties[3].Value # Full path of the file
$hash=$event.Properties[11].Value # Hashes $hash=$event.Properties[11].Value # Hashes
} }
Else{ Else{
# Hash and path are part of the message field in Sysmon events 6 and 7. Need to parse the XML # Hash and path are part of the message field in Sysmon events 6 and 7. Need to parse the XML
$eventXML = [xml]$event.ToXml() $eventXML = [xml]$event.ToXml()
If ($event.id -eq 6){ # Driver (.sys) load If ($event.id -eq 6){ # Driver (.sys) load
$path=$eventxml.Event.EventData.Data[1]."#text" # Full path of the file $path=$eventxml.Event.EventData.Data[1]."#text" # Full path of the file
$hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes $hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes
} }
ElseIf ($event.id -eq 7){ # Image (.dll) load ElseIf ($event.id -eq 7){ # Image (.dll) load
$path=$eventxml.Event.EventData.Data[4]."#text" # Full path of the file $path=$eventxml.Event.EventData.Data[4]."#text" # Full path of the file
$hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes $hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes
} }
Else{ Else{
Out-Host "Logic error 1, should not reach here..." Out-Host "Logic error 1, should not reach here..."
Exit 1 Exit 1
} }
} }
# Multiple hashes may be logged, we want SHA256. Remove everything through "SHA256=" # Multiple hashes may be logged, we want SHA256. Remove everything through "SHA256="
$SHA256= $hash -Replace "^.*SHA256=","" $SHA256= $hash -Replace "^.*SHA256=",""
# Split the string on commas, grab field 0 # Split the string on commas, grab field 0
$SHA256=$SHA256.Split(",")[0] $SHA256=$SHA256.Split(",")[0]
if ($SHA256 -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings if ($SHA256 -Match '^[0-9A-F]{64}$'){ # SHA256 hashes are 64 character hex strings
$hashfile="$hashdirectory\$SHA256" $hashfile="$hashdirectory\$SHA256"
if (-not (Test-Path "$hashfile*")){ if (-not (Test-Path "$hashfile*")){
# Hash file doesn't exist (or any variants with extensions), create it # Hash file doesn't exist (or any variants with extensions), create it
$path | Set-Content $hashfile $path | Set-Content $hashfile
} }
} }
Else{ Else{
Out-Host "No SHA256 hash found. Ensure Sysmon is creating SHA256 hashes" Out-Host "No SHA256 hash found. Ensure Sysmon is creating SHA256 hashes"
} }
} }


@ -20,7 +20,7 @@ Sample evtx files are in the .\evtx directory
- [Output](#output) - [Output](#output)
- [Logging setup](#logging-setup) - [Logging setup](#logging-setup)
- See the [DeepBlue.py Readme](READMEs/README-DeepBlue.py.md) for information on DeepBlue.py - See the [DeepBlue.py Readme](READMEs/README-DeepBlue.py.md) for information on DeepBlue.py
- See the [DeepWhite Readme](READMEs/README-DeepWhite.md) for information on DeepWhite (detective whitelisting using Sysmon event logs) - See the [DeepWhite Readme](READMEs/README-DeepWhite.md) for information on DeepWhite (detective safelisting using Sysmon event logs)
## Usage: ## Usage:


@ -1,12 +1,12 @@
# DeepWhite # DeepWhite
Detective whitelisting using Sysmon event logs. Detective safelisting using Sysmon event logs.
Parses the Sysmon event logs, grabbing the SHA256 hashes from process creation (event 1), driver load (event 6, sys), and image load (event 7, DLL) events. Parses the Sysmon event logs, grabbing the SHA256 hashes from process creation (event 1), driver load (event 6, sys), and image load (event 7, DLL) events.
## VirusTotal and Whitelisting setup ## VirusTotal and Safelisting setup
Setting up VirusTotal hash submissions and whitelisting: Setting up VirusTotal hash submissions and safelisting:
The hash checker requires Post-VirusTotal: The hash checker requires Post-VirusTotal:
@ -59,11 +59,11 @@ You can go *much* further than this with Sysmon. The Sysinternals Sysmon page ha
Also see @swiftonsecurity's awesome Sysmon config here: https://github.com/SwiftOnSecurity/sysmon-config Also see @swiftonsecurity's awesome Sysmon config here: https://github.com/SwiftOnSecurity/sysmon-config
## Generating a Whitelist ## Generating a Safelist
Generate a custom whitelist on Windows (note: this is optional): Generate a custom safelist on Windows (note: this is optional):
``` ```
PS C:\> Get-ChildItem c:\windows\system32 -Include '*.exe','*.dll','*.sys','*.com' -Recurse | Get-FileHash| Export-Csv -Path whitelist.csv PS C:\> Get-ChildItem c:\windows\system32 -Include '*.exe','*.dll','*.sys','*.com' -Recurse | Get-FileHash| Export-Csv -Path safelist.csv
``` ```
Note: this will generate (harmless) 'PermissionDenied' warnings for locked files, etc. They may be ignored. Note: this will generate (harmless) 'PermissionDenied' warnings for locked files, etc. They may be ignored.

safelists/readme.md Normal file

@ -0,0 +1 @@
Placeholder for safelists directory




@ -1 +0,0 @@
Placeholder for whitelists directory