Merge pull request #25 from netscylla/wmi-events

WMI events
This commit is contained in:
Eric Conrad
2023-06-07 13:41:55 -04:00
committed by GitHub
2 changed files with 18 additions and 1 deletions


@ -540,10 +540,23 @@ function Main {
} }
} }
} }
ElseIf ($logname -eq "WMI-Activity"){
# Check commandlines for suspicious commands
if ($event.id -eq 5861){
if($event.Message -match ".*CommandLineTemplate\s=\s(.*?);"){
$command = $event.message
$obj.Message = "Suspicous WMI Event Filter"
$obj.Results += "Event Triggered Execution: WMI - T1546.003`n"
$obj.Results += $event.message
$obj.Command=$matches[0].Split("=")[1]
Write-Output $obj
}
}
}
} }
# Iterate through admin logons hashtable (key is $username) # Iterate through admin logons hashtable (key is $username)
foreach ($username in $adminlogons.Keys) { foreach ($username in $adminlogons.Keys) {
$securityid=$adminlogons.Get_Item($username) $securityid=$adminlogons.Get_Item($username)
if($multipleadminlogons.$username){ if($multipleadminlogons.$username){
$obj.Message="Multiple admin logons for one account" $obj.Message="Multiple admin logons for one account"
$obj.Results= "Username: $username`n" $obj.Results= "Username: $username`n"
@ -621,6 +634,7 @@ function Check-Options($file, $log)
"Microsoft-Windows-AppLocker/EXE and DLL" {$logname="Applocker"} "Microsoft-Windows-AppLocker/EXE and DLL" {$logname="Applocker"}
"Microsoft-Windows-PowerShell/Operational" {$logname="Powershell"} "Microsoft-Windows-PowerShell/Operational" {$logname="Powershell"}
"Microsoft-Windows-Sysmon/Operational" {$logname="Sysmon"} "Microsoft-Windows-Sysmon/Operational" {$logname="Sysmon"}
"Microsoft-Windows-WMI-Activity/Operational" {$logname="WMI-Activity"}
default {"Logic error 3, should not reach here...";Exit 1} default {"Logic error 3, should not reach here...";Exit 1}
} }
} }
@ -642,6 +656,7 @@ function Create-Filter($file, $logname)
$applocker_events="8003,8004,8006,8007" $applocker_events="8003,8004,8006,8007"
$powershell_events="4103,4104" $powershell_events="4103,4104"
$sysmon_events="1,7" $sysmon_events="1,7"
$wmi_events="5861"
if ($file -ne ""){ if ($file -ne ""){
switch ($logname){ switch ($logname){
"Security" {$filter="@{path=""$file"";ID=$sec_events}"} "Security" {$filter="@{path=""$file"";ID=$sec_events}"}
@ -650,6 +665,7 @@ function Create-Filter($file, $logname)
"Applocker" {$filter="@{path=""$file"";ID=$applocker_events}"} "Applocker" {$filter="@{path=""$file"";ID=$applocker_events}"}
"Powershell" {$filter="@{path=""$file"";ID=$powershell_events}"} "Powershell" {$filter="@{path=""$file"";ID=$powershell_events}"}
"Sysmon" {$filter="@{path=""$file"";ID=$sysmon_events}"} "Sysmon" {$filter="@{path=""$file"";ID=$sysmon_events}"}
"WMI-Activity"{$filter="@{path=""$file"";ID=$wmi_events}"}
default {"Logic error 1, should not reach here...";Exit 1} default {"Logic error 1, should not reach here...";Exit 1}
} }
} }
@ -661,6 +677,7 @@ function Create-Filter($file, $logname)
"Applocker" {$filter="@{logname=""Microsoft-Windows-AppLocker/EXE and DLL"";ID=$applocker_events}"} "Applocker" {$filter="@{logname=""Microsoft-Windows-AppLocker/EXE and DLL"";ID=$applocker_events}"}
"Powershell" {$filter="@{logname=""Microsoft-Windows-PowerShell/Operational"";ID=$powershell_events}"} "Powershell" {$filter="@{logname=""Microsoft-Windows-PowerShell/Operational"";ID=$powershell_events}"}
"Sysmon" {$filter="@{logname=""Microsoft-Windows-Sysmon/Operational"";ID=$sysmon_events}"} "Sysmon" {$filter="@{logname=""Microsoft-Windows-Sysmon/Operational"";ID=$sysmon_events}"}
"WMI-Activity"{$filter="@{logname=""Microsoft-Windows-WMI-Activity/Operational"";ID=$wmi_events}"}
default {"Logic error 2, should not reach here...";Exit 1} default {"Logic error 2, should not reach here...";Exit 1}
} }
} }
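Review bot: `$obj.Command=$matches[0].Split("=")[1]` takes the whole match (including whatever precedes `CommandLineTemplate` on that line) and splits on `=`, so a consumer command line that itself contains `=` is truncated and the wrong fragment can be reported; the regex already captures the template in group 1, so `$obj.Command = $matches[1]` is what is wanted. In the same branch `$obj.Results += ...` appends to whatever the shared `$obj` already held, while the neighbouring code assigns (`$obj.Results= "Username: $username`n"` further down the hunk), so if `$obj` is reused across events the first line should be ``$obj.Results = "Event Triggered Execution: WMI - T1546.003`n"``. `$command = $event.message` is never read and can be dropped, and the user-facing string has a typo: `$obj.Message = "Suspicious WMI Event Filter"`. The matched field, CommandLineTemplate, is a property of the consumer rather than the filter, and presumably a script-based consumer (ScriptText) in a 5861 event would not be flagged by this pattern — worth a comment if that gap is intentional. The enclosing Main function starts and ends outside the hunk.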
