From ac1a9991fd3c4cbc1b123a0394c2393cd9382f00 Mon Sep 17 00:00:00 2001
From: Eric Conrad
Date: Wed, 28 Jun 2023 14:21:01 -0400
Subject: [PATCH] Added event 29, updated for new Sysmon schema
---
 DeepBlueHash-collector.ps1 | 56 +++++++++++++++++++++++---------------
 1 file changed, 34 insertions(+), 22 deletions(-)
diff --git a/DeepBlueHash-collector.ps1 b/DeepBlueHash-collector.ps1
index 6e44d3f..c91392b 100644
--- a/DeepBlueHash-collector.ps1
+++ b/DeepBlueHash-collector.ps1
@@ -1,39 +1,51 @@
 $hashdirectory=".\hashes\"
-$events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7}
+$events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7,29}
 ForEach ($event in $events) {
- if ($event.id -eq 1){ # Process creation
-
- if ($event.Properties.Count -le 16){
- $path=$event.Properties[3].Value # Full path of the file
+ if ($event.id -eq 1){ # Process creation
+ if ($event.Properties.Count -le 16){
+ $path=$event.Properties[3].Value # Full path of the file
 $hash=$event.Properties[11].Value # Hashes
- }
- Else {
+ }
+ ElseIf ($event.Properties.Count -le 17){
 $path=$event.Properties[4].Value # Full path of the file
 $hash=$event.Properties[16].Value # Hashes
- }
+ }
+ Else {
+ $path=$event.Properties[4].Value # Full path of the file
+ $hash=$event.Properties[17].Value # Hashes
+ }
+ }
+ ElseIf ($event.id -eq 29){ # FileExecutableDetected
+ $path=$event.Properties[6].Value # Full path of the file
+ $hash=$event.Properties[7].Value # Hashes
 }
 Else{ # Hash and path are part of the message field in Sysmon events 6 and 7.
Need to parse the XML
 $eventXML = [xml]$event.ToXml()
 If ($event.id -eq 6){ # Driver (.sys) load
 if ($event.Properties.Count -le 6){
- $path=$eventXML.Event.EventData.Data[1]."#text" # Full path of the file
- $hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes
- }
- Else{
- $path=$eventXML.Event.EventData.Data[2]."#text" # Full path of the file
- $hash=$eventXML.Event.EventData.Data[3]."#text" # Hashes
- }
+ $path=$eventXML.Event.EventData.Data[1]."#text" # Full path of the file
+ $hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes
+ $hash
+ }
+ Else{
+ $path=$eventXML.Event.EventData.Data[2]."#text" # Full path of the file
+ $hash=$eventXML.Event.EventData.Data[3]."#text" # Hashes
+ }
 }
 ElseIf ($event.id -eq 7){ # Image (.dll) load
 if ($event.Properties.Count -lt 14){
- $path=$eventXML.Event.EventData.Data[4]."#text" # Full path of the file
- $hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes
- }
- Else{
- $path=$eventXML.Event.EventData.Data[5]."#text" # Full path of the file
- $hash=$eventXML.Event.EventData.Data[10]."#text" # Hashes
- }
+ $path=$eventXML.Event.EventData.Data[4]."#text" # Full path of the file
+ $hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes
+ }
+ Elseif ($event.Properties.Count -lt 15){
+ $path=$eventXML.Event.EventData.Data[5]."#text" # Full path of the file
+ $hash=$eventXML.Event.EventData.Data[10]."#text" # Hashes
+ }
+ Else{
+ $path=$eventXML.Event.EventData.Data[5]."#text" # Full path of the file
+ $hash=$eventXML.Event.EventData.Data[11]."#text" # Hashes
+ }
 }
 Else{
 Out-Host "Logic error 1, should not reach here..."
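Review bot: The bare `$hash` statement added right after `$hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes` in the event-6 `-le 6` branch emits the hash value to the script's output stream on every driver-load event that takes that path; it reads as a leftover debug line and, since every other branch only assigns `$path` and `$hash`, it should be removed. The new event-29 branch reads `Properties[6]` and `Properties[7]` with no `Properties.Count` check, unlike the id-1, id-6 and id-7 branches, so the next Sysmon schema change would silently pick up the wrong field instead of failing visibly; either add a guard in the same shape as the other branches or at least record the assumption, `# Sysmon schema <version>: TargetFilename at index 6, Hashes at index 7 -- re-check on schema bump`. If I read the Sysmon event correctly, FileExecutableDetected fires when an executable file is written, not when it runs, so a comment such as `# Hash is of the file as written to disk, not of a running process` would keep downstream consumers from treating these hashes like the id-1 process hashes. The `ForEach` loop body continues past the end of the hunk, so the rest of the per-event handling was not reviewed here.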