Cyberdefense/DeepBlueCLI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added event 29, updated for new Sysmon schema

Browse Source
This commit is contained in:
Eric Conrad
2023-06-28 14:21:01 -04:00
committed by GitHub
parent 9e5979fca2
commit ac1a9991fd
1 changed files with 34 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
DeepBlueHash-collector.ps1
View File

@ -1,39 +1,51 @@
$hashdirectory=".\hashes\" $hashdirectory=".\hashes\"
$events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7} $events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7,29}
ForEach ($event in $events) { ForEach ($event in $events) {
if ($event.id -eq 1){ # Process creation if ($event.id -eq 1){ # Process creation
if ($event.Properties.Count -le 16){
if ($event.Properties.Count -le 16){ $path=$event.Properties[3].Value # Full path of the file
$path=$event.Properties[3].Value # Full path of the file
$hash=$event.Properties[11].Value # Hashes $hash=$event.Properties[11].Value # Hashes
} }
Else { ElseIf ($event.Properties.Count -le 17){
$path=$event.Properties[4].Value # Full path of the file $path=$event.Properties[4].Value # Full path of the file
$hash=$event.Properties[16].Value # Hashes $hash=$event.Properties[16].Value # Hashes
} }
Else {
$path=$event.Properties[4].Value # Full path of the file
$hash=$event.Properties[17].Value # Hashes
}
}
ElseIf ($event.id -eq 29){ # FileExecutableDetected
$path=$event.Properties[6].Value # Full path of the file
$hash=$event.Properties[7].Value # Hashes
} }
Else{ Else{
# Hash and path are part of the message field in Sysmon events 6 and 7. Need to parse the XML # Hash and path are part of the message field in Sysmon events 6 and 7. Need to parse the XML
$eventXML = [xml]$event.ToXml() $eventXML = [xml]$event.ToXml()
If ($event.id -eq 6){ # Driver (.sys) load If ($event.id -eq 6){ # Driver (.sys) load
if ($event.Properties.Count -le 6){ if ($event.Properties.Count -le 6){
$path=$eventXML.Event.EventData.Data[1]."#text" # Full path of the file $path=$eventXML.Event.EventData.Data[1]."#text" # Full path of the file
$hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes $hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes
} $hash
Else{ }
$path=$eventXML.Event.EventData.Data[2]."#text" # Full path of the file Else{
$hash=$eventXML.Event.EventData.Data[3]."#text" # Hashes $path=$eventXML.Event.EventData.Data[2]."#text" # Full path of the file
} $hash=$eventXML.Event.EventData.Data[3]."#text" # Hashes
}
} }
ElseIf ($event.id -eq 7){ # Image (.dll) load ElseIf ($event.id -eq 7){ # Image (.dll) load
if ($event.Properties.Count -lt 14){ if ($event.Properties.Count -lt 14){
$path=$eventXML.Event.EventData.Data[4]."#text" # Full path of the file $path=$eventXML.Event.EventData.Data[4]."#text" # Full path of the file
$hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes $hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes
} }
Else{ Elseif ($event.Properties.Count -lt 15){
$path=$eventXML.Event.EventData.Data[5]."#text" # Full path of the file $path=$eventXML.Event.EventData.Data[5]."#text" # Full path of the file
$hash=$eventXML.Event.EventData.Data[10]."#text" # Hashes $hash=$eventXML.Event.EventData.Data[10]."#text" # Hashes
} }
Else{
$path=$eventXML.Event.EventData.Data[5]."#text" # Full path of the file
$hash=$eventXML.Event.EventData.Data[11]."#text" # Hashes
}
} }
Else{ Else{
Out-Host "Logic error 1, should not reach here..." Out-Host "Logic error 1, should not reach here..."