Add files via upload

Eric Conrad
2017-09-10 21:29:48 -04:00
committed by GitHub
parent f91e4c8934
commit dff301f17a


@ -39,6 +39,7 @@ function Main {
$minlength=1000 # Minimum length of command line to alert $minlength=1000 # Minimum length of command line to alert
# Load cmd match regexes from csv file, ignore comments # Load cmd match regexes from csv file, ignore comments
$regexes = Get-Content ".\regexes.txt" | Select-String '^[^#]' | ConvertFrom-Csv $regexes = Get-Content ".\regexes.txt" | Select-String '^[^#]' | ConvertFrom-Csv
#$regexes
# Load cmd whitelist regexes from csv file, ignore comments # Load cmd whitelist regexes from csv file, ignore comments
$whitelist = Get-Content ".\whitelist.txt" | Select-String '^[^#]' | ConvertFrom-Csv $whitelist = Get-Content ".\whitelist.txt" | Select-String '^[^#]' | ConvertFrom-Csv
$logname=Check-Options $file $log $logname=Check-Options $file $log
@ -63,7 +64,9 @@ function Main {
if ($event.id -eq 4688){ if ($event.id -eq 4688){
# A new process has been created. (Command Line Logging) # A new process has been created. (Command Line Logging)
$commandline=$eventXML.Event.EventData.Data[8]."#text" $commandline=$eventXML.Event.EventData.Data[8]."#text"
$output += (Check-Command $commandline $minlength $regexes $whitelist 0) if ($commandline){
$output += (Check-Command $commandline $minlength $regexes $whitelist 0)
}
} }
ElseIf ($event.id -eq 4720){ ElseIf ($event.id -eq 4720){
# A user account was created. # A user account was created.
@ -99,6 +102,7 @@ function Main {
if ($event.id -eq 7045){ if ($event.id -eq 7045){
# A service was installed in the system. # A service was installed in the system.
$servicename=$eventXML.Event.EventData.Data[0]."#text" $servicename=$eventXML.Event.EventData.Data[0]."#text"
#$servicename
# Check for suspicious service name # Check for suspicious service name
$text = (Check-Regex $servicename $regexes 1) $text = (Check-Regex $servicename $regexes 1)
if ($text){ if ($text){
@ -107,7 +111,9 @@ function Main {
} }
# Check for suspicious cmd # Check for suspicious cmd
$commandline=$eventXML.Event.EventData.Data[1]."#text" $commandline=$eventXML.Event.EventData.Data[1]."#text"
$output += (Check-Command $commandline $minlength $regexes $whitelist 1) if ($commandline){
$output += (Check-Command $commandline $minlength $regexes $whitelist 1)
}
} }
ElseIf ($event.id -eq 7030){ ElseIf ($event.id -eq 7030){
# The ... service is marked as an interactive service. However, the system is configured # The ... service is marked as an interactive service. However, the system is configured
@ -174,7 +180,9 @@ function Main {
$pscommand = $pscommand -Replace "(?ms)^.*Host.Application = ","" $pscommand = $pscommand -Replace "(?ms)^.*Host.Application = ",""
# Remove every line after the "Host Application = " line. # Remove every line after the "Host Application = " line.
$pscommand = $pscommand -Replace "(?ms)`n.*$","" $pscommand = $pscommand -Replace "(?ms)`n.*$",""
$output += (Check-Command $pscommand $minlength $regexes $whitelist 0) if ($pscommand){
$output += (Check-Command $pscommand $minlength $regexes $whitelist 0)
}
} }
} }
ElseIf ($event.id -eq 4104){ ElseIf ($event.id -eq 4104){
@ -207,22 +215,19 @@ function Main {
# This ignores scripts and grabs PowerShell CLIs # This ignores scripts and grabs PowerShell CLIs
if (-not ($eventxml.Event.EventData.Data[4]."#text")){ if (-not ($eventxml.Event.EventData.Data[4]."#text")){
$pscommand=$eventXML.Event.EventData.Data[2]."#text" $pscommand=$eventXML.Event.EventData.Data[2]."#text"
$output += (Check-Command $pscommand 500 $regexes $whitelist 0) if ($pscommand){
$output += (Check-Command $pscommand 500 $regexes $whitelist 0)
}
} }
} }
} }
ElseIf ($logname -eq "Sysmon"){ ElseIf ($logname -eq "Sysmon"){
#@{logname="Microsoft-Windows-Sysmon/Operational";id=1} | %{$_.Properties[11].Value}| sort -Unique
#get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1} | % {$_.Properties[11].Value}| Sort-Object -unique
#Get-WinEvent @{logname="Microsoft-Windows-Sysmon/Operational";id=7}|fl
# Check command lines # Check command lines
if ($event.id -eq 1){ if ($event.id -eq 1){
#get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1} | % {$_.Properties[4].Value}
$commandline=$eventXML.Event.EventData.Data[4]."#text" $commandline=$eventXML.Event.EventData.Data[4]."#text"
# Remove "Command Line: " from the $commandline if ($commandline){
#$commandline= $commandline -Replace "^Command Line:","" $output += (Check-Command $commandline $minlength $regexes $whitelist 0)
#$commandline }
$output += (Check-Command $commandline $minlength $regexes $whitelist 0)
} }
# Check for unsigned EXEs/DLLs: # Check for unsigned EXEs/DLLs:
ElseIf ($event.id -eq 7){ ElseIf ($event.id -eq 7){
@ -404,10 +409,12 @@ function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){
} }
function Check-Regex($string,$regexes,$type){ function Check-Regex($string,$regexes,$type){
$regextext="" # Local variable for return output $regextext="" # Local variable for return output
if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv foreach ($regex in $regexes){
if ($string -Match $regex.regex) { if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv
$regextext += " - " + $regex.String + "`n" if ($string -Match $regex.regex) {
$regextext += " - " + $regex.String + "`n"
}
} }
} }
return $regextext return $regextext
@ -418,8 +425,8 @@ function Check-Obfu($string){
# There are many ways to do this, including regex. Need a way that doesn't kill the CPU. # There are many ways to do this, including regex. Need a way that doesn't kill the CPU.
# #
$obfutext="" # Local variable for return output $obfutext="" # Local variable for return output
$minpercent=.75 # minimum percentage of alphanumeric and common symbols $minpercent=.65 # minimum percentage of alphanumeric and common symbols
$maxbinary=.25 # Maximum percentage of zeros and ones $maxbinary=.50 # Maximum percentage of zeros and ones
$lowercasestring=$string.ToLower() $lowercasestring=$string.ToLower()
$length=$lowercasestring.length $length=$lowercasestring.length
$noalphastring = $lowercasestring -replace "[a-z0-9/\;:|.]" $noalphastring = $lowercasestring -replace "[a-z0-9/\;:|.]"
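Review bot: In Check-Regex (hunk @ -404,10 +409,12) the new `foreach ($regex in $regexes)` loop tests `$string -Match $regex.regex` without checking that the pattern is non-empty; in PowerShell `-Match ''` is true for any string, so a row in regexes.txt whose regex field is blank (a stray comma, or a trailing field dropped by ConvertFrom-Csv) would flag every command line and service name passed to this function. A one-line guard keeps the loop safe: `if ($regex.regex -and ($string -Match $regex.regex)) {`. A syntactically invalid pattern would presumably surface as a -Match error on every event rather than once, so validating the rows where they are loaded (hunk @ -39,6 +39,7, right after the ConvertFrom-Csv) would report a bad line a single time. Check-Regex's closing brace is outside the hunk. The commented-out `#$regexes` and `#$servicename` lines added in the first and third hunks read as leftover debugging while the Sysmon hunk removes similar lines; `Write-Verbose` would be the conventional form if the output is still wanted.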