Updated for Sysmon schema 8

Eric Conrad
2023-06-07 16:17:34 -04:00
parent ce3c408efa
commit f35415586d


@ -517,8 +517,14 @@ function Main {
ElseIf ($logname -eq "Sysmon"){ ElseIf ($logname -eq "Sysmon"){
# Check command lines # Check command lines
if ($event.id -eq 1){ if ($event.id -eq 1){
if ($eventXML.Event.EventData.Data.Count -le 16){
$creator=$eventXML.Event.EventData.Data[14]."#text" $creator=$eventXML.Event.EventData.Data[14]."#text"
$commandline=$eventXML.Event.EventData.Data[10]."#text" $commandline=$eventXML.Event.EventData.Data[10]."#text"
}
Else {
$creator=$eventXML.Event.EventData.Data[19]."#text"
$commandline=$eventXML.Event.EventData.Data[9]."#text"
}
if ($commandline){ if ($commandline){
Check-Command -EventID 1 Check-Command -EventID 1
} }
@ -528,6 +534,7 @@ function Main {
# This can be very chatty, so it's disabled. # This can be very chatty, so it's disabled.
# Set $checkunsigned to 1 (global variable section) to enable: # Set $checkunsigned to 1 (global variable section) to enable:
if ($checkunsigned){ if ($checkunsigned){
if ($event.Properties.Count -lt 14){
if ($eventXML.Event.EventData.Data[6]."#text" -eq "false"){ if ($eventXML.Event.EventData.Data[6]."#text" -eq "false"){
$obj.Message="Unsigned Image (DLL)" $obj.Message="Unsigned Image (DLL)"
$image=$eventXML.Event.EventData.Data[3]."#text" $image=$eventXML.Event.EventData.Data[3]."#text"
@ -536,6 +543,18 @@ function Main {
$obj.Command=$imageload $obj.Command=$imageload
$obj.Results= "Loaded by: $image" $obj.Results= "Loaded by: $image"
Write-Output $obj Write-Output $obj
}
}
Else{
if ($eventXML.Event.EventData.Data[11]."#text" -eq "false"){
$obj.Message="Unsigned Image (DLL)"
$image=$eventXML.Event.EventData.Data[4]."#text"
$imageload=$eventXML.Event.EventData.Data[5]."#text"
# $hash=$eventXML.Event.EventData.Data[10]."#text"
$obj.Command=$imageload
$obj.Results= "Loaded by: $image"
Write-Output $obj
}
} }
} }
} }
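Review bot: The schema switch in the first hunk keys on `$eventXML.Event.EventData.Data.Count -le 16` and then reads fields by position (`Data[14]`/`Data[10]` versus `Data[19]`/`Data[9]`), so an event whose field count matches neither layout (a Sysmon build or config that adds or drops a field) silently reads a neighbouring element or `$null`, and the existing `if ($commandline)` guard then skips `Check-Command` without any warning — a missed detection rather than a visible error. Sysmon event XML gives each `Data` element a `Name` attribute, so selecting by name removes the version branch entirely and is robust to reordering: `$commandline=($eventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'CommandLine'}).'#text'` and likewise for the creator (presumably `ParentImage`, the field these indices appear to target — confirm against the schema). The ID 7 branches in the later hunks make the same decision with a different source and threshold (`$event.Properties.Count -lt 14`), which is worth aligning or at least documenting with a comment such as `# Field indices verified against Sysmon schema 8; earlier schemas use the first branch`. `Main` begins before and continues after these hunks.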