Cyberdefense/DeepBlueCLI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Updated for Sysmon schema 8

Browse Source
This commit is contained in:
Eric Conrad
2023-06-07 16:17:34 -04:00
parent ce3c408efa
commit f35415586d
1 changed files with 30 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
DeepBlue.ps1
View File

@ -517,8 +517,14 @@ function Main {
ElseIf ($logname -eq "Sysmon"){ ElseIf ($logname -eq "Sysmon"){
# Check command lines # Check command lines
if ($event.id -eq 1){ if ($event.id -eq 1){
$creator=$eventXML.Event.EventData.Data[14]."#text" if ($eventXML.Event.EventData.Data.Count -le 16){
$commandline=$eventXML.Event.EventData.Data[10]."#text" $creator=$eventXML.Event.EventData.Data[14]."#text"
$commandline=$eventXML.Event.EventData.Data[10]."#text"
}
Else {
$creator=$eventXML.Event.EventData.Data[19]."#text"
$commandline=$eventXML.Event.EventData.Data[9]."#text"
}
if ($commandline){ if ($commandline){
Check-Command -EventID 1 Check-Command -EventID 1
} }
@ -528,15 +534,28 @@ function Main {
# This can be very chatty, so it's disabled. # This can be very chatty, so it's disabled.
# Set $checkunsigned to 1 (global variable section) to enable: # Set $checkunsigned to 1 (global variable section) to enable:
if ($checkunsigned){ if ($checkunsigned){
if ($eventXML.Event.EventData.Data[6]."#text" -eq "false"){ if ($event.Properties.Count -lt 14){
$obj.Message="Unsigned Image (DLL)" if ($eventXML.Event.EventData.Data[6]."#text" -eq "false"){
$image=$eventXML.Event.EventData.Data[3]."#text" $obj.Message="Unsigned Image (DLL)"
$imageload=$eventXML.Event.EventData.Data[4]."#text" $image=$eventXML.Event.EventData.Data[3]."#text"
# $hash=$eventXML.Event.EventData.Data[5]."#text" $imageload=$eventXML.Event.EventData.Data[4]."#text"
$obj.Command=$imageload # $hash=$eventXML.Event.EventData.Data[5]."#text"
$obj.Results= "Loaded by: $image" $obj.Command=$imageload
Write-Output $obj $obj.Results= "Loaded by: $image"
} Write-Output $obj
}
}
Else{
if ($eventXML.Event.EventData.Data[11]."#text" -eq "false"){
$obj.Message="Unsigned Image (DLL)"
$image=$eventXML.Event.EventData.Data[4]."#text"
$imageload=$eventXML.Event.EventData.Data[5]."#text"
# $hash=$eventXML.Event.EventData.Data[10]."#text"
$obj.Command=$imageload
$obj.Results= "Loaded by: $image"
Write-Output $obj
}
}
} }
} }
} }