Add files via upload

Eric Conrad
2017-09-10 18:24:28 -04:00
committed by GitHub
parent 3f9a8f45c3
commit f91e4c8934


@ -405,13 +405,11 @@ function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){
function Check-Regex($string,$regexes,$type){ function Check-Regex($string,$regexes,$type){
$regextext="" # Local variable for return output $regextext="" # Local variable for return output
if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv
if ($string -Match $regex.regex) { if ($string -Match $regex.regex) {
$regextext += " - " + $regex.String + "`n" $regextext += " - " + $regex.String + "`n"
} }
} }
}
return $regextext return $regextext
} }
@ -427,6 +425,7 @@ function Check-Obfu($string){
$noalphastring = $lowercasestring -replace "[a-z0-9/\;:|.]" $noalphastring = $lowercasestring -replace "[a-z0-9/\;:|.]"
$nobinarystring = $lowercasestring -replace "[01]" # To catch binary encoding $nobinarystring = $lowercasestring -replace "[01]" # To catch binary encoding
# Calculate the percent alphanumeric/common symbols # Calculate the percent alphanumeric/common symbols
if ($length -gt 0){
$percent=(($length-$noalphastring.length)/$length) $percent=(($length-$noalphastring.length)/$length)
if ($percent -lt $minpercent){ if ($percent -lt $minpercent){
$percent = "{0:P0}" -f $percent # Convert to a percent $percent = "{0:P0}" -f $percent # Convert to a percent
@ -441,6 +440,7 @@ function Check-Obfu($string){
$binarypercent = "{0:P0}" -f $binarypercent # Convert to a percent $binarypercent = "{0:P0}" -f $binarypercent # Convert to a percent
$obfutext += " - Possible command obfuscation: $binarypercent zeroes and ones (possible numeric or binary encoding)`n" $obfutext += " - Possible command obfuscation: $binarypercent zeroes and ones (possible numeric or binary encoding)`n"
} }
}
return $obfutext return $obfutext
} }
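Review bot: In Check-Obfu, the character class on the `$noalphastring` line, `"[a-z0-9/\;:|.]"`, does not contain a literal backslash: in a .NET regex `\;` is only an escaped semicolon, and PowerShell does not treat `\` as an escape inside the string. If backslash was meant to count as a common symbol, Windows paths will lower the alphanumeric ratio and can push ordinary commands under `$minpercent`, so the class should read `"[a-z0-9/\\;:|.]"`. The new `if ($length -gt 0){` guard would also benefit from a comment such as `# Skip the ratio checks for an empty string to avoid dividing by zero`. Check-Obfu starts above the second hunk and part of its body lies between the hunks, so how `$length` and `$minpercent` are set is not visible here.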