Cyberdefense/DeepBlueCLI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add files via upload

Browse Source
This commit is contained in:
Eric Conrad
2017-09-10 18:24:28 -04:00
committed by GitHub
parent 3f9a8f45c3
commit f91e4c8934
1 changed files with 19 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
DeepBlue.ps1
View File

@ -404,12 +404,10 @@ function Check-Command($commandline,$minlength,$regexes,$whitelist,$servicecmd){
} }
function Check-Regex($string,$regexes,$type){ function Check-Regex($string,$regexes,$type){
$regextext="" # Local variable for return output $regextext="" # Local variable for return output
if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv
if ($regex.Type -eq $type) { # Type is 0 for Commands, 1 for services. Set in regexes.csv if ($string -Match $regex.regex) {
if ($string -Match $regex.regex) { $regextext += " - " + $regex.String + "`n"
$regextext += " - " + $regex.String + "`n"
}
} }
} }
return $regextext return $regextext
@ -427,19 +425,21 @@ function Check-Obfu($string){
$noalphastring = $lowercasestring -replace "[a-z0-9/\;:|.]" $noalphastring = $lowercasestring -replace "[a-z0-9/\;:|.]"
$nobinarystring = $lowercasestring -replace "[01]" # To catch binary encoding $nobinarystring = $lowercasestring -replace "[01]" # To catch binary encoding
# Calculate the percent alphanumeric/common symbols # Calculate the percent alphanumeric/common symbols
$percent=(($length-$noalphastring.length)/$length) if ($length -gt 0){
if ($percent -lt $minpercent){ $percent=(($length-$noalphastring.length)/$length)
$percent = "{0:P0}" -f $percent # Convert to a percent if ($percent -lt $minpercent){
$obfutext += " - Possible command obfuscation: only $percent alphanumeric and common symbols`n" $percent = "{0:P0}" -f $percent # Convert to a percent
} $obfutext += " - Possible command obfuscation: only $percent alphanumeric and common symbols`n"
# Calculate the percent of binary characters }
#$percent=(($length-$nobinarystring.length/$length)/$length) # Calculate the percent of binary characters
$percent=(($nobinarystring.length-$length/$length)/$length) #$percent=(($length-$nobinarystring.length/$length)/$length)
$binarypercent = 1-$percent $percent=(($nobinarystring.length-$length/$length)/$length)
if ($binarypercent -gt $maxbinary){ $binarypercent = 1-$percent
#$binarypercent = 1-$percent if ($binarypercent -gt $maxbinary){
$binarypercent = "{0:P0}" -f $binarypercent # Convert to a percent #$binarypercent = 1-$percent
$obfutext += " - Possible command obfuscation: $binarypercent zeroes and ones (possible numeric or binary encoding)`n" $binarypercent = "{0:P0}" -f $binarypercent # Convert to a percent
$obfutext += " - Possible command obfuscation: $binarypercent zeroes and ones (possible numeric or binary encoding)`n"
}
} }
return $obfutext return $obfutext
} }