Compare commits
40 Commits
Conrad-tes
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
| 4188efbe70 | |||
| 48a8d826e9 | |||
| 2eecc65698 | |||
| 8e510aaaef | |||
| 50d2ca9ef9 | |||
| ac1a9991fd | |||
| 9e5979fca2 | |||
| e9fc13a57b | |||
| 7fb41280a2 | |||
| 41fe88f2e4 | |||
| 3c8fa15e28 | |||
| cd3e304f27 | |||
| a99c412a73 | |||
| 1699dfc5cf | |||
| fc670716d6 | |||
| ecbc203684 | |||
| 229010219a | |||
| 79dd0e6b11 | |||
| f35415586d | |||
| ce3c408efa | |||
| e07e5aa1de | |||
| 9369182b49 | |||
| 9e51dd0579 | |||
| 2fc4fd599f | |||
| 120448c50e | |||
| 115b4f30b2 | |||
| eebd75d029 | |||
| f5b844cb1a | |||
| ea97820b79 | |||
| cf9411f721 | |||
| e3bf84fe51 | |||
| 45d62cbfbe | |||
| 350fe3c134 | |||
| d7d8d5eb80 | |||
| 5f2a62cd9c | |||
| 46fe6b42c5 | |||
| 2ae82a296f | |||
| 8b15218ae3 | |||
| 0c7338dd38 | |||
| ddb9e3e0fa |
107
DeepBlue.ps1
107
DeepBlue.ps1
@ -25,7 +25,7 @@ https://github.com/sans-blue-team/DeepBlueCLI
|
||||
|
||||
#>
|
||||
|
||||
# DeepBlueCLI 2.01
|
||||
# DeepBlueCLI 3.0
|
||||
# Eric Conrad, Backshore Communications, LLC
|
||||
# deepblue <at> backshore <dot> net
|
||||
# Twitter: @eric_conrad
|
||||
@ -45,7 +45,7 @@ function Main {
|
||||
$logname=Check-Options $file $log
|
||||
#"Processing the " + $logname + " log..."
|
||||
$filter=Create-Filter $file $logname
|
||||
# Passworg guessing/spraying variables:
|
||||
# Password guessing/spraying variables:
|
||||
$maxfailedlogons=5 # Alert after this many failed logons
|
||||
$failedlogons=@{} # HashTable of failed logons per user
|
||||
$totalfailedlogons=0 # Total number of failed logons (for all accounts)
|
||||
@ -66,6 +66,7 @@ function Main {
|
||||
$passspraytrack = @{}
|
||||
$passsprayuniqusermax = 6
|
||||
$passsprayloginmax = 6
|
||||
$passsprayuniqaccounts = 0
|
||||
# Sysmon variables:
|
||||
# Check for unsigned EXEs/DLLs. This can be very chatty, so it's disabled.
|
||||
# Set $checkunsigned to 1 to enable:
|
||||
@ -224,7 +225,7 @@ function Main {
|
||||
$totalsensprivuse+=1
|
||||
# use -eq here to avoid multiple log notices
|
||||
if ($totalsensprivuse -eq $maxtotalsensprivuse) {
|
||||
$obj.Message = "Sensititive Privilege Use Exceeds Threshold"
|
||||
$obj.Message = "Sensitive Privilege Use Exceeds Threshold"
|
||||
$obj.Results = "Potentially indicative of Mimikatz, multiple sensitive privilege calls have been made.`n"
|
||||
|
||||
$username=$eventXML.Event.EventData.Data[1]."#text"
|
||||
@ -311,11 +312,13 @@ function Main {
|
||||
foreach($key in $passspraytrack.keys) {
|
||||
$usernames += $key
|
||||
$usernames += " "
|
||||
$passsprayuniqaccounts += 1
|
||||
}
|
||||
$obj.Message = "Distributed Account Explicit Credential Use (Password Spray Attack)"
|
||||
$obj.Results = "The use of multiple user account access attempts with explicit credentials is "
|
||||
$obj.Results += "an indicator of a password spray attack.`n"
|
||||
$obj.Results += "Target Usernames: $usernames`n"
|
||||
$obj.results += "Unique accounts sprayed: $passsprayuniqaccounts`n"
|
||||
$obj.Results += "Accessing Username: $username`n"
|
||||
$obj.Results += "Accessing Host Name: $hostname`n"
|
||||
Write-Output $obj
|
||||
@ -388,7 +391,7 @@ function Main {
|
||||
ElseIf ($event.id -eq 7040){
|
||||
# The start type of the Windows Event Log service was changed from auto start to disabled.
|
||||
$servicename=$eventXML.Event.EventData.Data[0]."#text"
|
||||
$action = $eventXML.Event.EventData.Data[1]."#text"
|
||||
$action = $eventXML.Event.EventData.Data[2]."#text"
|
||||
if ($servicename -ccontains "Windows Event Log") {
|
||||
$obj.Results = "Service name: $servicename`n"
|
||||
$obj.Results += $text
|
||||
@ -514,8 +517,14 @@ function Main {
|
||||
ElseIf ($logname -eq "Sysmon"){
|
||||
# Check command lines
|
||||
if ($event.id -eq 1){
|
||||
$creator=$eventXML.Event.EventData.Data[14]."#text"
|
||||
$commandline=$eventXML.Event.EventData.Data[4]."#text"
|
||||
if ($eventXML.Event.EventData.Data.Count -le 16){
|
||||
$creator=$eventXML.Event.EventData.Data[14]."#text"
|
||||
$commandline=$eventXML.Event.EventData.Data[10]."#text"
|
||||
}
|
||||
Else {
|
||||
$creator=$eventXML.Event.EventData.Data[20]."#text"
|
||||
$commandline=$eventXML.Event.EventData.Data[10]."#text"
|
||||
}
|
||||
if ($commandline){
|
||||
Check-Command -EventID 1
|
||||
}
|
||||
@ -525,22 +534,71 @@ function Main {
|
||||
# This can be very chatty, so it's disabled.
|
||||
# Set $checkunsigned to 1 (global variable section) to enable:
|
||||
if ($checkunsigned){
|
||||
if ($eventXML.Event.EventData.Data[6]."#text" -eq "false"){
|
||||
$obj.Message="Unsigned Image (DLL)"
|
||||
$image=$eventXML.Event.EventData.Data[3]."#text"
|
||||
$imageload=$eventXML.Event.EventData.Data[4]."#text"
|
||||
# $hash=$eventXML.Event.EventData.Data[5]."#text"
|
||||
$obj.Command=$imageload
|
||||
$obj.Results= "Loaded by: $image"
|
||||
Write-Output $obj
|
||||
}
|
||||
if ($event.Properties.Count -lt 14){
|
||||
if ($eventXML.Event.EventData.Data[6]."#text" -eq "false"){
|
||||
$obj.Message="Unsigned Image (DLL)"
|
||||
$image=$eventXML.Event.EventData.Data[3]."#text"
|
||||
$imageload=$eventXML.Event.EventData.Data[4]."#text"
|
||||
# $hash=$eventXML.Event.EventData.Data[5]."#text"
|
||||
$obj.Command=$imageload
|
||||
$obj.Results= "Loaded by: $image"
|
||||
Write-Output $obj
|
||||
}
|
||||
}
|
||||
Else{
|
||||
if ($eventXML.Event.EventData.Data[11]."#text" -eq "false"){
|
||||
$obj.Message="Unsigned Image (DLL)"
|
||||
$image=$eventXML.Event.EventData.Data[4]."#text"
|
||||
$imageload=$eventXML.Event.EventData.Data[5]."#text"
|
||||
# $hash=$eventXML.Event.EventData.Data[10]."#text"
|
||||
$obj.Command=$imageload
|
||||
$obj.Results= "Loaded by: $image"
|
||||
Write-Output $obj
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
ElseIf ($event.id -eq 8){
|
||||
#Check remote thread (lsass activity, process migration, etc)
|
||||
$image=$eventXML.Event.EventData.Data[7]."#text"
|
||||
$user=$eventXML.Event.EventData.Data[12]."#text"
|
||||
$sourceimage=$eventXML.Event.EventData.Data[4]."#text"
|
||||
If ($image -Match "lsass.exe"){
|
||||
$creatortext += "Remote thread to $image`n"
|
||||
$obj.Message="Suspicious remote thread"
|
||||
$imageload=$eventXML.Event.EventData.Data[7]."#text"
|
||||
$obj.Command=$imageload
|
||||
$obj.Results= "Remote thread created to: $image from: $sourceimage by $user"
|
||||
Write-Output $obj
|
||||
}
|
||||
ElseIf ($user -notmatch "SYSTEM"){
|
||||
$creatortext += "Remote thread to $image`n"
|
||||
$obj.Message="Suspicious remote thread"
|
||||
$imageload=$eventXML.Event.EventData.Data[7]."#text"
|
||||
$obj.Command=$imageload
|
||||
$obj.Results= "Remote thread created to: $image from: $sourceimage by $user"
|
||||
Write-Output $obj
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
ElseIf ($logname -eq "WMI-Activity"){
|
||||
# Check commandlines for suspicious commands
|
||||
if ($event.id -eq 5861){
|
||||
if($event.Message -match ".*CommandLineTemplate\s=\s(.*?);"){
|
||||
$command = $event.message
|
||||
$obj.Message = "Suspicous WMI Event Filter"
|
||||
$obj.Results += "Event Triggered Execution: WMI - T1546.003`n"
|
||||
$obj.Results += $event.message
|
||||
$obj.Command=$matches[0].Split("=")[1]
|
||||
Write-Output $obj
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
# Iterate through admin logons hashtable (key is $username)
|
||||
foreach ($username in $adminlogons.Keys) {
|
||||
$securityid=$adminlogons.Get_Item($username)
|
||||
$securityid=$adminlogons.Get_Item($username)
|
||||
if($multipleadminlogons.$username){
|
||||
$obj.Message="Multiple admin logons for one account"
|
||||
$obj.Results= "Username: $username`n"
|
||||
@ -618,6 +676,7 @@ function Check-Options($file, $log)
|
||||
"Microsoft-Windows-AppLocker/EXE and DLL" {$logname="Applocker"}
|
||||
"Microsoft-Windows-PowerShell/Operational" {$logname="Powershell"}
|
||||
"Microsoft-Windows-Sysmon/Operational" {$logname="Sysmon"}
|
||||
"Microsoft-Windows-WMI-Activity/Operational" {$logname="WMI-Activity"}
|
||||
default {"Logic error 3, should not reach here...";Exit 1}
|
||||
}
|
||||
}
|
||||
@ -638,7 +697,8 @@ function Create-Filter($file, $logname)
|
||||
$app_events="2"
|
||||
$applocker_events="8003,8004,8006,8007"
|
||||
$powershell_events="4103,4104"
|
||||
$sysmon_events="1,7"
|
||||
$sysmon_events="1,7,8"
|
||||
$wmi_events="5861"
|
||||
if ($file -ne ""){
|
||||
switch ($logname){
|
||||
"Security" {$filter="@{path=""$file"";ID=$sec_events}"}
|
||||
@ -647,6 +707,7 @@ function Create-Filter($file, $logname)
|
||||
"Applocker" {$filter="@{path=""$file"";ID=$applocker_events}"}
|
||||
"Powershell" {$filter="@{path=""$file"";ID=$powershell_events}"}
|
||||
"Sysmon" {$filter="@{path=""$file"";ID=$sysmon_events}"}
|
||||
"WMI-Activity"{$filter="@{path=""$file"";ID=$wmi_events}"}
|
||||
default {"Logic error 1, should not reach here...";Exit 1}
|
||||
}
|
||||
}
|
||||
@ -658,6 +719,7 @@ function Create-Filter($file, $logname)
|
||||
"Applocker" {$filter="@{logname=""Microsoft-Windows-AppLocker/EXE and DLL"";ID=$applocker_events}"}
|
||||
"Powershell" {$filter="@{logname=""Microsoft-Windows-PowerShell/Operational"";ID=$powershell_events}"}
|
||||
"Sysmon" {$filter="@{logname=""Microsoft-Windows-Sysmon/Operational"";ID=$sysmon_events}"}
|
||||
"WMI-Activity"{$filter="@{logname=""Microsoft-Windows-WMI-Activity/Operational"";ID=$wmi_events}"}
|
||||
default {"Logic error 2, should not reach here...";Exit 1}
|
||||
}
|
||||
}
|
||||
@ -689,6 +751,9 @@ function Check-Command(){
|
||||
if ($commandline -Match "\-enc.*[A-Za-z0-9/+=]{100}"){
|
||||
$base64= $commandline -Replace "^.* \-Enc(odedCommand)? ",""
|
||||
}
|
||||
ElseIf ($commandline -Match "\-En.*[A-Za-z0-9/+=]{100}"){
|
||||
$base64= $commandline -Replace "^.* \-En",""
|
||||
}
|
||||
ElseIf ($commandline -Match ":FromBase64String\("){
|
||||
$base64 = $commandline -Replace "^.*:FromBase64String\(\'*",""
|
||||
$base64 = $base64 -Replace "\'.*$",""
|
||||
@ -782,6 +847,14 @@ function Check-Creator($command,$creator){
|
||||
$creatortext += "PowerShell launched via WMI: $creator`n"
|
||||
}
|
||||
}
|
||||
ElseIf ($command -Match "cmd.exe"){
|
||||
if ($creator -Match "PSEXESVC"){
|
||||
$creatortext += "cmd.exe launched via PsExec: $creator`n"
|
||||
}
|
||||
ElseIf($creator -Match "WmiPrvSE"){
|
||||
$creatortext += "cmd.exe launched via WMI: $creator`n"
|
||||
}
|
||||
}
|
||||
}
|
||||
return $creatortext
|
||||
}
|
||||
|
||||
@ -1,9 +1,14 @@
|
||||
# Requires Posh-VirusTotal: https://github.com/darkoperator/Posh-VirusTotal
|
||||
# Requires VirusTotalAnalyzer: https://github.com/EvotecIT/VirusTotalAnalyzer
|
||||
#
|
||||
# Plus a (free) VirusTotal API Key: https://www.virustotal.com/en/documentation/public-api/
|
||||
#
|
||||
Import-Module VirusTotalAnalyzer -Force
|
||||
|
||||
# API KEY can be found once you register to Virus Total service (it's free)
|
||||
$VTApi = '<Your API Key>'
|
||||
|
||||
$hashdirectory = ".\hashes"
|
||||
$safelistfile=".\file-safelist.csv"
|
||||
$safelistfile=".\safelists\win10-x64.csv"
|
||||
# Load the safelist into a hash table
|
||||
if (Test-Path $safelistfile){
|
||||
$safelist = Get-Content $safelistfile | Select-String '^[^#]' | ConvertFrom-Csv
|
||||
@ -21,32 +26,30 @@ Get-ChildItem $hashdirectory | Foreach-Object{
|
||||
}
|
||||
Else{
|
||||
try{
|
||||
$VTreport = Get-VTFileReport $SHA256
|
||||
$VTreport = Get-VirusReport -ApiKey $VTApi -Hash "$SHA256"
|
||||
}
|
||||
catch {
|
||||
Write-Host "`r`nAttempted to run: Get-VTFileReport $SHA256`r`r"
|
||||
Write-Host "`r`nAttempted to run: Get-Virusreport $SHA256`r`r"
|
||||
Write-Host "Error: " $_.Exception.Message "`n"
|
||||
Write-Host "Have you installed Posh-VirusTotal and set the VirusTotal API key?"
|
||||
Write-Host "Have you installed VirusTotalAnalyzer and set the VirusTotal API key?"
|
||||
Write-Host " - See: https://github.com/darkoperator/Posh-VirusTotal`r`n"
|
||||
Write-Host "Once you have installed Posh-VirusTotal and have a VirusTotal API key, run the following command:`r`n"
|
||||
Write-Host "Set-VTAPIKey -APIKey <API Key>`r`n"
|
||||
Write-Host "Exiting...`n"
|
||||
exit
|
||||
}
|
||||
if ($VTreport.positives -eq 0){
|
||||
$positives=$VTreport.Data.attributes.last_analysis_stats.malicious
|
||||
if ($positives -eq 0){
|
||||
# File is clean
|
||||
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.clean"
|
||||
}
|
||||
ElseIf ($VTreport.positives -gt 0){
|
||||
ElseIf ($positives -gt 0){
|
||||
# File is flagged by Virustotal
|
||||
$positives=$VTreport.positives
|
||||
Write-Host " - Hash was detected by $positives Virustotal scanners"
|
||||
if ($positives -eq 1){
|
||||
Write-Host " - Don't Panic (yet)! There is only one positive, which may be a sign of a false positive."
|
||||
Write-Host " - Check the VirusTotal report for more information."
|
||||
}
|
||||
Write-Host " - See $hashdirectory\$SHA256.Virustotal for the full report`r`n"
|
||||
$VTreport | Set-Content "$hashdirectory\$SHA256.Virustotal"
|
||||
$VTreport.Data.attributes | Set-Content "$hashdirectory\$SHA256.Virustotal"
|
||||
# Rename original hash file, add the Virustotal positive count as a numbered extension
|
||||
# $SHA256.$positives
|
||||
Rename-Item -Path "$hashdirectory\$SHA256" -NewName "$SHA256.$positives"
|
||||
@ -55,4 +58,4 @@ Get-ChildItem $hashdirectory | Foreach-Object{
|
||||
Start-Sleep -s 15
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,20 +1,51 @@
|
||||
$hashdirectory=".\hashes\"
|
||||
$events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7}
|
||||
$hashdirectory=".\hashes\"
|
||||
$events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7,29}
|
||||
ForEach ($event in $events) {
|
||||
if ($event.id -eq 1){ # Process creation
|
||||
$path=$event.Properties[3].Value # Full path of the file
|
||||
$hash=$event.Properties[11].Value # Hashes
|
||||
if ($event.id -eq 1){ # Process creation
|
||||
if ($event.Properties.Count -le 16){
|
||||
$path=$event.Properties[3].Value # Full path of the file
|
||||
$hash=$event.Properties[11].Value # Hashes
|
||||
}
|
||||
ElseIf ($event.Properties.Count -le 17){
|
||||
$path=$event.Properties[4].Value # Full path of the file
|
||||
$hash=$event.Properties[16].Value # Hashes
|
||||
}
|
||||
Else {
|
||||
$path=$event.Properties[4].Value # Full path of the file
|
||||
$hash=$event.Properties[17].Value # Hashes
|
||||
}
|
||||
}
|
||||
ElseIf ($event.id -eq 29){ # FileExecutableDetected
|
||||
$path=$event.Properties[6].Value # Full path of the file
|
||||
$hash=$event.Properties[7].Value # Hashes
|
||||
}
|
||||
Else{
|
||||
# Hash and path are part of the message field in Sysmon events 6 and 7. Need to parse the XML
|
||||
$eventXML = [xml]$event.ToXml()
|
||||
If ($event.id -eq 6){ # Driver (.sys) load
|
||||
$path=$eventxml.Event.EventData.Data[1]."#text" # Full path of the file
|
||||
$hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes
|
||||
if ($event.Properties.Count -le 6){
|
||||
$path=$eventXML.Event.EventData.Data[1]."#text" # Full path of the file
|
||||
$hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes
|
||||
$hash
|
||||
}
|
||||
Else{
|
||||
$path=$eventXML.Event.EventData.Data[2]."#text" # Full path of the file
|
||||
$hash=$eventXML.Event.EventData.Data[3]."#text" # Hashes
|
||||
}
|
||||
}
|
||||
ElseIf ($event.id -eq 7){ # Image (.dll) load
|
||||
$path=$eventxml.Event.EventData.Data[4]."#text" # Full path of the file
|
||||
$hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes
|
||||
if ($event.Properties.Count -lt 14){
|
||||
$path=$eventXML.Event.EventData.Data[4]."#text" # Full path of the file
|
||||
$hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes
|
||||
}
|
||||
Elseif ($event.Properties.Count -lt 15){
|
||||
$path=$eventXML.Event.EventData.Data[5]."#text" # Full path of the file
|
||||
$hash=$eventXML.Event.EventData.Data[10]."#text" # Hashes
|
||||
}
|
||||
Else{
|
||||
$path=$eventXML.Event.EventData.Data[5]."#text" # Full path of the file
|
||||
$hash=$eventXML.Event.EventData.Data[11]."#text" # Hashes
|
||||
}
|
||||
}
|
||||
Else{
|
||||
Out-Host "Logic error 1, should not reach here..."
|
||||
@ -35,4 +66,4 @@ ForEach ($event in $events) {
|
||||
Else{
|
||||
Out-Host "No SHA256 hash found. Ensure Sysmon is creating SHA256 hashes"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
204
README.md
204
README.md
@ -1,161 +1,153 @@
|
||||
# DeepBlueCLI
|
||||
|
||||
DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs
|
||||
DeepBlueCLI - un module PowerShell pour la chasse aux menaces (Threat Hunting) via les journaux d'événements Windows.
|
||||
|
||||
Eric Conrad, Backshore Communications, LLC
|
||||
https://sahelcyber.com
|
||||
|
||||
deepblue `at` backshore `dot` net
|
||||
Des exemples de fichiers EVTX se trouvent dans le répertoire `.\evtx`.
|
||||
|
||||
Twitter: [@eric_conrad](https://twitter.com/eric_conrad)
|
||||
**Note :** Si votre antivirus s'affole après avoir téléchargé DeepBlueCLI, il réagit probablement aux fichiers EVTX inclus dans le répertoire `.\evtx` (qui contiennent des journaux de lignes de commande d'attaques malveillantes, entre autres artefacts). Les fichiers EVTX sont inoffensifs. Vous devrez peut-être configurer votre antivirus pour qu'il ignore le répertoire de DeepBlueCLI.
|
||||
|
||||
http://ericconrad.com
|
||||
## Table des Matières
|
||||
- [Utilisation](#usage)
|
||||
- [Journaux d'événements Windows traités](#windows-event-logs-processed)
|
||||
- [Événements détectés](#detected-events)
|
||||
- [Exemples](#examples)
|
||||
- [Sortie](#output)
|
||||
- [Configuration de la journalisation](#logging-setup)
|
||||
- Voir le [README de DeepBlue.py](READMEs/README-DeepBlue.py.md) pour les informations sur DeepBlue.py
|
||||
- Voir le [README de DeepBlueHash](READMEs/README-DeepBlueHash.md) pour les informations sur DeepBlueHash (mise en liste blanche via les journaux Sysmon)
|
||||
|
||||
Sample evtx files are in the .\evtx directory
|
||||
## Usage :
|
||||
|
||||
## Table of Contents
|
||||
- [Usage](#usage)
|
||||
- [Windows Event Logs processed](#windows-event-logs-processed)
|
||||
- [Detected events](#detected-events)
|
||||
- [Examples](#examples)
|
||||
- [Output](#output)
|
||||
- [Logging setup](#logging-setup)
|
||||
- See the [DeepBlue.py Readme](READMEs/README-DeepBlue.py.md) for information on DeepBlue.py
|
||||
- See the [DeepBlueHash Readme](READMEs/README-DeepBlueHash.md) for information on DeepBlueHash (detective safelisting using Sysmon event logs)
|
||||
`.\DeepBlue.ps1 <nom_journal_evenements> <nom_fichier_evtx>`
|
||||
|
||||
## Usage:
|
||||
Consultez le [README sur Set-ExecutionPolicy](READMEs/Set-ExecutionPolicy.md) si vous recevez une erreur "l'exécution de scripts est désactivée sur ce système".
|
||||
|
||||
`.\DeepBlue.ps1 <event log name> <evtx filename>`
|
||||
|
||||
See the [Set-ExecutionPolicy Readme](READMEs/Set-ExecutionPolicy.md) if you receive a 'running scripts is
|
||||
disabled on this system' error.
|
||||
|
||||
### Process local Windows security event log (PowerShell must be run as Administrator):
|
||||
### Traiter le journal de sécurité local de Windows (PowerShell doit être exécuté en tant qu'Administrateur) :
|
||||
|
||||
`.\DeepBlue.ps1`
|
||||
|
||||
or:
|
||||
ou :
|
||||
|
||||
`.\DeepBlue.ps1 -log security`
|
||||
|
||||
### Process local Windows system event log:
|
||||
### Traiter le journal système local de Windows :
|
||||
|
||||
`.\DeepBlue.ps1 -log system`
|
||||
|
||||
### Process evtx file:
|
||||
### Traiter un fichier evtx :
|
||||
|
||||
`.\DeepBlue.ps1 .\evtx\new-user-security.evtx`
|
||||
|
||||
## Windows Event Logs processed
|
||||
## Journaux d'événements Windows traités
|
||||
|
||||
- Windows Security
|
||||
- Windows System
|
||||
- Windows Application
|
||||
- Windows PowerShell
|
||||
- Sécurité Windows
|
||||
- Système Windows
|
||||
- Application Windows
|
||||
- Windows PowerShell
|
||||
- Sysmon
|
||||
|
||||
### Command Line Logs processed
|
||||
### Journaux de ligne de commande traités
|
||||
|
||||
See [Logging setup](#logging-setup) section below for how to configure these logs
|
||||
Voir la section [Configuration de la journalisation](#logging-setup) ci-dessous pour savoir comment configurer ces journaux.
|
||||
|
||||
- Windows Security event ID 4688
|
||||
- Windows PowerShell event IDs 4103 and 4104
|
||||
- Sysmon event ID 1
|
||||
- Événement de sécurité Windows ID 4688
|
||||
- Événements Windows PowerShell ID 4103 et 4104
|
||||
- Événement Sysmon ID 1
|
||||
|
||||
## Detected events
|
||||
## Événements détectés
|
||||
|
||||
* Suspicious account behavior
|
||||
* User creation
|
||||
* User added to local/global/universal groups
|
||||
* Password guessing (multiple logon failures, one account)
|
||||
* Password spraying via failed logon (multiple logon failures, multiple accounts)
|
||||
* Password spraying via explicit credentials
|
||||
* Bloodhound (admin privileges assigned to the same account with multiple Security IDs)
|
||||
* Command line/Sysmon/PowerShell auditing
|
||||
* Long command lines
|
||||
* Regex searches
|
||||
* Obfuscated commands
|
||||
* PowerShell launched via WMIC or PsExec
|
||||
* Comportement de compte suspect
|
||||
* Création d'utilisateur
|
||||
* Utilisateur ajouté à des groupes locaux/globaux/universels
|
||||
* Tentatives de deviner le mot de passe (plusieurs échecs de connexion, un seul compte)
|
||||
* Attaque par pulvérisation de mots de passe via échec de connexion (plusieurs échecs, plusieurs comptes)
|
||||
* Attaque par pulvérisation de mots de passe via informations d'identification explicites
|
||||
* Bloodhound (privilèges d'administrateur attribués au même compte avec plusieurs ID de sécurité)
|
||||
* Audit de la ligne de commande/Sysmon/PowerShell
|
||||
* Lignes de commande longues
|
||||
* Recherches par expressions régulières (Regex)
|
||||
* Commandes obfusquées
|
||||
* PowerShell lancé via WMIC ou PsExec
|
||||
* PowerShell Net.WebClient Downloadstring
|
||||
* Compressed/Base64 encoded commands (with automatic decompression/decoding)
|
||||
* Unsigned EXEs or DLLs
|
||||
* Service auditing
|
||||
* Suspicious service creation
|
||||
* Service creation errors
|
||||
* Stopping/starting the Windows Event Log service (potential event log manipulation)
|
||||
* Commandes compressées/encodées en Base64 (avec décompression/décodage automatique)
|
||||
* EXE ou DLL non signés
|
||||
* Audit des services
|
||||
* Création de service suspecte
|
||||
* Erreurs de création de service
|
||||
* Arrêt/démarrage du service Journal d'événements Windows (manipulation potentielle des journaux)
|
||||
* Mimikatz
|
||||
* `lsadump::sam`
|
||||
* EMET & Applocker Blocks
|
||||
* Blocages EMET & Applocker
|
||||
|
||||
...et plus encore.
|
||||
|
||||
...and more
|
||||
## Exemples
|
||||
|
||||
## Examples
|
||||
| Événement | Commande |
|
||||
|---|---|
|
||||
| Manipulation du journal d'événements | `.\DeepBlue.ps1 .\evtx\disablestop-eventlog.evtx` |
|
||||
| Cible native Metasploit (sécurité) | `.\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-security.evtx` |
|
||||
| Cible native Metasploit (système) | `.\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-system.evtx` |
|
||||
| Cible PowerShell Metasploit (sécurité) | `.\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-security.evtx` |
|
||||
| Cible PowerShell Metasploit (système) | `.\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-system.evtx` |
|
||||
| Mimikatz `lsadump::sam` | `.\DeepBlue.ps1 .\evtx\mimikatz-privesc-hashdump.evtx` |
|
||||
| Création d'un nouvel utilisateur | `.\DeepBlue.ps1 .\evtx\new-user-security.evtx` |
|
||||
| Obfuscation (encodage) | `.\DeepBlue.ps1 .\evtx\Powershell-Invoke-Obfuscation-encoding-menu.evtx` |
|
||||
| Obfuscation (chaîne de caractères) | `.\DeepBlue.ps1 .\evtx\Powershell-Invoke-Obfuscation-string-menu.evtx` |
|
||||
| Tentatives de deviner le mot de passe | `.\DeepBlue.ps1 .\evtx\smb-password-guessing-security.evtx` |
|
||||
| Attaque par pulvérisation de mots de passe | `.\DeepBlue.ps1 .\evtx\password-spray.evtx` |
|
||||
| PowerSploit (sécurité) | `.\DeepBlue.ps1 .\evtx\powersploit-security.evtx` |
|
||||
| PowerSploit (système) | `.\DeepBlue.ps1 .\evtx\powersploit-system.evtx` |
|
||||
| PSAttack | `.\DeepBlue.ps1 .\evtx\psattack-security.evtx` |
|
||||
| Utilisateur ajouté au groupe administrateur| `.\DeepBlue.ps1 .\evtx\new-user-security.evtx` |
|
||||
|
||||
|Event|Command|
|
||||
|-----|-------|
|
||||
|Event log manipulation|`.\DeepBlue.ps1 .\evtx\disablestop-eventlog.evtx`|
|
||||
|Metasploit native target (security)|`.\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-security.evtx`|
|
||||
|Metasploit native target (system)|`.\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-system.evtx`|
|
||||
|Metasploit PowerShell target (security)|` .\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-security.evtx`|
|
||||
|Metasploit PowerShell target (system)|` .\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-system.evtx`|
|
||||
|Mimikatz `lsadump::sam`|`.\DeepBlue.ps1 .\evtx\mimikatz-privesc-hashdump.evtx`|
|
||||
|New user creation|`.\DeepBlue.ps1 .\evtx\new-user-security.evtx`|
|
||||
|Obfuscation (encoding)|`.\DeepBlue.ps1 .\evtx\Powershell-Invoke-Obfuscation-encoding-menu.evtx`|
|
||||
|Obfuscation (string)|`.\DeepBlue.ps1 .\evtx\Powershell-Invoke-Obfuscation-string-menu.evtx`|
|
||||
|Password guessing|`.\DeepBlue.ps1 .\evtx\smb-password-guessing-security.evtx`|
|
||||
|Password spraying|`.\DeepBlue.ps1 .\evtx\password-spray.evtx`|
|
||||
|PowerSploit (security)|`.\DeepBlue.ps1 .\evtx\powersploit-security.evtx`|
|
||||
|PowerSploit (system)|`.\DeepBlue.ps1 .\evtx\powersploit-system.evtx`|
|
||||
|PSAttack|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx`|
|
||||
|User added to administrator group|`.\DeepBlue.ps1 .\evtx\new-user-security.evtx`|
|
||||
## Sortie
|
||||
|
||||
## Output
|
||||
DeepBlueCLI génère des objets PowerShell, permettant une variété de méthodes et de types de sortie, y compris JSON, HTML, CSV, etc.
|
||||
|
||||
DeepBlueCLI outputs in PowerShell objects, allowing a variety of output methods and types, including JSON, HTML, CSV, etc.
|
||||
Par exemple :
|
||||
|
||||
For example:
|
||||
| Type de Sortie | Syntaxe |
|
||||
|---|---|
|
||||
| CSV | `.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| ConvertTo-Csv` |
|
||||
| Format liste (défaut) | `.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| Format-List` |
|
||||
| Format tableau | `.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| Format-Table` |
|
||||
| GridView | `.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| Out-GridView` |
|
||||
| HTML | `.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| ConvertTo-Html` |
|
||||
| JSON | `.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| ConvertTo-Json` |
|
||||
| XML | `.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| ConvertTo-Xml` |
|
||||
|
||||
|Output Type|Syntax|
|
||||
|-----------|------|
|
||||
|CSV|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| ConvertTo-Csv`|
|
||||
|Format list (default)|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| Format-List`|
|
||||
|Format table|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| Format-Table`|
|
||||
|GridView|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| Out-GridView`|
|
||||
|HTML|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| ConvertTo-Html`|
|
||||
|JSON|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| ConvertTo-Json`|
|
||||
|XML|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| ConvertTo-Xml`|
|
||||
## Configuration de la journalisation
|
||||
|
||||
## Logging setup
|
||||
### Événement de sécurité 4688 (Audit de la ligne de commande) :
|
||||
|
||||
### Security event 4688 (Command line auditing):
|
||||
Activez l'audit de la ligne de commande Windows : https://support.microsoft.com/fr-fr/kb/3004375
|
||||
|
||||
Enable Windows command-line auditing: https://support.microsoft.com/en-us/kb/3004375
|
||||
### Événement de sécurité 4625 (Échecs de connexion) :
|
||||
|
||||
### Security event 4625 (Failed logons):
|
||||
Nécessite l'audit des échecs de connexion : https://technet.microsoft.com/fr-fr/library/cc976395.aspx
|
||||
|
||||
Requires auditing logon failures: https://technet.microsoft.com/en-us/library/cc976395.aspx
|
||||
### PowerShell auditing (PowerShell 5.0):
|
||||
### Audit PowerShell (PowerShell 5.0) :
|
||||
|
||||
DeepBlueCLI uses module logging (PowerShell event 4103) and script block logging (4104). It does not use transcription.
|
||||
DeepBlueCLI utilise la journalisation des modules (événement PowerShell 4103) et la journalisation des blocs de script (4104). Il n'utilise pas la transcription.
|
||||
|
||||
See: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
|
||||
Voir : https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
|
||||
|
||||
To get the PowerShell commandline (and not just script block) on Windows 7 through Windows 8.1, add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1
|
||||
```
|
||||
Pour obtenir la ligne de commande PowerShell (et pas seulement le bloc de script) sur Windows 7 jusqu'à Windows 8.1, ajoutez ce qui suit à `\Windows\System32\WindowsPowerShell\v1.0\profile.ps1` :
|
||||
```powershell
|
||||
$LogCommandHealthEvent = $true
|
||||
$LogCommandLifecycleEvent = $true
|
||||
```
|
||||
See the following for more information:
|
||||
- https://logrhythm.com/blog/powershell-command-line-logging/
|
||||
- http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html
|
||||
|
||||
Thank you: [@heinzarelli](https://twitter.com/heinzarelli) and [@HackerHurricane](https://twitter.com/hackerhurricane)
|
||||
Consultez les liens suivants pour plus d'informations :
|
||||
- https://logrhythm.com/blog/powershell-command-line-logging/
|
||||
- http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html
|
||||
|
||||
### Sysmon
|
||||
Sysmon
|
||||
|
||||
Install Sysmon from Sysinternals: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
|
||||
Installez Sysmon depuis Sysinternals : https://docs.microsoft.com/fr-fr/sysinternals/downloads/sysmon
|
||||
|
||||
DeepBlue and DeepBlueHash currently use Sysmon events, 1, 6 and 7.
|
||||
|
||||
Log SHA256 hashes. Others are fine; DeepBlueCLI will use SHA256.
|
||||
DeepBlue et DeepBlueHash utilisent actuellement les événements Sysmon 1, 6 et 7.
|
||||
|
||||
Journalisez les hachages SHA256. Les autres sont acceptables ; DeepBlueHash utilisera SHA256.
|
||||
@ -1,23 +1,22 @@
|
||||
# DeepBlue.py
|
||||
|
||||
DeepBlueCLI, ported to Python. Designed for parsing evtx files on Unix/Linux.
|
||||
DeepBlueCLI, porté en Python. Conçu pour analyser les fichiers `evtx` sur Unix/Linux.
|
||||
|
||||
Current version: alpha. It supports command line parsing for Security event log 4688, PowerShell log 4014, and Sysmon log 1. Will be porting more functionality from DeepBlueCLI after DerbyCon 7.
|
||||
Version actuelle : alpha. Il supporte l'analyse en ligne de commande pour le journal de sécurité (ID 4688), le journal PowerShell (ID 4014) et le journal Sysmon (ID 1). D'autres fonctionnalités de DeepBlueCLI seront portées après la conférence DerbyCon 7.
|
||||
|
||||
## libevtx
|
||||
|
||||
Requires libevtx: https://github.com/libyal/libevtx
|
||||
Ce projet nécessite `libevtx` pour fonctionner.
|
||||
Lien : https://github.com/libyal/libevtx
|
||||
|
||||
## Other evtx frameworks
|
||||
## Autres frameworks evtx
|
||||
|
||||
Note that I tested a few Unix/Linux/Python evtx frameworks.
|
||||
Notez que j'ai testé plusieurs frameworks `evtx` pour Unix/Linux/Python.
|
||||
|
||||
This is quite popular: https://github.com/williballenthin/python-evtx
|
||||
Celui-ci est assez populaire : https://github.com/williballenthin/python-evtx
|
||||
|
||||
I ran into trouble with *some* .evtx files, where it would crash with this error:
|
||||
J'ai rencontré des problèmes avec *certains* fichiers `.evtx`, où il plantait avec cette erreur :
|
||||
|
||||
```
|
||||
UnicodeDecodeError: 'utf16' codec can't decode bytes in position 0-1: illegal UTF-16 surrogate
|
||||
```
|
||||
|
||||
I found libevtx 'just worked', and had the added benefit of both Python and compiled options.
|
||||
J'ai trouvé que `libevtx` "fonctionnait tout simplement", avec l'avantage supplémentaire d'offrir des options à la fois en Python et compilées.
|
||||
@ -1,69 +1,68 @@
|
||||
# DeepBlueHash
|
||||
|
||||
Detective safelisting using Sysmon event logs.
|
||||
Mise en liste blanche ("safelisting") de type "détective" en utilisant les journaux d'événements Sysmon.
|
||||
|
||||
Parses the Sysmon event logs, grabbing the SHA256 hashes from process creation (event 1), driver load (event 6, sys), and image load (event 7, DLL) events.
|
||||
Ce script analyse les journaux d'événements Sysmon, récupérant les hachages SHA256 des événements de création de processus (événement 1), de chargement de pilote (événement 6, .sys), et de chargement d'image (événement 7, .dll).
|
||||
|
||||
## VirusTotal and Safelisting setup
|
||||
## Configuration de VirusTotal et de la liste blanche
|
||||
|
||||
Setting up VirusTotal hash submissions and safelisting:
|
||||
**Note** : Virustotal a modifié son API gratuite pour certains utilisateurs. Mon ancien compte a cette limitation :
|
||||
|
||||
The hash checker requires Post-VirusTotal:
|
||||
- Quota journalier : 1 requête / jour
|
||||
- Quota mensuel : 31 requêtes / mois
|
||||
|
||||
- https://github.com/darkoperator/Posh-VirusTotal
|
||||
Les nouveaux comptes obtiennent ceci :
|
||||
|
||||
It also requires a VirusTotal API key:
|
||||
- Taux de requêtes : 4 requêtes / min
|
||||
- Quota journalier : 500 requêtes / jour
|
||||
- Quota mensuel : 15 500 requêtes / mois
|
||||
|
||||
- https://www.virustotal.com/en/documentation/public-api/
|
||||
Je ne suis pas sûr de la raison de ce changement, donc c'est pour votre information.
|
||||
|
||||
Then configure your VirusTotal API key:
|
||||
```powershell
|
||||
set-VTAPIKey -APIKey <API Key>
|
||||
```
|
||||
The script assumes a personal API key, and waits 15 seconds between submissions.
|
||||
Mise en place des soumissions de hachages à VirusTotal et de la liste blanche :
|
||||
|
||||
## Sysmon setup
|
||||
Le vérificateur de hachage nécessite VirusTotalAnalyzer : https://github.com/EvotecIT/VirusTotalAnalyzer
|
||||
|
||||
Sysmon is required: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
|
||||
Il nécessite également une clé d'API VirusTotal :
|
||||
|
||||
Must log the SHA256 hash, DeepBlueHash will ignore the others.
|
||||
- https://www.virustotal.com/en/documentation/public-api/
|
||||
|
||||
This minimal Sysmon 6.0 config will log the proper events/hashes. Note that image (DLL) logging may create performance issues. This config ignores DLLs signed by Microsoft (which should lighten the load), but please test!
|
||||
Le script suppose une clé d'API personnelle et attend 15 secondes entre les soumissions.
|
||||
|
||||
## Configuration de Sysmon
|
||||
|
||||
Sysmon est requis : https://docs.microsoft.com/fr-fr/sysinternals/downloads/sysmon
|
||||
|
||||
Il doit journaliser le hachage SHA256, DeepBlueHash ignorera les autres.
|
||||
|
||||
Cette configuration minimale de Sysmon 6.0 journalisera les événements/hachages appropriés. Notez que la journalisation des images (.dll) peut créer des problèmes de performance. Cette configuration ignore les DLL signées par Microsoft (ce qui devrait alléger la charge), mais veuillez tester !
|
||||
|
||||
```xml
|
||||
<Sysmon schemaversion="3.3">
|
||||
<!-- Capture SHA256 hashes only -->
|
||||
<HashAlgorithms>SHA256</HashAlgorithms>
|
||||
<EventFiltering>
|
||||
<!-- Log all drivers (.sys) except if the signature contains Microsoft or Windows -->
|
||||
<DriverLoad onmatch="exclude">
|
||||
<Signature condition="contains">microsoft</Signature>
|
||||
<Signature condition="contains">windows</Signature>
|
||||
</DriverLoad>
|
||||
<!-- Log all images (.dll) except if the signature contains Microsoft or Windows -->
|
||||
<!-- Note: this may create a performance issue, please test -->
|
||||
<ImageLoad onmatch="exclude">
|
||||
<Signature condition="contains">microsoft</Signature>
|
||||
<Signature condition="contains">windows</Signature>
|
||||
</ImageLoad>
|
||||
<!-- Do not log process termination -->
|
||||
<ProcessTerminate onmatch="include" />
|
||||
<!-- Log process creation -->
|
||||
<ProcessCreate onmatch="exclude" />
|
||||
</EventFiltering>
|
||||
<HashAlgorithms>SHA256</HashAlgorithms>
|
||||
<EventFiltering>
|
||||
<DriverLoad onmatch="exclude">
|
||||
<Signature condition="contains">microsoft</Signature>
|
||||
<Signature condition="contains">windows</Signature>
|
||||
</DriverLoad>
|
||||
<ImageLoad onmatch="exclude">
|
||||
<Signature condition="contains">microsoft</Signature>
|
||||
<Signature condition="contains">windows</Signature>
|
||||
</ImageLoad>
|
||||
<ProcessTerminate onmatch="include" />
|
||||
<ProcessCreate onmatch="exclude" />
|
||||
</EventFiltering>
|
||||
</Sysmon>
|
||||
```
|
||||
These are the events used by DeepBlueCLI and DeepBlueHash.
|
||||
|
||||
You can go *much* further than this with Sysmon. The Sysinternals Sysmon page has a good basic configuration: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
|
||||
Ce sont les événements utilisés par DeepBlueCLI et DeepBlueHash.
|
||||
|
||||
Also see @swiftonsecurity's awesome Sysmon config here: https://github.com/SwiftOnSecurity/sysmon-config
|
||||
Vous pouvez aller beaucoup plus loin que cela avec Sysmon. La page Sysmon de Sysinternals a une bonne configuration de base : https://docs.microsoft.com/fr-fr/sysinternals/downloads/sysmon
|
||||
|
||||
## Generating a Safelist
|
||||
Consultez également l'excellente configuration Sysmon de @swiftonsecurity ici : https://github.com/SwiftOnSecurity/sysmon-config
|
||||
|
||||
Generate a custom safelist on Windows (note: this is optional):
|
||||
Générer une liste blanche (Safelist)
|
||||
Générez une liste blanche personnalisée sur Windows (note : c'est optionnel) :
|
||||
|
||||
```
|
||||
PS C:\> Get-ChildItem c:\windows\system32 -Include '*.exe','*.dll','*.sys','*.com' -Recurse | Get-FileHash| Export-Csv -Path safelist.csv
|
||||
```
|
||||
Note: this will generate (harmless) 'PermissionDenied' warnings for locked files, etc. They may be ignored.
|
||||
|
||||
Note : cela générera des avertissements (inoffensifs) de type 'PermissionDenied' pour les fichiers verrouillés, etc. Ils peuvent être ignorés.
|
||||
@ -1,15 +1,13 @@
|
||||
## Set-ExecutionPolicy
|
||||
|
||||
If you see this error: `.\DeepBlue.ps1 : File .\DeepBlue.ps1 cannot be loaded because running scripts is
|
||||
disabled on this system. For more information, see about_Execution_Policies at
|
||||
http://go.microsoft.com/fwlink/?LinkID=135170.`
|
||||
Si vous rencontrez cette erreur : `.\DeepBlue.ps1 : File .\DeepBlue.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.`
|
||||
|
||||
You must run Set-ExecutionPolicy as Administrator, here is an example (this will warn every time you run a ps1 script):
|
||||
Vous devez exécuter `Set-ExecutionPolicy` en tant qu'**Administrateur**. Voici un exemple (cette commande vous avertira à chaque fois que vous exécuterez un script .ps1) :
|
||||
|
||||
`Set-ExecutionPolicy RemoteSigned`
|
||||
|
||||
This command will bypass Set-Execution entirely: `Set-ExecutionPolicy Bypass`
|
||||
Cette commande contournera complètement la politique d'exécution : `Set-ExecutionPolicy Bypass`
|
||||
|
||||
See `get-help Set-ExecutionPolicy` for more options.
|
||||
Consultez `get-help Set-ExecutionPolicy` pour plus d'options.
|
||||
|
||||
Please note that "Set-ExecutionPolicy is not a security control" (quoting [@Ben0xA](https://twitter.com/ben0xa))
|
||||
Veuillez noter que "Set-ExecutionPolicy n'est pas un contrôle de sécurité" (citation de [@Ben0xA](https://twitter.com/ben0xa)).
|
||||
BIN
evtx/metasploit-sysmon.evtx
Normal file
BIN
evtx/metasploit-sysmon.evtx
Normal file
Binary file not shown.
BIN
evtx/sliver-security.evtx
Normal file
BIN
evtx/sliver-security.evtx
Normal file
Binary file not shown.
BIN
evtx/sliver-sysmon.evtx
Normal file
BIN
evtx/sliver-sysmon.evtx
Normal file
Binary file not shown.
BIN
evtx/wmi-event-filter-persistance.evtx
Normal file
BIN
evtx/wmi-event-filter-persistance.evtx
Normal file
Binary file not shown.
4
regexes.txt
Normal file → Executable file
4
regexes.txt
Normal file → Executable file
@ -23,5 +23,9 @@ Type,regex,string
|
||||
# Generic cvtres.exe alert, comment out if experiencing false positives
|
||||
0,\\cvtres\.exe.*,Resource File To COFF Object Conversion Utility cvtres.exe
|
||||
0,\\cvtres\.exe.*\\AppData\\Local\\Temp\\[A-Z0-9]{7}\.tmp,PSAttack-style command via cvtres.exe
|
||||
0,Register-ScheduledTask,Command referencing Register-ScheduledTask (possible ASEP)
|
||||
0,Software\\Microsoft\\Windows\\CurrentVersion\\Run,Reference to registry run key (possible ASEP)
|
||||
0,reg *add,Registry addition (possible ASEP)
|
||||
0,cmd.exe.*\\ADMIN\$\\,cmd.exe accessing the ADMIN$ share
|
||||
1,^[a-zA-Z]{22}$,Metasploit-style service name: 22 characters, [A-Za-z]
|
||||
1,^[a-zA-Z]{16}$,Metasploit-style service name: 16 characters, [A-Za-z]
|
||||
|
||||
2
safelist.txt
Normal file → Executable file
2
safelist.txt
Normal file → Executable file
@ -7,3 +7,5 @@
|
||||
regex
|
||||
^"C:\\Program Files\\Google\\Chrome\\Application\\chrome\.exe"
|
||||
^"C:\\Program Files\\Google\\Update\\GoogleUpdate\.exe"
|
||||
^"C:\\Program Files \(x86\)\\Google\\Update\\GoogleUpdate\.exe"
|
||||
"\\AppData\\Local\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate\.exe"
|
||||
|
||||
Reference in New Issue
Block a user