diff --git a/DeepBlue.ps1 b/DeepBlue.ps1
index 6e1ed34..97ef411 100644
--- a/DeepBlue.ps1
+++ b/DeepBlue.ps1
@@ -276,8 +276,14 @@ function Main {
 ElseIf ($logname -eq "Sysmon"){
 # Check command lines
 if ($event.id -eq 1){
+ if ($eventXML.Event.EventData.Data.Count -le 16){
 $creator=$eventXML.Event.EventData.Data[14]."#text"
 $commandline=$eventXML.Event.EventData.Data[4]."#text"
+ }
+ Else {
+ $creator=$eventXML.Event.EventData.Data[19]."#text"
+ $commandline=$eventXML.Event.EventData.Data[9]."#text"
+ }
 if ($commandline){
 Check-Command
 }
@@ -287,15 +293,28 @@ function Main {
 # This can be very chatty, so it's disabled.
 # Set $checkunsigned to 1 (global variable section) to enable:
 if ($checkunsigned){
- if ($eventXML.Event.EventData.Data[6]."#text" -eq "false"){
- $obj.Message="Unsigned Image (DLL)"
- $image=$eventXML.Event.EventData.Data[3]."#text"
- $imageload=$eventXML.Event.EventData.Data[4]."#text"
- # $hash=$eventXML.Event.EventData.Data[5]."#text"
- $obj.Command=$imageload
- $obj.Results= "Loaded by: $image"
- Write-Output $obj
- }
+ if ($event.Properties.Count -lt 14){
+ if ($eventXML.Event.EventData.Data[6]."#text" -eq "false"){
+ $obj.Message="Unsigned Image (DLL)"
+ $image=$eventXML.Event.EventData.Data[3]."#text"
+ $imageload=$eventXML.Event.EventData.Data[4]."#text"
+ # $hash=$eventXML.Event.EventData.Data[5]."#text"
+ $obj.Command=$imageload
+ $obj.Results= "Loaded by: $image"
+ Write-Output $obj
+ }
+ }
+ Else{
+ if ($eventXML.Event.EventData.Data[11]."#text" -eq "false"){
+ $obj.Message="Unsigned Image (DLL)"
+ $image=$eventXML.Event.EventData.Data[4]."#text"
+ $imageload=$eventXML.Event.EventData.Data[5]."#text"
+ # $hash=$eventXML.Event.EventData.Data[10]."#text"
+ $obj.Command=$imageload
+ $obj.Results= "Loaded by: $image"
+ Write-Output $obj
+ }
+ }
 }
 }
 }
diff --git a/DeepWhite-collector.ps1 b/DeepWhite-collector.ps1
index 9fd6102..f4bc86a 100644
--- a/DeepWhite-collector.ps1
+++ b/DeepWhite-collector.ps1
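Review bot: The `Else` branch of the added `Data.Count -le 16` check is taken for every event with more than 16 fields but reads the fixed offsets 19 and 9, so any layout whose field count differs from the one those offsets were taken from passes the check and is read at the wrong positions; by default an out-of-range PowerShell index yields `$null` rather than an error, and `if ($commandline)` then skips `Check-Command` with no sign that the event was never parsed. Sysmon tags each `Data` element with a `Name` attribute, so selecting by name is immune to offset drift: `$data=$eventXML.Event.EventData.Data`, `$commandline=($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'`, `$creator=($data | Where-Object { $_.Name -eq 'ParentImage' }).'#text'`. If offsets are kept, keying on the schema version the event carries (`$event.Version`, presumably bumped with each layout change) is a sounder selector than a count threshold. The same fixed-offset pattern appears in the `@@ -287` hunk below (`Data[11]`, `Data[4]`, `Data[5]` under `$event.Properties.Count -lt 14`) and in all three branches of the `@@ -2` hunk of DeepWhite-collector.ps1, where a misread `Hashes` field would surface only as the `No SHA256 hash found` message. `Main` continues outside this hunk.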
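Review bot: The two branches added under `$checkunsigned` repeat the same nine-line emit block and differ only in three array offsets, which doubles the code to touch on the next schema change and has already drifted from the `@@ -276` hunk above (`-lt 14` on `$event.Properties.Count` here versus `-le 16` on `$eventXML.Event.EventData.Data.Count` there). Resolving the offsets first and keeping a single body is shorter and guarantees both layouts produce the same output object. The commented-out `$hash` offsets (5 and 10) can live in the offset-selection line if they are still wanted.
```powershell
if ($checkunsigned){
    # Resolve the three schema-dependent offsets once; one emit body serves both layouts.
    if ($event.Properties.Count -lt 14){ $signedIdx=6;  $imageIdx=3; $loadedIdx=4 }
    Else{ $signedIdx=11; $imageIdx=4; $loadedIdx=5 }
    if ($eventXML.Event.EventData.Data[$signedIdx]."#text" -eq "false"){
        $obj.Message="Unsigned Image (DLL)"
        $image=$eventXML.Event.EventData.Data[$imageIdx]."#text"
        $imageload=$eventXML.Event.EventData.Data[$loadedIdx]."#text"
        $obj.Command=$imageload
        $obj.Results= "Loaded by: $image"
        Write-Output $obj
    }
}
```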
@@ -2,19 +2,38 @@ $events = get-winevent @{logname="Microsoft-Windows-Sysmon/Operational";id=1,6,7}
 ForEach ($event in $events) {
 if ($event.id -eq 1){ # Process creation
- $path=$event.Properties[3].Value # Full path of the file
- $hash=$event.Properties[11].Value # Hashes
+
+ if ($event.Properties.Count -le 16){
+ $path=$event.Properties[3].Value # Full path of the file
+ $hash=$event.Properties[11].Value # Hashes
+ }
+ Else {
+ $path=$event.Properties[4].Value # Full path of the file
+ $hash=$event.Properties[16].Value # Hashes
+ }
 }
 Else{
 # Hash and path are part of the message field in Sysmon events 6 and 7. Need to parse the XML
 $eventXML = [xml]$event.ToXml()
 If ($event.id -eq 6){ # Driver (.sys) load
- $path=$eventxml.Event.EventData.Data[1]."#text" # Full path of the file
+ if ($event.Properties.Count -le 6){
+ $path=$eventXML.Event.EventData.Data[1]."#text" # Full path of the file
 $hash=$eventXML.Event.EventData.Data[2]."#text" # Hashes
+ }
+ Else{
+ $path=$eventXML.Event.EventData.Data[2]."#text" # Full path of the file
+ $hash=$eventXML.Event.EventData.Data[3]."#text" # Hashes
+ }
 }
 ElseIf ($event.id -eq 7){ # Image (.dll) load
- $path=$eventxml.Event.EventData.Data[4]."#text" # Full path of the file
+ if ($event.Properties.Count -lt 14){
+ $path=$eventXML.Event.EventData.Data[4]."#text" # Full path of the file
 $hash=$eventXML.Event.EventData.Data[5]."#text" # Hashes
+ }
+ Else{
+ $path=$eventXML.Event.EventData.Data[5]."#text" # Full path of the file
+ $hash=$eventXML.Event.EventData.Data[10]."#text" # Hashes
+ }
 }
 Else{
 Out-Host "Logic error 1, should not reach here..."
@@ -35,4 +54,4 @@ ForEach ($event in $events) {
 Else{
 Out-Host "No SHA256 hash found. Ensure Sysmon is creating SHA256 hashes"
 }
-}
\ No newline at end of file
+}
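Review bot: The thresholds `-le 16`, `-le 6` and `-lt 14` and the offsets paired with them are undocumented magic numbers; nothing in the hunk records which Sysmon event schema each branch was verified against, so whoever adjusts them next has to re-derive both layouts from scratch. A comment above the first check such as `# Field offsets differ between Sysmon event schema versions; the property count separates the two layouts verified so far (<record the verified schema versions here>)` keeps that knowledge with the code, and each `Else` could name the layout it targets. The mix of `-le` and `-lt` for the same "old versus new layout" decision also deserves a word, since a reader cannot tell whether the boundary values are deliberate. Separately, the `$hash=` lines for events 6 and 7 survive as unchanged context lines between the new `+ $path=` line and the added `+ }`, so they presumably keep their old indentation inside the new block; re-indenting them is a whitespace-only change that keeps the block readable. The `ForEach` body continues past the end of this hunk.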