More updates, including more WMI detection

sans-blue-team · Jun 7, 2023 · 2290102 · 2290102
1 parent 79dd0e6
commit 2290102
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 0 deletions.
diff --git a/DeepBlue.ps1 b/DeepBlue.ps1
@@ -824,6 +824,14 @@ function Check-Creator($command,$creator){
                 $creatortext += "PowerShell launched via WMI: $creator`n"
             }
         }
+        ElseIf ($command -Match "cmd.exe"){
+            if ($creator -Match "PSEXESVC"){
+                $creatortext += "cmd.exe launched via PsExec: $creator`n"
+            }
+            ElseIf($creator -Match "WmiPrvSE"){
+                $creatortext += "cmd.exe launched via WMI: $creator`n"
+            }
+        }
     }
     return $creatortext
 }

diff --git a/regexes.txt b/regexes.txt
@@ -26,5 +26,6 @@ Type,regex,string
 0,Register-ScheduledTask,Command referencing Register-ScheduledTask (possible ASEP)
 0,Software\\Microsoft\\Windows\\CurrentVersion\\Run,Reference to registry run key (possible ASEP)
 0,reg *add,Registry addition (possible ASEP)
+0,cmd.exe.*\\ADMIN\$\\,cmd.exe accessing the ADMIN$ share
 1,^[a-zA-Z]{22}$,Metasploit-style service name: 22 characters, [A-Za-z]
 1,^[a-zA-Z]{16}$,Metasploit-style service name: 16 characters, [A-Za-z]
diff --git a/safelist.txt b/safelist.txt
@@ -7,3 +7,4 @@
 regex
 ^"C:\\Program Files\\Google\\Chrome\\Application\\chrome\.exe"
 ^"C:\\Program Files\\Google\\Update\\GoogleUpdate\.exe"
+^"C:\\Program Files \(x86\)\\Google\\Update\\GoogleUpdate\.exe"