Was analyzing Sysmon event 1 image instead of CommandLine. Fixed

straysheep-dev · Oct 29, 2021 · 45d62cb · 45d62cb
1 parent 350fe3c
commit 45d62cb
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/DeepBlue.ps1 b/DeepBlue.ps1
@@ -518,7 +518,7 @@ function Main {
             # Check command lines
             if ($event.id -eq 1){
                 $creator=$eventXML.Event.EventData.Data[14]."#text"
-                $commandline=$eventXML.Event.EventData.Data[4]."#text"
+                $commandline=$eventXML.Event.EventData.Data[10]."#text"
                 if ($commandline){
                     Check-Command -EventID 1
                 }