add DeepBlueCLI Rule(7 Sysmon) #30

Yamato-Security · Sep 18, 2021 · 8eb1324 · 8eb1324
1 parent a59e1a1
commit 8eb1324
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/Rules/WELA-Rules/Sysmon/7-UnsignedDLLImage.ps1 b/Rules/WELA-Rules/Sysmon/7-UnsignedDLLImage.ps1
@@ -0,0 +1,29 @@
+
+function Add-Rule {
+    $ruleName = "7-UnsignedDLLImage";
+    # This can be very chatty, so Recommend disabled.
+    $detectedMessage = "detected Sysmon Unsigned Image(DLL) on DeepBlueCLI Rule";
+
+    $detectRule = {
+        function Search-DetectableEvents {
+            param (
+                $event
+            )
+            $target = $event | where { $_.ID -eq 7 -and $_.ProviderName -eq "Microsoft-Windows-Sysmon/Operational" }
+
+            foreach ($record in $target) {
+                $eventXML = [xml] $record.ToXml()
+                if ($eventXML.Event.EventData.Data[6]."#text" -eq "false") {
+                    $image = $eventXML.Event.EventData.Data[3]."#text"
+                    $result = "Loaded by: $image"
+                    Write-Host
+                    Write-Host "Detected! RuleName:$ruleName";
+                    Write-Host $detectedMessage;
+                    Write-Output $result
+                }
+            }
+        };
+        Search-DetectableEvents $args[0];
+    };
+    $Global:ruleStack.Add($ruleName, $detectRule);
+}