DeepBlueCLI is a PowerShell Module for Threat Hunting via Windows Event Logs.
Usage
.\DeepBlue.ps1 <event log name> <evtx filename>
See the Set-ExecutionPolicy Readme if you receive a ‘running scripts is disabled on this system’ error.
.\DeepBlue.ps1
or:.\DeepBlue.ps1 -log security
.\DeepBlue.ps1 -log system
.\DeepBlue.ps1 .\evtx\new-user-security.evtx
Windows Event Logs Processed
Command Line Logs Processed
See Logging setup section below for how to configure these logs
Detected Events
lsadump::sam
…and more
Examples
Event | Command |
---|---|
Event log manipulation | .\DeepBlue.ps1 .\evtx\disablestop-eventlog.evtx |
Metasploit native target (security) | .\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-security.evtx |
Metasploit native target (system) | .\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-system.evtx |
Metasploit PowerShell target (security) | .\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-security.evtx |
Metasploit PowerShell target (system) | .\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-system.evtx |
Mimikatz lsadump::sam | .\DeepBlue.ps1 .\evtx\mimikatz-privesc-hashdump.evtx |
New user creation | .\DeepBlue.ps1 .\evtx\new-user-security.evtx |
Obfuscation (encoding) | .\DeepBlue.ps1 .\evtx\Powershell-Invoke-Obfuscation-encoding-menu.evtx |
Obfuscation (string) | .\DeepBlue.ps1 .\evtx\Powershell-Invoke-Obfuscation-string-menu.evtx |
Password guessing | .\DeepBlue.ps1 .\evtx\smb-password-guessing-security.evtx |
Password spraying | .\DeepBlue.ps1 .\evtx\password-spray.evtx |
PowerSploit (security) | .\DeepBlue.ps1 .\evtx\powersploit-security.evtx |
PowerSploit (system) | .\DeepBlue.ps1 .\evtx\powersploit-system.evtx |
PSAttack | .\DeepBlue.ps1 .\evtx\psattack-security.evtx |
User added to administrator group | .\DeepBlue.ps1 .\evtx\new-user-security.evtx |
Output
DeepBlueCLI outputs in PowerShell objects, allowing a variety of output methods and types, including JSON, HTML, CSV, etc.
For example:
Output Type | Syntax |
---|---|
CSV | .\DeepBlue.ps1 .\evtx\psattack-security.evtx | ConvertTo-Csv |
Format list (default) | .\DeepBlue.ps1 .\evtx\psattack-security.evtx | Format-List |
Format table | .\DeepBlue.ps1 .\evtx\psattack-security.evtx | Format-Table |
GridView | .\DeepBlue.ps1 .\evtx\psattack-security.evtx | Out-GridView |
HTML | .\DeepBlue.ps1 .\evtx\psattack-security.evtx | ConvertTo-Html |
JSON | .\DeepBlue.ps1 .\evtx\psattack-security.evtx | ConvertTo-Json |
XML | .\DeepBlue.ps1 .\evtx\psattack-security.evtx | ConvertTo-Xml |
Logging Setup
Enable Windows command-line auditing: https://support.microsoft.com/en-us/kb/3004375
Requires auditing logon failures: https://technet.microsoft.com/en-us/library/cc976395.aspx
DeepBlueCLI uses module logging (PowerShell event 4103) and script block logging (4104). It does not use transcription.
See: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
To get the PowerShell commandline (and not just script block) on Windows 7 through Windows 8.1, add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1
$LogCommandHealthEvent = $true
$LogCommandLifecycleEvent = $true
See the following for more information:
Thank you: @heinzarelli and @HackerHurricane
Sysmon
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…
hrtng IDA plugin is a collection of tools, ideas and experiments from different sources I've…
A stealthy command line tool to create TCP-over-CDN(http) tunnels that keep your connections cozy and…