DeepBlueCLI is a PowerShell Module for Threat Hunting via Windows Event Logs.
Usage
.\DeepBlue.ps1 <event log name> <evtx filename>
See the Set-ExecutionPolicy Readme if you receive a ‘running scripts is disabled on this system’ error.
.\DeepBlue.ps1
or:.\DeepBlue.ps1 -log security
.\DeepBlue.ps1 -log system
.\DeepBlue.ps1 .\evtx\new-user-security.evtx
Windows Event Logs Processed
Command Line Logs Processed
See Logging setup section below for how to configure these logs
Detected Events
lsadump::sam
…and more
Examples
Event | Command |
---|---|
Event log manipulation | .\DeepBlue.ps1 .\evtx\disablestop-eventlog.evtx |
Metasploit native target (security) | .\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-security.evtx |
Metasploit native target (system) | .\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-system.evtx |
Metasploit PowerShell target (security) | .\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-security.evtx |
Metasploit PowerShell target (system) | .\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-system.evtx |
Mimikatz lsadump::sam | .\DeepBlue.ps1 .\evtx\mimikatz-privesc-hashdump.evtx |
New user creation | .\DeepBlue.ps1 .\evtx\new-user-security.evtx |
Obfuscation (encoding) | .\DeepBlue.ps1 .\evtx\Powershell-Invoke-Obfuscation-encoding-menu.evtx |
Obfuscation (string) | .\DeepBlue.ps1 .\evtx\Powershell-Invoke-Obfuscation-string-menu.evtx |
Password guessing | .\DeepBlue.ps1 .\evtx\smb-password-guessing-security.evtx |
Password spraying | .\DeepBlue.ps1 .\evtx\password-spray.evtx |
PowerSploit (security) | .\DeepBlue.ps1 .\evtx\powersploit-security.evtx |
PowerSploit (system) | .\DeepBlue.ps1 .\evtx\powersploit-system.evtx |
PSAttack | .\DeepBlue.ps1 .\evtx\psattack-security.evtx |
User added to administrator group | .\DeepBlue.ps1 .\evtx\new-user-security.evtx |
Output
DeepBlueCLI outputs in PowerShell objects, allowing a variety of output methods and types, including JSON, HTML, CSV, etc.
For example:
Output Type | Syntax |
---|---|
CSV | .\DeepBlue.ps1 .\evtx\psattack-security.evtx | ConvertTo-Csv |
Format list (default) | .\DeepBlue.ps1 .\evtx\psattack-security.evtx | Format-List |
Format table | .\DeepBlue.ps1 .\evtx\psattack-security.evtx | Format-Table |
GridView | .\DeepBlue.ps1 .\evtx\psattack-security.evtx | Out-GridView |
HTML | .\DeepBlue.ps1 .\evtx\psattack-security.evtx | ConvertTo-Html |
JSON | .\DeepBlue.ps1 .\evtx\psattack-security.evtx | ConvertTo-Json |
XML | .\DeepBlue.ps1 .\evtx\psattack-security.evtx | ConvertTo-Xml |
Logging Setup
Enable Windows command-line auditing: https://support.microsoft.com/en-us/kb/3004375
Requires auditing logon failures: https://technet.microsoft.com/en-us/library/cc976395.aspx
DeepBlueCLI uses module logging (PowerShell event 4103) and script block logging (4104). It does not use transcription.
See: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
To get the PowerShell commandline (and not just script block) on Windows 7 through Windows 8.1, add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1
$LogCommandHealthEvent = $true
$LogCommandLifecycleEvent = $true
See the following for more information:
Thank you: @heinzarelli and @HackerHurricane
Sysmon
Got it! Below is the updated README.md file with instructions for downloading the project on…
Termo-Kali bridges the gap between powerful Linux capabilities and the convenience of mobile devices by…
Welcome to the Ethical Hacking Quiz Application, designed to help learners test their knowledge of…
The WPA2 Handshake Automation Tool is a Python3 script designed to simplify the process of setting up…
A custom bash script designed to streamline your startup process and enhance your scripting skills.…
Welcome to the Cybersecurity Toolkit, a collection of essential Python tools designed for penetration testing…