No description, website, or topics provided.
Switch branches/tags
Nothing to show
Clone or download


DeepBlueCLI 2.0

Eric Conrad, Backshore Communications, LLC

deepblue at backshore dot net

Twitter: @eric_conrad

Sample evtx files are in the .\evtx directory

Table of Contents


.\DeepBlue.ps1 <event log name> <evtx filename>

If you see this error:

.\DeepBlue.ps1 : File .\DeepBlue.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at

You must run Set-ExecutionPolicy as Administrator, here is an example:

Set-ExecutionPolicy RemoteSigned

See get-help Set-ExecutionPolicy for more options.


Process local Windows security event log:



.\DeepBlue.ps1 -log security

Process local Windows system event log:

.\DeepBlue.ps1 -log system


.\DeepBlue.ps1 "" system

Process evtx file:

.\DeepBlue.ps1 .\evtx\new-user-security.evtx


.\DeepBlue.ps1 -file .\evtx\new-user-security.evtx

Windows Event Logs processed

  • Windows Security
  • Windows System
  • Windows Application
  • Windows Powershell
  • Sysmon (new)

Command Lines Logs processed

See 'Logging setup' section below for how to configure these logs

  • Windows Security event ID 4688
  • Windows Powershell event IDs 4103 and 4104
  • Sysmon event ID 1

Logging setup

Security event 4688 (Command line auditing):

Enable Windows command-line auditing:

Security event 4625 (Failed logons):

Requires auditing logon failures:

PowerShell auditing (PowerShell 5.0):

DeepBlueCLI uses module logging (PowerShell event 4013) and script block logging (4104). It does not use transcription.


To get the PowerShell commandline (and not just script block) on Windows 7 through Windows 8.1, add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1

$LogCommandHealthEvent = $true
$LogCommandLifecycleEvent = $true

See the following for more information:

Thank you: @heinzarelli and @HackerHurricane


Install Sysmon from Sysinternals:

DeepBlue and DeepWhite currently use Sysmon events, 1, 6 and 7.

Log SHA256 hashes. Others are fine; DeepBlueCLI will use SHA256.