Skip to content

sans-blue-team/DeepBlueCLI

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

DeepBlueCLI

DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs

Eric Conrad, Backshore Communications, LLC

deepblue at backshore dot net

Twitter: @eric_conrad

http://ericconrad.com

Sample EVTX files are in the .\evtx directory

Note If your antivirus freaks out after downloading DeepBlueCLI: it's likely reacting to the included EVTX files in the .\evtx directory (which contain command-line logs of malicious attacks, among other artifacts). EVTX files are not harmful. You may need to configure your antivirus to ignore the DeepBlueCLI directory.

Table of Contents

Usage:

.\DeepBlue.ps1 <event log name> <evtx filename>

See the Set-ExecutionPolicy Readme if you receive a 'running scripts is disabled on this system' error.

Process local Windows security event log (PowerShell must be run as Administrator):

.\DeepBlue.ps1

or:

.\DeepBlue.ps1 -log security

Process local Windows system event log:

.\DeepBlue.ps1 -log system

Process evtx file:

.\DeepBlue.ps1 .\evtx\new-user-security.evtx

Windows Event Logs processed

  • Windows Security
  • Windows System
  • Windows Application
  • Windows PowerShell
  • Sysmon

Command Line Logs processed

See Logging setup section below for how to configure these logs

  • Windows Security event ID 4688
  • Windows PowerShell event IDs 4103 and 4104
  • Sysmon event ID 1

Detected events

  • Suspicious account behavior
    • User creation
    • User added to local/global/universal groups
    • Password guessing (multiple logon failures, one account)
    • Password spraying via failed logon (multiple logon failures, multiple accounts)
    • Password spraying via explicit credentials
    • Bloodhound (admin privileges assigned to the same account with multiple Security IDs)
  • Command line/Sysmon/PowerShell auditing
    • Long command lines
    • Regex searches
    • Obfuscated commands
    • PowerShell launched via WMIC or PsExec
    • PowerShell Net.WebClient Downloadstring
    • Compressed/Base64 encoded commands (with automatic decompression/decoding)
    • Unsigned EXEs or DLLs
  • Service auditing
    • Suspicious service creation
    • Service creation errors
    • Stopping/starting the Windows Event Log service (potential event log manipulation)
  • Mimikatz
    • lsadump::sam
  • EMET & Applocker Blocks

...and more

Examples

Event Command
Event log manipulation .\DeepBlue.ps1 .\evtx\disablestop-eventlog.evtx
Metasploit native target (security) .\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-security.evtx
Metasploit native target (system) .\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-system.evtx
Metasploit PowerShell target (security) .\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-security.evtx
Metasploit PowerShell target (system) .\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-system.evtx
Mimikatz lsadump::sam .\DeepBlue.ps1 .\evtx\mimikatz-privesc-hashdump.evtx
New user creation .\DeepBlue.ps1 .\evtx\new-user-security.evtx
Obfuscation (encoding) .\DeepBlue.ps1 .\evtx\Powershell-Invoke-Obfuscation-encoding-menu.evtx
Obfuscation (string) .\DeepBlue.ps1 .\evtx\Powershell-Invoke-Obfuscation-string-menu.evtx
Password guessing .\DeepBlue.ps1 .\evtx\smb-password-guessing-security.evtx
Password spraying .\DeepBlue.ps1 .\evtx\password-spray.evtx
PowerSploit (security) .\DeepBlue.ps1 .\evtx\powersploit-security.evtx
PowerSploit (system) .\DeepBlue.ps1 .\evtx\powersploit-system.evtx
PSAttack .\DeepBlue.ps1 .\evtx\psattack-security.evtx
User added to administrator group .\DeepBlue.ps1 .\evtx\new-user-security.evtx

Output

DeepBlueCLI outputs in PowerShell objects, allowing a variety of output methods and types, including JSON, HTML, CSV, etc.

For example:

Output Type Syntax
CSV .\DeepBlue.ps1 .\evtx\psattack-security.evtx | ConvertTo-Csv
Format list (default) .\DeepBlue.ps1 .\evtx\psattack-security.evtx | Format-List
Format table .\DeepBlue.ps1 .\evtx\psattack-security.evtx | Format-Table
GridView .\DeepBlue.ps1 .\evtx\psattack-security.evtx | Out-GridView
HTML .\DeepBlue.ps1 .\evtx\psattack-security.evtx | ConvertTo-Html
JSON .\DeepBlue.ps1 .\evtx\psattack-security.evtx | ConvertTo-Json
XML .\DeepBlue.ps1 .\evtx\psattack-security.evtx | ConvertTo-Xml

Logging setup

Security event 4688 (Command line auditing):

Enable Windows command-line auditing: https://support.microsoft.com/en-us/kb/3004375

Security event 4625 (Failed logons):

Requires auditing logon failures: https://technet.microsoft.com/en-us/library/cc976395.aspx

PowerShell auditing (PowerShell 5.0):

DeepBlueCLI uses module logging (PowerShell event 4103) and script block logging (4104). It does not use transcription.

See: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

To get the PowerShell commandline (and not just script block) on Windows 7 through Windows 8.1, add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1

$LogCommandHealthEvent = $true
$LogCommandLifecycleEvent = $true

See the following for more information:

Thank you: @heinzarelli and @HackerHurricane

Sysmon

Install Sysmon from Sysinternals: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

DeepBlue and DeepBlueHash currently use Sysmon events, 1, 6 and 7.

Log SHA256 hashes. Others are fine; DeepBlueHash will use SHA256.

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published