BlueSploit is the Metasploit of the Blue Team, because I was tired of seing Red Team frameworks, I created Bluesploit. I am using cmd2 module to create a Metasploit like environment.
BlueSploit is a DFIR framework with the main purpose being to quickly capture artifacts for later review.
Most of the commands used are OS native commands. Native commands have their limitations, therefore, some executables will be used. I will reference all executables that are used on the bottom of this page along with links to their github page.
The current implementation is focused on Windows environments. Some of the powershell commands will not work with windows 7 due to lack of backwards compatibility.
Download the latest release for windows.
Current stage of the project: Beta
Upcoming Features:
- ☑ Investigating registry keys
- ☑ Memory captures
- ☑ Live packet cptures
- ☑ Use of Strings to inspect executables
- ☑ Short term re-mediation of malicious artifact
- ☑ Blocking/Unblocking IPs
- ☑ Create timeline of events & and collect information for prefetch files (Using Nirsoft's tools)
- ☑ Collect ShellBags of specified user (Using Eric Zimmerman's SBECmd tool)
- ☑ Collect Browsing history (Using Using Nirsoft's tools)
- ☑ Searching for malicious documents using Yara
- ☑ Extract/Defang IOCs
- ☐ Killing malicious processes/services found
- ☐ Investigate suspicious network connections
- ☐ Dump all Log-On/Off events
Feel free to contribute! I will try to keep the code clean and easy to read.
A big thanks to the below projects for their contribution to the InfoSec community:
- DeepBlueCLI from Sans (https://github.com/sans-blue-team/DeepBlueCLI)
- Nirsoft for the amazing collection of tools (https://www.nirsoft.net)
- Eric Zimmerman for his contribution with the forensic tools (https://ericzimmerman.github.io)
Disclaimer
Comments,suggestions and constructive criticism are welcome. I am not a developer, I am an InfoSec analyst so any help with this project from all the developers(or hobbysist programmers) out there is very much appreciated.