An IOC framework written in PowerShell
BlueSpectrum
Screenshots
BlueSpectrum_Process_Call.ps1 v2 Jan 3, 2017
LICENSE
README.md

BlueSpectrum is an IOC framework written in PowerShell. It searches for Indicators of Compromise (IOC) in Registry keys/values, network connections, file metadata, and/or file hashes on local or remote systems, using WMI as the remote process caller. This script works with PowerShell v2 and newer.

Adding IOCs:

Open one of the five IOC files and enter one applicable indicator per line. See the folder labeled "IOC_Examples" for how an indicator should look in each file.

Usage:

1) Download this repository and unzip it.
2) Add applicable IOCs to the indicator files.
3) Change applicable variables.
    - BlueSpectrum_Process_Call.ps1 -- Lines 18, 21, 24, and 27
    - BlueSpectrum.ps1 -- Line 46
4) Run BlueSpectrum_Process_Call.ps1 from a PS console.
5) Review findings in the "Results" folder.
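The steps above describe the workflow but not what a sweep actually does with an indicator file. The script below is an added example, not BlueSpectrum's own code: it performs a single local sweep over the five indicator categories the README names (registry keys/values, network connections, file hashes, file sizes, filenames), reads indicators one per line, and writes a results file whose name begins with the hostname, as the Results folder entries do. The indicator file names, the `<key path>|<value name>` registry format, the scan root and every sample indicator are constructed for this example (the hash is that of an empty file, the address is an RFC 5737 documentation address), and it deliberately sticks to PowerShell v2 cmdlets, using .NET for SHA-256 instead of `Get-FileHash`.

```powershell
# Added example, not BlueSpectrum's own code. Single local IOC sweep over the five
# indicator categories described in the README. All file names, formats, roots and
# sample values below are assumptions constructed for the example.

$Base      = Join-Path $env:TEMP 'BlueSpectrum_Example'
$IocDir    = Join-Path $Base 'IOC'
$ResultDir = Join-Path $Base 'Results'
$ScanRoot  = Join-Path $Base 'Scan'
New-Item -ItemType Directory -Force -Path $IocDir, $ResultDir, $ScanRoot | Out-Null

# Constructed sample indicators (placeholders, not real IoCs). One indicator per line.
Set-Content (Join-Path $IocDir 'hashes.txt')      'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'  # SHA-256 of an empty file
Set-Content (Join-Path $IocDir 'filenames.txt')   'example_dropper.exe'
Set-Content (Join-Path $IocDir 'filesizes.txt')   '0'
Set-Content (Join-Path $IocDir 'registry.txt')    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ExampleIoc'
Set-Content (Join-Path $IocDir 'connections.txt') '203.0.113.10'  # RFC 5737 documentation address

# Plant one constructed, empty artifact so the sweep has something to find offline.
New-Item -ItemType File -Force -Path (Join-Path $ScanRoot 'example_dropper.exe') | Out-Null

function Read-Ioc([string]$Path) {
    # One indicator per line; blank lines and '#' comments are ignored.
    if (-not (Test-Path $Path)) { return @() }
    Get-Content $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' -and -not $_.StartsWith('#') }
}

function Get-Sha256([string]$Path) {
    # Get-FileHash needs PowerShell 4; the .NET provider works on v2.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '').ToLower() }
    finally { $fs.Close() }
}

$hashes  = @(Read-Ioc (Join-Path $IocDir 'hashes.txt'))
$names   = @(Read-Ioc (Join-Path $IocDir 'filenames.txt'))
$sizes   = @(Read-Ioc (Join-Path $IocDir 'filesizes.txt') | ForEach-Object { [int64]$_ })
$regIocs = @(Read-Ioc (Join-Path $IocDir 'registry.txt'))
$ipIocs  = @(Read-Ioc (Join-Path $IocDir 'connections.txt'))
$hits    = @()

# File metadata and hash sweep: one directory walk serves three indicator types.
Get-ChildItem -Path $ScanRoot -Recurse -Force -ErrorAction SilentlyContinue |
  Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    $f = $_
    if ($names -contains $f.Name)   { $hits += "FILENAME|$($f.FullName)" }
    if ($sizes -contains $f.Length) { $hits += "FILESIZE|$($f.Length)|$($f.FullName)" }
    if ($hashes.Count -gt 0) {
        $h = Get-Sha256 $f.FullName
        if ($hashes -contains $h)   { $hits += "HASH|$h|$($f.FullName)" }
    }
}

# Registry sweep. Assumed indicator format: <key path>|<value name>.
foreach ($ioc in $regIocs) {
    $key, $value = $ioc -split '\|', 2
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$value]) { $hits += "REGISTRY|$key|$value" }
    }
}

# Network sweep: parse netstat so it also works where Get-NetTCPConnection is unavailable.
$remotes = @(netstat -ano | ForEach-Object {
    $parts = @(($_ -split '\s+') | Where-Object { $_ -ne '' })
    if ($parts.Count -ge 3 -and $parts[0] -match '^(TCP|UDP)$') { $parts[2] -replace ':\d+$', '' }
})
foreach ($ip in $ipIocs) {
    if ($remotes -contains $ip) { $hits += "CONNECTION|$ip" }
}

# Results file name starts with the host name, as BlueSpectrum's Results entries do.
$out = Join-Path $ResultDir ("{0}_{1}.txt" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd_HHmmss'))
if ($hits.Count -eq 0) { $hits = @('NO HITS') }
$hits | Set-Content $out
Write-Host "Wrote $($hits.Count) line(s) to $out"
$hits
```

Run as-is from a PS console and the planted empty file produces a FILENAME, FILESIZE and HASH hit in the results file, while the registry and connection indicators produce none unless a matching value or connection exists on the host; point `$IocDir` and `$ScanRoot` at real locations to sweep them. Zero-byte size and empty-file hash indicators are useful for verifying the plumbing, but in a real indicator set they match far too much and should be left out.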


Remote Usage:

There are a few ways to run BlueSpectrum remotely, including PSRemoting, PSEXEC, and/or WMI. We only address running it locally.

Screenshots

Indicators

Process Call in action with status updates

Results are returned to the local machine and begin with the IP or hostname of the system it came from.

Connection scan hits

Registry scan hits

Hash scan hits

File size scan hits

Filename scan hits