# DeepBlueCLI

DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs

Eric Conrad, Backshore Communications, LLC

deepblue `at` backshore `dot` net

Twitter: [@eric_conrad](https://twitter.com/eric_conrad)

http://ericconrad.com

Repository: https://github.com/sans-blue-team/DeepBlueCLI (PowerShell, GPL-3.0 license). Listed on awesome.ecosyste.ms under ETW / Tools.

Sample EVTX files are in the .\evtx directory

**Note** If your antivirus flags DeepBlueCLI after you download it, it is most likely reacting to the EVTX files in the .\evtx directory, which contain command-line logs of malicious attacks, among other artifacts. EVTX files are log data, not executable code, and are not harmful. You may need to configure your antivirus to exclude the DeepBlueCLI directory.

## Table of Contents
- [Usage](#usage)
- [Windows Event Logs processed](#windows-event-logs-processed)
- [Detected events](#detected-events)
- [Examples](#examples)
- [Output](#output)
- [Logging setup](#logging-setup)
- See the [DeepBlue.py Readme](READMEs/README-DeepBlue.py.md) for information on DeepBlue.py
- See the [DeepBlueHash Readme](READMEs/README-DeepBlueHash.md) for information on DeepBlueHash (detective safelisting using Sysmon event logs)

## Usage:

`.\DeepBlue.ps1 <event log name> <evtx filename>`

Both arguments are optional: with no arguments DeepBlue.ps1 reads the local Security log, and a single EVTX path processes that file (see the examples below).

See the [Set-ExecutionPolicy Readme](READMEs/Set-ExecutionPolicy.md) if you receive a 'running scripts is disabled on this system' error.

### Process local Windows security event log (PowerShell must be run as Administrator):

`.\DeepBlue.ps1`

or:

`.\DeepBlue.ps1 -log security`

### Process local Windows system event log:

`.\DeepBlue.ps1 -log system`

### Process evtx file:

`.\DeepBlue.ps1 .\evtx\new-user-security.evtx`

## Windows Event Logs processed

- Windows Security
- Windows System
- Windows Application
- Windows PowerShell
- Sysmon

### Command Line Logs processed

See the [Logging setup](#logging-setup) section below for how to configure these logs

- Windows Security event ID 4688
- Windows PowerShell event IDs 4103 and 4104
- Sysmon event ID 1

## Detected events

* Suspicious account behavior
  * User creation
  * User added to local/global/universal groups
  * Password guessing (multiple logon failures, one account)
  * Password spraying via failed logon (multiple logon failures, multiple accounts)
  * Password spraying via explicit credentials
  * BloodHound (admin privileges assigned to the same account with multiple Security IDs)
* Command line/Sysmon/PowerShell auditing
  * Long command lines
  * Regex searches
  * Obfuscated commands
  * PowerShell launched via WMIC or PsExec
  * PowerShell Net.WebClient DownloadString
  * Compressed/Base64 encoded commands (with automatic decompression/decoding)
  * Unsigned EXEs or DLLs
* Service auditing
  * Suspicious service creation
  * Service creation errors
  * Stopping/starting the Windows Event Log service (potential event log manipulation)
* Mimikatz
  * `lsadump::sam`
* EMET & AppLocker blocks

...and more

## Examples

|Event|Command|
|-----|-------|
|Event log manipulation|`.\DeepBlue.ps1 .\evtx\disablestop-eventlog.evtx`|
|Metasploit native target (security)|`.\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-security.evtx`|
|Metasploit native target (system)|`.\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-system.evtx`|
|Metasploit PowerShell target (security)|`.\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-security.evtx`|
|Metasploit PowerShell target (system)|`.\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-system.evtx`|
|Mimikatz `lsadump::sam`|`.\DeepBlue.ps1 .\evtx\mimikatz-privesc-hashdump.evtx`|
|New user creation|`.\DeepBlue.ps1 .\evtx\new-user-security.evtx`|
|Obfuscation (encoding)|`.\DeepBlue.ps1 .\evtx\Powershell-Invoke-Obfuscation-encoding-menu.evtx`|
|Obfuscation (string)|`.\DeepBlue.ps1 .\evtx\Powershell-Invoke-Obfuscation-string-menu.evtx`|
|Password guessing|`.\DeepBlue.ps1 .\evtx\smb-password-guessing-security.evtx`|
|Password spraying|`.\DeepBlue.ps1 .\evtx\password-spray.evtx`|
|PowerSploit (security)|`.\DeepBlue.ps1 .\evtx\powersploit-security.evtx`|
|PowerSploit (system)|`.\DeepBlue.ps1 .\evtx\powersploit-system.evtx`|
|PSAttack|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx`|
|User added to administrator group|`.\DeepBlue.ps1 .\evtx\new-user-security.evtx`|

## Output

DeepBlueCLI emits PowerShell objects, so the results can be piped into any of the standard formatting and conversion cmdlets, giving JSON, HTML, CSV and other output types without any extra code.

For example:

|Output Type|Syntax|
|-----------|------|
|CSV|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| ConvertTo-Csv`|
|Format list (default)|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| Format-List`|
|Format table|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| Format-Table`|
|GridView|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| Out-GridView`|
|HTML|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| ConvertTo-Html`|
|JSON|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| ConvertTo-Json`|
|XML|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| ConvertTo-Xml`|

## Logging setup

### Security event 4688 (Command line auditing):

Enable Windows command-line auditing (process creation auditing must be on, and the "include command line in process creation events" policy enabled, or 4688 is logged without the command line): https://support.microsoft.com/en-us/kb/3004375

### Security event 4625 (Failed logons):

Requires auditing of logon failures (Audit Logon, Failure): https://technet.microsoft.com/en-us/library/cc976395.aspx

### PowerShell auditing (PowerShell 5.0):

DeepBlueCLI uses module logging (PowerShell event 4103) and script block logging (4104). It does not use transcription.

See: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

To get the PowerShell command line (and not just the script block) on Windows 7 through Windows 8.1, add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1

```powershell
$LogCommandHealthEvent = $true
$LogCommandLifecycleEvent = $true
```

See the following for more information:
 - https://logrhythm.com/blog/powershell-command-line-logging/
 - http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html

Thank you: [@heinzarelli](https://twitter.com/heinzarelli) and [@HackerHurricane](https://twitter.com/hackerhurricane)

### Sysmon

Install Sysmon from Sysinternals: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

DeepBlue and DeepBlueHash currently use Sysmon events 1 (process creation), 6 (driver loaded) and 7 (image loaded).

Configure Sysmon to log SHA256 hashes. Logging additional hash algorithms alongside is fine, but DeepBlueHash uses the SHA256 value.
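The "Detected events" section lists password guessing (many failures, one account) and password spraying via failed logon (many failures, many accounts) without showing how the two are told apart. The following is an added example of that triage over Security event 4625, written for this page; it is not DeepBlueCLI's own implementation, and the two thresholds, the sample records and the function names are assumptions made for illustration. It reads the `TargetUserName`, `IpAddress` and `Status` fields from the 4625 event XML, and a constructed sample lets the analysis run without an EVTX file.

```powershell
<#
  Password-guessing vs password-spraying triage over Security event 4625.
  Example code for this page, not DeepBlueCLI's implementation; thresholds are assumed values.
#>
function Get-FailedLogon {
    # Load 4625 events from an EVTX file, or from the live Security log when -Path is omitted
    # (the live log needs an elevated PowerShell), and pull the fields the analysis needs
    # out of the event's XML.
    param([string]$Path)
    $filter = @{ Id = 4625 }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Security' }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction Stop) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Source  = ($data | Where-Object Name -eq 'IpAddress').'#text'
            Status  = ($data | Where-Object Name -eq 'Status').'#text'   # 0xC000006D = bad user/password
        }
    }
}

function Find-LogonAttack {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$GuessThreshold = 10,   # failures against ONE account (assumed value)
        [int]$SprayThreshold = 10    # distinct accounts failing from ONE source (assumed value)
    )
    # Password guessing: many failures concentrated on a single account.
    foreach ($g in $Events | Group-Object Account | Where-Object Count -ge $GuessThreshold) {
        [pscustomobject]@{
            Type = 'Password guessing'; Key = $g.Name; Failures = $g.Count
            Accounts = 1; Sources = @($g.Group.Source | Sort-Object -Unique).Count
        }
    }
    # Password spraying: a single source fails against many different accounts, usually
    # only once or twice each so no individual account reaches a lockout threshold.
    foreach ($g in $Events | Group-Object Source) {
        $accounts = @($g.Group.Account | Sort-Object -Unique)
        if ($accounts.Count -ge $SprayThreshold) {
            [pscustomobject]@{
                Type = 'Password spraying'; Key = $g.Name; Failures = $g.Count
                Accounts = $accounts.Count; Sources = 1
            }
        }
    }
}

# Constructed sample (not real log data): 12 failures against 'svc_backup' from one host
# (guessing) and one failure each against 15 accounts from another host (spraying).
$sample = @(
    1..12 | ForEach-Object {
        [pscustomobject]@{ Time = (Get-Date).AddMinutes(-$_); Account = 'svc_backup'; Source = '10.0.0.5'; Status = '0xC000006D' }
    }
    1..15 | ForEach-Object {
        [pscustomobject]@{ Time = (Get-Date).AddSeconds(-$_); Account = "user$_"; Source = '10.0.0.9'; Status = '0xC000006D' }
    }
)
Find-LogonAttack -Events $sample | Format-Table -AutoSize

# Against one of the README's sample files instead of the constructed data:
# Find-LogonAttack -Events (Get-FailedLogon -Path .\evtx\password-spray.evtx)
```

Two simplifications to be aware of before using this on real data: there is no time window, so a long-lived log will accumulate legitimate typos past the guessing threshold, and the spray rule keys on a single source address, so a spray distributed across many hosts (or arriving through a proxy that shows as `-` in `IpAddress`) needs a rule keyed on the time window alone. Spraying via explicit credentials, which the README also lists, is a 4648 pattern and is not covered here.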
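The "Usage" and "Output" sections show DeepBlue.ps1 run against one file at a time and piped into a conversion cmdlet. The following added example (not part of the project) wraps those same two invocation forms, a positional EVTX path and `-log security`, to process a whole folder and write one JSON report per source. It assumes DeepBlue.ps1 sits in the current directory, as in the README's examples; the `$OutDir` layout and the `Save-Report` helper are choices made here, not anything the project defines.

```powershell
<#
  Batch-run DeepBlue.ps1 over a folder of EVTX files and save one JSON report per file.
  Example wrapper for this page, not part of DeepBlueCLI. Invocation forms follow the README:
  a positional EVTX path, and "-log security" for the live Security log (needs Administrator).
#>
param(
    [string]$DeepBlue = '.\DeepBlue.ps1',
    [string]$EvtxDir  = '.\evtx',
    [string]$OutDir   = '.\reports',
    [switch]$IncludeLocalSecurityLog    # only works from an elevated PowerShell
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

function Save-Report {
    # Serialise one run's result objects to JSON and return a one-line summary for the table.
    param([string]$Name, $Results)
    $path = Join-Path $OutDir ($Name + '.json')
    # ConvertTo-Json only descends two levels by default; go deeper so nested fields survive.
    @($Results) | ConvertTo-Json -Depth 6 | Set-Content -Path $path -Encoding UTF8
    [pscustomobject]@{ Source = $Name; Findings = @($Results).Count; Report = $path }
}

# @() forces an array even when the folder holds a single file, so += below keeps working.
$summary = @(
    foreach ($evtx in Get-ChildItem -Path $EvtxDir -Filter *.evtx) {
        # Positional path, exactly as the README shows: .\DeepBlue.ps1 .\evtx\file.evtx
        Save-Report -Name $evtx.BaseName -Results (& $DeepBlue $evtx.FullName)
    }
)
if ($IncludeLocalSecurityLog) {
    $summary += Save-Report -Name 'local-security' -Results (& $DeepBlue -log security)
}

# Sources with the most findings first; the per-file JSON holds the detail.
$summary | Sort-Object Findings -Descending | Format-Table -AutoSize
```

Swap `ConvertTo-Json` for `Export-Csv -NoTypeInformation` in `Save-Report` if a spreadsheet is the consumer; because the script only relies on DeepBlue.ps1 returning objects, nothing else needs to change.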
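The "Logging setup" section points at the policy documentation for each log source but leaves the actual configuration to the reader. The following is an added example, not part of DeepBlueCLI, that applies those settings locally on one Windows host from an elevated PowerShell: process creation auditing with the command line in 4688, logon failure auditing for 4625, PowerShell module and script block logging for 4103/4104, and a Sysmon configuration that records events 1, 6 and 7 with SHA256 hashes. The registry paths and audit subcategory GUIDs are the standard ones; the Sysmon configuration, its schema version, the config file name and the `Set-RegDword` helper are assumptions made for this example.

```powershell
<#
  Enable the Windows logging that DeepBlueCLI consumes, as a local configuration script.
  Example for this page, not part of DeepBlueCLI. Run from an elevated PowerShell. In a domain,
  Group Policy will override these local settings, so put the same settings in a GPO instead.
#>
#Requires -RunAsAdministrator

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# --- Security 4688 with the command line ("Command line auditing") ---
# Audit subcategories are addressed by GUID so the calls work on any OS display language.
$ProcessCreation = '{0CCE922B-69AE-11D9-BED3-505054503030}'
$Logon           = '{0CCE9215-69AE-11D9-BED3-505054503030}'
auditpol.exe /set "/subcategory:$ProcessCreation" /success:enable /failure:enable | Out-Null
# Without this value 4688 is written, but with an empty "Process Command Line" field.
Set-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
             'ProcessCreationIncludeCmdLine_Enabled' 1

# --- Security 4625 ("Failed logons") ---
auditpol.exe /set "/subcategory:$Logon" /failure:enable | Out-Null

# --- PowerShell 4103 (module logging) and 4104 (script block logging) ---
$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
Set-RegDword "$ps\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
Set-RegDword "$ps\ModuleLogging"      'EnableModuleLogging'      1
# ModuleNames lists which modules to log; a '*' entry means all of them.
if (-not (Test-Path "$ps\ModuleLogging\ModuleNames")) { New-Item "$ps\ModuleLogging\ModuleNames" -Force | Out-Null }
New-ItemProperty -Path "$ps\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# --- Sysmon events 1, 6 and 7 with SHA256 hashes ("Sysmon") ---
# Minimal config (an assumption for illustration): "exclude" with no rules records everything
# for that event type. ImageLoad (event 7) is very noisy on busy hosts, so add exclude rules
# before deploying widely. schemaversion must not exceed what your Sysmon build supports.
$sysmonConfig = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>SHA256</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="exclude" />
    <DriverLoad    onmatch="exclude" />
    <ImageLoad     onmatch="exclude" />
  </EventFiltering>
</Sysmon>
'@
$cfgPath = Join-Path $env:ProgramData 'sysmon-deepblue.xml'   # file name is arbitrary
Set-Content -Path $cfgPath -Value $sysmonConfig -Encoding ASCII
$sysmon = Get-Command sysmon64.exe, sysmon.exe -ErrorAction SilentlyContinue | Select-Object -First 1
if ($sysmon) {
    # -i installs the driver and service with this config; -c reconfigures an existing install.
    $installed = Get-Service -Name Sysmon64, Sysmon -ErrorAction SilentlyContinue
    if ($installed) { & $sysmon.Source -c $cfgPath } else { & $sysmon.Source -accepteula -i $cfgPath }
} else {
    Write-Warning "Sysmon not found on PATH; install it, then run: sysmon64.exe -accepteula -i $cfgPath"
}

# --- Verify what took effect ---
auditpol.exe /get "/subcategory:$ProcessCreation"
auditpol.exe /get "/subcategory:$Logon"
Get-ItemProperty "$ps\ScriptBlockLogging", "$ps\ModuleLogging" | Format-List Enable*
```

After running it, generate a test event (for example `powershell.exe -NoProfile -Command "Get-Date"`) and confirm it appears as a 4688 with the command line in Security, a 4104 in Microsoft-Windows-PowerShell/Operational and a Sysmon event 1 with a `SHA256=` hash, before pointing `.\DeepBlue.ps1` at the live logs. If the auditpol output still shows "No Auditing", a legacy (category-level) audit policy from Group Policy is overriding the subcategory settings; the "Force audit policy subcategory settings" security option resolves that.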