Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.
Awesome Lists | Featured Topics | Projects
https://github.com/sans-blue-team/deepbluecli

Last synced: about 2 months ago
JSON representation
Host: GitHub
URL: https://github.com/sans-blue-team/deepbluecli
Owner: sans-blue-team
License: gpl-3.0
Created: 2016-09-20T16:06:06.000Z (about 8 years ago)
Default Branch: master
Last Pushed: 2023-10-14T17:06:57.000Z (11 months ago)
Last Synced: 2024-04-13T12:48:25.170Z (5 months ago)
Language: PowerShell
Size: 5.66 MB
Stars: 2,072
Watchers: 128
Forks: 340
Open Issues: 14
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project

README

        # DeepBlueCLI

DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs

Eric Conrad, Backshore Communications, LLC

deepblue `at` backshore `dot` net

Twitter: [@eric_conrad](https://twitter.com/eric_conrad)

http://ericconrad.com

Sample EVTX files are in the .\evtx directory

**Note** If your antivirus freaks out after downloading DeepBlueCLI: it's likely reacting to the included EVTX files in the .\evtx directory (which contain command-line logs of malicious attacks, among other artifacts). EVTX files are not harmful. You may need to configure your antivirus to ignore the DeepBlueCLI directory.

## Table of Contents  

- [Usage](#usage)  

- [Windows Event Logs processed](#windows-event-logs-processed)

- [Detected events](#detected-events)

- [Examples](#examples)

- [Output](#output)

- [Logging setup](#logging-setup)

- See the [DeepBlue.py Readme](READMEs/README-DeepBlue.py.md) for information on DeepBlue.py

- See the [DeepBlueHash Readme](READMEs/README-DeepBlueHash.md) for information on DeepBlueHash (detective safelisting using Sysmon event logs)

## Usage:

`.\DeepBlue.ps1  `

See the [Set-ExecutionPolicy Readme](READMEs/Set-ExecutionPolicy.md) if you receive a 'running scripts is

disabled on this system' error.

### Process local Windows security event log (PowerShell must be run as Administrator):

`.\DeepBlue.ps1`

or:

`.\DeepBlue.ps1 -log security`

### Process local Windows system event log:

`.\DeepBlue.ps1 -log system`

### Process evtx file:

`.\DeepBlue.ps1 .\evtx\new-user-security.evtx`

## Windows Event Logs processed

- Windows Security 

- Windows System

- Windows Application

- Windows PowerShell 

- Sysmon

### Command Line Logs processed

See [Logging setup](#logging-setup) section below for how to configure these logs

- Windows Security event ID 4688 

- Windows PowerShell event IDs 4103 and 4104

- Sysmon event ID 1

## Detected events

* Suspicious account behavior

  * User creation

  * User added to local/global/universal groups

  * Password guessing (multiple logon failures, one account)

  * Password spraying via failed logon (multiple logon failures, multiple accounts)

  * Password spraying via explicit credentials

  * Bloodhound (admin privileges assigned to the same account with multiple Security IDs)

* Command line/Sysmon/PowerShell auditing

  * Long command lines

  * Regex searches

  * Obfuscated commands

  * PowerShell launched via WMIC or PsExec

  * PowerShell Net.WebClient Downloadstring

  * Compressed/Base64 encoded commands (with automatic decompression/decoding)

  * Unsigned EXEs or DLLs

* Service auditing

  * Suspicious service creation

  * Service creation errors

  * Stopping/starting the Windows Event Log service (potential event log manipulation)

* Mimikatz

  * `lsadump::sam`

* EMET & Applocker Blocks

...and more

## Examples

|Event|Command|

|-----|-------|

|Event log manipulation|`.\DeepBlue.ps1 .\evtx\disablestop-eventlog.evtx`|

|Metasploit native target (security)|`.\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-security.evtx`|

|Metasploit native target (system)|`.\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-system.evtx`|

|Metasploit PowerShell target (security)|` .\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-security.evtx`|

|Metasploit PowerShell target (system)|` .\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-system.evtx`|

|Mimikatz `lsadump::sam`|`.\DeepBlue.ps1 .\evtx\mimikatz-privesc-hashdump.evtx`|

|New user creation|`.\DeepBlue.ps1 .\evtx\new-user-security.evtx`|

|Obfuscation (encoding)|`.\DeepBlue.ps1 .\evtx\Powershell-Invoke-Obfuscation-encoding-menu.evtx`|

|Obfuscation (string)|`.\DeepBlue.ps1 .\evtx\Powershell-Invoke-Obfuscation-string-menu.evtx`|

|Password guessing|`.\DeepBlue.ps1 .\evtx\smb-password-guessing-security.evtx`|

|Password spraying|`.\DeepBlue.ps1 .\evtx\password-spray.evtx`|

|PowerSploit (security)|`.\DeepBlue.ps1 .\evtx\powersploit-security.evtx`|

|PowerSploit (system)|`.\DeepBlue.ps1 .\evtx\powersploit-system.evtx`|

|PSAttack|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx`|

|User added to administrator group|`.\DeepBlue.ps1 .\evtx\new-user-security.evtx`|

## Output

DeepBlueCLI outputs in PowerShell objects, allowing a variety of output methods and types, including JSON, HTML, CSV, etc.

For example:

|Output Type|Syntax|

|-----------|------|

|CSV|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| ConvertTo-Csv`|

|Format list (default)|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| Format-List`|

|Format table|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| Format-Table`|

|GridView|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| Out-GridView`|

|HTML|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| ConvertTo-Html`|

|JSON|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| ConvertTo-Json`|

|XML|`.\DeepBlue.ps1 .\evtx\psattack-security.evtx \| ConvertTo-Xml`|

## Logging setup

### Security event 4688 (Command line auditing):

Enable Windows command-line auditing: https://support.microsoft.com/en-us/kb/3004375 

### Security event 4625 (Failed logons):

Requires auditing logon failures: https://technet.microsoft.com/en-us/library/cc976395.aspx

### PowerShell auditing (PowerShell 5.0):

DeepBlueCLI uses module logging (PowerShell event 4103) and script block logging (4104). It does not use transcription.

See: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

To get the PowerShell commandline (and not just script block) on Windows 7 through Windows 8.1, add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1

```

$LogCommandHealthEvent = $true

$LogCommandLifecycleEvent = $true

```

See the following for more information:

 - https://logrhythm.com/blog/powershell-command-line-logging/

 - http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html

Thank you: [@heinzarelli](https://twitter.com/heinzarelli) and [@HackerHurricane](https://twitter.com/hackerhurricane)

### Sysmon

Install Sysmon from Sysinternals: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

DeepBlue and DeepBlueHash currently use Sysmon events, 1, 6 and 7.

Log SHA256 hashes. Others are fine; DeepBlueHash will use SHA256.