Repository files navigation

DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs

Eric Conrad, Backshore Communications, LLC

deepblueat backshoredot net

Twitter:@eric_conrad

http://ericconrad.com

Sample EVTX files are in the .\evtx directory

Note If your antivirus freaks out after downloading DeepBlueCLI: it's likely reacting to the included EVTX files in the .\evtx directory (which contain command-line logs of malicious attacks, among other artifacts). EVTX files are not harmful. You may need to configure your antivirus to ignore the DeepBlueCLI directory.

• Usage
• Windows Event Logs processed
• Detected events
• Examples
• Output
• Logging setup
• See theDeepBlue.py Readme for information on DeepBlue.py
• See theDeepBlueHash Readme for information on DeepBlueHash (detective safelisting using Sysmon event logs)

.\DeepBlue.ps1 <event log name> <evtx filename>

See theSet-ExecutionPolicy Readme if you receive a 'running scripts isdisabled on this system' error.

.\DeepBlue.ps1

or:

.\DeepBlue.ps1 -log security

.\DeepBlue.ps1 -log system

.\DeepBlue.ps1 .\evtx\new-user-security.evtx

• Windows Security
• Windows System
• Windows Application
• Windows PowerShell
• Sysmon

SeeLogging setup section below for how to configure these logs

• Windows Security event ID 4688
• Windows PowerShell event IDs 4103 and 4104
• Sysmon event ID 1

• Suspicious account behavior
  • User creation
  • User added to local/global/universal groups
  • Password guessing (multiple logon failures, one account)
  • Password spraying via failed logon (multiple logon failures, multiple accounts)
  • Password spraying via explicit credentials
  • Bloodhound (admin privileges assigned to the same account with multiple Security IDs)
• Command line/Sysmon/PowerShell auditing
  • Long command lines
  • Regex searches
  • Obfuscated commands
  • PowerShell launched via WMIC or PsExec
  • PowerShell Net.WebClient Downloadstring
  • Compressed/Base64 encoded commands (with automatic decompression/decoding)
  • Unsigned EXEs or DLLs
• Service auditing
  • Suspicious service creation
  • Service creation errors
  • Stopping/starting the Windows Event Log service (potential event log manipulation)
• Mimikatz
  • lsadump::sam
• EMET & Applocker Blocks

...and more

DeepBlueCLI outputs in PowerShell objects, allowing a variety of output methods and types, including JSON, HTML, CSV, etc.

For example:

Enable Windows command-line auditing:https://support.microsoft.com/en-us/kb/3004375

Requires auditing logon failures:https://technet.microsoft.com/en-us/library/cc976395.aspx

DeepBlueCLI uses module logging (PowerShell event 4103) and script block logging (4104). It does not use transcription.

See:https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

To get the PowerShell commandline (and not just script block) on Windows 7 through Windows 8.1, add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1

$LogCommandHealthEvent = $true$LogCommandLifecycleEvent = $true

See the following for more information:

• https://logrhythm.com/blog/powershell-command-line-logging/
• http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html

Thank you:@heinzarelli and@HackerHurricane

Install Sysmon from Sysinternals:https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

DeepBlue and DeepBlueHash currently use Sysmon events, 1, 6 and 7.

Log SHA256 hashes. Others are fine; DeepBlueHash will use SHA256.