DeepBlueCLI: PowerShell Module for Threat Hunting via Windows Event Logs
DeepBlueCLI
DeepBlueCLI – a PowerShell Module for Threat Hunting via Windows Event Logs.
Windows Event Logs processed
- Windows Security
- Windows System
- Windows Application
- Windows PowerShell
- Sysmon
Command Line Logs processed
See Logging setup section below for how to configure these logs
- Windows Security event ID 4688
- Windows PowerShell event IDs 4103 and 4104
- Sysmon event ID 1
Detected events
- Suspicious account behavior
- User creation
- User added to local/global/universal groups
- Password guessing (multiple logon failures, one account)
- Password spraying via failed logon (multiple logon failures, multiple accounts)
- Password spraying via explicit credentials
- Bloodhound (admin privileges assigned to the same account with multiple Security IDs)
- Command-line/Sysmon/PowerShell auditing
- Long command lines
- Regex searches
- Obfuscated commands
- PowerShell launched via WMIC or PsExec
- PowerShell Net.WebClient Downloadstring
- Compressed/Base64 encoded commands (with automatic decompression/decoding)
- Unsigned EXEs or DLLs
- Service auditing
- Suspicious service creation
- Service creation errors
- Stopping/starting the Windows Event Log service (potential event log manipulation)
- Mimikatz
- lsadump::sam
- EMET & Applocker Blocks
…and more
Download & Use
Copyright (C) 2016 Eric Conrad, Backshore Communications, LLC
