From 82cc7131172a19372f0ac8ef946d0bc47ba60e0e Mon Sep 17 00:00:00 2001 From: Eric Conrad Date: Wed, 1 May 2019 09:58:29 -0300 Subject: [PATCH] Mentioned run as administrator for live security log --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5c98c44..dd9be96 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ Please note that "Set-ExecutionPolicy is not a security control" (quoting @Ben0x ## Examples: -### Process local Windows security event log: +### Process local Windows security event log (Powershell must be run as Administrator): `.\DeepBlue.ps1` @@ -123,8 +123,9 @@ Log SHA256 hashes. Others are fine; DeepBlueCLI will use SHA256. * Suspicious account behavior * User creation * User added to local/global/universal groups - * Password guessing (multiple login failures, one account) - * Password spraying (multiple login failures, multiple accounts) + * Password guessing (multiple logon failures, one account) + * Password spraying via failed logon (multiple logon failures, multiple accounts) + * Password spraying via explicit credentials * Bloodhound (admin privileges assigned to the same account with multiple Security IDs) * Command line/Sysmon/Powershell auditing * Regex searches
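Review bot: In the first hunk the elevation requirement is buried in a section heading, `### Process local Windows security event log (Powershell must be run as Administrator):`, which makes the heading long and says nothing about why it is needed; the sibling example headings in this README carry no such qualifiers. Suggest leaving the heading as it was and adding a short note right after the `.\DeepBlue.ps1` command line, e.g. "Reading the local Security event log requires an elevated PowerShell session (Run as Administrator)." Also, the commit subject says "live security log" while the README text says "local"; pick one term so the two agree.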
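Review bot: The new bullet `* Password spraying via explicit credentials` in the second hunk is the only detection in this list without a parenthetical saying what is counted, so a reader cannot tell how it differs from `* Password spraying via failed logon (multiple logon failures, multiple accounts)` directly above it; add the criterion (which events and which pattern across accounts trigger it) in the same `(...)` form the other bullets use. The `login` to `logon` wording change matches Windows event terminology and is fine. Separately, this hunk changes the detection list but the commit message (`Mentioned run as administrator for live security log`) only describes the first hunk; either mention the new detection in the message or split it into its own commit.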