Mentioned run as administrator for live security log

Eric Conrad
2019-05-01 09:58:29 -03:00
committed by GitHub
parent ac077b145c
commit 82cc713117

@ -44,7 +44,7 @@ Please note that "Set-ExecutionPolicy is not a security control" (quoting @Ben0x
## Examples:
### Process local Windows security event log:
### Process local Windows security event log (Powershell must be run as Administrator):
`.\DeepBlue.ps1`
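
Review bot: The administrator requirement is placed inside the "### Process local Windows security event log" heading, which changes the heading's generated anchor and breaks any existing links to it; keep the heading as it was and state the requirement as a sentence directly under it, above `.\DeepBlue.ps1`. The product name is also spelled "PowerShell", not "Powershell".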
@ -123,8 +123,9 @@ Log SHA256 hashes. Others are fine; DeepBlueCLI will use SHA256.
* Suspicious account behavior
* User creation
* User added to local/global/universal groups
* Password guessing (multiple login failures, one account)
* Password spraying (multiple login failures, multiple accounts)
* Password guessing (multiple logon failures, one account)
* Password spraying via failed logon (multiple logon failures, multiple accounts)
* Password spraying via explicit credentials
* Bloodhound (admin privileges assigned to the same account with multiple Security IDs)
* Command line/Sysmon/Powershell auditing
* Regex searches
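
Review bot: The new "Password spraying via explicit credentials" bullet is the only password-attack item in this list without a parenthetical saying what triggers it, unlike the two bullets above it; add a short description in the same style so readers can tell it apart from the failed-logon variant. The "login" to "logon" rewording and this new detection are also not covered by the commit message, which mentions only the run-as-administrator note, so either extend the message or move these list changes to their own commit.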