Update README.md

Eric Conrad
2017-09-02 10:30:28 -04:00
committed by GitHub
parent 4281b65bd6
commit ef595683ed

@ -55,6 +55,22 @@ or:
`.\DeepBlue.ps1 -file .\evtx\new-user-security.evtx` `.\DeepBlue.ps1 -file .\evtx\new-user-security.evtx`
## Windows Event Logs processed
- Windows Security
- Windows System
- Windows Application
- Windows Powershell
- Sysmon (new)
### Command Lines Logs processed
See 'Logging setup' section below for how to configure these logs
- Windows Security event ID 4688
- Windows Powershell event IDs 4103 and 4104
- Sysmon event ID 1
## Logging setup ## Logging setup
### Security event 4688 (Command line auditing): ### Security event 4688 (Command line auditing):
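Review bot: the new subsection heading "### Command Lines Logs processed" should read "### Command Line Logs processed" (singular "Command Line" as a modifier), matching the wording "command line auditing" used in the Logging setup heading that follows. Two smaller documentation points in the same list: "Sysmon (new)" will go stale as soon as the next release lands, so anchoring it to a version or date is clearer than a bare "(new)"; and the pointer "See 'Logging setup' section below for how to configure these logs" would be more useful if it stated that all three sources (4688, 4103/4104 and Sysmon event 1) need to be enabled separately, since only the 4688 subsection is visible here.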
@ -67,7 +83,7 @@ DeepBlueCLI uses module logging (PowerShell event 4013) and script block logging
See: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html See: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
To get the PowerShell commandline (and not just script block), add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1 To get the PowerShell commandline (and not just script block) on Windows 7 through Windows 8.1, add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1
``` ```
$LogCommandHealthEvent = $true $LogCommandHealthEvent = $true
$LogCommandLifecycleEvent = $true $LogCommandLifecycleEvent = $true
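Review bot: the reworded sentence now limits the profile.ps1 workaround to "Windows 7 through Windows 8.1" but says nothing about what a reader on Windows 10 or Server 2016 should do to get the command line, so the paragraph ends without guidance for the versions most readers will have; add one sentence stating what applies on later versions. Two further points on the visible lines: the hunk's leading context says "module logging (PowerShell event 4013)" while the list added earlier in this commit says event IDs 4103 and 4104 (module logging is 4103), so one of the two numbers is a typo; and the profile.ps1 approach is best-effort only, because a PowerShell host started with -NoProfile never loads that file, and on 64-bit Windows the 32-bit host reads its profile from the SysWOW64 path rather than System32, both of which deserve a short caveat next to the snippet so defenders know the coverage limits.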