45d62cbfbe
Was analyzing Sysmon event 1 image instead of CommandLine. Fixed
2021-10-29 16:17:25 -04:00
350fe3c134
Added # of unique accounts sprayed
2021-10-28 15:15:27 -04:00
d7d8d5eb80
s/Passworg/Password/g
2021-10-28 14:57:37 -04:00
5f2a62cd9c
s/DeepBlueCLI/DeepWhite/g
2021-10-28 12:22:13 -04:00
46fe6b42c5
s/antivrus/antivirus/g
2021-10-28 12:20:45 -04:00
2ae82a296f
Added AV caveat
2021-10-28 12:17:05 -04:00
8b15218ae3
Merge pull request #26 from sans-blue-team/Conrad-test
...
Inclusive language update
2021-10-28 09:07:53 -07:00
15999a1243
Inclusive language update
2021-10-28 12:00:04 -04:00
62d25d9e76
Inclusive language update
2021-10-28 11:58:23 -04:00
46bb325e0d
Inclusive language update
2021-10-28 11:53:59 -04:00
45c21e3821
Changing whitelist to ignorelist
2021-07-01 13:35:58 -04:00
396bbc4e28
Merge pull request #22 from zmbf0r3ns1cs/master
...
Update System EID 104 parsing output to correctly reflect the cleared log name
2021-05-06 19:11:11 +00:00
122d078efe
Update System EID 104 output for DeepBlue.ps1
...
Added in functionality for DeepBlue.ps1 to pull "message" field from EVTX log for System EID 104 log clearing events to properly show the correct log file being cleared.
2021-05-05 16:35:17 -04:00
c2a3840bae
Correct typo in DeepBlue.ps1 hidden service detect
2020-10-13 06:47:30 -04:00
3fae5dbef6
Update to catch services.exe DAC permission change to hide services
2020-09-14 16:37:59 -04:00
bc63790883
Report on cleared Security and System event logs, close #18
2020-09-10 11:08:47 -04:00
486dd1f9ce
Fix Event ID reporting in analysis @scriptedstatement; whitespace cleanup
2020-08-18 08:51:54 -04:00
d004e13d2e
Add .gitignore
2020-08-18 08:48:45 -04:00
29daee42ce
Add simple test case to run all repo EVTX files with DeepBlue.ps1
2020-08-18 08:48:22 -04:00
8cbb39a17d
Fixed typo in Examples section
2020-01-20 11:25:07 -05:00
7294cc4181
Changed multiple failed login alert from 25 to 5 to more accurately reflect password spray attack evidence
2019-12-24 11:09:45 -05:00
5c0c972328
Merge pull request #12 from itpropaul/patch-1
...
typo: fixed "event 4013" to be "event 4103"
2019-07-24 17:01:20 -04:00
ea289ac312
typo: fixed "event 4013" to be "event 4103"
2019-07-24 16:36:34 -04:00
5e796ca588
Updated the events table
2019-05-08 10:47:14 -07:00
9834750e0e
Removed token::elevate from readme
2019-05-08 10:37:03 -07:00
d500632c50
Disable Mimikatz token::elevate detection; I thought I was on to a cool detect, but sadly it's just Windows operating normally with excessive privileges.
2019-05-06 14:40:17 -04:00
612cde1cf3
Disable Metasploit psexec detect due to false-positive conflict with MS Exchange; revise alert for _Multiple admin logons for one account_ to show attempt count instead of unique event IDs
2019-05-06 14:34:31 -04:00
1708e03fc3
Added section link
2019-05-04 17:48:23 -03:00
4eeb1c0bb7
Minor edits
2019-05-04 16:51:44 -03:00
840826359b
Reorganized the READMEs
2019-05-04 12:41:14 -03:00
84e726b99e
Rename Set-ExecutionPolicy.md to READMEs/Set-ExecutionPolicy.md
2019-05-04 12:38:31 -03:00
8d7cb1114e
Delete readme-deepblue.py
2019-05-04 12:38:15 -03:00
3640dc1a1b
Rename README-DeepWhite.md to READMEs/README-DeepWhite.md
2019-05-04 12:37:36 -03:00
af4f55cc2c
Rename README-DeepBlue.py.md to READMEs/README-DeepBlue.py.md
2019-05-04 12:37:13 -03:00
3996c44cd3
Create test.md
2019-05-04 12:36:03 -03:00
5e3108288e
Create Set-ExecutionPolicy.md
2019-05-04 12:34:58 -03:00
7166a8f529
Updated links
2019-05-04 12:04:35 -03:00
4572c78387
Updated link
2019-05-04 12:02:03 -03:00
940d8a25a8
Added mire output options
2019-05-04 11:32:13 -03:00
a5db7c4771
Output table formatting
2019-05-04 10:33:51 -03:00
56178ec0f6
Reformatted output table
2019-05-04 10:33:00 -03:00
3673416cc7
Fixed output table typo
2019-05-04 10:31:50 -03:00
8d2c355718
Added output section
2019-05-04 10:31:10 -03:00
7cbb5748e4
Add Metsploit psexec-specific privilege requests for Event ID 4672 detection, tweak Mimikatz detection message
2019-05-03 11:39:43 -04:00
e3cb0142c6
Updated detected events
2019-05-03 12:21:17 -03:00
712b25e9f4
Fixed table typo
2019-05-03 10:20:11 -03:00
9d9fc47473
Formatting table
2019-05-03 10:09:44 -03:00
7d413ffbda
Update README.md
2019-05-03 10:08:51 -03:00
3f393526e5
Added Mimikatz token::elevate example
2019-05-03 10:07:21 -03:00
bcf0022b60
Merge pull request #11 from joswr1ght/master
...
Add more Mimikatz detection, focusing on token::elevate as a non-admin user
2019-05-03 12:32:00 +00:00
