fc670716d6
Rename DeepWhite-collector.ps1 to DeepBlueHash-collector.ps1
2023-06-07 16:54:54 -04:00
ecbc203684
Rename DeepWhite-checker.ps1 to DeepBlueHash-checker.ps1
2023-06-07 16:54:36 -04:00
229010219a
More updates, including more WMI detection
2023-06-07 16:47:34 -04:00
79dd0e6b11
Minor fix
2023-06-07 16:34:15 -04:00
f35415586d
Updated for Sysmon schema 8
2023-06-07 16:17:34 -04:00
ce3c408efa
Minor version update
2023-06-07 16:06:15 -04:00
e07e5aa1de
Rename DeepBlueHash-checker.ps1 to DeepWhite-checker.ps1
...
Temp change to merge old pull request
2023-06-07 15:05:03 -04:00
9369182b49
Rename DeepBlueHash-collector.ps1 to DeepWhite-collector.ps1
...
Temp change to merge old pull request
2023-06-07 14:14:06 -04:00
9e51dd0579
Merge pull request #25 from netscylla/wmi-events
...
Wmi events
2023-06-07 13:41:55 -04:00
2fc4fd599f
Merge pull request #27 from TheNiv/patch-1
...
Fixed windows event log check.
2023-06-07 13:36:07 -04:00
120448c50e
s/White/BlueHash/g
2022-02-13 10:47:58 -05:00
115b4f30b2
Merge pull request #29 from sans-blue-team/Conrad-test
...
s/DeepWhite/DeepBlueHash
2022-01-05 13:51:00 -05:00
0f6a93b2f0
s/DeepWhite/DeepBlueHash
2022-01-05 13:48:58 -05:00
eebd75d029
Merge pull request #28 from n3tl0kr/patch-1
...
Small typographical error in output
2021-11-11 11:11:18 -05:00
f5b844cb1a
Small typographical error in output
2021-11-11 11:10:04 -05:00
ea97820b79
Fixed windows event log check.
...
The output of the start/stop windows event log service was not correct.
After checking the script on the sample file: disablestop-eventlog.evtx I have noticed that the output was not correct and found out it is actually the third parameter that should be checked instead of the second.
2021-11-06 10:11:03 +02:00
cf9411f721
Added another base64 encoding method
2021-10-29 16:37:26 -04:00
e3bf84fe51
Added some ASEPs
2021-10-29 16:25:45 -04:00
45d62cbfbe
Was analyzing Sysmon event 1 image instead of CommandLine. Fixed
2021-10-29 16:17:25 -04:00
350fe3c134
Added # of unique accounts sprayed
2021-10-28 15:15:27 -04:00
d7d8d5eb80
s/Passworg/Password/g
2021-10-28 14:57:37 -04:00
5f2a62cd9c
s/DeepBlueCLI/DeepWhite/g
2021-10-28 12:22:13 -04:00
46fe6b42c5
s/antivrus/antivirus/g
2021-10-28 12:20:45 -04:00
2ae82a296f
Added AV caveat
2021-10-28 12:17:05 -04:00
8b15218ae3
Merge pull request #26 from sans-blue-team/Conrad-test
...
Inclusive language update
2021-10-28 09:07:53 -07:00
15999a1243
Inclusive language update
2021-10-28 12:00:04 -04:00
62d25d9e76
Inclusive language update
2021-10-28 11:58:23 -04:00
46bb325e0d
Inclusive language update
2021-10-28 11:53:59 -04:00
0c7338dd38
Update DeepBlue.ps1
...
fixed indentation
2021-09-16 13:57:35 +01:00
ddb9e3e0fa
Added code to support flagging suspicious wmi filter events, also added sample log file
2021-09-16 13:55:34 +01:00
45c21e3821
Changing whitelist to ignorelist
2021-07-01 13:35:58 -04:00
396bbc4e28
Merge pull request #22 from zmbf0r3ns1cs/master
...
Update System EID 104 parsing output to correctly reflect the cleared log name
2021-05-06 19:11:11 +00:00
122d078efe
Update System EID 104 output for DeepBlue.ps1
...
Added in functionality for DeepBlue.ps1 to pull "message" field from EVTX log for System EID 104 log clearing events to properly show the correct log file being cleared.
2021-05-05 16:35:17 -04:00
c2a3840bae
Correct typo in DeepBlue.ps1 hidden service detect
2020-10-13 06:47:30 -04:00
3fae5dbef6
Update to catch services.exe DAC permission change to hide services
2020-09-14 16:37:59 -04:00
bc63790883
Report on cleared Security and System event logs, close #18
2020-09-10 11:08:47 -04:00
486dd1f9ce
Fix Event ID reporting in analysis @scriptedstatement; whitespace cleanup
2020-08-18 08:51:54 -04:00
d004e13d2e
Add .gitignore
2020-08-18 08:48:45 -04:00
29daee42ce
Add simple test case to run all repo EVTX files with DeepBlue.ps1
2020-08-18 08:48:22 -04:00
8cbb39a17d
Fixed typo in Examples section
2020-01-20 11:25:07 -05:00
7294cc4181
Changed multiple failed login alert from 25 to 5 to more accurately reflect password spray attack evidence
2019-12-24 11:09:45 -05:00
5c0c972328
Merge pull request #12 from itpropaul/patch-1
...
typo: fixed "event 4013" to be "event 4103"
2019-07-24 17:01:20 -04:00
ea289ac312
typo: fixed "event 4013" to be "event 4103"
2019-07-24 16:36:34 -04:00
5e796ca588
Updated the events table
2019-05-08 10:47:14 -07:00
9834750e0e
Removed token::elevate from readme
2019-05-08 10:37:03 -07:00
d500632c50
Disable Mimikatz token::elevate detection; I thought I was on to a cool detect, but sadly it's just Windows operating normally with excessive privileges.
2019-05-06 14:40:17 -04:00
612cde1cf3
Disable Metasploit psexec detect due to false-positive conflict with MS Exchange; revise alert for _Multiple admin logons for one account_ to show attempt count instead of unique event IDs
2019-05-06 14:34:31 -04:00
1708e03fc3
Added section link
2019-05-04 17:48:23 -03:00
4eeb1c0bb7
Minor edits
2019-05-04 16:51:44 -03:00
840826359b
Reorganized the READMEs
2019-05-04 12:41:14 -03:00
