Commit Graph

  • 4188efbe70 Merge pull request 'Add the X customization to DeepBlueHash' (#1) from modifs into master master Mouktar KimBA 2025-07-07 14:09:29 +00:00
  • 48a8d826e9 Add the X customization to DeepBlueHash moxi 2025-07-07 16:02:16 +02:00
  • 2eecc65698 New Sliver and Metasploit EVTX files including cmd.exe writing to ADMIN$, and suspicious remote threads Eric Conrad 2023-06-28 16:33:55 -04:00
  • 8e510aaaef Update safelist.txt Eric Conrad 2023-06-28 16:21:07 -04:00
  • 50d2ca9ef9 Added Sysmon event 8 (Suspicious remote thread) Eric Conrad 2023-06-28 16:20:32 -04:00
  • ac1a9991fd Added event 29, updated for new Sysmon schema Eric Conrad 2023-06-28 14:21:01 -04:00
  • 9e5979fca2 Update DeepBlueHash-checker.ps1 Eric Conrad 2023-06-28 13:30:16 -04:00
  • e9fc13a57b Update README-DeepBlueHash.md Eric Conrad 2023-06-28 13:29:22 -04:00
  • 7fb41280a2 Updated for Virustotal Key v3 Eric Conrad 2023-06-28 13:27:39 -04:00
  • 41fe88f2e4 Update DeepBlueHash-collector.ps1 Eric Conrad 2023-06-28 13:23:46 -04:00
  • 3c8fa15e28 Update DeepBlueHash-checker.ps1 Eric Conrad 2023-06-28 13:23:02 -04:00
  • cd3e304f27 Update README-DeepBlueHash.md Eric Conrad 2023-06-27 17:18:20 -04:00
  • a99c412a73 Update README-DeepBlueHash.md Eric Conrad 2023-06-27 14:37:24 -04:00
  • 1699dfc5cf Update README-DeepBlueHash.md Eric Conrad 2023-06-27 14:37:10 -04:00
  • fc670716d6 Rename DeepWhite-collector.ps1 to DeepBlueHash-collector.ps1 Eric Conrad 2023-06-07 16:54:54 -04:00
  • ecbc203684 Rename DeepWhite-checker.ps1 to DeepBlueHash-checker.ps1 Eric Conrad 2023-06-07 16:54:36 -04:00
  • 229010219a More updates, including more WMI detection Eric Conrad 2023-06-07 16:47:34 -04:00
  • 79dd0e6b11 Minor fix Eric Conrad 2023-06-07 16:34:15 -04:00
  • f35415586d Updated for Sysmon schema 8 Eric Conrad 2023-06-07 16:17:34 -04:00
  • ce3c408efa Minor version update Eric Conrad 2023-06-07 16:06:15 -04:00
  • e07e5aa1de Rename DeepBlueHash-checker.ps1 to DeepWhite-checker.ps1 Eric Conrad 2023-06-07 15:05:03 -04:00
  • 9369182b49 Rename DeepBlueHash-collector.ps1 to DeepWhite-collector.ps1 Eric Conrad 2023-06-07 14:14:06 -04:00
  • 9e51dd0579 Merge pull request #25 from netscylla/wmi-events Eric Conrad 2023-06-07 13:41:55 -04:00
  • 2fc4fd599f Merge pull request #27 from TheNiv/patch-1 Eric Conrad 2023-06-07 13:36:07 -04:00
  • 120448c50e s/White/BlueHash/g Eric Conrad 2022-02-13 10:47:58 -05:00
  • 115b4f30b2 Merge pull request #29 from sans-blue-team/Conrad-test Eric Conrad 2022-01-05 13:51:00 -05:00
  • 0f6a93b2f0 s/DeepWhite/DeepBlueHash Conrad-test Eric Conrad 2022-01-05 13:48:58 -05:00
  • eebd75d029 Merge pull request #28 from n3tl0kr/patch-1 Eric Conrad 2021-11-11 11:11:18 -05:00
  • f5b844cb1a Small typographical error in output Paul Goffar 2021-11-11 11:10:04 -05:00
  • ea97820b79 Fixed Windows event log check. TheNiv 2021-11-06 10:11:03 +02:00
  • cf9411f721 Added another base64 encoding method Eric Conrad 2021-10-29 16:37:26 -04:00
  • e3bf84fe51 Added some ASEPs Eric Conrad 2021-10-29 16:25:45 -04:00
  • 45d62cbfbe Was analyzing Sysmon event 1 image instead of CommandLine. Fixed Eric Conrad 2021-10-29 16:17:25 -04:00
  • 350fe3c134 Added # of unique accounts sprayed Eric Conrad 2021-10-28 15:15:27 -04:00
  • d7d8d5eb80 s/Passworg/Password/g Eric Conrad 2021-10-28 14:57:37 -04:00
  • 5f2a62cd9c s/DeepBlueCLI/DeepWhite/g Eric Conrad 2021-10-28 12:22:13 -04:00
  • 46fe6b42c5 s/antivrus/antivirus/g Eric Conrad 2021-10-28 12:20:45 -04:00
  • 2ae82a296f Added AV caveat Eric Conrad 2021-10-28 12:17:05 -04:00
  • 8b15218ae3 Merge pull request #26 from sans-blue-team/Conrad-test Eric Conrad 2021-10-28 09:07:53 -07:00
  • 15999a1243 Inclusive language update Eric Conrad 2021-10-28 12:00:04 -04:00
  • 62d25d9e76 Inclusive language update Eric Conrad 2021-10-28 11:58:23 -04:00
  • 46bb325e0d Inclusive language update Eric Conrad 2021-10-28 11:53:59 -04:00
  • 0c7338dd38 Update DeepBlue.ps1 Netscylla 2021-09-16 13:57:35 +01:00
  • ddb9e3e0fa Added code to support flagging suspicious wmi filter events, also added sample log file netscylla 2021-09-16 13:55:34 +01:00
  • 45c21e3821 Changing whitelist to ignorelist Eric Conrad 2021-07-01 13:35:58 -04:00
  • 396bbc4e28 Merge pull request #22 from zmbf0r3ns1cs/master Joshua Wright 2021-05-06 19:11:11 +00:00
  • 122d078efe Update System EID 104 output for DeepBlue.ps1 Zach Burnham 2021-05-05 16:35:17 -04:00
  • c2a3840bae Correct typo in DeepBlue.ps1 hidden service detect Joshua Wright 2020-10-13 06:47:30 -04:00
  • 3fae5dbef6 Update to catch services.exe DAC permission change to hide services Joshua Wright 2020-09-14 16:37:59 -04:00
  • bc63790883 Report on cleared Security and System event logs, close #18 Joshua Wright 2020-09-10 11:08:38 -04:00
  • 486dd1f9ce Fix Event ID reporting in analysis @scriptedstatement; whitespace cleanup Joshua Wright 2020-08-18 08:51:54 -04:00
  • d004e13d2e Add .gitignore Joshua Wright 2020-08-18 08:48:45 -04:00
  • 29daee42ce Add simple test case to run all repo EVTX files with DeepBlue.ps1 Joshua Wright 2020-08-18 08:48:22 -04:00
  • 8cbb39a17d Fixed typo in Examples section Eric Conrad 2020-01-20 11:25:07 -05:00
  • 7294cc4181 Changed multiple failed login alert from 25 to 5 to more accurately reflect password spray attack evidence Joshua Wright 2019-12-24 11:09:45 -05:00
  • 5c0c972328 Merge pull request #12 from itpropaul/patch-1 Eric Conrad 2019-07-24 17:01:20 -04:00
  • ea289ac312 typo: fixed "event 4013" to be "event 4103" Paul Masek 2019-07-24 16:36:34 -04:00
  • 5e796ca588 Updated the events table Eric Conrad 2019-05-08 10:47:14 -07:00
  • 9834750e0e Removed token::elevate from readme Eric Conrad 2019-05-08 10:37:03 -07:00
  • d500632c50 Disable Mimikatz token::elevate detection; I thought I was on to a cool detect, but sadly it's just Windows operating normally with excessive privileges. Joshua Wright 2019-05-06 14:40:17 -04:00
  • 612cde1cf3 Disable Metasploit psexec detect due to false-positive conflict with MS Exchange; revise alert for _Multiple admin logons for one account_ to show attempt count instead of unique event IDs Joshua Wright 2019-05-06 14:34:31 -04:00
  • 1708e03fc3 Added section link Eric Conrad 2019-05-04 17:48:23 -03:00
  • 4eeb1c0bb7 Minor edits Eric Conrad 2019-05-04 16:51:44 -03:00
  • 840826359b Reorganized the READMEs Eric Conrad 2019-05-04 12:41:14 -03:00
  • 84e726b99e Rename Set-ExecutionPolicy.md to READMEs/Set-ExecutionPolicy.md Eric Conrad 2019-05-04 12:38:31 -03:00
  • 8d7cb1114e Delete readme-deepblue.py Eric Conrad 2019-05-04 12:38:15 -03:00
  • 3640dc1a1b Rename README-DeepWhite.md to READMEs/README-DeepWhite.md Eric Conrad 2019-05-04 12:37:36 -03:00
  • af4f55cc2c Rename README-DeepBlue.py.md to READMEs/README-DeepBlue.py.md Eric Conrad 2019-05-04 12:37:13 -03:00
  • 3996c44cd3 Create test.md Eric Conrad 2019-05-04 12:36:03 -03:00
  • 5e3108288e Create Set-ExecutionPolicy.md Eric Conrad 2019-05-04 12:34:58 -03:00
  • 7166a8f529 Updated links Eric Conrad 2019-05-04 12:04:35 -03:00
  • 4572c78387 Updated link Eric Conrad 2019-05-04 12:02:03 -03:00
  • 940d8a25a8 Added more output options Eric Conrad 2019-05-04 11:32:13 -03:00
  • a5db7c4771 Output table formatting Eric Conrad 2019-05-04 10:33:51 -03:00
  • 56178ec0f6 Reformatted output table Eric Conrad 2019-05-04 10:33:00 -03:00
  • 3673416cc7 Fixed output table typo Eric Conrad 2019-05-04 10:31:50 -03:00
  • 8d2c355718 Added output section Eric Conrad 2019-05-04 10:31:10 -03:00
  • 7cbb5748e4 Add Metasploit psexec-specific privilege requests for Event ID 4672 detection, tweak Mimikatz detection message Joshua Wright 2019-05-03 11:39:43 -04:00
  • e3cb0142c6 Updated detected events Eric Conrad 2019-05-03 12:21:17 -03:00
  • 712b25e9f4 Fixed table typo Eric Conrad 2019-05-03 10:20:11 -03:00
  • 9d9fc47473 Formatting table Eric Conrad 2019-05-03 10:09:44 -03:00
  • 7d413ffbda Update README.md Eric Conrad 2019-05-03 10:08:51 -03:00
  • 3f393526e5 Added Mimikatz token::elevate example Eric Conrad 2019-05-03 10:07:21 -03:00
  • bcf0022b60 Merge pull request #11 from joswr1ght/master Eric Conrad 2019-05-03 12:32:00 +00:00
  • 9a293b974e Add more Mimikatz detection, focusing on token::elevate as a non-admin user Joshua Wright 2019-05-03 06:33:20 -04:00
  • c2dfa045ff Added event log example Eric Conrad 2019-05-01 16:59:17 -03:00
  • 2aa4cfe191 Minor formatting Eric Conrad 2019-05-01 16:15:55 -03:00
  • 8ca0df7a0e Menu cleanup Eric Conrad 2019-05-01 11:51:14 -03:00
  • 7c8e3eef00 Cleaned up the menus Eric Conrad 2019-05-01 11:46:43 -03:00
  • 7557597acb Updated intro Eric Conrad 2019-05-01 11:31:02 -03:00
  • 12238e78e5 s/Lines/Line/g Eric Conrad 2019-05-01 11:23:47 -03:00
  • 68d482ac56 More examples Eric Conrad 2019-05-01 11:00:42 -03:00
  • ecd1a6be47 Updated the examples table Eric Conrad 2019-05-01 10:57:29 -03:00
  • 3d3e0b281b Added initial examples menu Eric Conrad 2019-05-01 10:51:42 -03:00
  • f453ede47c s/Powershell/PowerShell/g Eric Conrad 2019-05-01 10:31:09 -03:00
  • 82cc713117 Mentioned run as administrator for live security log Eric Conrad 2019-05-01 09:58:29 -03:00
  • ac077b145c Merge pull request #10 from joswr1ght/master Eric Conrad 2019-04-30 21:26:54 +00:00
  • f17d32491e Add password spray detection, sample evtx Joshua Wright 2019-04-30 17:11:56 -04:00
  • cd44a63604 Added list of detected events Eric Conrad 2019-04-30 17:29:44 -03:00
  • 4514af7f4a Minor update, added Set-ExecutionPolicy bypass example Eric Conrad 2019-04-30 17:12:51 -03:00