DeepBlueCLI
DeepBlueCLI 2.01
Eric Conrad, Backshore Communications, LLC
deepblue at backshore dot net
Twitter: @eric_conrad
Sample evtx files are in the .\evtx directory
Table of Contents
- Usage
- Examples
- Logging setup
- Detected events
- See the DeepBlue.py Readme for information on DeepBlue.py
- See the DeepWhite Readme for information on DeepWhite (detective whitelisting using Sysmon event logs)
Usage:
.\DeepBlue.ps1 <event log name> <evtx filename>
If you see this error:
.\DeepBlue.ps1 : File .\DeepBlue.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
You must run Set-ExecutionPolicy as Administrator, here is an example (this will warn every time you run a ps1 script):
Set-ExecutionPolicy RemoteSigned
This command will bypass Set-Execution entirely:
Set-ExecutionPolicy Bypass
See get-help Set-ExecutionPolicy for more options.
Please note that "Set-ExecutionPolicy is not a security control" (quoting @Ben0xA)
Examples:
Process local Windows security event log:
.\DeepBlue.ps1
or:
.\DeepBlue.ps1 -log security
Process local Windows system event log:
.\DeepBlue.ps1 -log system
or:
.\DeepBlue.ps1 "" system
Process evtx file:
.\DeepBlue.ps1 .\evtx\new-user-security.evtx
or:
.\DeepBlue.ps1 -file .\evtx\new-user-security.evtx
Windows Event Logs processed
- Windows Security
- Windows System
- Windows Application
- Windows Powershell
- Sysmon (new)
Command Lines Logs processed
See 'Logging setup' section below for how to configure these logs
- Windows Security event ID 4688
- Windows Powershell event IDs 4103 and 4104
- Sysmon event ID 1
Logging setup
Security event 4688 (Command line auditing):
Enable Windows command-line auditing: https://support.microsoft.com/en-us/kb/3004375
Security event 4625 (Failed logons):
Requires auditing logon failures: https://technet.microsoft.com/en-us/library/cc976395.aspx
PowerShell auditing (PowerShell 5.0):
DeepBlueCLI uses module logging (PowerShell event 4013) and script block logging (4104). It does not use transcription.
See: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
To get the PowerShell commandline (and not just script block) on Windows 7 through Windows 8.1, add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1
$LogCommandHealthEvent = $true
$LogCommandLifecycleEvent = $true
See the following for more information:
- https://logrhythm.com/blog/powershell-command-line-logging/
- http://hackerhurricane.blogspot.com/2014/11/i-powershell-logging-what-everyone.html
Thank you: @heinzarelli and @HackerHurricane
Sysmon
Install Sysmon from Sysinternals: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
DeepBlue and DeepWhite currently use Sysmon events, 1, 6 and 7.
Log SHA256 hashes. Others are fine; DeepBlueCLI will use SHA256.
Detected events
- Suspicious account behavior
- User creation
- User added to local/global/universal groups
- Password guessing (multiple login failures, one account)
- Password spraying (multiple login failures, multiple accounts)
- Bloodhound (admin privileges assigned to the same account with multiple Security IDs)
- Command line/Sysmon/Powershell auditing
- Regex searches
- Obfuscated commands
- Powershell launched via WMIC or PsExec
- Compressed/Base64 encoded commands (with automatic decompression/decoding)
- Unsigned EXEs or DLLs
- Service auditing
- Suspicious service creation
- Service creation errors
- Stopping/starting the Windows Event Log service (potential event log manipulation)
- EMET & Applocker Blocks
- Sensitive Privilege Use (Mimikatz)
...and more