News category: IT Security News
Source: feedproxy.google.com


DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs

Eric Conrad, Backshore Communications, LLC

deepblue at backshore dot net

Twitter: @eric_conrad

http://ericconrad.com

Sample evtx files are in the .\evtx directory


Usage:

.\DeepBlue.ps1 <event log name> <evtx filename>

See the Set-ExecutionPolicy Readme if you receive a 'running scripts is disabled on this system' error.


Process local Windows security event log (PowerShell must be run as Administrator):

.\DeepBlue.ps1

or:

.\DeepBlue.ps1 -log security


Process local Windows system event log:

.\DeepBlue.ps1 -log system


Process evtx file:

.\DeepBlue.ps1 .\evtx\new-user-security.evtx


Windows Event Logs processed
  • Windows Security
  • Windows System
  • Windows Application
  • Windows PowerShell
  • Sysmon

Command Line Logs processed

See the Logging setup section below for how to configure these logs.

  • Windows Security event ID 4688
  • Windows PowerShell event IDs 4103 and 4104
  • Sysmon event ID 1

Detected events
  • Suspicious account behavior
    • User creation
    • User added to local/global/universal groups
    • Password guessing (multiple logon failures, one account)
    • Password spraying via failed logon (multiple logon failures, multiple accounts)
    • Password spraying via explicit credentials
    • Bloodhound (admin privileges assigned to the same account with multiple Security IDs)
  • Command line/Sysmon/PowerShell auditing
    • Long command lines
    • Regex searches
    • Obfuscated commands
    • PowerShell launched via WMIC or PsExec
    • PowerShell Net.WebClient DownloadString
    • Compressed/Base64 encoded commands (with automatic decompression/decoding)
    • Unsigned EXEs or DLLs
  • Service auditing
    • Suspicious service creation
    • Service creation errors
    • Stopping/starting the Windows Event Log service (potential event log manipulation)
  • Mimikatz
    • lsadump::sam
  • EMET & Applocker Blocks

...and more
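The password-guessing and password-spraying heuristics listed above, written out as an added PowerShell example (this is not DeepBlueCLI's own code): it reads Security event 4625 from a saved .evtx, groups the failures by target account and by source address, and reports accounts with many failures (guessing) and sources that cycled through many accounts (spraying). The evtx path and both thresholds are assumptions to tune for the environment.

```powershell
# Added example, not DeepBlueCLI code: classify Security 4625 logon failures read
# from a saved .evtx into password guessing (many failures, one account) and
# password spraying (many accounts, one source). Path and thresholds are assumed.
param(
    [string]$EvtxPath = '.\evtx\password-spray.evtx',  # assumption: any evtx holding 4625 events
    [int]$GuessThreshold = 20,   # failures against a single account
    [int]$SprayThreshold = 10    # distinct accounts failed from a single source
)

# Read only event ID 4625 from the file; FilterHashtable with Path works offline.
$failures = Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 4625 } -ErrorAction Stop |
    ForEach-Object {
        # EventData fields are only reliably addressable through the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            TargetUser  = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            Source      = $data['IpAddress']
            Workstation = $data['WorkstationName']
            SubStatus   = $data['SubStatus']   # 0xC000006A = bad password, 0xC0000064 = no such user
        }
    }

# Password guessing: failures concentrated on one account, from any number of sources.
$guessing = @($failures | Group-Object TargetUser |
    Where-Object { $_.Count -ge $GuessThreshold } |
    ForEach-Object {
        [pscustomobject]@{
            Finding  = 'Password guessing'
            Account  = $_.Name
            Failures = $_.Count
            Sources  = (@($_.Group.Source) | Sort-Object -Unique) -join ', '
        }
    })

# Password spraying: one source cycling through many distinct accounts.
$spraying = @($failures | Group-Object Source | ForEach-Object {
    $accounts = @($_.Group.TargetUser | Sort-Object -Unique)
    if ($accounts.Count -ge $SprayThreshold) {
        $times = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            Finding  = 'Password spraying'
            Source   = $_.Name
            Accounts = $accounts.Count
            Failures = $_.Count
            Window   = '{0:u} .. {1:u}' -f $times[0], $times[-1]
        }
    }
})

$guessing + $spraying | Format-List
```

The SubStatus field is kept on each parsed failure so that a second pass can separate bad-password failures from non-existent accounts; a spray that produces mostly 0xC0000064 results usually indicates a guessed user list rather than valid accounts.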


Examples

Event                                       Command
-----                                       -------
Event log manipulation                      .\DeepBlue.ps1 .\evtx\disablestop-eventlog.evtx
Metasploit native target (security)         .\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-security.evtx
Metasploit native target (system)           .\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-system.evtx
Metasploit PowerShell target (security)     .\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-security.evtx
Metasploit PowerShell target (system)       .\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-system.evtx
Mimikatz lsadump::sam                       .\DeepBlue.ps1 .\evtx\mimikatz-privesc-hashdump.evtx
New user creation                           .\DeepBlue.ps1 .\evtx\new-user-security.evtx
Obfuscation (encoding)                      .\DeepBlue.ps1 .\evtx\Powershell-Invoke-Obfuscation-encoding-menu.evtx
Obfuscation (string)                        .\DeepBlue.ps1 .\evtx\Powershell-Invoke-Obfuscation-string-menu.evtx
Password guessing                           .\DeepBlue.ps1 .\evtx\smb-password-guessing-security.evtx
Password spraying                           .\DeepBlue.ps1 .\evtx\password-spray.evtx
PowerSploit (security)                      .\DeepBlue.ps1 .\evtx\powersploit-security.evtx
PowerSploit (system)                        .\DeepBlue.ps1 .\evtx\powersploit-system.evtx
PSAttack                                    .\DeepBlue.ps1 .\evtx\psattack-security.evtx
User added to administrator group           .\DeepBlue.ps1 .\evtx\new-user-security.evtx
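The "Compressed/Base64 encoded commands (with automatic decompression/decoding)" item in the detection list and the two Obfuscation rows above concern the same analyst task: turning an encoded command line from a 4688 or Sysmon 1 event back into readable text. The following added PowerShell example (not DeepBlueCLI's code) does that for the common -EncodedCommand forms and inflates a gzip payload embedded in the decoded script. The sample command lines are constructed here with benign Write-Output payloads; the function name is my own.

```powershell
# Added example, not DeepBlueCLI code: recover the plaintext behind -EncodedCommand
# arguments seen in Security 4688 / Sysmon 1 command lines, and inflate a gzip blob
# the decoded script carries (the compressed + base64 layering the detection list
# mentions). Sample command lines below are constructed, not taken from real logs.
function ConvertFrom-EncodedCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    # -e, -ec, -enc and -EncodedCommand are the forms seen in practice; the argument
    # is base64 of UTF-16LE text. Other unambiguous prefixes exist but are rare.
    if ($CommandLine -notmatch '(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        return $null
    }
    try {
        $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
    } catch {
        return [pscustomobject]@{ Decoded = $null; Inner = $null; Error = 'argument is not valid base64' }
    }

    # Layered form: the decoded script embeds a second base64 string that is gzip data.
    $inner = $null
    if ($decoded -match 'FromBase64String\([''"]([A-Za-z0-9+/=]+)[''"]\)') {
        $bytes = [Convert]::FromBase64String($Matches[1])
        if ($bytes.Length -gt 2 -and $bytes[0] -eq 0x1F -and $bytes[1] -eq 0x8B) {   # gzip magic
            $ms = New-Object IO.MemoryStream(,$bytes)
            $gz = New-Object IO.Compression.GzipStream($ms, [IO.Compression.CompressionMode]::Decompress)
            $sr = New-Object IO.StreamReader($gz)
            $inner = $sr.ReadToEnd()
            $sr.Dispose()
        }
    }
    [pscustomobject]@{ Decoded = $decoded; Inner = $inner; Error = $null }
}

# --- constructed samples ---------------------------------------------------
function New-EncodedSample([string]$Script) {
    '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -enc ' +
        [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

# gzip a small benign script and embed it the way layered encodings do
$plain = [Text.Encoding]::UTF8.GetBytes('Write-Output "inner script"')
$ms = New-Object IO.MemoryStream
$gz = New-Object IO.Compression.GzipStream($ms, [IO.Compression.CompressionMode]::Compress)
$gz.Write($plain, 0, $plain.Length); $gz.Dispose()
$layered = '$blob = [Convert]::FromBase64String("' + [Convert]::ToBase64String($ms.ToArray()) + '")'

$samples = @(
    (New-EncodedSample 'Write-Output "plain encoded command"'),   # single layer
    (New-EncodedSample $layered),                                 # base64 over gzip over base64
    '"C:\Windows\System32\cmd.exe" /c whoami'                     # no encoded argument: returns $null
)
foreach ($s in $samples) { ConvertFrom-EncodedCommandLine -CommandLine $s | Format-List }
```

Decoding with [Text.Encoding]::Unicode rather than UTF8 is the detail most often got wrong by hand: -EncodedCommand takes UTF-16LE, so a UTF-8 decode yields interleaved NUL characters that break any later regex search.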

Output

DeepBlueCLI outputs PowerShell objects, allowing a variety of output methods and types, including JSON, HTML, CSV, etc.

For example:

Output Type              Syntax
-----------              ------
CSV                      .\DeepBlue.ps1 .\evtx\psattack-security.evtx | ConvertTo-Csv
Format list (default)    .\DeepBlue.ps1 .\evtx\psattack-security.evtx | Format-List
Format table             .\DeepBlue.ps1 .\evtx\psattack-security.evtx | Format-Table
GridView                 .\DeepBlue.ps1 .\evtx\psattack-security.evtx | Out-GridView
HTML                     .\DeepBlue.ps1 .\evtx\psattack-security.evtx | ConvertTo-Html
JSON                     .\DeepBlue.ps1 .\evtx\psattack-security.evtx | ConvertTo-Json
XML                      .\DeepBlue.ps1 .\evtx\psattack-security.evtx | ConvertTo-Xml

Logging setup

Security event 4688 (Command line auditing):

Enable Windows command-line auditing: https://support.microsoft.com/en-us/kb/3004375


Security event 4625 (Failed logons):

Requires auditing logon failures: https://technet.microsoft.com/en-us/library/cc976395.aspx


PowerShell auditing (PowerShell 5.0):

DeepBlueCLI uses module logging (PowerShell event 4103) and script block logging (4104). It does not use transcription.

See: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

To get the PowerShell command line (and not just the script block) on Windows 7 through Windows 8.1, add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1:

$LogCommandHealthEvent = $true
$LogCommandLifecycleEvent = $true

See the following for more information:

Thank you: @heinzarelli and @HackerHurricane


Sysmon

Install Sysmon from Sysinternals: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

DeepBlue and DeepWhite currently use Sysmon events 1, 6 and 7.

Configure Sysmon to log SHA256 hashes. Logging other algorithms alongside is fine; DeepBlueCLI will use the SHA256 value.
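The Logging setup section names five prerequisites (4688 command-line auditing, 4625 failure auditing, PowerShell module and script block logging, and Sysmon). Before hunting on a host it is worth confirming they are in place, since a missing policy silently produces events without the fields DeepBlueCLI keys on. The following added PowerShell function (not part of DeepBlueCLI) reports each one; the registry paths are the documented policy locations, the function name and output layout are my own, and it assumes an English-locale system because auditpol output is parsed as text.

```powershell
# Added example, not DeepBlueCLI code: report whether the log sources the Logging
# setup section depends on are actually enabled on this host. Run as Administrator
# on an English-locale system (auditpol output is parsed as text). Registry paths
# are the documented policy locations; the function name is an assumption.
function Get-DeepBlueLogReadiness {
    $checks = @()

    # 4688 includes the command line only when this policy value is 1.
    $cmd = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
                            -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{
        Source  = 'Security 4688 command line'
        Enabled = [bool]($cmd.ProcessCreationIncludeCmdLine_Enabled -eq 1)
        Detail  = 'ProcessCreationIncludeCmdLine_Enabled'
    }

    # Audit policy: 4688 needs Process Creation success auditing, 4625 needs Logon failure auditing.
    $auditLines = auditpol /get /category:* 2>$null
    foreach ($sub in @(
        @{ Name = 'Process Creation'; Source = 'Security 4688 audit policy'; Need = 'Success' },
        @{ Name = 'Logon';            Source = 'Security 4625 audit policy'; Need = 'Failure' })) {
        $line   = $auditLines | Where-Object { $_ -match "^\s*$($sub.Name)\s" } | Select-Object -First 1
        $detail = if ($line) { $line.Trim() -replace '\s{2,}', ' ' } else { 'subcategory not found' }
        $checks += [pscustomobject]@{
            Source  = $sub.Source
            Enabled = [bool]($line -and $line -match $sub.Need)
            Detail  = $detail
        }
    }

    # PowerShell 5 policy keys for script block (4104) and module (4103) logging.
    $psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl      = Get-ItemProperty "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $mod      = Get-ItemProperty "$psPolicy\ModuleLogging"      -Name EnableModuleLogging      -ErrorAction SilentlyContinue
    $modNames = (Get-Item "$psPolicy\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue).Property
    $checks += [pscustomobject]@{
        Source  = 'PowerShell 4104 script block'
        Enabled = [bool]($sbl.EnableScriptBlockLogging -eq 1)
        Detail  = 'EnableScriptBlockLogging'
    }
    $checks += [pscustomobject]@{
        Source  = 'PowerShell 4103 module'
        Enabled = [bool]($mod.EnableModuleLogging -eq 1 -and $modNames)   # needs at least one module name, e.g. *
        Detail  = 'ModuleNames: ' + ($modNames -join ', ')
    }

    # Sysmon: service present and running; the hash algorithm is set in its XML config.
    $sysmon = Get-Service -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue | Select-Object -First 1
    $detail = if ($sysmon) { "$($sysmon.Name) is $($sysmon.Status)" } else { 'service not installed' }
    $checks += [pscustomobject]@{
        Source  = 'Sysmon events 1, 6, 7'
        Enabled = [bool]($sysmon -and $sysmon.Status -eq 'Running')
        Detail  = $detail
    }
    $checks
}

Get-DeepBlueLogReadiness | Format-Table -AutoSize
```

A row that reads Enabled = False for the 4688 command line is the one to fix first: the event still appears without the policy, so a hunter looking at raw volume will not notice that the command-line field DeepBlueCLI searches is empty.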



...
