p0w3rsh3ll / DeepBlue

DeepBlue module

At RSA Conference 2020, in the video The 5 Most Dangerous New Attack Techniques and How to Counter Them, Ed Skoudis presented a way to look for log anomalies: DeepBlueCLI by Eric Conrad, et al.

Intent

The main intent is to take the original DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs - by Eric Conrad (@eric_conrad) and make it:

  • available as a PowerShell module contained in a single .psm1 file
  • exposed through a single function with many parameters
  • more aligned with what PowerShell can do and with common PowerShell coding style standards

Please read what the original DeepBlueCLI can do in its README.

Download the zip and unzip it (see known issues).

Stop and please review the content of the module (I mean the code) to make sure it is trustworthy :-)

You can also verify that the SHA256 hashes of downloaded files match those stored in the catalog file:

# Verify
$HT = @{
    CatalogFilePath = "./DeepBlue.cat"
    Path = "./"
    Detailed = $true
    FilesToSkip = 'README.md'
}
Test-FileCatalog @HT

Import the module

# Import the module
Import-Module .\DeepBlue.psd1 -Force -Verbose
Get-Command -Module DeepBlue
CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Get-DeepBlueAnalysis                               1.0.0      DeepBlue
# View the syntax
Get-Command Get-DeepBlueAnalysis -Syntax
Get-DeepBlueAnalysis [-Log <string>] [-MaxFailedLogons <Object>] [-MaxAdminLogons <Object>] [-MaxTotalSensPrivUse <Object>] [-AlertAllAdmin] [-CheckUnsigned] [-PassSprayUniqUserMax <Object>] [-PassSprayLoginMax <Object>] [-MinPercent <Object>] [-MaxBinary <Object>] [<CommonParameters>]

Get-DeepBlueAnalysis -File <string> [-MaxFailedLogons <Object>] [-MaxAdminLogons <Object>] [-MaxTotalSensPrivUse <Object>] [-AlertAllAdmin] [-CheckUnsigned] [-PassSprayUniqUserMax <Object>] [-PassSprayLoginMax <Object>] [-MinPercent <Object>] [-MaxBinary <Object>] [<CommonParameters>]

The only difference between the two parameter sets is the first parameter: it reads either a 'Log' (a local Windows event log) or a 'File' (an exported .evtx file).

This means that the -File parameter makes this module cross-platform.

You can read any exported .evtx file on Linux or macOS running PowerShell.

The original repo of DeepBlueCLI by Eric Conrad, et al. has an evtx folder with sample files.
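As an added example (not code from this project's README), the verification, import and -File steps above can be chained so the module is only loaded when every file still matches the catalog, and then run over a whole folder of exported logs. It assumes the current directory is the unzipped module folder and that the sample logs are in .\evtx; both paths are assumptions.

```powershell
# Added example (not part of the project): verify, then import, then analyse.
# Assumptions: current directory = unzipped module folder, sample logs in .\evtx
# Note: Test-FileCatalog is only available on Windows, so this gate runs on Windows
# even though Get-DeepBlueAnalysis -File itself works wherever PowerShell runs.
$HT = @{
    CatalogFilePath = './DeepBlue.cat'
    Path            = './'
    Detailed        = $true
    FilesToSkip     = 'README.md'
}
$Catalog = Test-FileCatalog @HT

# Per the Todo list the module files are not yet digitally signed, so a valid
# catalog only proves the files were not altered after the catalog was built,
# not who built them. Surface the catalog's own signature status so this is visible.
Write-Verbose ('Catalog status: {0}; signature: {1}' -f $Catalog.Status, $Catalog.Signature.Status) -Verbose

if ($Catalog.Status -ne 'Valid') {
    # Detailed output lists the mismatching files in PathItems/CatalogItems
    throw 'Catalog validation failed; refusing to import the module.'
}

Import-Module .\DeepBlue.psd1 -Force

# Run the analysis over every exported .evtx file in the sample folder
Get-ChildItem -Path .\evtx -Filter '*.evtx' | ForEach-Object {
    Write-Verbose "Processing $($_.Name)" -Verbose
    Get-DeepBlueAnalysis -File $_.FullName
}
```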

View examples provided in the help

# Get examples from the help
Get-Help Get-DeepBlueAnalysis -Examples
NAME
    Get-DeepBlueAnalysis

SYNOPSIS
    A PowerShell module for hunt teaming via Windows event logs


    -------------------------- EXAMPLE 1 --------------------------

    PS C:\>Get-DeepBlueAnalysis

    Processes the local Windows security event log.




    -------------------------- EXAMPLE 2 --------------------------

    PS C:\>Get-DeepBlueAnalysis -Log System

    Processes the local Windows system event log.




    -------------------------- EXAMPLE 3 --------------------------

    PS C:\>Get-DeepBlueAnalysis -File .\evtx\new-user-security.evtx

    Processes an evtx file.

Issues

Defender (AMSI) detects the regular expressions as Trojan:PowerShell/PSAttackTool.A.

You may need to create an exclusion for the file, folder or process, or add it to "allowed threats".

Credits

Todo

  • Digitally sign the module files.
  • Make it available on the PowerShellGallery.
  • Document the parameters in the Help.
  • Write Pester unit tests for this module.
