Happy New Year! Those among you who participated in the SANS Holiday Hack Challenge, also known as Kringlecon 2, this holiday season may have been exposed to new tools, or had the opportunity to use one or two that had not hit your radar before. Such was the case for me with DeepBlueCLI, a PowerShell module for threat hunting via Windows Event Logs. While others such as EQL and stoQ (an automation framework that helps simplify the mundane and repetitive tasks an analyst is required to do) came to light, I also reveled in a chance to use RITA for Zeek log analysis. I covered RITA in 2015 for toolsmith #111 and have really enjoyed its evolution. I found the answer to the related Kringlecon challenge with the current iteration of RITA in two steps. Alas, this is an opportunity to highlight the benefits of yet another cool SANS-related offering in DeepBlueCLI. While the wild man and SANS veteran we all know and love as John Strand is party to RITA, the cool and collected Eric Conrad and the SANS Blue Team bring us DeepBlueCLI.
I'll run through a number of the examples via the sample EVTX files provided with the project download and share with you a variety of results. We'll also crank out some output options based on said results. Note: run PowerShell as admin for the required effect. Also be sure to review the Set-ExecutionPolicy Readme if you receive a "running scripts is disabled on this system" error. Also read the project documentation to ensure proper logging configuration for your target systems; this is quite important to ensure effective coverage and positive results.

Figure 1: Event log manipulation

Clearly Figure 1 shows a stop and start of the Event Log Service.

Figure 2: Metasploit native target (security)

Someone has definitely run Metasploit on this system, per Figure 2. Note that when “

Figure 3: Metasploit native target (system)

Sure enough, we yield Event IDs 7036 (Service Control Manager) and 7045 (A new service was installed in the system), the commands for which are clearly “Metasploit-style”.

Figure 4: Password guessing and spray

As a fond PowerSploit user, I appreciate the PowerSploit (security) and (system) checks, again decoding related 4688 events, as does the PSAttack check. For User added to administrator group

Finally, let's generate a bit of proper output. You can expect CSV, Format list, Format table, GridView, HTML, JSON, and XML as output options, but I'm particularly fond of GridView when you're in the midst of a down and dirty firefight.

Figure 5: GridView output

DeepBlueCLI is a DFIR smoke jumper must-have. Eric and team really have built a useful and efficient framework that has been added to my preferred arsenal thanks to Kringlecon. Cheers…until next time.
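As an added illustration (this editor's example, not DeepBlueCLI's own code), the Python below runs simplified versions of three of the checks shown above over constructed event records: the Event Log service stop/start (7036), a Metasploit-style 7045 service install carrying a base64 UTF-16LE encoded PowerShell command that is decoded the way the 4688 checks decode theirs, and password spraying seen as many distinct accounts failing (4625) from one source. The 16-letter service name regex and the spray threshold are this example's assumptions, not DeepBlueCLI's rules.

```python
import base64
import re
from collections import defaultdict

# Assumed heuristics (this editor's, not DeepBlueCLI's own rules).
RANDOM_NAME = re.compile(r"^[A-Za-z]{16}$")          # random-looking service name
ENCODED_CMD = re.compile(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SPRAY_THRESHOLD = 10                                 # distinct accounts per source

# Constructed sample: a benign encoded command installed as a 7045 service.
DEMO_ENCODED = base64.b64encode("Write-Host demo".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"id": 7036, "service": "Windows Event Log", "state": "stopped"},
    {"id": 7036, "service": "Windows Event Log", "state": "running"},
    {"id": 7045, "service": "qWbTxkLpRzNmFaVc",
     "image": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -e " + DEMO_ENCODED},
    {"id": 7045, "service": "Print Spooler Helper", "image": r"C:\Windows\spool.exe"},
] + [{"id": 4625, "user": f"user{i}", "src": "10.0.0.5"} for i in range(12)]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), else None."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Apply the checks to simplified event records; return (rule, detail) findings."""
    findings = []
    failures = defaultdict(set)                      # source -> accounts with 4625 failures
    for ev in events:
        if ev["id"] == 7036 and ev.get("service") == "Windows Event Log":
            findings.append(("eventlog-service", f"Event Log service {ev['state']}"))
        elif ev["id"] == 7045:
            name, image = ev.get("service", ""), ev.get("image", "")
            decoded = decode_encoded_command(image)
            if RANDOM_NAME.match(name) or decoded is not None:
                detail = f"service {name!r}" + (f" decoded {decoded!r}" if decoded else "")
                findings.append(("metasploit-style-service", detail))
        elif ev["id"] == 4625:
            failures[ev["src"]].add(ev["user"])
    for src, users in failures.items():
        if len(users) >= SPRAY_THRESHOLD:
            findings.append(("password-spray", f"{len(users)} accounts from {src}"))
    return findings
```

Calling analyze(SAMPLE_EVENTS) yields two eventlog-service findings, one metasploit-style-service finding with the decoded command, and one password-spray finding; the same list of tuples can be fed to a CSV or JSON writer in the spirit of the output options above.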
Russ McRee, ISC Handler, Jan 21st 2020
DeepBlue is a great tool. There is nothing like sample logs to show new analysts what to look for. Here is a simple script to use DeepBlueCLI to parse multiple outputs from SekoiaLab/Fastir. See https://github.com/johnfranolich/Hunting-Scripts/blob/master/DeepPurple.ps1
Anonymous, Jan 26th 2020