Ticketmaster Data Breach A Breakdown

DeepBlueCLI

Installation:

- Git must be installed on the Windows machine (https://git-scm.com).
- Run PowerShell as administrator.
- Clone the DeepBlueCLI repository:
git clone https://github.com/sans-blue-team/DeepBlueCLI.git
- Navigate to the DeepBlueCLI directory:
cd DeepBlueCLI
- Import the DeepBlueCLI module from inside that directory:
Import-Module .\DeepBlue.ps1
DeepBlue.ps1 is a standalone script, so it can also be invoked directly from the directory without importing it. If PowerShell refuses to run a script downloaded from the internet because of the execution policy, unblock the file (Unblock-File .\DeepBlue.ps1) or relax the policy for the current process only (Set-ExecutionPolicy -Scope Process Bypass) rather than machine-wide.

Analyze Event Logs:

- Local Windows Security event log (reading it requires the elevated session from the installation step):
o .\DeepBlue.ps1 -log security
- Local Windows System event log:
o .\DeepBlue.ps1 -log system
- A specific saved event log file (.evtx):
o .\DeepBlue.ps1 "C:\Path\To\Your\EventLog.evtx"
- The default console output becomes hard to read once more than a handful of alerts are returned, so the objects DeepBlueCLI emits can be piped into a different view. For example, Grid View:
o .\DeepBlue.ps1 .\evtx\psattack-security.evtx | Out-GridView
Out-GridView is only available on Windows; for a text record of the run, or on another host, pipe into Format-List or Export-Csv instead.
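As an added example (not part of the original write-up or of the DeepBlueCLI project), the whole procedure above as one PowerShell session: it clones the tool, runs it over every sample log in the repository's evtx folder, tags each alert with the file it came from, and filters and saves the result. The install path C:\Tools, the alert wording matched by the regex, and the output property names Date, EventID, Message and Results are assumptions; confirm the property names on your version with `| Get-Member`.

```powershell
# Added example: end-to-end DeepBlueCLI run over a folder of .evtx files.
# This is not code from the original write-up or from the DeepBlueCLI project.
# Assumptions: Git is installed, the repo is cloned under C:\Tools (path chosen
# here), and DeepBlue.ps1 emits objects with Date, Log, EventID, Message and
# Results properties (check with `| Get-Member` on your version).

$root = 'C:\Tools'
if (-not (Test-Path "$root\DeepBlueCLI")) {
    git clone https://github.com/sans-blue-team/DeepBlueCLI.git "$root\DeepBlueCLI"
}
Set-Location "$root\DeepBlueCLI"

# Scripts fetched from the internet may be blocked by the execution policy.
# Relax it for this process only rather than machine-wide.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Get-ChildItem -Recurse -Filter *.ps1 | Unblock-File

# Run the detector over every sample log in the repo's evtx folder and tag each
# alert with its source file, so findings from different hosts stay separable.
$findings = Get-ChildItem .\evtx\*.evtx | ForEach-Object {
    $source = $_.Name
    .\DeepBlue.ps1 $_.FullName | ForEach-Object {
        $_ | Add-Member -NotePropertyName Source -NotePropertyValue $source -PassThru
    }
}

# Triage view: everything, sortable and filterable (Windows only)
$findings | Out-GridView -Title 'DeepBlueCLI findings'

# Narrow to the patterns discussed in the analysis: log clearing, password
# spraying and password guessing. The regex reflects DeepBlueCLI's alert wording
# as assumed here; adjust it after inspecting $findings.Message on your output.
$priority = $findings | Where-Object {
    ($_.Message + ' ' + $_.Results) -match 'log clear|password spray|password guess|brute'
}
$priority | Sort-Object Date | Format-Table Source, Date, EventID, Message -AutoSize

# Keep a record for the case file
$findings | Export-Csv -Path .\deepblue-findings.csv -NoTypeInformation
```

The Source tag matters when several hosts' logs are analyzed in one run: an alert about a cleared log is only meaningful once you know which machine it came from.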
Analysis of sample logs:

- smb-password-guessing-security.evtx:
o Analysis of this Security event log with DeepBlueCLI revealed significant suspicious activity on 19/09/2016, in particular a large number of failed logon attempts (Event ID 4625). The high number of failures for the Administrator account and for several other accounts suggests a brute-force (password-guessing) attack.
These findings need further investigation to determine whether any account was actually compromised (look for a successful logon, Event ID 4624, for the same accounts from the same source shortly after the failures) and to put measures in place, such as an account lockout policy, to prevent such attacks in the future.

- many-events-system.evtx
o Analysis of this System event log revealed significant suspicious activity, in particular suspicious service creations (Event ID 7045) and suspicious service executions. The patterns observed are consistent with brute-force attacks and possible exploitation attempts using Metasploit (for example its psexec-style modules, which install a temporary service to run their payload).

- disablestop-eventlog.evtx
o These three System log entries all relate to the event log service. The first two do not raise any concerns.
It is mostly the third entry that needs further investigation: it shows that the System log was cleared (Event ID 104; a cleared Security log is recorded as Event ID 1102). This may have been done intentionally by an administrator, but it can also be done maliciously.
If the logs were cleared without authorization, or are cleared on a frequent basis, it could indicate an attempt to cover up malicious activity (e.g. an attacker erasing their traces). The entry records which account performed the clearing and when, so correlate that with other activity by the same account in the surrounding time window.

- password-spray.evtx
o In this Security log, recorded on 30/04/2019, two alerts raise concern.
The first shows that 41 different user accounts were tried with explicit credentials (Event ID 4648) from one host. This is a so-called password spray attack, in which a few likely passwords are tried against many accounts to gain access while staying under account lockout thresholds. A successful login was performed for user “jwrig” from host “DESKTOP-JR78RLP”.
o The second alert shows that this same user's account was then used to clear the log files, which strengthens the suspicion that the account was compromised rather than used legitimately.
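As an added example, not from the original write-up or from DeepBlueCLI, the following PowerShell cross-checks the findings above against the raw records with the built-in Get-WinEvent cmdlet: failed logons per account for the password-guessing file, the number of distinct accounts tried with explicit credentials in the spray file plus any later successful logon for one of them, and the account that cleared a log. The file names are the repository's sample logs; the location of the evtx folder, and the expectation that the write-up's numbers (41 accounts, user jwrig) are reproduced, are assumptions to verify against your own output.

```powershell
# Added example: corroborating DeepBlueCLI's verdicts against the raw records with
# the built-in Get-WinEvent cmdlet. Not code from the original write-up or from
# DeepBlueCLI. Assumes the repository's sample logs sit in .\evtx (an assumption;
# adjust $evtx). Event IDs are the standard Windows ones: 4625 failed logon,
# 4624 successful logon, 4648 logon with explicit credentials, 1102 Security log
# cleared, 104 System log cleared.

$evtx = Join-Path (Get-Location) 'evtx'

function Get-EventDataField {
    # Read a named <Data Name="..."> value from an event's XML instead of relying
    # on positional Properties[] indexes, which differ between event versions.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-LogClearSubject {
    # 1102 and 104 both keep the clearing account in <UserData>, not <EventData>.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    ([xml]$Event.ToXml()).Event.UserData.LogFileCleared.SubjectUserName
}

# 1. Password guessing: failed logons grouped by target account, with the sources
$path = Join-Path $evtx 'smb-password-guessing-security.evtx'
Get-WinEvent -FilterHashtable @{ Path = $path; Id = 4625 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = Get-EventDataField $_ 'TargetUserName'
            Source  = Get-EventDataField $_ 'IpAddress'
        }
    } | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Sources'; e = { ($_.Group.Source | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 2. Password spray: many distinct accounts tried with explicit credentials, then a
#    successful logon (4624) for one of those accounts is the sign the spray worked.
$path = Join-Path $evtx 'password-spray.evtx'
$explicit = @(Get-WinEvent -FilterHashtable @{ Path = $path; Id = 4648 } -ErrorAction SilentlyContinue)
$targets  = @($explicit | ForEach-Object { Get-EventDataField $_ 'TargetUserName' } | Sort-Object -Unique)
"4648 events: {0}; distinct target accounts: {1}" -f $explicit.Count, $targets.Count

Get-WinEvent -FilterHashtable @{ Path = $path; Id = 4624 } -ErrorAction SilentlyContinue |
    Where-Object { $targets -contains (Get-EventDataField $_ 'TargetUserName') } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = Get-EventDataField $_ 'TargetUserName'
            Workstation = Get-EventDataField $_ 'WorkstationName'
            LogonType   = Get-EventDataField $_ 'LogonType'
        }
    } | Format-Table -AutoSize

# 3. Log clearing: which account cleared which log, and when
'password-spray.evtx', 'disablestop-eventlog.evtx' | ForEach-Object {
    $path = Join-Path $evtx $_
    Get-WinEvent -FilterHashtable @{ Path = $path; Id = 1102, 104 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                File    = Split-Path $path -Leaf
                Time    = $_.TimeCreated
                EventID = $_.Id
                Subject = Get-LogClearSubject $_
            }
        }
} | Format-Table -AutoSize
```

Reading the fields through the event XML rather than Properties[] indexes keeps the script correct across event schema versions, and the 4624-after-4648 join is the check that turns "a spray was attempted" into "a spray succeeded for this account", which is the finding that actually drives the incident response.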
How can DeepBlueCLI be used in a real-world forensic investigation?
-
