Incident Response and Threat Hunting using the DeepBlueCLI tool

Md. Mahim Bin Firoj
4 min read · Sep 28, 2023


If you need to hunt for threats or any post-incident artifacts that are hidden in your Windows event logs, then look no further. There is a tool called DeepBlueCLI, created by Eric Conrad.

During IR and TH activity we need to be equipped with various tools. So let’s see how this tool helps us find malicious activity hidden in event logs.

From the above link you can download the tool.

Open PowerShell in admin mode and run one of the following commands:

Set-ExecutionPolicy RemoteSigned

or

Set-ExecutionPolicy Bypass

The tool works in two modes: either pass the -log parameter followed by a log name, or pass the path to an .evtx file.

.\DeepBlue.ps1 -log security
.\DeepBlue.ps1 -log system
.\DeepBlue.ps1 -log application
.\DeepBlue.ps1 -log powershell
.\DeepBlue.ps1 -log sysmon
Security logs

When you run the above commands, the corresponding logs on your local system are analyzed and the results are returned. Note that you need to configure some log settings for this to work; we will discuss that shortly. For example, if PowerShell module logging (event 4103) and script block logging (event 4104) are not configured, those events will not appear in the results. The same goes for command line auditing (event ID 4688).

On Windows, event logs are stored in .evtx format under “C:\Windows\System32\winevt\Logs”. The author also provides some sample .evtx logs for you in the evtx folder. Run the following command to analyze one of them:

.\DeepBlue.ps1 .\evtx\password-spray.evtx
Password spray attack

These are the two ways to fetch and view results from the logs.

Now let’s see how to configure some logging settings so that this tool can detect more:

Process creation and Command line auditing 4688:

This log setting is disabled by default.

You need to configure both of the following.

Audit on success or failure
Command line auditing

You also need to configure this setting.

Security event 4625 (Failed logons):

The tool’s GitHub page also suggests that event 4625 needs to be configured. Don’t worry: Windows has default auditing settings enabled that capture certain critical security events, including successful and failed logon attempts, user account creation, deletion, etc. These defaults are enabled to help with security monitoring.

PowerShell auditing (PowerShell 5.0):

DeepBlueCLI uses module logging (PowerShell event 4103) and script block logging (4104). It does not use transcription.

See:

The above link will teach you how to configure PowerShell logging.

To get the PowerShell command line (and not just the script block) on Windows 7 through Windows 8.1, add the following to \Windows\System32\WindowsPowerShell\v1.0\profile.ps1:

$LogCommandHealthEvent = $true
$LogCommandLifecycleEvent = $true

Sysmon:

Install Sysmon from the official Microsoft site. Soon I will publish a detailed blog on Sysmon that will help you get started. Until then, use the SwiftOnSecurity Sysmon config file. As of now, only Sysmon event IDs 1, 7 and 8 (or 1, 6 and 7) are covered by the author.

You can also configure the above logging settings on your customers’ machines, so that if anything happens in future you can investigate deeply.
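Before running DeepBlueCLI on a host, it helps to confirm that the logging described above is actually switched on. The following script is an added example (not part of the original post or of DeepBlueCLI itself) that checks, read-only, the registry policies and audit subcategories behind events 4688, 4625, 4103 and 4104 and whether a Sysmon service exists. It assumes an elevated PowerShell prompt on an English-locale Windows host, and that Sysmon, if installed, runs as a service named Sysmon or Sysmon64.

```powershell
# Added example, not part of the original post or of DeepBlueCLI itself:
# a read-only preflight check that reports whether the logging DeepBlueCLI
# relies on (4688 with command line, 4625, 4103, 4104, Sysmon) is enabled.
# Assumptions: run from an elevated PowerShell prompt on an English-locale
# Windows host; Sysmon is installed as a service named Sysmon or Sysmon64.

function Test-PolicyDword {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return ($item.$Name -eq 1)
    } catch {
        return $false   # missing key or value means the policy is not set
    }
}

$checks = [ordered]@{}

# Command line in event 4688 (Process Creation auditing must be on as well).
$checks['4688 includes command line'] = Test-PolicyDword `
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    'ProcessCreationIncludeCmdLine_Enabled'

# PowerShell module logging (4103) and script block logging (4104).
$checks['PowerShell module logging (4103)'] = Test-PolicyDword `
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' `
    'EnableModuleLogging'
$checks['PowerShell script block logging (4104)'] = Test-PolicyDword `
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
    'EnableScriptBlockLogging'

# Audit policy: 4688 needs "Process Creation" on Success, 4625 needs "Logon" on Failure.
$needed = @{ 'Process Creation' = 'Success'; 'Logon' = 'Failure' }
foreach ($sub in $needed.Keys) {
    # auditpol prints the subcategory line indented under its category header.
    $line = auditpol /get /subcategory:"$sub" |
        Select-String -Pattern "^\s+$sub\s" | Select-Object -First 1
    $checks["Audit policy: $sub ($($needed[$sub]))"] = [bool]($line -and $line.Line -match $needed[$sub])
}

# Sysmon: DeepBlueCLI's "-log sysmon" needs the Sysmon service to be installed.
$checks['Sysmon service installed'] = [bool](Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue)

foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'OK     ' } else { 'MISSING' }
    Write-Output ("{0}  {1}" -f $state, $name)
}
```

A MISSING line tells you which DeepBlueCLI detections will be silent on that host until the corresponding setting is enabled.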

Thanks. I hope this blog helps you be better equipped during an incident. Please subscribe below.

LinkedIn:

https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/

YouTube:

https://www.youtube.com/@mahimfiroj1802/videos
