Deepbluecli
Author: Stefan Waldvogel
DeepBlueCLI
Overview
DeepBlueCLI is a tool to log PowerShell events. Tools like PowerSploit, PowerShell Empire and Bloodhound use PowerShell and without logging, an attacker can use these tools without being captured.
Prequisites:
This tool requires advanced logging on your target machine and you can set it up here:
Overview
DeepBlueCLI is a tool to log PowerShell events. Tools like PowerSploit, PowerShell Empire and Bloodhound use PowerShell and without logging, an attacker can use these tools without being captured.
Prequisites:
This tool requires advanced logging on your target machine and you can set it up here:
GitHub link:
https://github.com/sans-blue-team/DeepBlueCLI
Installation
Visit the GitHub website and download the zip file. Windows will mark it as unwanted, but you can download it.
https://github.com/sans-blue-team/DeepBlueCLI
Installation
Visit the GitHub website and download the zip file. Windows will mark it as unwanted, but you can download it.
|
|
Extract the files to a wanted folder.
|
|
Open a PowerShell as administrator and point it to your DeepBlueCLI folder.
|
|
It is imprtant to know what we can do with this program. The syntax to run DeepBlueCLI is simple:
.\DeepBlue.ps1 <event log name> <evtx filename>
The "event log name" is not necassary, but the evtx file. An evtx file is a config file and you can find all of them in the evtx folder. Later we can use mimikatz and see if we can catch us.
Before we can run a command, we have to set PowerShell to Unrestricted with the command:
Set-ExecutionPolicy Unrestricted
.\DeepBlue.ps1 <event log name> <evtx filename>
The "event log name" is not necassary, but the evtx file. An evtx file is a config file and you can find all of them in the evtx folder. Later we can use mimikatz and see if we can catch us.
Before we can run a command, we have to set PowerShell to Unrestricted with the command:
Set-ExecutionPolicy Unrestricted
|
|
The easiest way to test the configuration is via an encoded PowerShell command. We can use the command;
.\DeepBlue.ps1 .\evtx\PowerShell-Invoke-Obfuscation-encoding-menu.evtx
You can use tap to autocomplete and press R.
.\DeepBlue.ps1 .\evtx\PowerShell-Invoke-Obfuscation-encoding-menu.evtx
You can use tap to autocomplete and press R.
If we run this command, we get some output, but for a real test, we need a real and easy command.
A different option is finding a new user in a log.
First, we have to create a user. Open Computer Management and add a user.
A different option is finding a new user in a log.
First, we have to create a user. Open Computer Management and add a user.
We see we were not able to see the new created user (we have two old entries) and the security log explains the reason. We do not log this type of event and therefore we cannot see this type of event.
Our log and settings look like this:
|
|
What is the lesson?
Test everything before you think it works. Here, we have a nice program, but the program needs a correct log configuration. If we not provide the right logs, the software cannot detect the malicious actor.
Fix the problem
A quick google search gives us this link: social.technet.microsoft.com/wiki/contents/articles/17055.active-directory-event-ids-when-a-new-user-account-is-created.aspx
and we forgot the "Audit account management"setting.
Test everything before you think it works. Here, we have a nice program, but the program needs a correct log configuration. If we not provide the right logs, the software cannot detect the malicious actor.
Fix the problem
A quick google search gives us this link: social.technet.microsoft.com/wiki/contents/articles/17055.active-directory-event-ids-when-a-new-user-account-is-created.aspx
and we forgot the "Audit account management"setting.
We create a new user and check the log. Now, we have a matching entry and a new 4720 event.
We have the right event, but DeepBlueCLI is still not able to detect it. One problem could be the additional parameter .\evtx\new-user-security.evtx
We can try a new command:
.\DeepBlue.ps1 -log security
Indeed, if we process all security events, we get the right EventID 4720 and see the new created user.
We can try a new command:
.\DeepBlue.ps1 -log security
Indeed, if we process all security events, we get the right EventID 4720 and see the new created user.
|
|
Cybersecurity is hard
This was a very small problem and you will encounter dozens of those every single day. I like this job a lot, because I need a lot of creativity to solve problems.
What next?
Try different things to understand the software. You can use Atomic Red Team to test DeepBlueCLI and find some matching PowerShell modules.
We will come back later with mimikatz and Empire (more advanced stuff).
This was a very small problem and you will encounter dozens of those every single day. I like this job a lot, because I need a lot of creativity to solve problems.
What next?
Try different things to understand the software. You can use Atomic Red Team to test DeepBlueCLI and find some matching PowerShell modules.
We will come back later with mimikatz and Empire (more advanced stuff).
© 2021. This work is licensed under a CC BY-SA 4.0 license