EDR Bluespawn (free)
Author: Stefan Waldvogel
-under construction-
BLUESPAWN is an active defense and endpoint detection and response tool which means it can be used by defenders to quickly detect, identify, and eliminate malicious activity and malware across a network.
To follow this guide, you can use your Windows 10 VM. If you do not have one, you can follow this guide to create a machine
BLUESPAWN is an active defense and endpoint detection and response tool which means it can be used by defenders to quickly detect, identify, and eliminate malicious activity and malware across a network.
To follow this guide, you can use your Windows 10 VM. If you do not have one, you can follow this guide to create a machine
To follow all steps, you can install Atomic Red Team before you proceed with the installation of Bluespawn:
GitHub:
github.com/ION28/BLUESPAWN
Downloadlink:
https://github.com/ION28/BLUESPAWN/releases (all releases)
github.com/ION28/BLUESPAWN/releases/tag/v0.5.1-alpha (used version in this guide)
Download the client x64.exe
github.com/ION28/BLUESPAWN
Downloadlink:
https://github.com/ION28/BLUESPAWN/releases (all releases)
github.com/ION28/BLUESPAWN/releases/tag/v0.5.1-alpha (used version in this guide)
Download the client x64.exe
|
|
Depending on your system, you have to turn off Microsoft defender. --> To play around, do not user your main system!
You can use the GUI or a powershell command to turn Defender off. The command is:
Set-MpPreference -DisableRealtimeMonitoring $true
You can use the GUI or a powershell command to turn Defender off. The command is:
Set-MpPreference -DisableRealtimeMonitoring $true
|
|
Windows 10 is changing a lot, you might have to whitelist the program if the PowerShell command does not work.
Bluespan has three different modes:
Open a command line (cmd) with administrator rights and point the cursor to your Bluespawn.exe
- mitigate
- hunt
- monitor
Open a command line (cmd) with administrator rights and point the cursor to your Bluespawn.exe
The command to start monitoring is:
.\BLUESPAWN-client-x64.exe --monitor -a Cursory
.\BLUESPAWN-client-x64.exe --monitor -a Cursory
At the moment, nothing happens, therefore we can dive into the given output. Bluespawn (and Atomic Red Team) is based on MITRE and we see matching numbers here. T1136 is about creating a user account. We find more information here: attack.mitre.org/techniques/T1136/
The article mentions EventID 4720. Let us create a user via Computer Management and observe everything. We will not see anything, because we do not log this event.
The article mentions EventID 4720. Let us create a user via Computer Management and observe everything. We will not see anything, because we do not log this event.
|
|
We have to edit the Group Policy (again), because a different policy overwrite this setting.
At least in my version, Bluespawn is crashing after creating a user. Bluespawn is an alpha version, this is okay. We can try something else.
What about T1036 (Masquerading)?
The matching command is:
Invoke-AtomicTest T1036.003 -ShowDetailsBrief
What about T1036 (Masquerading)?
The matching command is:
Invoke-AtomicTest T1036.003 -ShowDetailsBrief
First, we check if we need something for this atomic:
Invoke-AtomicTest T1036.003 -TestName 1 -CheckPrereqs
Invoke-AtomicTest T1036.003 -TestName 1 -CheckPrereqs
we need a folder, that is not a problem:
Invoke-AtomicTest T1036.003 -TestName 1 -GetPrereqs
Invoke-AtomicTest T1036.003 -TestName 1 -GetPrereqs
Now, we have everything for our small test and we can run Bluespawn again.
The test command is:
Invoke-AtomicTest T1036 -TestName 1
Invoke-AtomicTest T1036 -TestName 1
© 2021. This work is licensed under a CC BY-SA 4.0 license