sans-blue-team / deepbluecli Goto Github PK

It appears that the Check-Service function should be Check-Regex.

this would make it alot easier to run the script as a pre-parser on data coming in from winlogbeat /logstasah before being sent to elasticsearch db

I have a windows 11.After Downloaded then extracted the zip file, DeepBlue.ps1 is not nowhere to be found. I thought maybe that i'm not logged in to my github, but then it was the same issue.

Not sure if I put this here, but Windows defender is detecting the zip file as a virus
https://github.com/sans-blue-team/DeepBlueCLI/archive/refs/heads/master.zip

Hello Eric,

So we were practicing in SANS504 with your DeepBlueCLI script and when Chris cleared all the logs then ran the script again we didn't see the event ID "1102" - The Audit Log Was Cleared". However, we really believe this event should be add to the script :).

Thank you,

Is there an issues getting this to work on Windows 10 (2004) with the latest version of Sysmon 12.0.3?

I get the error when running the powerShell script DeepWhite-collector:
Out-Host : A positional parameter cannot be found that accepts argument 'No SHA256 hash found. Ensure Sysmon is creatin
g SHA256 hashes'.
At DeepWhite-collector.ps1:36 char:9

•     Out-Host "No SHA256 hash found. Ensure Sysmon is creating SHA ...
  

•     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidArgument: (:) [Out-Host], ParameterBindingException
  • FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.OutHostCommand

If I look in the Eventviewer, I can see the sha256 hashes for events 1 and 7 are present

Hello Team,

I want to forward the DeepBlueCLI output into a logfile which can then be sent to a Syslog Server. Is there a way to do it?

Regards

I was running the script like so .\DeepBlue.ps1 C:\Path\Tp\myEvtxFile.evtx
I verified that I am using a valid evtx file and it opens fine with Event Viewer.
I am reaching this Logic error 3, should not reach here..

I commented out that check on the switch and then it would hit a following Logic error 1, should not reach here....

Unfortunately, I cannot provide the evtx file for testing which I am sure would be helpful.

I can share that issue looks to be an unsupported type in the $event.LogName of Microsoft-Windows-TerminalServices-RDPClient/Operational. Which looks not to be supported at the moment in the code.

As a thought/suggestion, it may be worthwhile to have some kind of processing anyway, even if is not a supported LogName to try to get something useful out of it.

How often would you recommend to schedule the script to run and how can I ingest the output into Security Onion for our domain?

I have an issue where where the script local (-log) or remote (-file) arguments shows no results. There is no error so it looks like it cannot find anything even though there are event IDs that should match on the "Microsoft-Windows-PowerShell/Operational.evtx" log.

Can you please help me to troubleshoot this?

Greetings SANS Blue Team,

Under Examples, current example commands for Metasploit PowerShell target (security) and Metasploit PowerShell target (system) are a repeat of the previous native commands.

Metasploit PowerShell target (security) should be .\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-security.evtx and Metasploit PowerShell target (system) should be
.\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-system.evtx

I can fork, fix, and send you a pull request if you prefer.
Cheers, Russ

Getting the following error on Application.evtx with known logs within it.

Get-WinEvent @{path="C\Windows\System32\winevt\logs\Application.evtx";ID=2} -ErrorAction Stop
Get-WinEvent error: No events were found that match the specified selection criteria.

Hi everyone and thanks for this amazing tool. I have a siem in my environment and which is configured to process windows logs(system, security, application) from critical servers meaning i dont have access to evtx files and I want to use signatures of deepbluecli and search them on my siem(qradar btw and dont buy it, it sucks!). any idea if this can be accomplished?

Hello,

Was working on a lab and came across an issue regarding outputting to JSON. Specifically when a password spray attack is logged.

When running the command: .\DeepBlue.ps1 | ConvertTo-JSON , the output for each user appears to be overwritten by the password spray totals.

Once this if condition is hit, the original $obj contents appear to be overwritten when invoking the JSON output.

https://github.com/sans-blue-team/DeepBlueCLI/blob/master/DeepBlue.ps1#L564

Seems that Windows Defender thinks Deep Blue is powersploit. I can't download the repo without it getting removed.