sans-blue-team / deepbluecli
License: GNU General Public License v3.0
Hello,
I was working on a lab and came across an issue regarding outputting to JSON, specifically when a password spray attack is logged.
When running the command .\DeepBlue.ps1 | ConvertTo-JSON, the output for each user appears to be overwritten by the password spray totals.
Once this if condition is hit, the original $obj contents appear to be overwritten when invoking the JSON output.
https://github.com/sans-blue-team/DeepBlueCLI/blob/master/DeepBlue.ps1#L564
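The symptom described in this report is what happens in PowerShell when a script emits the same object more than once and keeps mutating it: the console formatter prints each object as it streams, but ConvertTo-Json buffers all input before serializing, so it only ever sees the final state of that one object. The following is an added illustration, not DeepBlueCLI's own code; the Get-SprayReport-* functions, their -Users parameter and the user names are constructed for the example.

```powershell
# Constructed illustration (not DeepBlueCLI code) of why per-user records can be
# replaced by a later "totals" record when the pipeline ends in ConvertTo-Json.

function Get-SprayReport-Buggy {
    param([string[]]$Users)          # hypothetical parameter
    # One object, re-used for every record.
    $obj = [PSCustomObject]@{ User = ''; Failures = 0; Note = '' }
    foreach ($u in $Users) {
        $obj.User     = $u
        $obj.Failures = 3
        $obj.Note     = 'Failed logon'
        $obj                          # emits a reference to the SAME object each time
    }
    # The "totals" record mutates that same object after it has already been emitted.
    $obj.User     = '*'
    $obj.Failures = 3 * $Users.Count
    $obj.Note     = 'Password spray total'
    $obj
}

function Get-SprayReport-Fixed {
    param([string[]]$Users)
    foreach ($u in $Users) {
        # A fresh object per record: later mutation cannot touch earlier output.
        [PSCustomObject]@{ User = $u; Failures = 3; Note = 'Failed logon' }
    }
    [PSCustomObject]@{ User = '*'; Failures = 3 * $Users.Count; Note = 'Password spray total' }
}

$users = 'alice', 'bob', 'carol'      # constructed sample input

# Default formatting streams, so the buggy version looks correct at the console:
Get-SprayReport-Buggy -Users $users | Format-Table

# ConvertTo-Json buffers, so every element of the buggy array is the totals record
# (all four entries point at one object, and its last state wins):
Get-SprayReport-Buggy -Users $users | ConvertTo-Json -Compress

# The fixed version serializes three per-user records and then the totals record:
Get-SprayReport-Fixed -Users $users | ConvertTo-Json -Compress
```

Two practical checks follow from this: compare the console output with the JSON output for the same evtx, and, if they disagree, serialize per record (`ForEach-Object { $_ | ConvertTo-Json -Compress }`) as a workaround until the script builds a new object per result.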
Hello Eric,
So we were practicing in SANS504 with your DeepBlueCLI script, and when Chris cleared all the logs and then ran the script again, we didn't see event ID 1102, "The Audit Log Was Cleared". However, we really believe this event should be added to the script :).
Thank you,
It appears that the Check-Service function should be Check-Regex.
Getting the following error on Application.evtx with known logs within it.
Get-WinEvent @{path="C\Windows\System32\winevt\logs\Application.evtx";ID=2} -ErrorAction Stop
Get-WinEvent error: No events were found that match the specified selection criteria.
How often would you recommend to schedule the script to run and how can I ingest the output into Security Onion for our domain?
I was running the script like so: .\DeepBlue.ps1 C:\Path\Tp\myEvtxFile.evtx
I verified that I am using a valid evtx file and it opens fine with Event Viewer.
I am reaching this "Logic error 3, should not reach here".
I commented out that check on the switch and then it would hit a following "Logic error 1, should not reach here".
Unfortunately, I cannot provide the evtx file for testing, which I am sure would be helpful.
I can share that the issue looks to be an unsupported type in the $event.LogName of Microsoft-Windows-TerminalServices-RDPClient/Operational, which looks not to be supported at the moment in the code.
As a thought/suggestion, it may be worthwhile to have some kind of processing anyway, even if it is not a supported LogName, to try to get something useful out of it.
This would make it a lot easier to run the script as a pre-parser on data coming in from winlogbeat/logstash before being sent to the Elasticsearch db.
Hi everyone, and thanks for this amazing tool. I have a SIEM in my environment which is configured to process Windows logs (system, security, application) from critical servers, meaning I don't have access to evtx files, and I want to use the signatures of DeepBlueCLI and search for them on my SIEM (QRadar btw, and don't buy it, it sucks!). Any idea if this can be accomplished?
Is there an issues getting this to work on Windows 10 (2004) with the latest version of Sysmon 12.0.3?
I get the error when running the PowerShell script DeepWhite-collector:
Out-Host : A positional parameter cannot be found that accepts argument 'No SHA256 hash found. Ensure Sysmon is creating SHA256 hashes'.
At DeepWhite-collector.ps1:36 char:9
Out-Host "No SHA256 hash found. Ensure Sysmon is creating SHA ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If I look in the Event Viewer, I can see the SHA256 hashes for events 1 and 7 are present.
I have an issue where the script's local (-log) or remote (-file) arguments show no results. There is no error, so it looks like it cannot find anything, even though there are event IDs that should match on the "Microsoft-Windows-PowerShell/Operational.evtx" log.
Can you please help me to troubleshoot this?
I have Windows 11. After downloading and then extracting the zip file, DeepBlue.ps1 is nowhere to be found. I thought maybe I'm not logged in to my GitHub, but then it was the same issue.
Seems that Windows Defender thinks Deep Blue is powersploit. I can't download the repo without it getting removed.
Hello Team,
I want to forward the DeepBlueCLI output into a logfile which can then be sent to a syslog server. Is there a way to do it?
Regards
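One way to do what this post asks, as an added example that is not part of the project or of the original post: run DeepBlue.ps1 against an evtx, append one JSON object per detection to a JSON-lines file, and send each line to a syslog collector over UDP. It assumes DeepBlue.ps1 is in the current directory and takes the evtx path as its first argument (as the README examples show); the file paths, collector address, port and RFC 5424 framing are assumptions to adjust for your environment.

```powershell
# Added example (not DeepBlueCLI code): DeepBlue results -> JSON-lines file -> UDP syslog.
# Assumed values: $EvtxPath, $LogFile, $SyslogHost, $SyslogPort.
param(
    [string]$EvtxPath   = '.\evtx\password-spray.evtx',
    [string]$LogFile    = '.\deepblue-output.jsonl',
    [string]$SyslogHost = '10.0.0.5',
    [int]$SyslogPort    = 514
)

function ConvertTo-SyslogLine {
    param([string]$Json, [string]$AppName = 'DeepBlueCLI')
    # RFC 5424 header. PRI 13 = facility user (1) * 8 + severity notice (5).
    # PROCID, MSGID and STRUCTURED-DATA are left as the nil value '-'.
    $ts       = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $hostname = $env:COMPUTERNAME
    return "<13>1 $ts $hostname $AppName - - - $Json"
}

$udp = New-Object System.Net.Sockets.UdpClient
try {
    .\DeepBlue.ps1 $EvtxPath | ForEach-Object {
        # Serialize each record on its own: one line per detection, and a later
        # record cannot alter an earlier one before it has been written out.
        $json = $_ | ConvertTo-Json -Compress -Depth 4
        Add-Content -Path $LogFile -Value $json
        $bytes = [System.Text.Encoding]::UTF8.GetBytes((ConvertTo-SyslogLine -Json $json))
        [void]$udp.Send($bytes, $bytes.Length, $SyslogHost, $SyslogPort)
    }
}
finally {
    $udp.Close()
}
```

UDP syslog is fire-and-forget, so the local JSON-lines file is the record of what was actually produced; if the collector supports TCP or TLS, swap the UdpClient for a TcpClient/SslStream and add octet-counting framing, and make sure the collector's parser expects RFC 5424 rather than the older BSD format.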
Not sure if I should put this here, but Windows Defender is detecting the zip file as a virus:
https://github.com/sans-blue-team/DeepBlueCLI/archive/refs/heads/master.zip
Greetings SANS Blue Team,
Under Examples, current example commands for Metasploit PowerShell target (security) and Metasploit PowerShell target (system) are a repeat of the previous native commands.
Metasploit PowerShell target (security) should be .\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-security.evtx
and Metasploit PowerShell target (system) should be .\DeepBlue.ps1 .\evtx\metasploit-psexec-powershell-target-system.evtx
I can fork, fix, and send you a pull request if you prefer.
Cheers, Russ