Introducing DeepBlueCLI, a PowerShell module for hunt teaming via Windows event logs

Presented at DerbyCon 6.0 Recharge (2016), Sept. 24, 2016, 2 p.m. (50 minutes).

A number of events are triggered in Windows environments during virtually every successful breach, these include: service creation events and errors, user creation events, extremely long command lines, compressed and base64 encoded PowerShell functions, and more. Microsoft has added a wealth of blue team tools to its operating systems, including native support of logging the full command line used to launch all processes, without requiring 3rd party tools (or Sysmon). KB3004375 adds this feature to Windows 7 and Server 2008R2. DeepBlueCLI can automatically determine events that are typically triggered during a majority of successful breaches, including use of malicious command lines including PowerShell.

Presenters:

Similar Presentations: