Introducing DeepBlueCLI, a PowerShell module for hunt teaming via Windows event logs

Presented at DerbyCon 6.0 Recharge (2016), Sept. 24, 2016, 2 p.m. (50 minutes)

A number of events are triggered in Windows environments during virtually every successful breach. These include service creation events and errors, user creation events, extremely long command lines, compressed and base64-encoded PowerShell functions, and more. Microsoft has added a wealth of blue team tools to its operating systems, including native support for logging the full command line used to launch every process, without requiring third-party tools (or Sysmon). KB3004375 adds this feature to Windows 7 and Server 2008 R2. DeepBlueCLI can automatically identify events that are typically triggered during a majority of successful breaches, including the use of malicious command lines, PowerShell among them.
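To make the detection idea concrete, here is a small added example (not DeepBlueCLI's own code, and not from the talk) that hunts over event records for the indicators the abstract names: new-service and service-error events, user-creation events, overly long command lines, base64-encoded PowerShell, and compressed-plus-base64 payloads. It runs against constructed sample records so it works offline; the field names (`LogName`, `Id`, `CommandLine`, `TimeCreated`), the 1000-character length threshold, and the sample values are all assumptions of this example.

```powershell
# Added example (not DeepBlueCLI code): a minimal hunt over Windows event
# records for the breach indicators described in the talk abstract.
# Runs entirely on constructed sample records; to try it on a real host,
# build the same shape from Get-WinEvent output (for 4688 the command line
# must be parsed out of the event message and is only present when
# "Include command line in process creation events" auditing is enabled).

function Get-DecodedCommand {
    param([string]$Base64)
    # powershell.exe -EncodedCommand expects UTF-16LE text, base64-encoded
    try { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64)) }
    catch { $null }
}

function Find-SuspiciousEvents {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $LongCommandLength = 1000   # assumed threshold; tune per environment
    )
    foreach ($e in $Events) {
        $reasons = @()
        $decoded = $null

        # Event IDs that DeepBlueCLI-style hunting cares about (real IDs)
        switch ("$($e.LogName):$($e.Id)") {
            'System:7045'   { $reasons += 'New service installed (7045)' }
            'System:7034'   { $reasons += 'Service terminated unexpectedly (7034)' }
            'Security:4720' { $reasons += 'User account created (4720)' }
        }

        $cmd = $e.CommandLine
        if ($cmd) {
            if ($cmd.Length -gt $LongCommandLength) {
                $reasons += "Long command line ($($cmd.Length) chars)"
            }
            # -e, -ec, -enc or -EncodedCommand followed by a base64 blob
            if ($cmd -match '(?i)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})') {
                $reasons += 'Base64-encoded PowerShell command'
                $decoded = Get-DecodedCommand $Matches[1]   # reveal what was hidden
            }
            # base64 decode combined with an in-memory decompression stream
            if ($cmd -match '(?i)FromBase64String' -and
                $cmd -match '(?i)(GzipStream|DeflateStream|Decompress)') {
                $reasons += 'Compressed + base64-encoded PowerShell payload'
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                LogName     = $e.LogName
                Id          = $e.Id
                Reasons     = ($reasons -join '; ')
                Decoded     = $decoded
            }
        }
    }
}

# Constructed sample records (not real log data). The encoded command is a
# harmless Write-Host, built here so the base64 is guaranteed to be valid.
$benignEncoded = [Convert]::ToBase64String(
    [Text.Encoding]::Unicode.GetBytes('Write-Host hello'))

$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2016-09-24 14:00:01'; LogName = 'Security'; Id = 4688
        CommandLine = "powershell.exe -NoP -W Hidden -enc $benignEncoded" },
    [pscustomobject]@{ TimeCreated = '2016-09-24 14:00:02'; LogName = 'Security'; Id = 4688
        CommandLine = 'powershell.exe -c "... [Convert]::FromBase64String(...) ... GzipStream ... Decompress ..."' },
    [pscustomobject]@{ TimeCreated = '2016-09-24 14:00:03'; LogName = 'Security'; Id = 4688
        CommandLine = 'cmd.exe /c ' + ('A' * 1200) },
    [pscustomobject]@{ TimeCreated = '2016-09-24 14:00:04'; LogName = 'System';   Id = 7045
        CommandLine = $null },
    [pscustomobject]@{ TimeCreated = '2016-09-24 14:00:05'; LogName = 'Security'; Id = 4720
        CommandLine = $null },
    [pscustomobject]@{ TimeCreated = '2016-09-24 14:00:06'; LogName = 'Security'; Id = 4688
        CommandLine = 'notepad.exe C:\Users\alice\notes.txt' }   # benign, should not fire
)

Find-SuspiciousEvents -Events $SampleEvents | Format-Table -AutoSize -Wrap
```

The five non-benign records each produce one row with the matching reason, and the `-enc` record additionally shows the decoded `Write-Host hello`; the notepad record produces nothing. The decode step is the defender's win here: an encoded command line hides intent from a casual glance at the log, but the UTF-16LE base64 convention is fixed, so the original text can always be recovered and inspected.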
