Get a DeepBlue analysis

At RSA Conference 2020, in the video The 5 Most Dangerous New Attack Techniques and How to Counter Them, Ed Skoudis presented a way to look for log anomalies, DeepBlueCLI by Eric Conrad et al., as one of the available C2 (Command & Control) defenses.

I forked the original version from the commit made in Christmas 2019.

My intent is to make DeepBlueCLI:

    • available as a PowerShell module contained in a single .psm1 file
    • expose a single function with many parameters (instead of editing the original .ps1 file to change them)
    • more aligned with what PowerShell can do and with common PowerShell coding-style standards

Of course, you should first read what the original DeepBlueCLI can do in its README.

I found the DeepBlue.ps1 script great for several reasons:

    • First, it can analyze a live running Windows computer. By default it reads the Security event log.
      However, that part does not scale well because the regular expressions used to analyze command content are loaded from a side file, regexes.txt.
    • Secondly, it can analyze an exported .evtx file from the ‘Application’, ‘System’, ‘Security’, ‘AppLocker’, ‘Sysmon’ or ‘PowerShell’ event logs. That makes it cross-platform: you can use the script on a Linux computer running PowerShell 7 🙂
    • Third, it is a very fast way to find indicators of compromise. It will tell you if a new account has been added, how many times an account was used to log on, whether suspicious well-known commands were run…
    • Last but not least, Eric Conrad stores many sample .evtx files in his GitHub repo.

Let’s see it in action!

I launched a Windows 10 Pro 1809 VM in Azure and ran the following:

# Install PowerShell 7 (msi x64), click, click...
iex "& { $(irm https://aka.ms/install-powershell.ps1) } -UseMSI"
# Open PS7
saps pwsh

In the new PowerShell 7 console, I ran:

# Download the fork as a zip from GitHub
iwr 'https://github.com/p0w3rsh3ll/DeepBlue/archive/master.zip' -OutFile ~/downloads/DeepBlue-master.zip -Verbose
# Unzip
Expand-Archive ~/downloads/DeepBlue-master.zip ~/downloads/DeepBlue-master
cd ~/downloads/DeepBlue-master/DeepBlue-master
# Verify: check every file's hash against the signed DeepBlue.cat catalog
# (README.md is excluded from the check). The returned Status should be 'Valid'.
$HT = @{
    CatalogFilePath = "./DeepBlue.cat"
    Path = "./"
    Detailed = $true
    FilesToSkip = 'README.md'
}
Test-FileCatalog @HT
# Allow the module to load in this process only (no machine-wide policy change)
Set-ExecutionPolicy RemoteSigned -Scope Process -Force -Verbose
# Import
Import-Module .\DeepBlue.psd1 -Force -Verbose
# Run the function against the live Security log (the default)
Get-DeepBlueAnalysis

I also downloaded the original DeepBlueCLI script and repo from Eric Conrad and ran the same commands to see the difference between my forked version and his:


NB: Notice the tab completion for the Log parameter in my version 😉

# Capture results in a variable (here an exported sample Security log from the original repo)
$r = Get-DeepBlueAnalysis -File `
..\DeepBlueCLI-master\DeepBlueCLI-master\evtx\many-events-security.evtx

# Just to get an idea of what DeepBlueCLI is able to report: count results by type
$r | group Results -NoElement | ft -Wrap -AutoSize

# Show other sample events: the first result, then the first one mentioning Meterpreter
$r[0]
$r | ? Results -match 'Meterpreter' | select -First 1

Nice, isn’t it?

What’s next? If I get Eric Conrad’s approval, I’ll digitally sign my forked version named DeepBlue and push it to the PowerShell Gallery so that you can do:

# Either Save...
Find-Module -Name DeepBlue -Repository PSGallery
Save-Module -Name DeepBlue -Repository PSGallery -Path ~/Downloads

#...or Install
Install-Module -Name DeepBlue -Verbose -Repository PSGallery

If you want to see what I did since the fork, all the changes are available on this page 😎
