
DeepBlueCLI
A PowerShell Module for Threat Hunting using Windows Event Logs
Eric Conrad, Backshore Communications, LLC
Sample EVTX files are located in the .\evtx directory.
Note: If your antivirus software raises alerts after you download DeepBlueCLI, it is likely reacting to the included EVTX files in the .\evtx directory. These files contain command-line logs of malicious attacks and other artifacts, but they are not harmful. You may need to adjust your antivirus settings to ignore the DeepBlueCLI directory.
Table of Contents
- Usage
- Windows Event Logs Processed
- Detected Events
- Examples
- Output
- Logging Setup
Refer to the DeepBlue.py README for details on DeepBlue.py.
Refer to the DeepBlueHash README for information on DeepBlueHash, which provides detective safelisting using Sysmon event logs.
Usage: .\DeepBlue.ps1
If you encounter a 'running scripts is disabled on this system' error, please see the Set-ExecutionPolicy README.
To process the local Windows security event log (PowerShell must be run as Administrator):
.\DeepBlue.ps1
or:
.\DeepBlue.ps1 -log security
To process the local Windows system event log:
.\DeepBlue.ps1 -log system
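The two invocations above, plus the elevation and execution-policy preconditions, can be wrapped in a short script. This is an added example written for this page, not code from DeepBlueCLI itself; it assumes it is run from the DeepBlueCLI checkout directory and that the execution policy is not locked by Group Policy.

```powershell
# Added example (not part of DeepBlueCLI): run DeepBlueCLI against the local
# Security and System event logs in one pass, after checking the two
# preconditions the README states: an elevated session, and script execution
# being permitted. Assumes the current directory is the DeepBlueCLI checkout.

# The Security log cannot be read from a non-elevated session, so fail early
# with a clear message rather than letting Get-WinEvent error out later.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Reading the Security log requires an elevated (Run as Administrator) PowerShell session."
}

# Allow script execution for this process only. Scope Process needs no admin
# rights and does not persist, so the machine-wide policy is left untouched.
# If the policy is enforced by Group Policy this call is overridden and
# DeepBlue.ps1 will still be blocked; see the Set-ExecutionPolicy README.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force

if (-not (Test-Path .\DeepBlue.ps1)) {
    throw "DeepBlue.ps1 not found; run this from the DeepBlueCLI directory."
}

# Process each local log with the same -log switch shown in the Usage section.
foreach ($log in 'security', 'system') {
    Write-Host "=== DeepBlueCLI: $log log ==="
    .\DeepBlue.ps1 -log $log
}
```

Because the execution policy change is scoped to the process, opening a fresh PowerShell window returns to whatever policy the host normally enforces; nothing here needs to be undone afterwards.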