Overview
Explore DeepBlueCLI, a PowerShell module built for hunt teaming (threat hunting) through Windows event logs, in this 49-minute conference talk from Derbycon 2016. Delve into the evolution of attacker payloads, the logging typically found in an average client environment, and the key indicators to monitor. Learn about logging new process creation, how the script was written, and the design considerations behind it, including the perfect-solution and perfect-attacker fallacies, regex matching, and whitelisting. Examine use cases for DeepBlueCLI, including its application to Metasploit activity, hash dumping, and attacks on modern systems. Discover how to detect obfuscation attempts and gain insights on next steps for implementation. Conclude with a practical demonstration of DeepBlueCLI's capabilities in enhancing Windows event log analysis for improved threat detection and response.
Syllabus
Introduction
The evolution of payloads
What does my average client have
What do you look for
Logging new process creation
Writing the script
Design notes
Perfect solution fallacy
Perfect attacker fallacy
Regex
Whitelist
Use cases
Summary
DeepBlueCLI
Metasploit
Hash Dump
Defaults
Modern
System
Power
NetWeb
PowerShell
DeepBlueCLI
Invoke-Obfuscation
Stock Total Shoutout
Detected
Next Steps
Demo