DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs
name: Windows.EventLogs.DeepBlueCLI
description: DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs
author: Anthony Hannouille - @AnthoLaMalice
tools:
- name: DeepBlueCLI
url: https://github.com/sans-blue-team/DeepBlueCLI/archive/refs/heads/master.zip
type: CLIENT
precondition:
SELECT OS From info() where OS = 'windows'
sources:
- query: |
LET Toolzip <= SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="DeepBlueCLI", IsExecutable=FALSE)
LET TmpDir <= tempdir()
LET _ <= SELECT * FROM unzip(filename=Toolzip.FullPath, output_directory=TmpDir)
LET DeepBlueCLILocation <= TmpDir + '\\DeepBlueCLI-master'
LET cmdline = 'powershell -executionpolicy bypass -command "cd '+ "'" + DeepBlueCLILocation + "'" + '; .\\DeepBlue.ps1 | ConvertTo-JSON"'
SELECT * FROM foreach(
row={
SELECT Stdout FROM execve(argv=["Powershell", cmdline], length=104857600)
}, query={
SELECT * FROM parse_json_array(data=Stdout) where log(message=Stdout) AND log(message=Stderr)
})