DeepBlueCLI

DeepBlueCLI is a PowerShell script used by blue teamers.

https://github.com/sans-blue-team/DeepBlueCLI

It parses Windows event logs and can locate unusual behavior or characteristics.

It provides useful but not perfect analysis; its findings are leads to verify, not verdicts.

It looks for files, services and logon patterns whose names or characteristics match what the tools and techniques below typically produce:

  • Metasploit
  • Mimikatz
  • PowerShell Empire
  • password guessing
  • password spraying

You can run it against a local system, a Windows domain, or offline log files.

It does not require any special configuration and relies on the default logging services in Windows systems.

Usage

.\DeepBlue.ps1 <event log name> <evtx filename>

Running Deep Blue on the host system

.\DeepBlue.ps1 -log system

.\DeepBlue.ps1 -log security
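As an added example (not DeepBlueCLI's own code), the kind of check the tool runs for the password guessing and password spraying entries above, implemented with Get-WinEvent against an exported Security log; the .evtx path and the thresholds are assumed placeholders:

```powershell
# Added example, not part of DeepBlueCLI. Reads failed-logon events (ID 4625,
# written by default Security log auditing) from a saved .evtx file and flags
# two patterns: spraying (one source, many accounts) and guessing (one account,
# many failures). Path and thresholds are placeholders / assumptions.
param(
    [string]$EvtxPath     = 'C:\logs\security.evtx',  # placeholder path
    [int]   $SprayMinAccounts = 10,                   # distinct accounts per source
    [int]   $GuessMinFailures = 20                    # failures per account
)

$events = Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 4625 } -ErrorAction Stop

# Flatten each event's EventData into a simple object
$attempts = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Account  = $data['TargetUserName']
        SourceIp = $data['IpAddress']
    }
}

"== Possible password spraying (one source, many accounts) =="
$attempts | Group-Object SourceIp | ForEach-Object {
    $distinct = @($_.Group.Account | Sort-Object -Unique).Count
    if ($distinct -ge $SprayMinAccounts) {
        [pscustomobject]@{
            SourceIp         = $_.Name
            FailedLogons     = $_.Count
            DistinctAccounts = $distinct
            FirstSeen        = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen         = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    }
} | Format-Table -AutoSize

"== Possible password guessing (one account, many failures) =="
$attempts | Group-Object Account | ForEach-Object {
    if ($_.Count -ge $GuessMinFailures) {
        [pscustomobject]@{
            Account      = $_.Name
            FailedLogons = $_.Count
            Sources      = (@($_.Group.SourceIp | Sort-Object -Unique) -join ', ')
        }
    }
} | Format-Table -AutoSize
```

Tune the thresholds to the environment's normal failure rate; a long window of quiet, low-rate failures across many accounts is the case the spraying check is meant to surface.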