DeepBlueCLI is a PowerShell script used by blue teamers.
https://github.com/sans-blue-team/DeepBlueCLI
It parses Windows event logs and flags events or patterns that are unusual or characteristic of known attack tooling.
The analysis is heuristic: it is a useful first pass, but it will miss activity that does not match its patterns and can flag benign activity, so its findings need to be confirmed against the underlying events.
It looks for service names, file names, command lines and logon patterns that match what the tools and techniques below leave behind in the logs, for example:
- Metasploit (such as the randomly named services its PsExec-style modules create)
- Mimikatz (its command strings in process or PowerShell logs)
- PowerShell Empire (encoded or obfuscated PowerShell launchers)
- Password guessing (many failed logons against one account)
- Password spraying (failed logons spread across many accounts)
You can run it on a local system, on a domain-joined system or domain controller, or against exported .evtx log files.
It needs no configuration of its own and works with the logs Windows keeps by default, but reading the Security log requires an elevated (Administrator) PowerShell session, and the checks that depend on optional logging (process command lines in event 4688, PowerShell script block logging, Sysmon) only produce results if that logging has been enabled on the host.
Usage
.\DeepBlue.ps1 <event log name> <evtx filename>
Running Deep Blue on the host system
.\DeepBlue.ps1 -log system
.\DeepBlue.ps1 -log security
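The following is an added example and is not code from DeepBlueCLI. It shows the export-then-analyze workflow for an offline .evtx file, and then writes out by hand the kind of failed-logon counting behind the password guessing and password spraying checks, so the logic is visible. The export path, the thresholds and the sample logon records are made up for illustration; DeepBlueCLI's own thresholds and output fields may differ.

```powershell
# Added example, not part of DeepBlueCLI. Assumes DeepBlue.ps1 is in the
# current directory and the session is running as Administrator.

# 1. Export the live Security log with the built-in wevtutil tool and run
#    DeepBlue against the file. The same command works for an .evtx copied
#    from another host. The path is an assumption.
$export = 'C:\cases\host01-security.evtx'
wevtutil epl Security $export
.\DeepBlue.ps1 $export | Format-List

# 2. The two failed-logon heuristics (Security event 4625), written out by hand:
#      many failures against one account    -> password guessing
#      failures spread across many accounts -> password spraying
function Find-FailedLogonPatterns {
    param(
        [Parameter(Mandatory)] [object[]] $FailedLogons,  # objects with Account and Source
        [int] $GuessThreshold = 20,   # assumed value, not DeepBlueCLI's
        [int] $SprayAccounts  = 10    # assumed value, not DeepBlueCLI's
    )
    # @() keeps .Count meaning "number of groups" even when there is one group
    $perAccount = @($FailedLogons | Group-Object Account | Sort-Object Count -Descending)

    foreach ($g in ($perAccount | Where-Object Count -ge $GuessThreshold)) {
        [pscustomobject]@{
            Finding = 'Password guessing'
            Detail  = "$($g.Count) failures against $($g.Name)"
        }
    }
    if ($perAccount.Count -ge $SprayAccounts) {
        $topSource = $FailedLogons | Group-Object Source |
            Sort-Object Count -Descending | Select-Object -First 1
        [pscustomobject]@{
            Finding = 'Password spraying'
            Detail  = "$($perAccount.Count) distinct accounts failed; top source " +
                      "$($topSource.Name) ($($topSource.Count) failures)"
        }
    }
}

# Constructed sample: one account hammered from one IP, plus one failure each
# against twelve different accounts from a second IP.
$sample = @()
1..25 | ForEach-Object { $sample += [pscustomobject]@{ Account = 'svc_backup'; Source = '10.0.0.5' } }
1..12 | ForEach-Object { $sample += [pscustomobject]@{ Account = "user$_";    Source = '10.0.0.9' } }

Find-FailedLogonPatterns -FailedLogons $sample | Format-Table -AutoSize

# To run the same logic over a real host, feed it 4625 events instead of the
# sample. Fields are read by name from the event XML rather than by position.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } |
#     ForEach-Object {
#         $data = ([xml]$_.ToXml()).Event.EventData.Data
#         [pscustomobject]@{
#             Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
#             Source  = ($data | Where-Object Name -eq 'IpAddress').'#text'
#         }
#     }
# Find-FailedLogonPatterns -FailedLogons $live
```

With the sample data both findings fire: 25 failures against svc_backup, and 13 distinct accounts failing with 10.0.0.5 as the busiest source. On a real domain controller the same counts are dominated by legitimate lockouts and typos, which is why the thresholds and the source-IP breakdown matter when triaging what DeepBlueCLI reports.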