Log Analysis using DeepBlueCLI

August 4, 2023

This is another lab I did during the “Intro to SOC” class offered by Antisyphon Training.

DeepBlueCLI is a free, open-source PowerShell tool created by Eric Conrad. It parses standard Windows event logs (live logs or exported .evtx files) and runs a set of detection checks against them. Besides being a capable detector in its own right, it is a good way to see how behavioral-analysis techniques work in practice, because each of its checks is a concrete behavioral rule applied to the log.

First, I open a PowerShell terminal as administrator and change into the DeepBlueCLI directory so I can run the tool. I am going to use PowerShell to run my commands:

Attackers often create extra user accounts on a system they have compromised. A rogue account is a persistence mechanism that does not depend on malware staying on disk: plenty of tools exist to find malware, but a legitimate-looking local account blends in with normal administration. Now I am going to scan an .evtx file for new user creations by running the following check:

I get the following result:

Through this check, I get the exact time at which a new user was created and added to the local Administrators group.

Another breach technique that SIEM rules often miss is password spraying. In this method, an attacker takes a list of domain users and tries the same password against each account in turn. The attacker is not brute-forcing passwords: the account lockout counter is kept per account, so one or two attempts per user stay below the lockout threshold and no lockout alert fires, even though the total number of failed logons is high. This is exactly the kind of activity that User and Entity Behavior Analytics (UEBA) is designed to uncover, because the signal is the pattern across accounts rather than any single account. Now I am going to examine an event log containing a password spray and run another DeepBlueCLI check. This first check is good at detecting an attacker trying to log in to the same account many times:

Here I can see that somebody tried to log in to an administrator account 3560 times.

For password spraying, I can use a different check that spots an attacker trying to log in to multiple user accounts with the same password.

Here I can see that the attacker, working from one user’s workstation (jwrig), tried to access several user accounts with the same password, and the check lists the names of the accounts that were targeted. The failed-logon events do not record the password itself; the shared password is inferred from the pattern of one source trying a few attempts against many accounts.
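To make the two Security-log checks above concrete, here is an added example in plain PowerShell; it is not DeepBlueCLI's own code. It reimplements the new-user check (a user account created, Security event 4720, and then added to the built-in Administrators group, event 4732) and the failed-logon analysis (event 4625 grouped per target account for password guessing, and per source hitting many distinct accounts for password spraying). The log path, the thresholds, the sample records and the account names are assumptions; the event IDs and field names are the standard Security-log ones.

```powershell
# Added example, not DeepBlueCLI's own code. Two Security-log checks in plain
# PowerShell: (1) a user created (event 4720) and then added to the built-in
# Administrators group (event 4732); (2) failed logons (event 4625) grouped per
# target account (password guessing) and per source hitting many distinct
# accounts (password spray). The path and thresholds are assumptions to tune.
$Path = '.\Security.evtx'   # assumed location of an exported Security log

function ConvertFrom-WinEvent {
    # Reduce an EventRecord to its Id, time and a hashtable of named EventData fields.
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $f = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
            if ($d -is [System.Xml.XmlElement]) { $f[$d.GetAttribute('Name')] = $d.InnerText }
        }
        [pscustomobject]@{ Id = $Event.Id; Time = $Event.TimeCreated; F = $f }
    }
}

function Find-NewLocalAdmins {
    # Check 1. Records must arrive oldest first (Get-WinEvent returns newest first).
    param([Parameter(ValueFromPipeline)]$Record)
    begin { $created = @{} }   # SID of a newly created account -> creation details
    process {
        $f = $Record.F
        if ($Record.Id -eq 4720) {
            $created[$f.TargetSid] = [pscustomobject]@{ User = $f.TargetUserName; Created = $Record.Time; CreatedBy = $f.SubjectUserName }
        }
        # In 4732, TargetSid is the group (S-1-5-32-544 = built-in Administrators) and MemberSid the account added.
        if ($Record.Id -eq 4732 -and $f.TargetSid -eq 'S-1-5-32-544' -and $f.MemberSid -and $created.ContainsKey($f.MemberSid)) {
            $c = $created[$f.MemberSid]
            [pscustomobject]@{ User = $c.User; Created = $c.Created; CreatedBy = $c.CreatedBy; AddedToAdmins = $Record.Time; AddedBy = $f.SubjectUserName }
        }
    }
}

function Find-LogonFailurePatterns {
    # Check 2. Guessing: one account failing >= $GuessThreshold times. Spray: one
    # source failing against >= $SprayAccounts accounts, each under the lockout limit.
    param([Parameter(ValueFromPipeline)]$Record, [int]$GuessThreshold = 100, [int]$SprayAccounts = 5, [int]$Lockout = 3)
    begin { $fails = [System.Collections.Generic.List[object]]::new() }
    process { if ($Record.Id -eq 4625) { $fails.Add($Record) } }
    end {
        foreach ($g in $fails | Group-Object { $_.F.TargetUserName } | Where-Object Count -ge $GuessThreshold) {
            [pscustomobject]@{ Pattern = 'PasswordGuessing'; Source = '(any)'; Attempts = $g.Count; Accounts = 1; Targets = $g.Name }
        }
        # Source is the client workstation name when logged, otherwise the client IP.
        foreach ($g in $fails | Group-Object { if ($_.F.WorkstationName -and $_.F.WorkstationName -ne '-') { $_.F.WorkstationName } else { $_.F.IpAddress } }) {
            $perAccount = @($g.Group | Group-Object { $_.F.TargetUserName })
            $maxPerAccount = ($perAccount | Measure-Object Count -Maximum).Maximum
            if ($perAccount.Count -ge $SprayAccounts -and $maxPerAccount -le $Lockout) {
                [pscustomobject]@{ Pattern = 'PasswordSpray'; Source = $g.Name; Attempts = $g.Count; Accounts = $perAccount.Count; Targets = ($perAccount.Name -join ', ') }
            }
        }
    }
}

# Constructed sample records (not from a real log), already in the shape that
# ConvertFrom-WinEvent produces, so both checks run offline.
$t0 = [datetime]'2023-08-04T10:00:00'
$sample = @(
    [pscustomobject]@{ Id = 4720; Time = $t0; F = @{ TargetUserName = 'svc_backup2'; TargetSid = 'S-1-5-21-1-2-3-1005'; SubjectUserName = 'jdoe' } }
    [pscustomobject]@{ Id = 4732; Time = $t0.AddSeconds(2); F = @{ TargetUserName = 'Administrators'; TargetSid = 'S-1-5-32-544'; MemberSid = 'S-1-5-21-1-2-3-1005'; SubjectUserName = 'jdoe' } }
)
# 150 failures against one account from one IP: password guessing.
$sample += 1..150 | ForEach-Object { [pscustomobject]@{ Id = 4625; Time = $t0.AddSeconds($_); F = @{ TargetUserName = 'Administrator'; WorkstationName = '-'; IpAddress = '10.0.0.5' } } }
# One failure against each of six accounts from one workstation: a spray that never trips lockout.
$sample += 'alice', 'bob', 'carol', 'dave', 'erin', 'frank' | ForEach-Object { [pscustomobject]@{ Id = 4625; Time = $t0.AddMinutes(5); F = @{ TargetUserName = $_; WorkstationName = 'WS-JDOE'; IpAddress = '10.0.0.7' } } }

$sample | Find-NewLocalAdmins | Format-Table -AutoSize
$sample | Find-LogonFailurePatterns | Format-Table -AutoSize

# Same checks against a real exported log (sorted, because Get-WinEvent returns newest first).
if (Test-Path $Path) {
    $events = Get-WinEvent -Path $Path -FilterXPath '*[System[(EventID=4720 or EventID=4732 or EventID=4625)]]' |
        Sort-Object TimeCreated | ConvertFrom-WinEvent
    $events | Find-NewLocalAdmins | Format-Table -AutoSize
    $events | Find-LogonFailurePatterns | Format-Table -AutoSize
}
```

On the constructed sample, the first check emits one row (svc_backup2 created and added to Administrators two seconds later) and the second check emits two rows: a PasswordGuessing row for Administrator with 150 attempts, and a PasswordSpray row for WS-JDOE with six accounts at one attempt each. The spray rule deliberately requires every account to stay at or below the lockout limit, which is what makes spraying invisible to lockout-based alerts; the guessing rule catches the opposite shape. Both thresholds should be set from your own lockout policy and baseline failure rates, and the workstation name in 4625 is client-supplied and can be blank or spoofed, so the IP address is the fallback source key.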

Encoding or otherwise obfuscating commands to get past signature-based detection is another common attacker tactic. So I am going to run a last DeepBlueCLI check that looks for the encoding techniques attackers use to hide what their commands do:

The check detects several kinds of obfuscation, Base64-encoded PowerShell commands for example. Encoding of that kind is not something I would expect in a normal sysadmin PowerShell script, yet it shows up regularly in attacks, which makes it a useful signal. One caveat: some legitimate management tooling also launches PowerShell with -EncodedCommand, so the decoded command, not the mere presence of encoding, should drive the verdict.
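As an added example (not DeepBlueCLI's own code), the following PowerShell spots and decodes Base64-encoded PowerShell command lines, which is the obfuscation the check above flags. It goes a little beyond the text: it accepts every abbreviation of -EncodedCommand that powershell.exe accepts (-e, -ec, -enc, and so on) and also decodes a second layer of Base64 handed to FromBase64String inside the decoded script. The command lines are constructed for the example; in practice you would feed it the CommandLine field of Security event 4688 (with command-line auditing enabled) or Sysmon event 1, or ScriptBlockText from PowerShell event 4104.

```powershell
# Added example, not DeepBlueCLI's own code: find and decode Base64-encoded
# PowerShell command lines. Input is constructed; real input would be the
# CommandLine field of Security 4688 / Sysmon 1 or ScriptBlockText of 4104.

function ConvertFrom-EncodedPowerShell {
    # Emits one object per command line carrying an -EncodedCommand payload (any
    # prefix powershell.exe accepts: -e, -ec, -enc, -encodedcommand ...), with the
    # decoded UTF-16LE text and any nested FromBase64String payloads it contains.
    param([Parameter(ValueFromPipeline)][string]$CommandLine)
    process {
        $m = [regex]::Match($CommandLine, '(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})')
        if (-not $m.Success) { return }
        # -EncodedCommand payloads are UTF-16LE ("Unicode" in .NET), not UTF-8.
        try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
        catch { $decoded = "<not valid base64: $($_.Exception.Message)>" }
        # Second layer: Base64 literals passed to FromBase64String inside the decoded
        # script. Assumed UTF-8 here; real samples may also be UTF-16 or compressed.
        $nested = [regex]::Matches($decoded, 'FromBase64String\(\s*[''"]([A-Za-z0-9+/=]+)[''"]') | ForEach-Object {
            try { [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($_.Groups[1].Value)) } catch { '<undecodable>' }
        }
        [pscustomobject]@{ CommandLine = $CommandLine; Decoded = $decoded; Nested = @($nested) }
    }
}

# Constructed sample command lines (not from a real log). The encoded payload wraps a
# second Base64 string so the nested decoding is exercised too.
$inner   = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('Get-Process lsass'))
$payload = "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('$inner')))"
$b64     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$samples = @(
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1'   # benign: no payload
    "powershell.exe -nop -w hidden -enc $b64"                                          # common attacker shape
    "C:\Windows\System32\cmd.exe /c powershell -e $b64"                               # shortest abbreviation
)
$samples | ConvertFrom-EncodedPowerShell | Format-List
```

Only the second and third sample lines are reported; each shows the IEX download-and-run style payload as the decoded text and "Get-Process lsass" as the nested payload. The regex is deliberately narrow: it does not catch string concatenation, -join tricks, character-code arrays or compressed payloads, which is why DeepBlueCLI carries several separate obfuscation checks rather than one, and the decoded text is what an analyst should judge, since -EncodedCommand alone also appears in legitimate management tooling.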
