Log Analysis using Bluespawn (EDR system)

August 8, 2023

During this Antisyphon Training laboratory session, I will use BlueSpawn as a substitute for an EDR (Endpoint Detection and Response) system. BlueSpawn actively monitors the system to identify unusual activity and logs each occurrence it sees.

In this practical session, my focus will be on initiating BlueSpawn and subsequently running the Atomic Red Team to deliberately trigger a series of alerts.

To begin, I will need to deactivate Defender. To achieve this, I execute the following command from an Administrator PowerShell prompt:

With Defender disabled, I can open a Terminal as Administrator and start a command prompt. I then change directory into the Tools directory, where BlueSpawn is located:

Now, I am going to use Atomic Red Team to test the monitoring that can be done with BlueSpawn. Atomic Red Team is not a pentesting tool. It is a tool that blue teams can run to emulate what red teamers would do: an adversary emulation tool that runs a series of PowerShell scripts to simulate what an attacker would do on a computer system.

First, I need to open a PowerShell Prompt and enter the following command:

I went to the Atomic Red Team directory and imported the PowerShell module. Then I invoked all the Atomic tests and let them run for about 2 minutes.

If I did everything correctly, I should be getting a lot of alerts in my BlueSpawn terminal:

I first see a series of "0 Detections!" messages generated by BlueSpawn. What this means is that BlueSpawn saw something, but that something did not match a specific signal. I saw that there was masquerading, but the way this masquerading happened did not match a specific signature. It is similar to an EDR system flagging an event with a low or medium risk.

Then I see that BlueSpawn emitted 2 Detections regarding a "Winlogon Helper DLL". This particular attack matched a specific string that BlueSpawn was looking for on this system.
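As an added illustration (not part of the original post and not BlueSpawn's own code), the following PowerShell inspects the Winlogon registry values that the "Winlogon Helper DLL" technique modifies and reports any entry beyond the stock defaults, which is the kind of check behind such a detection. It assumes an elevated prompt and that the Shell and Userinit values have not been legitimately customised.

```powershell
# Added example: report non-default Winlogon helper entries (run as Administrator).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Stock defaults on a standard Windows install (assumption: no legitimate customisation).
$expected = @{
    'Shell'    = @('explorer.exe')
    'Userinit' = @("$env:SystemRoot\system32\userinit.exe")
}

$findings = @()
$props = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $value = $props.$name
    if ($null -eq $value) { continue }
    # Both values are comma-separated lists; anything beyond the default is an added helper.
    $entries = $value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    foreach ($entry in $entries) {
        # -notcontains compares case-insensitively, so C:\WINDOWS vs C:\Windows is fine.
        if ($expected[$name] -notcontains $entry) {
            $findings += [pscustomobject]@{ Value = $name; Entry = $entry }
        }
    }
}

# The legacy Notify subkey is normally absent on modern Windows; each subkey under it
# names a DLL that Winlogon would load, so every one is worth reporting.
$notify = Join-Path $winlogon 'Notify'
if (Test-Path $notify) {
    Get-ChildItem -Path $notify | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath).DllName
        $findings += [pscustomobject]@{ Value = "Notify\$($_.PSChildName)"; Entry = $dll }
    }
}

if ($findings.Count -eq 0) {
    'Winlogon Shell/Userinit/Notify values match stock defaults.'
} else {
    $findings | Format-Table -AutoSize
}
```

Running this before and after the Atomic tests shows which entries the emulation added; after the cleanup step described below the report should be empty again.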

Now, I can go back to the PowerShell prompt and clean up using the following command, to prevent Atomic Red Team from leaving the system in a strange state:

PS C:\AtomicRedTeam\invoke-atomicredteam> Invoke-AtomicTest All -Cleanup
