Quick Forensics of Windows Event Logs (DeepBlueCLI)
- Added 24. 07. 2024
- j-h.io/pwyc || Jump into Pay What You Can training for more free labs just like this! j-h.io/pwyc
Download the PWYC VM: www.antisyphontraining.com/jo...
Reddit Instructions for nested virtualization: / virtualized_amdvrvi_is...
John Strand's Intro Labs Github: github.com/strandjs/IntroLabs
CZcams ALGORITHM -> Like, Comment, & Subscribe!
SUPPORT THE CHANNEL -> jh.live/patreon
SPONSOR THE CHANNEL -> jh.live/sponsor
FOLLOW ME EVERYWHERE -> jh.live/discord | jh.live/twitter | jh.live/linkedin | jh.live/instagram | jh.live/tiktok
SEND ME MALWARE -> jh.live/malware
@JH - Excellent! Very useful tool. Thanks for sharing.
Awesome video, thank you. Short, sweet and to the point, love it!!!!!
Hey John, super amazing video. Thanks a lot for that. Really practical and fruitful.
Hey John Hammond, I sent you a form of malware from a Discord link I have seen appear. I don't have the proper PC tools to do it, so can you do it for me? I sent it to you about a month ago, so I don't know if you have seen it yet.
How do you pump out so many videos. You're insane! hahah
Thought to challenge you with a simple but puzzling event. Notepad seems inconsistent in its ability to paste text with a newline into either the 'find' or 'replace' text box. It will consistently grab text, including the newline, into the 'find' box if text is highlighted when invoking the 'find' or 'replace' functions.
It will consistently keep text with a newline in both the find & replace boxes when 'new window' is selected.
It is also inconsistent whether saving a file with a newline in the replace box will pass the ability to the saved file, even when the replace is performed before saving.
Cool! Thanks for video!!
Really useful!
Awesome tool.
Interesting tool. Do you have any idea if it could be integrated with log management tools? I would like to forward those logs to an Elasticsearch instance and use DeepBlue there to search for security incidents.
Not exactly, but most will have similar rules built in, but you can certainly just look at the PowerShell script and see the event IDs he's using (4688(security), 4672(security), 4720(security), 4728(security), 4732(security), 4756(security), 4625(security), 4673(security), 4674(security), 4648(security), 1102(security), 7045(system), 7030(system), 7036(system), 7040(system), 104(system), 2(application), 8003(applocker),...,etc), and implement similar conditions to the ones he's using in your use case. The one catch is that a proper audit policy, and AppLocker in at least audit mode (if you want those use cases), has to be configured on the endpoints that you're pulling the event logs from.
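The reply above lists the event IDs DeepBlueCLI keys on and suggests re-implementing similar conditions in your own log pipeline. As an added example (not DeepBlueCLI's code, nor the commenter's), here is a small Python triage pass that does exactly that over exported Windows events: a table of single-event rules keyed by channel and event ID, one correlation (a freshly created account being added to an admin group) and one threshold rule (failed-logon bursts). The event records, their field names and the threshold of five failed logons are constructed assumptions standing in for whatever fields your shipper extracts into Elasticsearch.

```python
"""Event-log triage rules in the spirit of the checks the comment above lists.

Added example, not code from DeepBlueCLI or from the commenter. The event
records, field names and the failed-logon threshold are all assumptions:
a real pipeline would map them from the EVTX/Winlogbeat fields you ship to
Elasticsearch.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample events (not real log data). Each record carries the
# channel and event ID plus a few fields a SIEM would normally extract.
SAMPLE_EVENTS = [
    *[{"channel": "Security", "event_id": 4625, "target_user": "bob",
       "source_ip": "10.0.0.5"} for _ in range(6)],
    {"channel": "Security", "event_id": 4720, "target_user": "svc_backup",
     "subject_user": "bob"},
    {"channel": "Security", "event_id": 4732, "target_user": "svc_backup",
     "group": "Administrators"},
    {"channel": "System", "event_id": 7045, "service_name": "updater",
     "image_path": "C:\\Users\\Public\\u.exe"},
    {"channel": "Security", "event_id": 1102, "subject_user": "bob"},
    {"channel": "Security", "event_id": 4688,
     "new_process": "C:\\Windows\\System32\\notepad.exe"},
]

# Events worth a finding on their own, keyed by (channel, event ID).
# These only exist in the logs if the matching audit policy is enabled.
SINGLE_EVENT_RULES = {
    ("Security", 1102): "Security audit log cleared",
    ("Security", 4720): "User account created",
    ("Security", 4728): "Member added to global security group",
    ("Security", 4732): "Member added to local security group",
    ("Security", 4756): "Member added to universal security group",
    ("System", 7045): "New service installed",
    ("System", 104): "System log cleared",
}
GROUP_ADD_IDS = {4728, 4732, 4756}
FAILED_LOGON_THRESHOLD = 5  # assumed value; tune to the environment's baseline


@dataclass
class Finding:
    event_id: int
    message: str
    detail: str


def _detail(ev):
    """Render the event's extracted fields as 'k=v' pairs for the finding."""
    return ", ".join(f"{k}={v}" for k, v in ev.items()
                     if k not in ("channel", "event_id"))


def triage(events, failed_logon_threshold=FAILED_LOGON_THRESHOLD):
    """Return findings for single high-signal events, for a newly created
    account being added to a privileged group, and for failed-logon bursts."""
    findings = []
    created_accounts = set()
    failed_by_user = Counter()
    for ev in events:
        key = (ev["channel"], ev["event_id"])
        if key in SINGLE_EVENT_RULES:
            findings.append(Finding(ev["event_id"], SINGLE_EVENT_RULES[key], _detail(ev)))
        if key == ("Security", 4720):
            created_accounts.add(ev.get("target_user"))
        elif ev["channel"] == "Security" and ev["event_id"] in GROUP_ADD_IDS:
            # Correlation: an account created earlier in the same log being
            # added to an admin group is a stronger signal than either alone.
            if (ev.get("target_user") in created_accounts
                    and "admin" in ev.get("group", "").lower()):
                findings.append(Finding(ev["event_id"],
                                        "Newly created account added to privileged group",
                                        _detail(ev)))
        elif key == ("Security", 4625):
            failed_by_user[ev.get("target_user", "<unknown>")] += 1
    # Threshold rule: many failed logons against one account.
    for user, count in failed_by_user.items():
        if count >= failed_logon_threshold:
            findings.append(Finding(4625, "Possible password guessing",
                                    f"{count} failed logons for {user}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.message}: {f.detail}")
```

Run it as a script to print the findings for the constructed sample. In a real pipeline the (channel, event ID) dictionary maps directly onto SIEM detection rules, and the caveat from the comment still applies: 4720, 4732 and friends only appear if account-management auditing is enabled on the endpoints, so an empty result can mean "nothing happened" or "nothing was audited".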
Hey, is there a way to run this on an exported "C:\Windows\System32\winevt\Logs" folder? I mean to give it a source folder/file. I have exported a full log folder to my sandbox and I have to analyze it. Thanks for your time and help.
Legend
What previous video is he referencing?
Is there a Windows EXE utility that trawls through the same information?
Oh man I was having a bit of a panic...I was running the example files and thought that was what was reading from my server's log files.....pppphhhhhheeeeeew.
How can I send a Discord link to you to check if it is legal or not? It's very sus on verification, sending you to Microsoft.
please, could you tell me what is the best computer for cyber security, and tell if I can use the MacBook as I already have one?
thanks.
MAC is fine bro... there's no perfect computer...as long as you have about 8-16 gb and can run virtual machines, you will be fine...
????????? I have the same result as you on my PC, normal or not I think ????
but ty
According to you, how does Chainsaw compare to DeepBlueCLI? From my testing I found Chainsaw to be more effective, but there's so much praise for DeepBlueCLI, that's why I am asking for opinions.
I would agree, I think Chainsaw is the "modern" choice for cutting up event logs these days
Hi, @abduallhyasin3055, I've found that Chainsaw use cases rely rather heavily on the presence of Sysmon, and you can't guarantee that will be around. Although, admittedly, it does use some standard events too -- and YARA rules. I don't think it's a matter of "either/or"; nothing stops you from running both on extracted event logs, right?
This is why you clear the event viewer after you install the remote.
That's often very noisy. Defenders should always be monitoring any audit logs being cleared.
In that case attackers often clear as the very last step before they're out the door.
@@Pax833 It isn't for me, Windows said nothing when the script was running.
Not wrong, but only on weaker clients. It's all fun and games until they have an IDS to detect the purge and a SIEM where everything gets offloaded to. At that point you're just ringing the dinner bell for no gain lol
I'm not sure if your setup jives with those hand gestures for your explanations?
Ah well at least you look like every other podcaster and presenter.
Good video content in any case
hlo
We need a Linux equivalent, like if you agree!.
tail -f /var/log/someapp/access.log
Still liked your comment as I don't plan on responding to a bunch of questions to my comment.
Don't forget to pipe that command into grep to automatically search for keywords like,
tail ... | grep 'created user'
Or something along those lines. Every scenario will require a different value to grep for
Hey love u
Hello, please make fundamental topics of cyber security.
Try hackersploit...ippsec...sabid...tcm..too many out there
Early :3
42 seconds ago
FANTASTIC, I'M FIRST!
Took too long to type it and send it
@@userhandler0tten351 The goal wasn't to be first. Never in the entire existence of my CZcams/Google account did I get to watch a video less than 12 hours after it's published. Therefore I typed "42 seconds" without realizing there were no other comments. When I realized it, I refreshed the page to see if someone else already wrote something. Nothing except my "42 seconds" comment. I refreshed again. Still nothing except my "42 seconds" comment. I thought that was kinda cool so I edited my comment.
I received a facepalm for being happy. I probably don't deserve to feel good over the simple things in life. I'm sorry you found it stupid. I'll never do that ever again.
@@thinotmandresy Yo bro, don't ever stop. I just thought it was funny is all.
I've literally done the same, so don't feel bad at all yo.
first
bad sponsor, dislike
Yay kids, so now your computing experience has gone from fun gaming and whatever, to having to do all this crazy BS to counter any hacking maggots! Yay!
Brother i need Your help..Please reply my message
Just looked, the tool was updated last week (end of June/23): New Sliver and Metasploit EVTX files including cmd.exe writing to ADMIN$, and suspicious remote threads
master
eric-conrad committed last week
1 parent 8e510aa, commit 2eecc65
Showing 3 changed files with 0 additions and 0 deletions.
evtx/metasploit-sysmon.evtx (binary file added, +1.07 MB)
evtx/sliver-security.evtx (binary file added, +1.07 MB)
evtx/sliver-sysmon.evtx (binary file added, +68 KB)