One of the best forensic artifacts that you can use for investigation and analysis is simply logs, and the Windows Event Viewer on modern Windows operating systems should at least clue you in on some breadcrumbs that you can use to dig down further into your analysis. In this video I'm going to be walking you through a quick and free and readily available and accessible lab environment, or an activity, where you can see how you can rapidly and quickly analyze through Windows event logs. This is all part of John Strand's Pay What You Can courses, the material that's oftentimes freely accessible and available from Black Hills Information Security or the Antisyphon Training, all the great stuff that they put out there online.

In the previous video we got set up with the Pay What You Can virtual machine that you can use for all of these labs, activities and exercises, and we could dive into anything that sounds interesting to us between the Linux command line, memory analysis, tcpdump, Windows CLI, Wireshark, RITA, Nessus, etc. In this video we're going to dive into the DeepBlueCLI lab. Now DeepBlueCLI, if you aren't familiar, is a free tool put together by Eric Conrad, one incredible fella that puts out a ton of awesome tooling to do forensic investigations and analysis and DFIR, digital forensics and incident response. It demonstrates some amazing detection capabilities; it also has checks that are effective for showing how UEBA, user entity and behavior analytics, can be adapted and used and observed within your environment.

Inside of our Pay What You Can virtual machine we can go ahead and fire up the terminal. I'll right click and run as administrator so that I can open this up without an issue, and now we have this prompt ready and available for us. Going back to the lab, it suggests, hey, open up a command prompt and move into the tools directory. They do offer this for you at the very root of the file system, and if you invoke PowerShell you should be able to run the DeepBlueCLI script. So let me paste and hop into that directory where DeepBlueCLI is present, and these are all of the things that are included in the DeepBlueCLI repository on GitHub. We'll dive into those in just a moment, but I do want to show you this DeepBlueCLI script: the DeepBlue.ps1 file is how you can run this on Windows; they also have a Python script to run it on Linux.

Now this lab exercise has already given you a whole lot of logs that you can analyze. There are these .evtx files, these Event Viewer sort of records, that you could look through with DeepBlueCLI. They're already set up in the virtual machine, you don't have to do anything extra, but we can just run the commands and see it in action. They note, as a little bit of background context, it is very common for attackers, threat actors and hackers to add additional users on a system that they've compromised. This will give them a level of persistence that they otherwise would not gain with malware, and if you ask why: hey, there are lots and lots of ways that you can detect malware, but creating an extra user account might allow them to blend in if no one is monitoring for that, if no one's looking for it and actively threat hunting.

So what we could do with these Windows event logs is actually fire up the DeepBlue PowerShell script and just give it, hey, maybe the security log from the Windows Event Viewer logs. Now we could just give it that file, that's all it takes, the syntax is super duper easy. All we have to do is copy and paste from what the lab has given us here, and let's just plop it in. I'll go ahead and paste and I'll let this thing run. Remember, hey, if we set execution policy unrestricted or whatever, PowerShell will let it happen. Now take a look, it's going to output a whole lot of PowerShell objects, and we can see here, hey, there is in the security log an event ID of 4732, a user was added to the local administrators group, and just before it, literally a second ahead of it, it ends up creating a user, this IEUser, with the same exact SID. So that clues us in a little bit on, hey, maybe some potentially suspicious user account.

Let's scroll down to see actually what else they showcase here. Another attack that very few SIEMs, or SIMs, however you say it, the security information and event management system, like a central location to collect and archive all these logs and information that's passed through in the system... another attack that very few SIEMs detect is password spraying. This is when our attacker takes a user list from a domain and sprays it with the same password over and over and over again. So rather than taking one user and just trying different passwords against it, it actually flips that script: it takes a list of users, over and over and over again, and tries the same password on each one of them. That is a helpful technique because you don't have the same, like, user lockout and timeout from a repeated amount of incorrect password attempts, because you're moving the target. For every user that you're going to go against you actually end up using the same password on each one, and it's okay if you get that wrong because it'll just move on to the next user. Once you've made a round robin array, maybe then you can try another password in your password spraying attempts. And the lab actually addresses this: hey, it's effective because it keeps the lockout threshold below the lockout policy, and many times flies under the radar simply because these accounts aren't getting locked out. But of course UEBA, user entity and behavior analytics, this should be something that you can still flag and track down. You can use DeepBlueCLI to see this in action, and again, super quick, super easy, hey, just passing an event log file to the application, to the PowerShell script. We'll paste that in here, let this thing run, and it just tracks it down right then and there. It takes a little bit because, hey, it's probably going through all of the different attempts, seeing what's been happening on that system throughout that log file, which could be a pretty big log file, but there it is. Take a look: hey, a high number of logon failures for one account, the administrator account was attempted to be logged into maybe 3,560 times. To be clear, that's an example of password guessing, that's not spraying it across multiple users, it's taking and targeting one user, the administrator, and just hammering it with a bunch of different passwords.

If you wanted to see what a genuine password spray would look like though, hey, again we can use the exact same syntax, just using the tools, super nice and easy. Let's paste it in, fire it up, let it run, and note, hey, there was a distributed account explicit credential use, or a password spraying attack: multiple user accounts were attempted to be accessed with a specific password, and that's G Selena, C Davis, L Past, the administrator, M Elliott, etc. etc. etc. All these users were hit up in this attack, and the tool just found that for us. It was nice and easy, we didn't have to do anything, didn't even have to open the Windows Event Viewer.

The last thing that the lab activity gets into is looking at how DeepBlueCLI could detect various different PowerShell encoding techniques that are used oftentimes within malicious payloads that attackers, hackers and threat actors use. They oftentimes will encode or obfuscate different parts of their script to try and bypass signature detection, when an antivirus or preventative security product is going to be, like, automated to hunt something down. If it can masquerade and camouflage and kind of blend in, or at least fool the automated system so that it's not what normally is flagged as bad, then it might be able to fly under the radar. Here they give a good example with a PowerShell Invoke-Obfuscation utility; again that's going to be executed and present in the logs, so we could simply go ahead and run that script. Now, before we dive into the very very end of this, this is probably a whole lot of, like, the same sort of weird, sketchy PowerShell syntax that you've seen in maybe other of my videos, but I do want to drill down and dive into what else DeepBlueCLI could do, because we finished the lab, we finished the activity. Super easy, like it's literally just copy and paste to see this thing in action.

But if you weren't tracking, the original repository for the tool itself, for DeepBlueCLI, it is here as part of the SANS Blue Team. It's a little bit dated, right, you can see some commits from years ago, and I will be the first to admit, hey, it's kind of an old tool. We might be able to use something more like Chainsaw if we want something a little bit more modern to throw in a whole bunch of Sigma rules and other cool high-flying flashy stuff, but DeepBlueCLI is exactly what we saw: a PowerShell module for threat hunting via Windows event logs. Now all these things can be working with local .evtx files, with these event log records that you could just pass to it. It showcases how you can use it, again super duper simple, you just pass it to the utility, and if you wanted to you could give it a whole log on a local system or just a file that you might supply. The detected events are everything that we saw already: suspicious user account behavior, command line, Sysmon, PowerShell modeling, and that, that's one thing that I do want to note here. While it might get into some Mimikatz, AppLocker blocks, service auditing, it does of course have some records and capability to track Sysmon. You could output it in lots of different ways because it's PowerShell objects, but these are all the things that you might be able to turn on if you didn't already have them set up in the environment to actually capture these events, like turn on command line auditing, turn on failed logons, PowerShell logging and transcription, that's PowerShell 5.0, so again a little bit dated, but Sysmon is an option here and that is awesome. You don't often get to see Sysmon, at least in some, like, battle ready environment, right, if you're really doing some forensics and incident response, but whenever you have it it is awesome and super duper helps out.

Let me add one last note here as I'm scrolling back up: the deepblue.py script is how you might be able to dig into this and use the exact same utility on Linux. They do have this included within the repository. We were just using it in Windows in our lab machine, but your mileage may vary; it looks like it might pick up on a couple of things, and again this is a bit dated, this is from 2019 if you're looking at the commit history. Something that we could very well use is Chainsaw, but maybe that is another video for another showcase. I do hope that this one was kind of cool, because look, you're still going to be digging through Windows event logs and it is one great resource and artifact when you're cutting up for some incident response and investigation. Thanks so much for watching everybody, I hope this was fun, a little bit of a quick one, a little bit of a good showcase, just super easy to use the tool. Add it to your toolkit if that's not already in there, maybe Chainsaw just as well, and if you haven't, go take a look at what John Strand is up to and all the incredible stuff with Antisyphon Training, Black Hills Information Security and their Pay What You Can courses. You can literally jump into any new material for free if you want to. It's for fun and for learning and for education and all the great stuff. I'm done rambling, I'll see you in the next video.
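As an added example, not code from the video or from DeepBlueCLI itself, here is a small Python re-implementation of the two detections the walkthrough shows: a user created (event 4720) and added to a local group (4732) a second later with the same SID, and the split between password guessing (many 4625 failures on one account) and password spraying (a few failures each across many accounts). The event records are constructed for the example, and the 60-second window and the two count thresholds are assumptions, not DeepBlueCLI's values.

```python
"""Constructed example: re-implements two DeepBlueCLI-style checks over
simplified Windows event records. Not DeepBlueCLI's own code."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events as (event_id, ISO timestamp, fields); not real log data.
# 4720 = user account created, 4732 = member added to a local group,
# 4625 = failed logon. Field names follow the event XML for those IDs.
EVENTS = [
    (4720, "2019-01-01T10:00:00",
     {"TargetUserName": "IEUser", "TargetSid": "S-1-5-21-1-1-1-1001"}),
    (4732, "2019-01-01T10:00:01",
     {"MemberSid": "S-1-5-21-1-1-1-1001", "TargetUserName": "Administrators"}),
]
# 50 failures against one account (guessing), one each against 30 accounts (spraying).
EVENTS += [(4625, "2019-01-01T11:00:00", {"TargetUserName": "administrator"})] * 50
EVENTS += [(4625, "2019-01-01T12:00:00", {"TargetUserName": f"user{i}"})
           for i in range(30)]

def detect_new_admin(events, window_seconds=60):
    """Flag a 4732 whose MemberSid matches a 4720 created within the preceding
    window_seconds (the one-second gap the video points out). Window is an assumption."""
    created = {}   # SID -> (creation time, account name)
    hits = []
    for eid, ts, f in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if eid == 4720:
            created[f["TargetSid"]] = (t, f["TargetUserName"])
        elif eid == 4732 and f["MemberSid"] in created:
            ct, name = created[f["MemberSid"]]
            if timedelta(0) <= t - ct <= timedelta(seconds=window_seconds):
                hits.append((name, f["MemberSid"], f["TargetUserName"]))
    return hits

def detect_logon_failures(events, guess_threshold=20, spray_threshold=10):
    """Count 4625 failures per target account. Many failures on one account is
    guessing; many accounts with a few failures each is spraying, which stays
    under the lockout threshold. Both thresholds are assumptions."""
    per_user = Counter(f["TargetUserName"] for eid, _, f in events if eid == 4625)
    guessing = [u for u, n in per_user.items() if n >= guess_threshold]
    low = [u for u, n in per_user.items() if n < guess_threshold]
    spraying = low if len(low) >= spray_threshold else []
    return {"guessing": guessing, "spraying": spraying}

if __name__ == "__main__":
    print("new admin:", detect_new_admin(EVENTS))
    print("logon failures:", detect_logon_failures(EVENTS))
```

Against a real export you would feed parsed .evtx records into the same two functions; the thresholds are where tuning against your own lockout policy happens.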