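name: Windows.DeepBlueCLI
description: |
  DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs.

  Fetches the DeepBlueCLI source archive through the Velociraptor tool
  mechanism, unpacks it into a per-query temporary directory, runs
  DeepBlue.ps1 with no arguments and returns the script's output objects
  as rows.

  Operational notes:
  - The script runs under the Velociraptor client account (normally
    SYSTEM). With no argument DeepBlue.ps1 is documented upstream to
    analyse the local Security event log; confirm this against the README
    of the revision you deploy.
  - The tool URL points at the *master* branch archive, so the code that
    executes on the endpoint is whatever upstream HEAD is when the server
    first fetches it, with no integrity check. Before production use pin
    the tool to a tagged release or commit and set `expected_hash` so the
    server rejects a modified archive.

author: AnthoLaMalice - Anthony Hannouille

tools:
  - name: DeepBlueCLI
    # Unpinned branch archive: no version and no hash. Replace with a
    # release/commit URL and add `expected_hash: <sha256 of that archive>`.
    # The folder inside the zip is named after the ref (DeepBlueCLI-master
    # today); update DeepBlueCLILocation below when you pin a tag.
    url: https://github.com/sans-blue-team/DeepBlueCLI/archive/refs/heads/master.zip

precondition:
  SELECT OS From info() where OS = 'windows'

sources:
  - query: |
      -- Obtain the zip from the tool cache. IsExecutable=FALSE because it is an
      -- archive, not a binary to run directly.
      LET Toolzip <= SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="DeepBlueCLI", IsExecutable=FALSE)

      -- tempdir() is removed by Velociraptor when the query ends, so the
      -- extracted tool does not persist on the endpoint.
      LET TmpDir <= tempdir()
      LET _ <= SELECT * FROM unzip(filename=Toolzip[0].FullPath, output_directory=TmpDir)

      -- Folder name inside the archive follows the ref in the tool URL.
      LET DeepBlueCLILocation <= TmpDir + '\\DeepBlueCLI-master'

      -- Command string handed to powershell -Command. Set-Location
      -- -LiteralPath avoids wildcard expansion of the path. ConvertTo-Json
      -- -InputObject @(...) always produces a JSON array: piping instead
      -- unrolls the output, so zero results give "" and one result gives a
      -- bare object, both of which parse_json_array cannot consume. -Depth
      -- is raised from the default of 2 in case result objects nest; adjust
      -- if DeepBlueCLI output nests deeper. TmpDir comes from tempdir(),
      -- not from user input, so embedding it in single quotes is safe.
      LET PsCommand = "Set-Location -LiteralPath '" + DeepBlueCLILocation + "'; ConvertTo-Json -InputObject @(.\\DeepBlue.ps1) -Depth 4"

      SELECT * FROM foreach(
        row={
          -- One powershell process with explicit argv rather than a quoted
          -- command line passed to a second powershell. -NoProfile keeps
          -- per-user profile scripts on a possibly compromised host out of
          -- the collection; -NonInteractive prevents hanging on prompts.
          -- powershell.exe is resolved via PATH; use the full System32 path
          -- if PATH hijacking is a concern in your environment.
          -- length must exceed the script's total stdout; execve splits
          -- larger output across rows, which would truncate the JSON.
          SELECT Stdout, Stderr, ReturnCode
          FROM execve(argv=["powershell.exe", "-NoProfile", "-NonInteractive",
                            "-ExecutionPolicy", "Bypass", "-Command", PsCommand],
                      length=104857600)
          -- Stderr and ReturnCode are selected here so they are actually in
          -- scope for logging; stdout is the result set itself and is not
          -- duplicated into the client log.
          WHERE log(message=format(format="DeepBlueCLI exited with %v; stderr: %v", args=[ReturnCode, Stderr]))
        }, query={
          SELECT * FROM parse_json_array(data=Stdout)
        })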