Powershell Workflow Example - Malware Process Detection - DeepBlueCLI Threat Hunting in Windows Event Logs
# Step 1: Download and extract DeepBlueCLI on each target computer
#         https://github.com/sans-blue-team/DeepBlueCLI
# Step 2: Find the path to DeepBlue.ps1 on the targets and set it as the DeepBluePath parameter below
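workflow Analyze-EventLogsDeepBlue {
    <#
    .SYNOPSIS
        Runs DeepBlueCLI against a Windows event log on one or more remote computers, in parallel.

    .DESCRIPTION
        For every name in ComputerName, a remoting session (Invoke-Command) checks that
        DeepBlue.ps1 exists at DeepBluePath on the REMOTE host, runs it against LogName in a
        fresh child powershell.exe, and returns the script's output. Step 1 above therefore
        applies to each target computer, not to the machine running this workflow.

    .PARAMETER ComputerName
        Target computers. Each one is processed in its own parallel branch.

    .PARAMETER LogName
        Event log handed to DeepBlue.ps1 as -log (default: Security). Reading the Security
        log requires administrative rights on the target.

    .PARAMETER DeepBluePath
        Path to DeepBlue.ps1 on each target computer.

    .OUTPUTS
        One header line per computer followed by DeepBlue.ps1's output. Remoting or script
        failures are reported with Write-Error for that computer only, so the other parallel
        branches keep running.
    #>
    param (
        [string[]]$ComputerName,
        [string]$LogName = 'Security',
        [string]$DeepBluePath = "C:\Path\To\DeepBlue.ps1"
    )

    foreach -parallel ($computer in $ComputerName) {
        InlineScript {
            try {
                # Everything inside the script block runs on the target, so the existence check
                # lives there as well; testing the path on the orchestrating host would check
                # the wrong machine. -ErrorAction Stop turns remoting and remote throw() errors
                # into terminating errors that the catch block below can handle.
                $result = Invoke-Command -ComputerName $using:computer -ErrorAction Stop -ScriptBlock {
                    param ($logName, $deepBluePath)

                    # -LiteralPath: a path containing wildcard characters such as [ ] must not be
                    # interpreted as a pattern.
                    if (-not (Test-Path -LiteralPath $deepBluePath -PathType Leaf)) {
                        throw "DeepBlue.ps1 not found at $deepBluePath on $env:COMPUTERNAME. Please check the path and try again."
                    }

                    # Child process: -ExecutionPolicy Bypass has the same effect as the former
                    # Set-ExecutionPolicy -Scope Process call without touching this session's
                    # policy (execution policy is a safety feature, not a security boundary), and
                    # -NoProfile keeps any profile script on the target out of the analysis run.
                    powershell.exe -NoProfile -ExecutionPolicy Bypass -File $deepBluePath -log $logName

                    # A failing DeepBlue.ps1 would otherwise produce an empty, silent result.
                    if ($LASTEXITCODE -ne 0) {
                        Write-Warning "DeepBlue.ps1 exited with code $LASTEXITCODE on $env:COMPUTERNAME."
                    }
                } -ArgumentList $using:LogName, $using:DeepBluePath

                # Output the result in the current session.
                Write-Output ("DeepBlueCLI analysis for {0} on {1}:" -f $using:LogName, $using:computer)
                Write-Output $result
            }
            catch {
                # One unreachable or misconfigured target must not abort the other branches.
                Write-Error ("DeepBlueCLI analysis failed for {0} on {1}: {2}" -f $using:LogName, $using:computer, $_.Exception.Message)
            }
        }
    }
}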
# Example invocation: replace 'win1' with the name(s) of the computers to analyze.
Analyze-EventLogsDeepBlue -LogName 'Security' -ComputerName @('win1')