Full Report
Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_AttackTactics7LogsYouAreLookingFor.pdf

So we went through an attack in the BHIS Webcast, “Attack Tactics 5! Zero to Hero Attack.” Then we went through […]

The post Webcast: Attack Tactics 7 – The Logs You Are Looking For appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: DeepBlueCLI
## Overview
DeepBlueCLI is a log-analysis tool showcased in the webcast for detecting signs of attack activity, particularly the events that default logging settings would miss. It is used together with proper log configuration to give visibility into attacks that would otherwise go unnoticed.
## Technical Details
- Type: Tool
- Platform: Windows (implied, as it analyzes IIS, Exchange, Active Directory, and workstation logs)
- Capabilities: Log analysis, extraction of important information from configured logs.
- First Seen: Not explicitly mentioned, but discussed in a webcast context from July 2019 onwards.
## MITRE ATT&CK Mapping
*Note: Since DeepBlueCLI is an analysis tool used for detection/DFIR, the technique mapping below relates to what it helps detect rather than what an attacker uses. The context implies log analysis across various attack phases.*
- **TA0008 - Collection** (Hypothetical detection target: If it analyzes logs related to data staging/collection)
- **TA0009 - Command and Control** (Hypothetical detection target: If it analyzes network/process logs for C2 beacons)
- **TA0010 - Exfiltration** (Hypothetical detection target: If it analyzes logs showing data leaving the network)
## Functionality
### Core Capabilities
- Processing and analyzing system logs (IIS, Exchange, Active Directory, Workstation logs) after specific configuration changes have been made to enable necessary logging.
- Providing actionable insights from the collected log data.
### Advanced Features
- Used alongside other tools like LogonTracer and basic PowerShell scripts for comprehensive log investigation during Incident Response or DFIR.
## Indicators of Compromise
*This tool generates findings from logs; it does not produce typical network/file IOCs itself.*
- File Hashes: N/A (Tool)
- File Names: N/A (Tool, dependent on installation)
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Generation of reports/output detailing suspicious activity found within the input logs.
## Associated Threat Actors
- Not a threat-actor tool; it is used by Blue Teams, DFIR professionals, and Incident Responders for defensive analysis.
## Detection Methods
- Detection is achieved *through* the output of DeepBlueCLI analyzing logs that were previously configured to capture attacker actions.
- Signature-based detection: N/A (Tool analysis)
- Behavioral detection: N/A (Tool analysis)
- YARA rules: N/A
## Mitigation Strategies
- **Prerequisite:** Implementing comprehensive logging across key systems (IIS, Exchange, Active Directory, Workstations), because the default logging settings are insufficient.
- **Response:** Utilizing tools like DeepBlueCLI for efficient log review during incident response scenarios.
## Related Tools/Techniques
- LogonTracer
- Basic PowerShell for log manipulation
- Attack Tactics (The webcast series being discussed)