DeepBlueCLI
A PowerShell module for threat hunting and detecting malicious activity via Windows Event Logs.
What is DeepBlueCLI?
DeepBlueCLI is a PowerShell module for threat hunting and security analysis using Windows Event Logs. It processes logs from multiple sources like Security, System, PowerShell, and Sysmon to detect malicious activities such as password attacks, suspicious command execution, and service manipulation. It helps security teams identify compromise indicators and attack patterns in Windows environments.
Security analysts, incident responders, and blue team members who need to hunt for threats in Windows environments using event logs. It's also useful for forensic investigators analyzing EVTX files from compromised systems.
Developers choose DeepBlueCLI because it provides a comprehensive, scriptable detection engine for Windows-specific attack techniques, with built-in decoding of obfuscated commands and flexible output formats. It leverages existing Windows logging without requiring additional agents, making it lightweight and practical for real-world hunting scenarios.
Overview
DeepBlueCLI is a PowerShell module designed for security professionals to perform threat hunting and forensic analysis using Windows Event Logs. It processes logs from Security, System, Application, PowerShell, and Sysmon sources to detect a wide range of suspicious activities and attack patterns.
Key Features
- Suspicious Account Detection — Identifies user creation, group additions, password guessing, password spraying, and Bloodhound-style privilege anomalies.
- Command-Line Analysis — Detects long command lines, obfuscated commands, PowerShell launched via WMIC/PsExec, and compressed/Base64-encoded commands with automatic decoding.
- Service Auditing — Flags suspicious service creation, service errors, and attempts to stop/start the Windows Event Log service.
- Attack Tool Detection — Recognizes Mimikatz
lsadump::samcommands and EMET/AppLocker blocks. - Flexible Output — Exports results in multiple formats including JSON, CSV, HTML, XML, and PowerShell objects for further analysis.
Philosophy
DeepBlueCLI prioritizes practical, actionable detection of real-world attack techniques, leveraging built-in Windows logging capabilities to provide defenders with a powerful, scriptable hunting tool.
Related Projects
Found a gem we're missing?
Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.
