DeepBlueCLI. It is not a portable system and does not use CyLR.

You can expect specific command-line logs to be processed, including process creation via Windows Security Event ID 4688, as well as Windows PowerShell Event IDs 4103 and 4104 and Sysmon Event ID 1, amongst others.

Invoking it on Security.evtx. Open Windows PowerShell or cmd and just paste the following command. Built on Django, for the Windows environment. You may need to configure your antivirus to ignore the DeepBlueCLI directory. This detection is useful since it also reveals the target service name. BTLO | Deep Blue Investigation | walkthrough | blue team labs. A full scan might find other hidden malware. Leave Only Footprints: When Prevention Fails. DeepBlueCLI. The goal of RedHunt is to provide a one-stop shop for all threat emulation and threat hunting needs, by integrating the attacker's arsenal and the defender's toolkit to proactively identify threats in the environment. Features. You will apply all of the skills you've learned in class, using the same techniques used by Threat Hunting via DeepBlueCLI v3. Blue Team Level 1 is a practical cybersecurity certification focusing on defensive practices, security... DeepBlue.ps1 ----- line 37. Daily Cyber Security News Podcast, Author: Johannes B. ...evtx log. Sysmon setup. Start Spidertrap by opening a terminal, changing into the Spidertrap directory, and typing the following: ... freq.py (Public): Mark Baggett's (@MarkBaggett - GSE #15, SANS...). Issue #5, "allow for json type input", opened Nov 28, 2017 by ssi0202. Over 99% of students that use their free retake pass the exam. The script assumes a personal API key, and waits 15 seconds between submissions.
Runspace runspace = System... As you can see, they attempted 4625 failed authentication attempts. To run this tool without being blocked by any firewall or antivirus, we need to run the following command. This allows Portspoof to... python DeepBlue.py evtx/password-spray.evtx. DNS-Exfiltrate (Public, Python, GPL-3.0). Hello Guys. Example 1: Basic Usage. DeepBlueCLI is a free tool by Eric Conrad that demonstrates some amazing detection capabilities. I have Windows 11. August 30, 2023. Output. The tool parses logged Command shell and... Digital Evidence and Forensic Toolkit Zero --OR-- DEFT Zero. Now, click OK. DeepBlueCLI has no bugs, it has no vulnerabilities, it has a Strong Copyleft License and it has medium support. EVTX files are not harmful. .\evtx\smb-password-guessing.evtx. .NET application: System... In this video, I'll teach you how to use the Windows Task Scheduler to automate running DeepBlueCLI to look for evidence of adversaries on your network. Hey folks! In this Black Hills Information Security (BHIS) webcast, "Access Granted: Practical Physical Exploitation," Ralph May invites you to delve deeper into the methods and tactics of... The magic of this utility is in the maps that are included with EvtxECmd, or that can be custom created. More information. Which user account ran GoogleUpdate.exe? Usage.
A Password Spray attack is when the attacker tries a few very common... Get-WinEvent will accept the computer name parameter, but for some reason DNS resolution inside the parameter breaks the detection engine. The only difference is the first parameter. Threat Hunting via Sysmon. Test PowerShell Command: the test command is the PowerSploit Invoke-Mimikatz command, typically loaded via Net.WebClient DownloadString: powershell IEX (New-Object Net... When I checked the target file, DeepBlueCLI\evtx\many-events-system.evtx... It means that the -File parameter makes this module cross-platform. .\DeepBlue.ps1 -log system # if the script is not running, then we need to bypass the execution policy: Set-ExecutionPolicy Bypass -Scope CurrentUser. The first thing we need to do is open the Security... This allows them to blend in with regular network activity and remain hidden. From an incident response perspective, identifying patient zero during the incident or infection is just the tip of the iceberg. 📅 Create execution timelines by analysing Shimcache artefacts and enriching them with Amcache data. As the name implies, LOLs make use of what they have around them (legitimate system utilities and tools) for malicious purposes.
DeepBlueCLI by Eric Conrad is a PowerShell module that can be used for Threat Hunting and Incident Response via Windows Event Logs. In this video I have explained the threat hunting concept and performed a demonstration with the help of open-source tools like DNSTwist, CyberChef, DeepBlueCLI and T... Thank you. It has an evtx folder with sample files. DeepBlue.ps1 functions: filter, CheckRegex, CheckObfu, CheckCommand. DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs. .\DeepBlue.ps1. In the Module Names window, enter * to record all modules. It cannot take advantage of some of the PowerShell features to do remote investigations or use a GUI, but it is very lightweight and fast, so its main purpose is to be used on large event log files and to be a... Every incident ends with a lessons learned meeting, and most executive summaries include this bullet point: "Leverage the tools you already paid for". Are you... First, we confirm that the service is hidden: PS C:\tools\DeepBlueCLI> Get-Service | Select-Object Name | Select-String -Pattern 'SWCUEngine' PS C:\tools\DeepBlueCLI>. .\evtx\metasploit-psexec-native-target-security.evtx. You can read any exported evtx files on Linux or macOS running PowerShell. Sysmon is required: DeepBlueCLI, in concert with Sysmon, enables fast discovery of specific events detected in Windows Security, System, Application, PowerShell, and Sysmon logs. CSI Linux. 💡 Analyse the SRUM database and provide insights about it. ...evtx and System.evtx.
It also has some checks that are effective for showing how UEBA-style techniques can be used in your environment. Usage. DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs. Eric Conrad, Backshore Communications, LLC, deepblue at backshore dot net, Twitter: @eric_conrad. From the above link you can download the tool. Optional: to log only specific modules, specify them here. This session provides an overview of several Sysinternals tools, including Process Monitor, Process Explorer, and Autoruns, focusing on the features useful f... DeepBlueCLI - a PowerShell script that was created by SANS to aid with the investigation and triage of Windows Event logs. DeepBlueCLI; a PowerShell Module for Threat Hunting via Windows Event Log. DeepBlueCLI is an open-source tool that automatically analyzes Windows event logs, on Windows (PowerShell version) or on Linux/Unix systems running ELK (Elasticsearch, Logstash, and Kibana) (Python version). Usage. This seems to work on the example file: [mfred@localhost DeepBlueCLI]$ python DeepBlue.py evtx/password-spray.evtx. As Windows updates, application installs, setting changes, and... Even the brightest minds benefit from guidance on the journey to success. PS C:\Tools\DeepBlueCLI-master> ... It identifies the fastest series of steps from any AD account or machine to a desired target, such as membership in the Domain Admins group. It should look like this: ... DeepBlueCLI (Public, PowerShell, GPL-3.0). But you can see the event correctly with wevtutil and Event Viewer. Upon clicking Next you will see the following page. It reads either a 'Log' or a 'File'. After I downloaded and extracted the zip file, DeepBlue.ps1 is nowhere to be found.
Updated Oct 14, 2023. Description: Deep Blue is an easy-level defensive box that focuses on reading and extracting information from Event Viewer logs using a third-party PowerShell script called... DownloadString('... ...1, add the following to Windows\System32\WindowsPowerShell\v1... Click here to view DeepBlueCLI Use Cases. .\evtx\Powershell-Invoke-Obfuscation-encoding-menu.evtx. DeepBlueCLI – PowerShell Module for Threat Hunting. F-Secure Countercept has publicly released AMSIDetection, which is a tool developed in C# that attempts to detect AMSI bypasses. At RSA Conference 2020, in the video The 5 Most Dangerous New Attack Techniques and How to Counter Them, Ed Skoudis presented a way to look for log anomalies – DeepBlueCLI by Eric Conrad, et al. Sigma - community-based generic SIEM rules. PowerShell local (-log) or remote (-file) arguments show no results. An important thing to note is you need to use ToUniversalTime() when using [System... I have loved all different types of animals for as long as I can remember, and fishing is one of my... Obviously, you'll want to give DeepBlueCLI a good look, as well as the others mentioned in the intro, and above all else, even if only a best effort, give Kringlecon 3 a go.
We can do this using DeepBlueCLI (as asked) to help automatically filter the log file for specific strings of interest. Note: if your antivirus freaks out after downloading DeepBlueCLI, it's likely reacting to the included EVTX files in the .\evtx directory (which contain command-line logs of malicious attacks, among other artifacts). The Ultimate Guide to the CSSLP covers everything you need to know about the secure software development professional's certification. Micah Hoffman. Set up the DRBL environment. DeepBlueCLI is available here. CyberChef. Figure 2. DeepBlueCLI. Description: Get-WinEvent fails to retrieve the event description for Event 7023 and EventLogException is thrown. DeepBlueCLI can also review Windows Event logs for a large number of authentication failures. Event tracing is how a Provider (an application that contains event tracing instrumentation) creates items within the Windows Event Log for a consumer. And I do mean fast: DeepBlueCLI is quick against saved or archived EVTX files.
...as one of the C2 (Command & Control) defenses available. First, let's get your Linux system's IP address. DeepBlueCLI (written by course authors) is a PowerShell framework for threat hunting via Windows event logs; can process PowerShell 4... DeepBlueCLI: a PowerShell Module for Hunt Teaming via Windows Event Logs. PS C:\> Get-ChildItem c:\windows\system32 -Include '*... Since DeepBlueCLI is a PowerShell module, it creates objects as the output. To accomplish this we will use an iptables command that redirects every packet sent to any port to port 4444, where the Portspoof port will be listening. Do you want to learn how to play Backdoors & Breaches, an incident response card game that simulates cyberattacks and defenses? Download this visual guide from Black Hills Information Security and get ready to test your skills and knowledge in a... .\DeepBlue.ps1 Vboxsvrhhc20193Security.evtx. ...what can DeepBlueCLI read and work with? and more.
The program was written in C, and the operating system used was AIX. securityblue.team. DeepBlueCLI. 6 videos. In addition, DeepBlueCLI shows us an approachable message so that we quickly understand what is suspicious, and also a result giving us the details of who can use it, or who generally uses this type of command. He gained information security experience in a... DeepBlueCLI for Event Log Analysis: use DeepBlueCLI to quickly triage Windows Event logs for signs of malicious activity. This will work in two modes. In the "Windows PowerShell" GPO settings, set "Turn on Module Logging" to Enabled. What is the name of the suspicious service created? Whenever an event happens that causes the state of the system to change, like a service being created or a task being scheduled, it falls under the System log category in Windows. Using DeepBlueCLI, investigate the recovered Security.evtx.
Recommended Experience. Hayabusa is a tool that examines Windows event logs against pre-written rules and can quickly detect whether an incident or some other event has occurred. Add DeepBlueCLI's attack detection rules: review DeepBlueCLI's attack detection rules, port the attack detection rules to WELA, and make sure the same results are obtained using DeepBlueCLI's event logs. Its use is very simple: first you extract the Windows event logs, and then you pass them as a parameter: ... Owner; Primary group; The trustee in an ACE. A SID string in a security descriptor string can use either the standard string representation of a SID (S-R-I-S-S) or one of the string... Eric Conrad: WhatsMyName; OSINT/recon tool for user name enumeration. Performance was benched on my machine using hyperfine (a statistical measurement tool). Using DeepBlueCLI, investigate the recovered System.evtx. SysmonTools - configuration and off-line log visualization tool for Sysmon. As far as I checked, this issue happens with RS2 or later. He has over 28 years of information security experience, has created numerous tools and co-authored the CISSP Study Guide. ...0 license and is protected by Crown... 🎯 Hunt for threats using Sigma detection rules and custom Chainsaw detection rules. ShadowSpray: tool to spray Shadow Credentials. Detected events: Suspicious account behavior, Service auditing. JSON file that is used in Spiderfoot and Recon-ng modules. Chainsaw or Hayabusa? Thoughts? In my experience, those using either tool are focused on a tool, rather than their investigative goals; what are they trying to solve, or prove/disprove?
Also, I haven't seen anyone that I have seen use either tool write their own detections/filters based on what they're seeing. Eric Conrad's career began in 1991 as a UNIX systems administrator for a small oceanographic communications company. In my various pentesting experiments, I'll pretend to be a blue team defender and try to work out the attack. DeepBlueCLI will go toe-to-toe with the latest attacks: this talk will explore the evidence malware leaves behind, leveraging Windows command line auditing (now natively available in Windows 7+) and PowerShell logging. The threat actors deploy and run the malware using a batch script and WMI or PsExec utilities. Here are my slides from my SANS Webcast Introducing DeepBlueCLI v3. Learn how CSSLP and ISC2 can help you navigate your training path, create your plan and distinguish you as a globally respected secure... Prepare the Linux server. DeepBlueCLI is an open-source framework that automatically parses Windows event logs and detects threats such as... DeepBlueCLI – a PowerShell Module for Threat Hunting via Windows Event Logs | Professional Hackers India. A virtual machine dedicated to adversary emulation and threat hunting. Start an ELK instance. Defense Spotlight: DeepBlueCLI. Unfortunately, attackers themselves are also getting smarter and more sophisticated.
Autopsy. DeepBlueCLI is a DFIR smoke-jumper must-have. At regular intervals a comparison hash is performed on the read-only code section of the amsi.dll module. Open PowerShell and run DeepBlueCLI to process the Security.evtx file. It does not use transcription. .\DeepBlue.ps1 <event log name> <evtx... Moreover, DeepBlueCLI is quick when working with saved or archived EVTX files. RustyBlue is a Rust implementation of Eric Conrad's DeepBlueCLI, a DFIR tool that detects various Windows attacks by analyzing event logs. Querying the active event log service takes slightly longer but is just as efficient. DeepBlueCLI is an open source framework that automatically parses Windows event logs, either on Windows (PowerShell version) or... Usage: -od <directory path>; -of defines the name of the zip archive that will be created. Why? No EXE for antivirus or HIPS to squash, nothing saved to the filesystem, sites that use application whitelisting allow PowerShell, and little to no default logging. freq.py. Others are fine; DeepBlueCLI will use SHA256.
This is very much part of what a full UEBA solution does: PS C:\tools\DeepBlueCLI-master> ... EnCase. The available options are: -od defines the directory that the zip archive will be created in. Let's get started by opening a Terminal as Administrator. DeepBlueCLI is a tool used for managing and analyzing security events in Splunk. ...evtx parses Event ID... Less than 1 hour of material. Defense Spotlight: DeepBlueCLI. SECTION 6: Capture-the-Flag Event. Our Capture-the-Flag event is a full day of hands-on activity that has you working as a consultant for ISS Playlist, a fictitious company that has recently been compromised. The Out-GridView option is used to get DeepBlueCLI output as a GridView. However, we really believe this event... Download and extract the DeepBlueCLI tool. Intro To Security: AppLocker; Bluespawn; DeepBlueCLI; Nessus; Nmap.
...2019 13:22:46 Log: Security EventID: 4648 Message: Distributed Account Explicit... You either need to provide the -log parameter followed by the log name, or you need to show the ... DeepBlueCLI outputs PowerShell objects, allowing a variety of output methods and types, including JSON, HTML, CSV, etc. DeepBlueCLI is a PowerShell script created by Eric Conrad that examines Windows event log information. It does take a bit more time to query the running event log service, but it is no less effective. The last one was on 2023-02-08. March 6, 2020. DeepBlueCLI is an open source tool provided in the SANS Blue Team GitHub repository that can analyze EVTX files from the Windows Event Log. BTLO.