Threat Hunting via DeepBlueCLI v3

  • Thursday, 29 Jun 2023 1:00PM EDT (29 Jun 2023 17:00 UTC)
  • Speaker: Eric Conrad

Every incident ends with a lessons learned meeting, and most executive summaries include this bullet point: "Leverage the tools you already paid for"

Are you leveraging the tools you already paid for? Are you using the host-based firewall to block or alert when applications like PowerShell, PsExec, and WMIC attempt to make outbound connections from non-IT clients? Have you enabled AppLocker?
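As an added example (not code from the talk or from the DeepBlueCLI project), the outbound-block rules described above expressed in PowerShell, with blocked-connection logging turned on so that a block also produces an alertable log line. The PowerShell and WMIC paths are the stock Windows locations; the PsExec path is an assumption, since PsExec is a stand-alone Sysinternals binary with no fixed install location. Which hosts count as "non-IT clients" is a deployment decision (GPO scope or a similar filter), not something the script decides.

```powershell
# Added example: host-based firewall rules that block outbound connections from
# PowerShell, WMIC and PsExec, plus blocked-connection logging. Run elevated.
# The PsExec path is an ASSUMPTION; change it to wherever the binary lives on
# your hosts. Scope this to non-IT workstations via GPO or a deployment filter.

$targets = @{
    'PowerShell (x64)' = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    'PowerShell (x86)' = "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    'WMIC'             = "$env:SystemRoot\System32\wbem\WMIC.exe"
    'PsExec'           = 'C:\Tools\Sysinternals\PsExec.exe'   # ASSUMED path
}

foreach ($name in $targets.Keys) {
    $ruleName = "Block outbound - $name"
    # Idempotent: replace an existing rule of the same name instead of duplicating it.
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Enabled True `
        -Profile Any -Program $targets[$name] | Out-Null
}

# Log blocked connections on every profile. Dropped packets then appear in the
# firewall log (default %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log),
# which can be forwarded to the SIEM and alerted on.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True -LogMaxSizeKilobytes 32767

# Verification: list the rules just created and the program each one binds to.
Get-NetFirewallRule -DisplayName 'Block outbound - *' |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program; Enabled = $_.Enabled }
    }
```

Two caveats a practitioner should keep in mind: the rules match on executable path, so an attacker who copies or renames powershell.exe, or brings their own PsExec, is not stopped by the firewall rule alone, which is the gap AppLocker (and the logging DeepBlueCLI consumes) is meant to cover; and blocking outbound PowerShell will break any legitimate management scripts that reach the network from those hosts, which is why the rules belong on non-IT clients rather than everywhere.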

DeepBlueCLI v3 will go toe-to-toe with the latest attacks, analyzing the evidence malware leaves behind, using built-in capabilities such as Windows command line auditing, PowerShell, and Sysmon logging. This talk will focus on the latest updates to DeepBlueCLI, including detecting Impacket and WMI-based attacks, C2 frameworks such as Sliver, password spraying, process injection, event log manipulation, and more.
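DeepBlueCLI can only find evidence that Windows was configured to record. As an added example (not code from the talk or the DeepBlueCLI project), the following enables the evidence sources named above, checks that the settings took, and then runs DeepBlueCLI against the live Security log. The Sysmon configuration path and the DeepBlueCLI checkout path are assumptions; the DeepBlueCLI invocation follows the project's README as I recall it, so confirm it against your copy.

```powershell
# Added example: turn on the logging DeepBlueCLI consumes, verify it, run the tool.
# Run elevated. Paths marked ASSUMED are placeholders for your environment.

# 1. Process Creation auditing (Security event 4688) with the command line
#    included in the event. Note: command lines can contain secrets, so treat
#    the Security log as sensitive data once this is on.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Type DWord -Value 1

# 2. PowerShell script block logging (Microsoft-Windows-PowerShell/Operational
#    event 4104), which records the de-obfuscated script blocks that run.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sblKey -Force | Out-Null
Set-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -Type DWord -Value 1

# 3. Sysmon, installed with a tuned configuration file (ASSUMED path; supply your own).
# & .\Sysmon64.exe -accepteula -i C:\Tools\sysmon-config.xml

# 4. Check that the settings took effect before relying on them.
auditpol /get /subcategory:"Process Creation"
Get-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled
Get-ItemProperty -Path $sblKey   -Name EnableScriptBlockLogging

# 5. Run DeepBlueCLI against the live Security log (ASSUMED checkout path).
Set-Location C:\Tools\DeepBlueCLI
.\DeepBlue.ps1 -log security
# For offline analysis of an exported log, pass the .evtx file instead:
# .\DeepBlue.ps1 .\evtx\exported-security.evtx
```

Apply the audit and script block settings through Group Policy rather than per host in production; the registry writes above are the same values the corresponding policy settings write, and are shown here so the effect of each setting is explicit.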