Home
BLUESPAWN is an active defense and Endpoint Detection and Response (EDR) tool designed to be operated by a technical expert to detect, identify, and eliminate malicious activity from a Windows machine. It consists of a client with three modes:
- Hunt: actively hunt for malware on a Windows machine. Each hunt is mapped to a specific MITRE ATT&CK technique.
- Monitor: passively operate in the background and monitor for suspicious activity. This mode launches a hunt when something is detected.
- Mitigate: reduces the risk present on a Windows system by looking for weak security policies and settings, then helping an operator fix them.
If you want to contribute to BLUESPAWN or are interested in how it works, please refer to our contributing or architecture pages.
Download the BLUESPAWN binary here, then open an administrative Command Prompt and navigate to the directory containing the binary.
Hunts can be run at three levels (Cursory, Normal, and Intensive), each of which searches for threats with increasing thoroughness.
```
# Run a basic hunt
BLUESPAWN-client.exe --hunt -l Normal --reaction=carve-memory,log,remove-value --log=console,xml --debug
```
This command will run all the implemented hunts at the normal level. These hunts will print information about anything suspicious they find, but will not actively do anything about them. More information can be found here. Other examples of running hunts:
```
BLUESPAWN-client.exe --hunt -l Cursory --hunts=TXXX,TXXX
BLUESPAWN-client.exe --hunt -l Cursory --exclude-hunts=TXXX,TXXX
BLUESPAWN-client.exe --monitor -l Normal --reaction=carve-memory,log,remove-value --log=console,xml
BLUESPAWN-client.exe --mitigate=enforce
```
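As an added illustration of the kind of registry check the Winlogon Helper DLL, AppInit DLLs, Security Support Provider and Authentication Package hunts listed below perform, the script compares the relevant HKLM values against a known-good baseline and reports every entry that is not on it. This is example code, not BLUESPAWN's; the baseline values are assumed defaults for a clean Windows 10 host, and the `SAMPLE` snapshot is constructed so the check runs offline on any platform.

```python
import sys
# Allowed entries per HKLM key (assumed defaults for a clean Windows 10 host); a value
# name absent from its key's baseline means every entry found there gets reported.
BASELINE = {
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Userinit": {r"C:\Windows\system32\userinit.exe"}, "Shell": {"explorer.exe"}},
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows": {
        "AppInit_DLLs": set(), "LoadAppInit_DLLs": {"0"}},
    r"SYSTEM\CurrentControlSet\Control\Lsa": {
        "Authentication Packages": {"msv1_0"}, "Security Packages": set()},
}

def _entries(data):
    """Normalise REG_SZ (comma-separated), REG_MULTI_SZ and REG_DWORD data to strings."""
    items = data if isinstance(data, (list, tuple)) else str(data).split(",")
    return [s.strip() for s in items if s.strip()]

def find_deviations(snapshot, baseline=BASELINE):
    """Return (key, value_name, entry) for every entry the baseline does not allow."""
    hits = []
    for key, allowed_values in baseline.items():
        for name, data in snapshot.get(key, {}).items():
            allowed = {a.lower() for a in allowed_values.get(name, set())}
            hits += [(key, name, e) for e in _entries(data) if e.lower() not in allowed]
    return hits

def snapshot_from_registry(keys=BASELINE):
    """Read the baselined keys from HKLM on a live Windows host (needs winreg)."""
    import winreg
    snap = {}
    for key in keys:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
            vals = (winreg.EnumValue(h, i) for i in range(winreg.QueryInfoKey(h)[1]))
            snap[key] = {name: data for name, data, _ in vals}
    return snap

# Constructed sample snapshot: defaults plus two planted entries that must be reported.
SAMPLE = {
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\Public\update.exe,"},
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows": {
        "AppInit_DLLs": "", "LoadAppInit_DLLs": 0},
    r"SYSTEM\CurrentControlSet\Control\Lsa": {
        "Authentication Packages": ["msv1_0", "unknownpkg"], "Security Packages": [""]},
}

if __name__ == "__main__":
    snap = snapshot_from_registry() if sys.platform == "win32" else SAMPLE
    for key, name, entry in find_deviations(snap):
        print(f"[!] HKLM\\{key} :: {name} -> {entry}")
```

On a Windows host the script reads the live registry; elsewhere it runs against the constructed sample, which yields the planted Userinit executable and the unknown authentication package.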
Below is an overview of the hunts in BLUESPAWN, with a description of each and the MITRE ATT&CK technique it is based on.
Name | MITRE Attack | Description |
---|---|---|
Winlogon Helper DLL | T1004 | Checks registry for DLL persistence through Winlogon Helper |
Logon Scripts | T1037 | Checks for logon script registry keys |
New Service | T1050 | Checks for service installation events |
Registry Autoruns | T1060 | Checks the registry for run keys and startup folders |
Web Shells | T1100 | Checks local file system for possible web shells |
Security Support Provider | T1101 | Checks registry for DLL persistence through LSA-loaded DLLs |
AppInit DLLs | T1103 | Checks registry for DLL persistence through AppInit |
Authentication Package | T1131 | Checks registry for DLL persistence through authentication packages |
Application Shimming | T1138 | Checks registry for persistence through application shimming |
AppCert DLLs | T1182 | Checks registry for DLL persistence through AppCert |