Home
Calvin Krist edited this page Jan 28, 2020
BLUESPAWN is an active defense and Endpoint Detection and Response (EDR) tool designed to be operated by a technical expert to detect, identify, and eliminate malicious activity on a Windows machine. It consists of a client with three modes:
- Hunt: actively hunt for malware on a Windows machine. Each hunt is tied to a specific MITRE ATT&CK technique.
- Monitor: passively run in the background and watch for suspicious activity. This mode launches a hunt when something is detected.
- Mitigate: reduce the risk present on a Windows system by looking for weak security policies and settings, then helping an operator fix them.
If you want to contribute to BLUESPAWN or are interested in how it works, please refer to our contributing or architecture pages.
Download the BLUESPAWN binary here, then open an Administrative Command Prompt and navigate to the binary.
```
# Run a basic hunt
.\BLUESPAWN.exe --hunt -l Cursory
```
This command runs all the implemented hunts at the Cursory level. These hunts print information about anything suspicious they find, but do not actively do anything about it. More information can be found here.
```
# Coming soon
```
## Hunting Malware
Below is an overview of the hunts in BLUESPAWN, with a description of each and the MITRE ATT&CK technique it is based on.
| Name | MITRE ATT&CK | Description |
| --- | --- | --- |
| Winlogon Helper DLL | T1004 | Checks for DLL persistence |
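As an added illustration of what a hunt for this technique inspects (example code, not BLUESPAWN's own), the PowerShell below compares the Winlogon `Shell` and `Userinit` values against their stock defaults and reports any `Notify` subkeys; the sample hashtable and the `ExampleNotify` name are constructed.

```powershell
# Added example (not BLUESPAWN code): inspect the Winlogon registry values
# that T1004 "Winlogon Helper DLL" persistence modifies, and report deviations.
function Test-WinlogonValues {
    param(
        [hashtable]$Values,             # Shell/Userinit values to check
        [string[]]$NotifySubkeys = @()  # names of subkeys under Winlogon\Notify
    )
    $findings = @()
    # Known-good defaults on a stock Windows install.
    $defaults = @{
        'Shell'    = 'explorer.exe'
        'Userinit' = 'C:\Windows\system32\userinit.exe,'
    }
    foreach ($name in $defaults.Keys) {
        $actual = $Values[$name]
        if ($null -eq $actual) { continue }
        if ("$actual".Trim() -ine $defaults[$name]) {
            $findings += "Winlogon\$name is '$actual' (expected '$($defaults[$name])')"
        }
    }
    # Any Notify subkey registers a DLL that winlogon loads on logon events.
    foreach ($sub in $NotifySubkeys) {
        $findings += "Winlogon\Notify\$sub registers a logon notification DLL"
    }
    return $findings
}

# Constructed sample: Userinit carries an extra program appended after the default.
$sample = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = 'C:\Windows\system32\userinit.exe,C:\Users\Public\helper.exe'
}
Test-WinlogonValues -Values $sample -NotifySubkeys @('ExampleNotify')

# Live check on this host (reads HKLM; run from an Administrative prompt).
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$live = Get-ItemProperty -Path $key
$notify = @()
if (Test-Path "$key\Notify") {
    $notify = (Get-ChildItem -Path "$key\Notify").PSChildName
}
Test-WinlogonValues -Values @{ Shell = $live.Shell; Userinit = $live.Userinit } -NotifySubkeys $notify
```

The constructed sample yields two findings (the appended Userinit program and the Notify subkey); on a clean host the live check returns nothing.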