DeepBlueCLI

VERIFIED

PowerShell module for Windows event log threat hunting

AI Hacking ToolsOSS

Easy

Windows

Description

DeepBlueCLI is a PowerShell module developed by SANS for threat hunting via Windows Event Logs. It detects suspicious activity patterns including command-line obfuscation, privilege escalation attempts, Mimikatz usage, and unusual service installations by analyzing Security, System, and Sysmon logs.

Use Cases

Threat hunting in Windows Event Logs
Detecting Mimikatz and credential dumping activity
Identifying command-line obfuscation and encoded PowerShell

Attack Phases

01. RECON

02. SCAN

03. EXPLOIT

04. PERSIST

05. COVER

MITRE ATT&CK Techniques (3)

T1059.001Command and Scripting Interpreter: PowerShell

Related Tools (1)

AI-Hunter