Script collection for blue team ops in restricted environments
zulu8/Blue
Blue Team Scripts

This project is the result of blue team tasks where the client restricts access to, or usage of, group policy management. Most advanced security and auditing features rely heavily on group policy for deployment. Deploy-Blue.ps1 is an attempt to work around that restriction and enact the changes necessary, within the engagement scope, to enable blue team operations.

Getting Started

These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See Deployment for notes on how to deploy the project on a live system.

Prerequisites

  • PowerShell 5.0+
  • Windows 7/2008r2+
  • Administrator credentials
  • Designated system for collection
  • Target systems have WinRM enabled

Initial Configuration

Before you can begin, some configuration is required. The following variables must be set in Deploy-Blue.ps1 in accordance with your environment:

# Enter the FQDN of the Windows Event Collector Server
$collectorServer = "dc01.zulu8.info"

# Enter the path to store all original system configurations
$backupDirectory = "C:\Backups"

# Enter the path to store all powershell transcripts
$transcriptDirectory = "\\DC01\Transcripts"

# Sysmon Configuration File
$sysmonConfigFile = "C:\exampleSysmonConf.xml"

# Define all target systems in scope. Use Hostname.
$targetSystems = @(
    'pc02win10'
)

The following variables determine the desired configuration on your target systems. The default values are very loud (they generate a large volume of audit events).

# Create Group for Special Logon Auditing (Event ID 4964). Add Suspects to Group.
$specialAuditGroup
$specialGroupString

# Define Desired State for Registry Entries
$regConfig

Deployment

Once your script is configured, directories created, and permissions set you can begin execution.
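A pre-flight check, added here as an example and not part of Deploy-Blue.ps1, that verifies the prerequisites above before the script is run from the WEC server. It reuses the variable names from Initial Configuration; the values are constructed samples, and the function name Test-BlueDeployConfig is an assumption.

```powershell
# Added example (not project code): sanity-check the README's configuration
# variables before running .\Deploy-Blue.ps1. Sample values are constructed.
$collectorServer     = "dc01.zulu8.info"
$backupDirectory     = "C:\Backups"
$transcriptDirectory = "\\DC01\Transcripts"
$sysmonConfigFile    = "C:\exampleSysmonConf.xml"
$targetSystems       = @('pc02win10')

function Test-BlueDeployConfig {
    $problems = @()

    # The collector must resolve in DNS; WEF subscriptions point at it.
    try { [System.Net.Dns]::GetHostEntry($collectorServer) | Out-Null }
    catch { $problems += "Collector '$collectorServer' does not resolve in DNS." }

    # Backup and transcript locations must exist and be writable, otherwise
    # Restore-Sensors has nothing to restore from and transcripts are lost.
    foreach ($dir in @($backupDirectory, $transcriptDirectory)) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            $problems += "Directory '$dir' does not exist."
            continue
        }
        $probe = Join-Path $dir ("preflight-{0}.tmp" -f [guid]::NewGuid())
        try {
            New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
            Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
        } catch { $problems += "Directory '$dir' is not writable by the current account." }
    }

    # The Sysmon configuration must exist and parse as XML before it is pushed.
    if (-not (Test-Path -LiteralPath $sysmonConfigFile -PathType Leaf)) {
        $problems += "Sysmon config '$sysmonConfigFile' not found."
    } else {
        try { [xml](Get-Content -LiteralPath $sysmonConfigFile -Raw) | Out-Null }
        catch { $problems += "Sysmon config '$sysmonConfigFile' is not valid XML." }
    }

    # Every in-scope target must answer WinRM; Configure-Sensors relies on remoting.
    foreach ($target in $targetSystems) {
        if (-not (Test-WSMan -ComputerName $target -ErrorAction SilentlyContinue)) {
            $problems += "Target '$target' does not respond to WinRM (Test-WSMan)."
        }
    }
    return $problems
}

$issues = Test-BlueDeployConfig
if ($issues.Count -eq 0) { Write-Host "Pre-flight OK: ready to run .\Deploy-Blue.ps1" }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

Run it with the same administrator credentials you will use for deployment, since the write probes and Test-WSMan reflect that account's access.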

Initialize

Simply executing the script without argument will prepare your environment for the sensor configurations. The script is designed to be run on the WEC Server.

PS C:\> .\Deploy-Blue.ps1

Configure Sensors

If the script runs without error, begin your remote sensor configuration.

PS C:\> Configure-Sensors

Configure Supporting Tasks and Conduct Blue Team Ops

Beyond the scope of this script are the remaining tasks to fully set up your blue team/threat hunting environment.

  • Configure WEF Subscriptions
  • Import data into SIEM
  • Query and Alert on data provided
  • Catch bad guys

Restore Sensors

When the task is complete, simply invoke the Restore-Sensors function and the original state will be restored from the backups taken during deployment.

PS C:\> Restore-Sensors

Built With

Contributing

Versioning

Authors

See also the list of contributors who participated in this project.

License

This project is licensed under the MIT License - see the LICENSE.md file for details

Acknowledgments
