Calvin Krist edited this page Jan 28, 2020 · 25 revisions

Introduction

BLUESPAWN is an active defense and Endpoint Detection and Response (EDR) tool designed to be operated by a technical expert to detect, identify, and eliminate malicious activity from a Windows machine. It consists of a client with three modes:

  • Hunt: actively hunt for malware on a Windows machine. Each hunt maps to a specific MITRE ATT&CK technique.
  • Monitor: passively operate in the background and monitor for suspicious activity. This mode launches a hunt when something is detected.
  • Mitigate: reduces the risk present on a Windows system by looking for weak security policies and settings, then helping an operator fix them.

If you want to contribute to BLUESPAWN or are interested in how it works, please refer to our contributing or architecture pages.

Using BLUESPAWN

Download BLUESPAWN binary here, then open an Administrative Command Prompt and navigate to the binary.

Hunt

# Run a basic hunt
.\BLUESPAWN.exe --hunt -l Cursory

This command runs every implemented hunt at the Cursory level. These hunts print information about anything suspicious they find but take no action against it. More information can be found here.

Monitor

# Coming soon

Mitigate

# Coming soon

Hunting Malware

Below is an overview of the hunts in BLUESPAWN, with a description of each and the MITRE ATT&CK technique it is based on.

Name                  MITRE ATT&CK   Description
Winlogon Helper DLL   T1004          Checks for DLL persistence
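As an added example, not code from the BLUESPAWN project, the following PowerShell script performs the kind of read-only check a T1004 (Winlogon Helper DLL) hunt makes: it compares the machine-wide Winlogon Shell and Userinit values against the documented Windows defaults, flags per-user overrides of those values, and lists any Notify subkeys that would load a DLL into winlogon.exe. The registry paths and default values are the documented Windows ones; the finding format and the $findings table are this example's own.

```powershell
# Added example, not part of BLUESPAWN: a read-only check of the Winlogon
# registry locations that a T1004 hunt inspects. It reports and changes nothing.

$hklmWinlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hkcuWinlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Documented Windows defaults. Anything else is surfaced for the operator to review.
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = 'C:\Windows\system32\userinit.exe,'
}

$findings = @()

# 1. Machine-wide Shell and Userinit must match the defaults exactly.
#    (-ne on strings is case-insensitive; an extra program appended after the
#    comma is the classic way these values are abused for persistence.)
foreach ($name in $expected.Keys) {
    $actual = (Get-ItemProperty -Path $hklmWinlogon -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $actual) {
        $findings += [pscustomobject]@{ Location = "$hklmWinlogon\$name"; Status = 'Missing'; Value = '' }
    } elseif ($actual.Trim() -ne $expected[$name]) {
        $findings += [pscustomobject]@{ Location = "$hklmWinlogon\$name"; Status = 'Non-default'; Value = $actual }
    }
}

# 2. Per-user Shell/Userinit values are absent on a default install; their
#    presence means something overrides the logon sequence for that user.
foreach ($name in $expected.Keys) {
    $actual = (Get-ItemProperty -Path $hkcuWinlogon -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $actual) {
        $findings += [pscustomobject]@{ Location = "$hkcuWinlogon\$name"; Status = 'Per-user override'; Value = $actual }
    }
}

# 3. Winlogon\Notify subkeys name a DLL (DLLName) that winlogon.exe loads.
#    Current Windows releases ship without this key, so every subkey is listed.
$notify = Join-Path $hklmWinlogon 'Notify'
if (Test-Path $notify) {
    Get-ChildItem -Path $notify | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -Name 'DLLName' -ErrorAction SilentlyContinue).DLLName
        $findings += [pscustomobject]@{ Location = $_.PSPath; Status = 'Notify package'; Value = $dll }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'Winlogon Shell, Userinit and Notify: defaults only, nothing to report.'
} else {
    $findings | Format-Table -AutoSize
}
```

Like a Cursory-level hunt, the script only reports; deciding whether a non-default value is legitimate (some management agents do set a custom Shell) and removing it is left to the operator.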