15_BluGenie

Agentless Framework

Page Archived

BluGenie

Automated Response and Remediation. There are plenty of PowerShell frameworks for offense; this is a PowerShell framework for defense. It is billed as the only response and remediation framework in PowerShell that offers complete visibility into user endpoints (servers, laptops and desktops, stationary or remote) wherever your users work from.

The framework can also be used for threat hunting and for forensic artifact collection; it does not acquire disk or memory images.

Overview

EQL Queries:

  • Execute any EQL query

  • Add custom fields alongside the EQL fields

  • Run EQL queries on a single machine, a set of machines, or every system in your infrastructure

  • Get results in YAML or JSON

Run Yara Rule Files:

  • Run any of the 100+ Yara rule files bundled with the tool

  • Run any arbitrary Yara file downloaded from a threat-intel source, including US-CERT

  • Run Yara on one or many systems at a time

  • Get results in YAML or JSON

Firewall Audit and Protection:

Display a full list of firewall rules and their attributes for each firewall profile

  • Enable / Disable GPO Security

  • Enable / Disable Rules (A selected few or all of them)

  • Install / Uninstall Rules (A selected few or all of them)

  • Query all rules and the entire rule property table

  • Configure (Domain, Public, Private) firewall profile status
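
The audit half of this section, as an added example in plain PowerShell (not BluGenie's own functions): it reads the three profiles, joins every effective rule to its port, address and program filters, which `Get-NetFirewallRule` alone does not show, and then filters down to the rules a responder checks first. It assumes the built-in NetSecurity module (Windows 8 / Server 2012 and later) and an elevated prompt; the rule name in the commented containment step is only an illustration.

```powershell
# Added example, not BluGenie code: audit firewall profiles and the effective rule table with the
# built-in NetSecurity module (Windows 8 / Server 2012 and later). Run from an elevated prompt.

# 1. Profile status: is the firewall on, and what is the default for unmatched traffic?
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked, LogFileName |
    Format-Table -AutoSize

# 2. Effective rules (local + GPO) joined with their port, address and program filters.
#    Get-NetFirewallRule by itself shows no ports or programs; the *Filter cmdlets carry those.
$rules = foreach ($r in Get-NetFirewallRule -PolicyStore ActiveStore) {
    $port = $r | Get-NetFirewallPortFilter
    $addr = $r | Get-NetFirewallAddressFilter
    $app  = $r | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Name       = $r.DisplayName
        Enabled    = [string]$r.Enabled
        Direction  = [string]$r.Direction
        Action     = [string]$r.Action
        Profile    = [string]$r.Profile
        Protocol   = $port.Protocol
        LocalPort  = @($port.LocalPort) -join ','
        RemoteAddr = @($addr.RemoteAddress) -join ','
        Program    = $app.Program
        Source     = [string]$r.PolicyStoreSourceType   # Local vs GroupPolicy: who owns the rule
    }
}

# 3. What a responder looks at first: enabled inbound allows reachable from any address.
$rules | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                        $_.Action -eq 'Allow' -and $_.RemoteAddr -eq 'Any' } |
    Sort-Object LocalPort | Format-Table Name, Protocol, LocalPort, Program, Source -AutoSize

# 4. Containment actions (uncomment to apply). Rules owned by GroupPolicy are re-applied at the next
#    policy refresh, so a change that must persist belongs in the GPO, not on the host.
# Disable-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)'
# Set-NetFirewallProfile -Profile Public -Enabled True -DefaultInboundAction Block
```

The `Source` column is the check worth keeping: a rule that came from Group Policy will be silently restored after you disable it locally, which is exactly the "Enable / Disable GPO Security" distinction the list above draws.
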

Process Audit and Protection:

Display every process in the process tree for all users, including the parent process's command line and the full command line that launched the process.

  • Query based on all property attributes of any process (in memory or installed on disk)

  • Query and Manage based on Signature

  • Query and manage by hash algorithm (use SHA256 for indicator matching; MD5 and SHA1 are collision-prone and only useful for matching legacy feeds):

    • MACTripleDES

    • MD5

    • RIPEMD160

    • SHA1

    • SHA256

    • SHA384

    • SHA512

  • Terminate, Pause, or Restart processes

  • Quickly identify processes that exist only in memory (no backing image on disk)
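
The process audit described above, as an added example in plain PowerShell (not BluGenie code): it builds the parent/child relationship from `Win32_Process`, hashes and signature-checks each image, flags processes whose image is no longer on disk, and shows a hash-based response. The IOC hash is a constructed placeholder, not a real indicator, and the Office-spawns-shell filter is one illustrative hunt among many.

```powershell
# Added example, not BluGenie code: process inventory for all users with parent command line, image hash,
# Authenticode status and an "image missing from disk" flag. Built-in cmdlets only; run elevated.
function Get-ProcessAudit {
    $procs = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    $kernel = 'System', 'System Idle Process', 'Registry', 'Memory Compression', 'Secure System'

    foreach ($p in $procs) {
        $parent = $byPid[[int]$p.ParentProcessId]          # null if the parent already exited
        $path   = $p.ExecutablePath
        $onDisk = [bool]($path -and (Test-Path -LiteralPath $path))
        $hash = $null; $sig = $null
        if ($onDisk) {
            # SHA256 for indicator matching; MD5/SHA1 only if a feed offers nothing else
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $sig  = [string](Get-AuthenticodeSignature -LiteralPath $path).Status
        }
        [pscustomobject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            ParentPID   = $p.ParentProcessId
            ParentName  = $parent.Name
            ParentCmd   = $parent.CommandLine
            CommandLine = $p.CommandLine
            Path        = $path
            OnDisk      = $onDisk
            Kernel      = $p.Name -in $kernel
            SHA256      = $hash
            Signature   = $sig        # Valid, NotSigned, HashMismatch, UnknownError ...
        }
    }
}

$report = Get-ProcessAudit

# Image gone from disk (memory-only or deleted after launch): a classic post-exploitation sign
$report | Where-Object { -not $_.OnDisk -and -not $_.Kernel } |
    Format-Table PID, Name, ParentName, CommandLine -AutoSize

# Unsigned or tampered images, and Office spawning a shell (macro / template abuse)
$report | Where-Object { $_.OnDisk -and $_.Signature -ne 'Valid' } |
    Format-Table PID, Name, Path, Signature -AutoSize
$report | Where-Object { $_.ParentName -match '^(winword|excel|powerpnt|outlook)\.exe$' -and
                         $_.Name -match '^(cmd|powershell|wscript|cscript|mshta|rundll32)\.exe$' } |
    Format-Table PID, Name, ParentCmd, CommandLine -AutoSize

# Hash-based response. The IOC below is a constructed placeholder, not a real indicator.
$ioc = @('0000000000000000000000000000000000000000000000000000000000000000')
$report | Where-Object { $_.SHA256 -in $ioc } | ForEach-Object {
    Write-Warning "IOC match: PID $($_.PID) $($_.Path)"
    # Stop-Process -Id $_.PID -Force   # uncomment to terminate on match; audit-only by default
}
```

Hashing is done on the on-disk image, so a process that was hollowed or patched after loading will still hash clean; pair this with the Yara scan above when the image on disk looks fine but the behaviour does not.
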

Remote Audit and Protection:

Display the current remote-management configuration of a machine and whether it is reachable.

  • Manage remote host with WMI

  • Manage remote host with WinRM

  • Enable WinRM with WMI

  • Enable / Disable Remote Desktop Protocol (RDP)
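
The "Enable WinRM with WMI" bootstrap, as an added example (not BluGenie's `Enable-BluGenieWinRMoverWMI`): when a host exposes only DCOM/WMI (TCP 135 plus dynamic RPC ports), `Win32_Process.Create` over a DCOM CIM session can launch `Enable-PSRemoting` on it, after which everything else runs over WinRM. It assumes local admin on the target; the host name `ws-042` is a placeholder.

```powershell
# Added example, not BluGenie's Enable-BluGenieWinRMoverWMI: bring up WinRM on a host where only WMI/DCOM
# (TCP 135 plus dynamic RPC ports) is reachable, then switch to WinRM for everything after.
# Assumes local admin on the target; the computer name and credential are supplied by the caller.
function Enable-WinRMOverWmi {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )
    function Test-WinRM { try { $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop; $true } catch { $false } }
    if (Test-WinRM) { return $true }

    # DCOM session option: works before a WSMan listener exists. New-CimSession defaults to WSMan and would fail.
    $cimArgs = @{ ComputerName = $ComputerName; SessionOption = (New-CimSessionOption -Protocol Dcom) }
    if ($Credential) { $cimArgs.Credential = $Credential }
    $cim = New-CimSession @cimArgs

    try {
        # Win32_Process.Create runs as the caller (an admin) on the target, so Enable-PSRemoting can open
        # the HTTP listener, start the service and add the firewall rule. -SkipNetworkProfileCheck avoids
        # the refusal on NICs classified as Public.
        $cmd = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command ' +
               '"Enable-PSRemoting -Force -SkipNetworkProfileCheck; Set-Service WinRM -StartupType Automatic"'
        $r = Invoke-CimMethod -CimSession $cim -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = $cmd }
        if ($r.ReturnValue -ne 0) { throw "Win32_Process.Create on $ComputerName returned $($r.ReturnValue)" }

        # Enable-PSRemoting takes a few seconds; poll the listener rather than sleeping blindly.
        for ($i = 0; $i -lt 12; $i++) {
            Start-Sleep -Seconds 5
            if (Test-WinRM) { return $true }
        }
        return $false
    } finally {
        Remove-CimSession $cim
    }
}

# Usage (hypothetical host). Once WinRM answers, prefer it: TCP 5985/5986, Kerberos-authenticated in a domain,
# and logged on the target (WinRM operational log, plus 4688 / 4104 if process and script-block auditing are on).
if (Enable-WinRMOverWmi -ComputerName 'ws-042') {
    Invoke-Command -ComputerName 'ws-042' -ScriptBlock { Get-Service WinRM | Select-Object Name, Status, StartType }
}
```

Turning WinRM on is itself a configuration change on the endpoint: it opens a listener and a firewall rule that stay behind after the investigation, so record it in the case and decide whether to reverse it (`Disable-PSRemoting` plus removing the firewall rule) when you are done.
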

File and Folder Audit and Protection:

Displays file and folder information including

  • Algorithm, Signature, File Permissions, and ADS information

  • Fast file and folder search, including hidden files and folders, faster than the built-in search: queries an entire OS file system in under 3 minutes for any file or folder.

  • Remove file(s) and folder(s)

  • Query Alternate Data Streams

    • Shows stream names

    • Shows stream data

  • Query and manage by hash algorithm:

    • MACTripleDES

    • MD5

    • RIPEMD160

    • SHA1

    • SHA256

    • SHA384

    • SHA512

  • Expand environment-variable paths (for example %ProgramData%\...) to literal paths

  • Export a detailed file and folder (details view snapshot) including

    • Attributes, Date Created, File Size, and Full file name

  • Copy files and folders to and from a remote source.

    • Using SMB

    • Using WinRM (even if SMB is disabled)
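
The file-and-folder audit, as an added example in plain PowerShell (not BluGenie's search implementation): a stack-based walk that survives access-denied directories and junction loops, includes hidden files, and emits per-file records with hash, Authenticode status, owner and alternate data streams. The scan root, extension list and the `payload.dll` path at the end are choices made for this example.

```powershell
# Added example, not BluGenie code: a stack-based file walk that keeps going past access-denied and junction
# errors (Get-ChildItem -Recurse stops or spews on those), hidden files included, then a per-file audit record
# with hash, Authenticode status, owner and alternate data streams.
function Find-FilesFast {
    param([string]$Root, [string[]]$Extension)
    $stack = New-Object System.Collections.Generic.Stack[string]
    $stack.Push($Root)
    while ($stack.Count -gt 0) {
        $dir = $stack.Pop()
        try {
            foreach ($d in [System.IO.Directory]::EnumerateDirectories($dir)) {
                # skip junctions/symlinks (0x400 = ReparsePoint) so 'Application Data' style loops cannot recurse forever
                if ((([int][System.IO.File]::GetAttributes($d)) -band 0x400) -eq 0) { $stack.Push($d) }
            }
            foreach ($f in [System.IO.Directory]::EnumerateFiles($dir)) {
                if (-not $Extension -or ([System.IO.Path]::GetExtension($f) -in $Extension)) { $f }
            }
        }
        catch [System.UnauthorizedAccessException] { }   # protected directory: move on
        catch [System.IO.IOException] { }                 # locked, or vanished during the walk
    }
}

function Get-FileAudit([string]$Path) {
    $item    = Get-Item -LiteralPath $Path -Force
    $streams = @(Get-Item -LiteralPath $Path -Force -Stream * -ErrorAction SilentlyContinue |
                 Where-Object { $_.Stream -ne ':$DATA' })
    $zone = $null
    if ($streams.Stream -contains 'Zone.Identifier') {
        # ZoneId=3 is the mark-of-the-web (Internet), 4 = Restricted. Droppers strip it to dodge SmartScreen / Protected View.
        $zone = (Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue) -join ';'
    }
    [pscustomobject]@{
        Path      = $Path
        Size      = $item.Length
        Created   = $item.CreationTimeUtc
        Modified  = $item.LastWriteTimeUtc
        Hidden    = ((([int]$item.Attributes) -band 0x2) -ne 0)
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        Signature = [string](Get-AuthenticodeSignature -LiteralPath $Path).Status
        Owner     = (Get-Acl -LiteralPath $Path).Owner
        Streams   = ($streams | ForEach-Object { "$($_.Stream)=$($_.Length)B" }) -join ','
        ZoneId    = $zone
    }
}

# Hunt: scripts and executables under user profiles (where droppers land), timing the walk
$sw   = [System.Diagnostics.Stopwatch]::StartNew()
$hits = Find-FilesFast -Root "$env:SystemDrive\Users" -Extension '.exe', '.dll', '.ps1', '.vbs', '.hta', '.js' |
        ForEach-Object { Get-FileAudit $_ }
"{0} files audited in {1:n1}s" -f @($hits).Count, $sw.Elapsed.TotalSeconds
$hits | Where-Object { $_.ZoneId -match 'ZoneId=3' -or $_.Signature -ne 'Valid' -or $_.Streams -ne '' } |
    Format-Table Path, Signature, Streams, ZoneId -AutoSize

# Expand a variable path before touching it, and collect a file over WinRM when SMB is blocked (PowerShell 5+)
$literal = [Environment]::ExpandEnvironmentVariables('%ProgramData%\suspect\payload.dll')   # hypothetical path
# $s = New-PSSession -ComputerName 'ws-042'; Copy-Item -FromSession $s -Path $literal -Destination C:\evidence\; Remove-PSSession $s
```

`Copy-Item -FromSession` / `-ToSession` moves the bytes inside the WinRM channel, which is why it works on hosts where port 445 is filtered; it is slower than SMB for large trees, so use it for targeted collection rather than bulk copies.
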

Registry Audit and Protection:

Display registry information including

  • User profile attributes

    • Username

    • Profile Path

    • User Hive Path

    • User resolved from SID

  • Loaded Shell information

  • Load and Unload registry hives

  • Convert SID to readable user / service name

  • Convert User / Service name to SID

  • Export Registry Snapshots (.REG format)
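
The registry capabilities above, as an added example in plain PowerShell (not BluGenie code): profile enumeration from `ProfileList`, SID-to-name and name-to-SID translation, loading a logged-off user's `NTUSER.DAT` under a temporary key to read its Run values, a clean unload, and a `.REG` export. The temporary key prefix `IR_` and the export path are choices made here.

```powershell
# Added example, not BluGenie code: enumerate user profiles from HKLM ProfileList, translate SIDs both ways,
# load the NTUSER.DAT of logged-off users under a temporary key to read their Run values, unload cleanly,
# and export a key to .REG. Needs an elevated prompt (hive loading requires backup/restore privileges).
function Convert-SidToName([string]$Sid) {
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $null }   # orphaned SID: deleted account, or a domain this host can no longer reach
}
function Convert-NameToSid([string]$Name) {
    ([System.Security.Principal.NTAccount]$Name).Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$profiles = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object {
    $sid  = $_.PSChildName
    $path = [Environment]::ExpandEnvironmentVariables([string]$_.GetValue('ProfileImagePath'))
    [pscustomobject]@{
        SID    = $sid
        User   = Convert-SidToName $sid
        Path   = $path
        Hive   = Join-Path $path 'NTUSER.DAT'
        Loaded = Test-Path "Registry::HKEY_USERS\$sid"   # loaded = the user is (or recently was) logged on
    }
}
$profiles | Format-Table -AutoSize

# Run values for users whose hive is NOT loaded. A loaded hive is locked and reg load fails; read those via HKU\<SID>.
foreach ($p in $profiles | Where-Object { -not $_.Loaded -and (Test-Path -LiteralPath $_.Hive) }) {
    $tmp = "IR_$($p.SID)"
    & reg.exe load "HKU\$tmp" $p.Hive 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "cannot load $($p.Hive)"; continue }
    try {
        $run = Get-ItemProperty "Registry::HKEY_USERS\$tmp\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if ($run) {
            $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { "$($p.User): $($_.Name) = $($_.Value)" }
        }
    } finally {
        # PowerShell keeps key handles alive until GC; unload fails with 'access denied' while any are open
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$tmp" 2>$null | Out-Null
    }
}

# Evidence snapshot of a key in .REG format, and the reverse lookup for completeness
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' "$env:TEMP\hklm_run.reg" /y | Out-Null
Convert-NameToSid "$env:USERDOMAIN\$env:USERNAME"
```

Loading a hive modifies it (the hive's own log files and timestamps are touched), so if the `NTUSER.DAT` may later be needed as evidence, copy it first and load the copy.
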

Network Audit and Protection:

Displays all connections and listening ports and the executable involved in creating each connection

  • Terminate a connection and the executable managing it

  • Query based on any property attribute

  • Convert Foreign Address IP information to Domain Name
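
The network audit above, as an added example in plain PowerShell (not BluGenie code): every TCP connection and listener joined to the owning process and its command line, cached reverse DNS for foreign addresses, UDP listeners, and a contain-then-terminate helper. The "outside Windows and Program Files" filter is one triage heuristic chosen for the example, and `Stop-SuspectConnection` is this example's own helper.

```powershell
# Added example, not BluGenie code: every TCP connection and listener joined to its owning process (with the
# process's command line), reverse DNS for foreign addresses, UDP listeners, and a contain-then-kill helper.
# Get-NetTCPConnection needs Windows 8 / Server 2012 or later; CreationTime needs Windows 10 / Server 2016.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

$dnsCache = @{}
function Resolve-Reverse([string]$Ip) {
    if ($Ip -in '0.0.0.0', '::', '127.0.0.1', '::1') { return $null }
    if (-not $dnsCache.ContainsKey($Ip)) {
        # GetHostEntry can take seconds per unresolvable address and sends a PTR query through your resolver;
        # cache it, and think twice before doing this for an address the adversary may control.
        try { $dnsCache[$Ip] = [System.Net.Dns]::GetHostEntry($Ip).HostName } catch { $dnsCache[$Ip] = $null }
    }
    $dnsCache[$Ip]
}

$conns = Get-NetTCPConnection | ForEach-Object {
    $p = $procs[[int]$_.OwningProcess]
    [pscustomobject]@{
        State       = [string]$_.State
        Local       = "$($_.LocalAddress):$($_.LocalPort)"
        Remote      = "$($_.RemoteAddress):$($_.RemotePort)"
        RemoteHost  = if ($_.State -ne 'Listen') { Resolve-Reverse $_.RemoteAddress } else { $null }
        PID         = $_.OwningProcess
        Process     = $p.Name
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
        Since       = $_.CreationTime
    }
}

# Listeners: what is exposed, and by which binary
$conns | Where-Object State -eq 'Listen' | Sort-Object Local | Format-Table Local, PID, Process, Path -AutoSize

# Established sessions owned by binaries outside Windows and Program Files: cheap beacon triage
$conns | Where-Object { $_.State -eq 'Established' -and $_.Path -and
                        $_.Path -notmatch '^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\' } |
    Format-Table Remote, RemoteHost, PID, Process, CommandLine, Since -AutoSize

# UDP is not covered by Get-NetTCPConnection
Get-NetUDPEndpoint | Sort-Object LocalPort |
    Select-Object LocalAddress, LocalPort, @{n='Process'; e={ $procs[[int]$_.OwningProcess].Name }} | Format-Table -AutoSize

function Stop-SuspectConnection([int]$ProcessId, [string]$RemoteAddress) {
    # No cmdlet closes a single socket; ending the owning process ends the connection. Block the peer first so a
    # watchdog or service restart cannot simply reconnect.
    New-NetFirewallRule -DisplayName "IR block $RemoteAddress" -Direction Outbound -Action Block -RemoteAddress $RemoteAddress | Out-Null
    Stop-Process -Id $ProcessId -Force
}
```

Resolving foreign addresses is convenient but not free: each PTR lookup leaves a trace in your resolver logs and, if the adversary controls the reverse zone, tells them someone is looking. Run the resolution step from a sandboxed resolver or skip it for addresses already tied to a case.
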

Services Audit and Protection:

Display each service and its child processes, including the command line used to start it.

  • Query based on all property attributes of any service

  • Query and Manage based on Signature

  • Query and manage by hash algorithm:

    • MACTripleDES

    • MD5

    • RIPEMD160

    • SHA1

    • SHA256

    • SHA384

    • SHA512

  • Terminate, Pause, or Restart processes

  • Start, Stop, Restart, or Remove Services

Threat Hunt and Protection:

Display information regarding COM object hijacking, autorun entries, system Prefetch data, and Most Recently Used (MRU) application and file history.

  • Query for possible COM object hijacking: searches for server files (*.EXE, *.DLL, *.AX, *.CPL and *.OCX) registered under CLSID keys that can be hijacked.

  • Display MRU Activity

  • Enable / Disable Windows Prefetching

  • Enable / Disable Audit Level Process Tracking

  • Enable / Disable Audit Level Process Policy

  • Display what programs are configured to run during system boot-up and session logins
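
The COM hijack and autorun hunts above, as an added example in plain PowerShell (not BluGenie code): it walks the CLSID server keys of HKLM and of every loaded user-classes hive, flags per-user registrations and server paths whose file does not exist, and then lists Run/RunOnce values, non-Microsoft scheduled tasks and the most recently written Prefetch files. The regex used to strip quotes and arguments from server paths is this example's own.

```powershell
# Added example, not BluGenie code: COM hijack and autorun sweep over HKLM and every loaded user hive.
# A COM hijack either adds a CLSID server under the user's classes hive (which shadows the HKLM registration for
# that user's medium-integrity processes) or repoints an existing server at attacker-controlled code. Two cheap
# checks: any per-user server at all, and any server whose file is missing (a phantom path an attacker can fill).
# Elevated (high-integrity) processes ignore the per-user classes, so a HKCU hijack reaches medium integrity only.
$serverKeys = 'InprocServer32', 'LocalServer32', 'InprocHandler32'

function Get-ComServers([string]$Root, [string]$Label) {
    if (-not (Test-Path $Root)) { return }
    foreach ($clsid in Get-ChildItem $Root -ErrorAction SilentlyContinue) {
        foreach ($sk in $serverKeys) {
            $k = Join-Path $clsid.PSPath $sk
            if (-not (Test-Path $k)) { continue }
            $raw = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)'
            if (-not $raw) { continue }
            # strip surrounding quotes and trailing arguments, then expand %vars% so Test-Path sees the real file
            $file = $raw -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.(exe|dll|ax|cpl|ocx))\s.*$', '$1'
            $file = [Environment]::ExpandEnvironmentVariables($file)
            [pscustomobject]@{ Hive = $Label; CLSID = $clsid.PSChildName; Server = $sk; Path = $file
                               Exists = Test-Path -LiteralPath $file }
        }
    }
}

# Per-user classes live in UsrClass.dat, mounted at HKU\<SID>_Classes (that is what HKCU\Software\Classes shows)
$roots = @(@{ Label = 'HKLM'; Root = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID' })
$roots += Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+_Classes$' } |
          ForEach-Object { @{ Label = $_.PSChildName; Root = "Registry::HKEY_USERS\$($_.PSChildName)\CLSID" } }
$servers = foreach ($r in $roots) { Get-ComServers -Root $r.Root -Label $r.Label }

"Per-user COM servers (legitimate ones are rare; each shadows HKLM for that user):"
$servers | Where-Object { $_.Hive -ne 'HKLM' } | Format-Table Hive, CLSID, Server, Path, Exists -AutoSize
"Servers whose file is missing (phantom or orphaned registration):"
$servers | Where-Object { -not $_.Exists } | Format-Table Hive, CLSID, Server, Path -AutoSize

# Autoruns: Run/RunOnce for the machine and each loaded user hive, plus enabled non-Microsoft scheduled tasks
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$runKeys += Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
            ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty -Path $k).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
}
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object { [pscustomobject]@{ Task = $_.TaskPath + $_.TaskName; RunAs = $_.Principal.UserId
                                        Action = @($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

# Prefetch: most recently executed binaries (only populated when the prefetcher is enabled; it is off on many servers)
Get-ChildItem "$env:SystemRoot\Prefetch" -Filter *.pf -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 20 Name, LastWriteTime
```

A missing server file is not proof of compromise on its own (uninstallers leave orphans behind all the time), but a missing path inside a directory the current user can write to is the combination that matters: that is where a planted DLL gets loaded by whatever next instantiates the CLSID.
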

System Information:

Display information regarding Active Directory, GPO, System configuration and hardware

  • Display Active Directory Machine Information (Without RSAT)

    • Assigned GPO List

    • System Group Membership

    • Group Members of the System

    • LDAP Container location

    • Default AD Attributes

      • Password Last Set

      • Last Logon Time

      • Logon Count

      • Object Category

      • Is Critical System Object

      • Operating System

      • Last Logon Date

      • Name

      • Bad Password Timeout

      • Service Principal Names

      • Object Class

      • Bad Password Count

      • Sam Account Type

      • Object Created Date

      • Object Changed Date

      • Object SID

      • Last Logoff

      • Account Expires

      • Local Policy Flags

      • Container

      • Country Code

      • Primary Group ID

      • DNS Host Name

      • Distinguished name

      • Account expires Date

      • Supported encryption types

      • SAM Account Name

  • Display Windows Updates

    • Patches

    • Rollups

    • Service Packs

    • Hotfixes

    • Definition Update Information

    • Link to Microsoft's knowledge-base entry for each identified item

  • Display System Configuration and Hardware Information for the following items

    • Local Disks

    • Domain

    • System Description

    • Manufacturer

    • Model

    • CPU

    • System Type

    • Primary Owner

    • Logged on users

    • PowerShell Supported Versions

    • Memory

    • Operating System Information

      • Version

      • Installed Date

      • Service Packs

  • Dot Net Versions

  • System Boot Time

  • 3rd Party Application / Tool Installation and Removal

  • Download and Install Windows SysInternals Tools from Microsoft

  • Install / Uninstall and configure the Sysmon service

  • Install / Uninstall and configure the Winlogbeat service
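
The system-information block above, as an added example in plain PowerShell (not BluGenie code): the machine's own AD object read through the `[ADSISearcher]` accelerator (no RSAT required), assigned GPOs via `gpresult`, the patch list with a knowledge-base link per KB, and a hardware/OS summary from CIM. The attribute selection and the decoding of `userAccountControl` and `msDS-SupportedEncryptionTypes` are this example's choices.

```powershell
# Added example, not BluGenie code: the computer's own AD object without RSAT, plus patch and hardware inventory.
# [ADSISearcher] wraps System.DirectoryServices.DirectorySearcher, present on every domain-joined Windows host.
function Get-AdComputerInfo([string]$Name = $env:COMPUTERNAME) {
    $searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    $result   = $searcher.FindOne()
    if (-not $result) { return }
    function P([string]$n) { $v = $result.Properties[$n]; if ($v -and $v.Count) { $v[0] } }   # first value or $null
    function FT($ft) { if ($ft) { [DateTime]::FromFileTimeUtc([long]$ft) } }                 # AD large-integer time
    $uac = [int](P 'useraccountcontrol')
    [pscustomobject]@{
        DN             = P 'distinguishedname'
        DNSHostName    = P 'dnshostname'
        OS             = "$(P 'operatingsystem') $(P 'operatingsystemversion')"
        PwdLastSet     = FT (P 'pwdlastset')
        LastLogonTS    = FT (P 'lastlogontimestamp')
        LogonCount     = P 'logoncount'
        BadPwdCount    = P 'badpwdcount'
        SPNs           = @($result.Properties['serviceprincipalname']) -join ';'
        MemberOf       = @($result.Properties['memberof']) -join ';'
        PrimaryGroupId = P 'primarygroupid'
        EncTypes       = P 'msds-supportedencryptiontypes'   # bitmask: 0x18 = AES only; bit 0x4 set = RC4 still accepted
        Unconstrained  = [bool]($uac -band 0x80000)           # TRUSTED_FOR_DELEGATION: a high-value target if compromised
        Critical       = P 'iscriticalsystemobject'
        SID            = (New-Object System.Security.Principal.SecurityIdentifier((P 'objectsid'), 0)).Value
        Created        = P 'whencreated'
        Changed        = P 'whenchanged'
    }
}
Get-AdComputerInfo | Format-List

# Assigned GPOs: gpresult is the supported path when RSAT is absent (computer scope needs an elevated prompt)
& gpresult.exe /scope computer /r

# Patch inventory with a link into Microsoft's knowledge base for each KB
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn,
                  @{n='Url'; e={ "https://support.microsoft.com/help/$($_.HotFixID -replace '^KB','')" }} |
    Format-Table -AutoSize

# Hardware / OS / runtime summary
$cs = Get-CimInstance Win32_ComputerSystem
$os = Get-CimInstance Win32_OperatingSystem
[pscustomobject]@{
    Manufacturer = $cs.Manufacturer; Model = $cs.Model; Domain = $cs.Domain; Owner = $cs.PrimaryOwnerName
    CPU          = @((Get-CimInstance Win32_Processor).Name) -join ';'
    MemoryGB     = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    OS           = "$($os.Caption) $($os.Version)"
    Installed    = $os.InstallDate
    LastBoot     = $os.LastBootUpTime
    LoggedOn     = @(Get-CimInstance Win32_LoggedOnUser | ForEach-Object { $_.Antecedent.Name } | Sort-Object -Unique) -join ';'
    PSVersion    = $PSVersionTable.PSVersion.ToString()
    DotNet       = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse |
                     Get-ItemProperty -Name Version -ErrorAction SilentlyContinue).Version -join ';'
} | Format-List
```

Two of these attributes deserve a second look on any compromised host: `Unconstrained` (a machine trusted for unconstrained delegation holds TGTs of every account that authenticates to it) and `EncTypes` with the RC4 bit still set, which keeps Kerberoasting of its SPNs cheap.
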

Overall Engine Design:

  • Run one or many managed jobs against thousands of remote systems

  • Three execution sections control ordering and concurrency on remote systems:

    • Pre – Any command(s) processed here are started first and run synchronously

    • Parallel - Any command(s) processed here are started after all the Pre commands have finished. These commands run in parallel.

    • Post – Any command(s) processed here are started after all the Pre and Parallel commands have finished. These commands run synchronously

  • Can manage Multiple IP ranges in a single job

  • Jobs can run from the Console Command Line, BluGenie Management Framework, or a JSON configuration file. Future support for YAML and XML.
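
The Pre / Parallel / Post model described above, as an added example (not BluGenie's engine): a minimal runner that reads a job spec, expands mixed CIDR and hostname targets, runs the Pre section once on the console, fans the Parallel section out over WinRM with a throttle and a time limit, and reduces the aggregate in Post. The JSON layout, target names, CIDR block and commands are constructed for this example; BluGenie's real job schema is not shown on this page.

```powershell
# Added example, not BluGenie's engine: a minimal Pre / Parallel / Post job runner over WinRM.
# The JSON spec, targets and commands below are constructed for this example.
function Expand-Target([string]$Target) {
    # hostnames and single IPs pass through; a.b.c.d/n expands to host addresses (network/broadcast skipped)
    if ($Target -notmatch '^(\d{1,3}(\.\d{1,3}){3})/(\d{1,2})$') { return $Target }
    $base = [long]0
    foreach ($o in $Matches[1].Split('.')) { $base = ($base -shl 8) -bor [long]$o }
    $size = [long]1 -shl (32 - [int]$Matches[3])
    for ($i = 1; $i -lt $size - 1; $i++) {
        $a = $base + $i
        '{0}.{1}.{2}.{3}' -f (($a -shr 24) -band 255), (($a -shr 16) -band 255), (($a -shr 8) -band 255), ($a -band 255)
    }
}

$spec = @'
{
  "targets":  ["10.0.0.0/30", "srv-01", "srv-02"],
  "throttle": 32,
  "timeout":  600,
  "pre":      "Write-Host ('job start ' + (Get-Date -Format o))",
  "parallel": "Get-CimInstance Win32_Process | Where-Object Name -eq 'powershell.exe' | Select-Object ProcessId, CommandLine",
  "post":     "$results | Group-Object CommandLine | Sort-Object Count -Descending | Select-Object Count, Name"
}
'@ | ConvertFrom-Json

$targets = @($spec.targets | ForEach-Object { Expand-Target $_ })

# Pre: runs once, synchronously, on the console before anything touches a target
& ([scriptblock]::Create($spec.pre))

# Parallel: one fan-out; -ThrottleLimit caps concurrent sessions, -AsJob returns at once so the run can be time-boxed
$job = Invoke-Command -ComputerName $targets -ScriptBlock ([scriptblock]::Create($spec.parallel)) `
                      -ThrottleLimit $spec.throttle -AsJob -ErrorAction SilentlyContinue
$null    = Wait-Job $job -Timeout $spec.timeout
$results = @(Receive-Job $job -ErrorAction SilentlyContinue)      # every object carries PSComputerName
$failed  = @($job.ChildJobs | Where-Object State -ne 'Completed' | ForEach-Object Location)
Remove-Job $job -Force

# Post: runs once, synchronously, over the aggregate
& ([scriptblock]::Create($spec.post))
"targets: $($targets.Count)  failed/unreachable: $($failed -join ', ')"
$results | ConvertTo-Json -Depth 3 | Set-Content "$env:TEMP\hunt.json"
```

A job file like this is code that will run as the operator on every endpoint it names, so treat it as such: keep it on an ACL-restricted share, sign or hash it, and log who launched which spec against which targets. The timeout matters too: without `Wait-Job -Timeout`, one unreachable host in the range holds the Post section hostage.
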


Last updated 9 months ago

Over 150 functions. To download the latest version, see the BluGenie repository on GitHub.