BlueTeamTools
In this note, I organize the common blue team tools
IDS/IPS
- HIDS
- NIDS/NIPS
ls -lah /etc/suricata/rules/
- list all rule files
suricata -r test.pcap
- run Suricata against a pcap and create the various logs (eve.json, fast.log, ...)
suricata --pcap=ens160 -vv
- Suricata's (live) LibPCAP mode, capturing on the ens160 interface
cat /var/log/suricata/old_eve.json | jq -c 'select(.event_type == "http")' | head -1 | jq
- query example: pull the first http event out of eve.json with jq and pretty-print it
- detect C2
- simple tour
- simple tour2
- example:
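Added worked example (not part of the original note): the eve.json query above done in Python. It parses EVE JSON line by line, selects one event_type like the jq filter, summarises alerts per signature and host pair, and applies a simple periodicity check on HTTP connections as a lead for the "detect C2" item. The sample log lines and all function names are constructed here, not Suricata's own code.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed EVE JSON sample (not a real capture); the last line is deliberately truncated, as happens when eve.json is read while Suricata is still writing it.
SAMPLE_EVE = """\
{"timestamp":"2022-10-01T10:00:00.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","http":{"hostname":"203.0.113.7","url":"/update","http_user_agent":"Mozilla/4.0"}}
{"timestamp":"2022-10-01T10:01:00.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","http":{"hostname":"203.0.113.7","url":"/update","http_user_agent":"Mozilla/4.0"}}
{"timestamp":"2022-10-01T10:02:00.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","http":{"hostname":"203.0.113.7","url":"/update","http_user_agent":"Mozilla/4.0"}}
{"timestamp":"2022-10-01T10:03:00.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","http":{"hostname":"203.0.113.7","url":"/update","http_user_agent":"Mozilla/4.0"}}
{"timestamp":"2022-10-01T10:00:30.000000+0000","event_type":"http","src_ip":"10.0.0.8","dest_ip":"198.51.100.2","http":{"hostname":"example.org","url":"/index.html","http_user_agent":"Mozilla/5.0"}}
{"timestamp":"2022-10-01T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","alert":{"signature_id":9000001,"signature":"CONSTRUCTED Suspicious HTTP beacon","severity":1}}
{"timestamp":"2022-10-01T10:02:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","alert":{"signature_id":9000001,"signature":"CONSTRUCTED Suspicious HTTP beacon","severity":1}}
{"timestamp":"2022-10-01T10:04:00.0
"""

def load_eve(text):
    """Parse EVE JSON line by line, skipping blank or truncated lines instead of aborting."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def select_type(events, event_type):
    """Equivalent of: jq -c 'select(.event_type == "http")'."""
    return [e for e in events if e.get("event_type") == event_type]

def alert_summary(events):
    """Count alerts per (signature, src_ip, dest_ip), most frequent first."""
    counts = Counter((e["alert"]["signature"], e["src_ip"], e["dest_ip"])
                     for e in select_type(events, "alert"))
    return counts.most_common()

def periodic_http(events, min_requests=4, max_jitter=0.2):
    """Flag src->dest pairs whose HTTP requests arrive at near-constant intervals (a beaconing lead, not a verdict: benign pollers match too)."""
    times = defaultdict(list)
    for e in select_type(events, "http"):
        times[(e["src_ip"], e["dest_ip"])].append(datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"))
    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:   # low relative jitter between requests
            hits[pair] = round(avg, 1)
    return hits
```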
Zeek
/usr/local/zeek/bin/zeek -C -r XXX.pcap
- read a pcap (XXX.pcap) and generate the Zeek logs; -C ignores invalid checksums
Sysmon
XML filter example (Sysmon Event ID 3 network connections in a time window for one ProcessGuid; the comparison operators are escaped so the XML stays well-formed):
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
      *[
        System[
          (EventID=3)
          and TimeCreated[
            @SystemTime &gt;= '2022-01-01T07:41:36.000Z'
            and @SystemTime &lt;= '2022-10-02T07:41:36.999Z'
          ]
        ]
        and EventData[
          Data[@Name='ProcessGuid']='a79137ec-af0f-6338-b702-00000000e901'
        ]
      ]
    </Select>
  </Query>
</QueryList>
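Added example, not from the original note: builds the same Sysmon QueryList from parameters with the comparison operators escaped so the result is well-formed XML (the kind of string Get-WinEvent -FilterXml accepts), refuses values that would break out of the XPath string literals, and applies the same EventID / time window / ProcessGuid predicate in Python to flattened event records. The function names and the sample records are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Same shape as the filter above; '<' and '>' inside element text must be escaped in XML.
TEMPLATE = """<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
      *[System[(EventID={event_id})
          and TimeCreated[@SystemTime &gt;= '{start}' and @SystemTime &lt;= '{end}']]
        and EventData[Data[@Name='ProcessGuid']='{guid}']]
    </Select>
  </Query>
</QueryList>"""

def parse_ts(ts):
    """SystemTime in EVTX is UTC ISO-8601 with a trailing Z, e.g. 2022-01-01T07:41:36.000Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")

def sysmon_filter_xml(event_id, start, end, guid):
    """Render the query, refusing values that would break out of the XPath string literals."""
    for ts in (start, end):
        parse_ts(ts)                          # ValueError on a malformed timestamp
    if not guid or "'" in guid:
        raise ValueError("ProcessGuid must be non-empty and contain no quotes")
    xml = TEMPLATE.format(event_id=int(event_id), start=start, end=end, guid=guid)
    ET.fromstring(xml)                        # ParseError if the result is not well-formed
    return xml

def select_events(events, event_id, start, end, guid):
    """Apply the same predicate in Python to flattened event records (one dict per event)."""
    lo, hi = parse_ts(start), parse_ts(end)
    return [e for e in events
            if e["EventId"] == event_id
            and lo <= parse_ts(e["TimeCreated"]) <= hi
            and e.get("ProcessGuid") == guid]

# Constructed sample records (not real telemetry); GUID is the one from the filter above.
GUID = "a79137ec-af0f-6338-b702-00000000e901"
SAMPLE_EVENTS = [
    {"EventId": 3, "TimeCreated": "2022-06-01T12:00:00.000Z", "ProcessGuid": GUID, "DestinationIp": "203.0.113.7"},
    {"EventId": 3, "TimeCreated": "2022-06-01T12:00:05.000Z", "ProcessGuid": "a79137ec-0000-0000-0000-000000000000", "DestinationIp": "198.51.100.2"},
    {"EventId": 1, "TimeCreated": "2022-06-01T11:59:59.000Z", "ProcessGuid": GUID},                                 # wrong event id
    {"EventId": 3, "TimeCreated": "2021-12-31T23:59:59.000Z", "ProcessGuid": GUID, "DestinationIp": "203.0.113.9"},  # before the window
]
```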
SIEM
Continuously, for ongoing detection and alerting
DFIR
after an incident has occurred
CTI
malware analysis
- Noriben
- Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware.
python Noriben.py
launch the script
Network Forensics
- wireshark
- NetworkMiner
- Zui
- find the attacker from the alert
Disk Forensics
Autopsy
R-Studio
- $MFT viewer
MFTECmd
- parses $MFT to a CSV file
- open the CSV in Timeline Explorer
NTFS Log Tracker
Windows Search Index Database Reporter
- detects deleted files
ShellBags
- shows ShellBags date changes in a readable view
- traces user activity even after the file or folder has been deleted
- needs %userprofile%\AppData\Local\Microsoft\Windows\USRCLASS.dat and %userprofile%\NTUSER.dat
LECmd
- parses .lnk (shortcut) files
LECmd.exe -d "C:\Users\Administrator\Desktop\Start Here\Artifacts" --csvf lnk.csv --csv "C:\Users\Administrator\Desktop\lnk-files"
- -d: directory of .lnk files; --csv: output directory; --csvf: output file name
JumpList Explorer
- to
USB Forensic Tracker
WxTCmd
- parses the Windows Timeline (Activities) database to a CSV file
- "C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\L.<id>\ActivitiesCache.db" (username and folder id are placeholders)
AmcacheParser
- may capture the application install time
RegistryExplorer
WinPrefetchView
SrumECmd
Aspect | Shellbags | $MFT (Master File Table) | $LogFile | $UsnJrnl:$J |
---|---|---|---|---|
📦 Source | Registry (NTUSER.DAT / USRCLASS.DAT) | NTFS file system metadata | NTFS transactional log (operation history) | NTFS update sequence number journal (USN Journal) |
📂 Tracks | Folders accessed via File Explorer GUI (local, USB, network) | Metadata and timestamps for every file/folder | Low-level file/folder changes (create, rename, delete) | All file/folder change events with USN IDs and timestamps |
⏱️ Timestamps Included | ✅ Yes – folder access/creation timestamps | ✅ Yes – MACB timestamps (Modified, Accessed, Created, Entry Modified) | ✅ Yes – change timestamps (no content changes recorded) | ✅ Yes – detailed change times |
👁️ Focus of Analysis | User GUI behavior: which folders were clicked/viewed? | File presence and lifecycle metadata | Change log, like a transaction record | Tracks entire change history of files/folders |
🧠 Purpose of Retention | Store folder view settings and history (for UI consistency) | Core structure for NTFS operation | Provides file system consistency and crash recovery | Enables quick file change lookup (for apps, indexing, backup) |
👣 Common Forensic Use Cases | Detect if a user accessed \\10.10.5.86\shared; track lateral movement or USB use | Check if a file existed and when it was created; identify malicious file activity | Reconstruct the sequence of malicious activity (e.g., payload creation) | Identify file usage and renaming/deletion events |
🧪 Can Recover Deleted Files? | ❌ No – folder-based, does not retain deleted file info | ✅ Yes – traces may remain unless overwritten | ✅ Possibly – recover some actions if log is intact | ✅ Yes – shows file creation, renaming, deletion history |
Rapid Triage tools
- Eric Zimmerman's tools
- MFTECmd
.\MFTECmd.exe -f 'C:\Users\johndoe\Desktop\forensic_data\kape_output\D\$Extend\$J' --csv C:\Users\johndoe\Desktop\forensic_data\mft_analysis\ --csvf MFT-J.csv
- Timeline Explorer
- View CSV and Excel files, filter, group, sort, etc. with ease
- EvtxECmd
- Event log (evtx) parser with standardized CSV, XML, and JSON output! Custom maps, locked file support, and more!
.\EvtxECmd.exe -f "C:\Users\johndoe\Desktop\forensic_data\kape_output\D\Windows\System32\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx" --csv "C:\Users\johndoe\Desktop\forensic_data\event_logs\csv_timeline" --csvf kape_event_log.csv
- Registry Explorer
- Registry viewer with searching, multi-hive support, plugins, and more. Handles locked files
- RegRipper
.\rip.exe -r "C:\Users\johndoe\Desktop\forensic_data\kape_output\D\Windows\System32\config\SYSTEM" -p compname
- PECmd
- Prefetch parser
.\PECmd.exe -d C:\Users\johndoe\Desktop\forensic_data\kape_output\D\Windows\prefetch --csv C:\Users\johndoe\Desktop\forensic_data\prefetch_analysis
- API Monitor
Acquisition
- DumpIt.exe
- Windows memory image
- LiME
- Linux memory image
- EDD (Encrypted Disk Detector)
- checks whether a disk has been encrypted
- KAPE
- triage image
- CyLR
- Linux triage image
Windows memory, dead acquisition (when a live capture is not possible), look at:
- hiberfil.sys (C:\)
- pagefile.sys (C:\)