
BlueTeamTools

In this note, I organize the common blue team tools

IDS/IPS

  • OSSEC

    • HIDS
  • Suricata

    • NIDS/NIPS
    • ls -lah /etc/suricata/rules/ lists all rule files
    • suricata -r test.pcap reads a pcap and writes the various logs (eve.json, fast.log, ...)
    • suricata --pcap=ens160 -vv runs Suricata in (live) libpcap mode on the interface
    • cat /var/log/suricata/old_eve.json | jq -c 'select(.event_type == "http")' | head -1 jq query example: first http record in eve.json (one JSON object per line)
  • RITA

    • beaconing / long-connection analysis over Zeek logs
  • Snort

    • example (Snort 3: read a pcap with a local rule file, alerts to the console with packet dump via -A cmg):
      sudo snort -c /root/snorty/etc/snort/snort.lua --daq-dir /usr/local/lib/daq -R /home/htb-student/local.rules -r /home/htb-student/pcaps/cerber.pcap -A cmg
    • read a pcap with only the rules configured in snort.lua:
      sudo snort -c /root/snorty/etc/snort/snort.lua --daq-dir /usr/local/lib/daq \
      -r XXX.pcap
    • live capture on an interface:
      sudo snort -c /root/snorty/etc/snort/snort.lua --daq-dir /usr/local/lib/daq \
      -i ens160
  • Zeek

    • /usr/local/zeek/bin/zeek -C -r XXX.pcap (-C ignores bad checksums, common in captured/offloaded traffic)
  • Sysmon

XML filter example (Event Viewer custom view / XPath): Sysmon Event ID 3 (network connection) within a time window, for one ProcessGuid

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
      *[
        System[
          (EventID=3)
          and TimeCreated[
            @SystemTime >= '2022-01-01T07:41:36.000Z'
            and @SystemTime <= '2022-10-02T07:41:36.999Z'
          ]
        ]
        and EventData[
          Data[@Name='ProcessGuid']='a79137ec-af0f-6338-b702-00000000e901'
        ]
      ]
    </Select>
  </Query>
</QueryList>
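The eve.json query above, as an added example that is not part of the original note or of Suricata: a small Python reader that reproduces `jq -c 'select(.event_type == "http")' | head -1` and goes a step further, listing every HTTP request and counting alerts per signature and per source host. The log lines are constructed samples in eve.json's layout (IPs, hostnames and the one signature used are illustrative).

```python
"""Filter Suricata eve.json (one JSON object per line) like the jq query
above, then summarise alerts.  Added example, not Suricata's own code.
The records below are constructed samples in eve.json format."""
import json
from collections import Counter

# Constructed sample eve.json (field names follow Suricata's schema;
# addresses, hostnames and user agents are invented for the example).
SAMPLE_EVE = """\
{"timestamp":"2022-10-01T07:41:36.001Z","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","proto":"TCP"}
{"timestamp":"2022-10-01T07:41:37.002Z","event_type":"http","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","dest_port":80,"http":{"hostname":"example.com","url":"/update.exe","http_method":"GET","http_user_agent":"curl/7.81.0","status":200}}
{"timestamp":"2022-10-01T07:41:37.003Z","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":1}}
{"timestamp":"2022-10-01T07:41:38.004Z","event_type":"http","src_ip":"10.0.0.7","dest_ip":"93.184.216.34","dest_port":80,"http":{"hostname":"example.com","url":"/","http_method":"GET","http_user_agent":"Mozilla/5.0","status":200}}
{"timestamp":"2022-10-01T07:41:39.005Z","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"93.184.216.34","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":1}}
{"timestamp":"2022-10-01T07:41:40.006Z","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
"""


def iter_events(text, event_type=None):
    """Yield parsed eve.json records, optionally only one event_type
    (equivalent to: jq -c 'select(.event_type == "http")')."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # half-written last line of a live log: skip it
        if event_type is None or ev.get("event_type") == event_type:
            yield ev


def first_http(text):
    """Same as `... | jq -c 'select(.event_type == "http")' | head -1`."""
    return next(iter_events(text, "http"), None)


def http_requests(text):
    """(src_ip, hostname, method, url, user_agent) for every http record."""
    return [(e["src_ip"], e["http"].get("hostname"), e["http"].get("http_method"),
             e["http"].get("url"), e["http"].get("http_user_agent"))
            for e in iter_events(text, "http")]


def alert_summary(text):
    """Alert counts per (signature_id, signature) and per source host."""
    alerts = list(iter_events(text, "alert"))
    by_sig = Counter((e["alert"]["signature_id"], e["alert"]["signature"]) for e in alerts)
    by_src = Counter(e["src_ip"] for e in alerts)
    return by_sig, by_src


if __name__ == "__main__":
    print(json.dumps(first_http(SAMPLE_EVE)))
    for row in http_requests(SAMPLE_EVE):
        print("http:", row)
    by_sig, by_src = alert_summary(SAMPLE_EVE)
    for (sid, name), n in by_sig.most_common():
        print(f"alert sid={sid} count={n} {name}")
    for src, n in by_src.most_common():
        print(f"alerts from {src}: {n}")
```

On a real box replace SAMPLE_EVE with the contents of /var/log/suricata/eve.json; the JSONDecodeError branch matters there because Suricata may be mid-write on the last line.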
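The same three conditions as the XPath filter above (EventID 3, a SystemTime window, one ProcessGuid), applied in Python to Sysmon events exported as XML, for example from Event Viewer's "Save as XML" or EvtxECmd --xml. Added example, not code from the note or from Sysmon; the four events are constructed samples, the ProcessGuid value is the one from the filter, and the images and addresses are invented.

```python
"""Reproduce the Sysmon XPath filter (EventID, SystemTime window, ProcessGuid)
against events exported as XML.  Added example; the events are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
GUID = "a79137ec-af0f-6338-b702-00000000e901"          # value from the XPath filter
START = datetime(2022, 1, 1, 7, 41, 36, tzinfo=timezone.utc)
END = datetime(2022, 10, 2, 7, 41, 36, 999000, tzinfo=timezone.utc)

# Constructed sample export: only the first event satisfies all three
# conditions (EventID 3 = network connection, inside the window, our GUID).
# The second is EventID 1 (process create), the third another process,
# the fourth is outside the time window.
SAMPLE_EVENTS = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID><TimeCreated SystemTime="2022-05-01T12:00:00.1234567Z"/><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
<EventData><Data Name="ProcessGuid">{a79137ec-af0f-6338-b702-00000000e901}</Data><Data Name="Image">C:\Windows\Temp\update.exe</Data><Data Name="DestinationIp">93.184.216.34</Data><Data Name="DestinationPort">443</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><TimeCreated SystemTime="2022-05-01T11:59:58.0000000Z"/><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
<EventData><Data Name="ProcessGuid">{a79137ec-af0f-6338-b702-00000000e901}</Data><Data Name="Image">C:\Windows\Temp\update.exe</Data><Data Name="CommandLine">update.exe /silent</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID><TimeCreated SystemTime="2022-05-02T08:00:00.0000000Z"/><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
<EventData><Data Name="ProcessGuid">{0b1c2d3e-1111-6338-b702-000000001234}</Data><Data Name="Image">C:\Program Files\Mozilla Firefox\firefox.exe</Data><Data Name="DestinationIp">93.184.216.34</Data><Data Name="DestinationPort">443</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID><TimeCreated SystemTime="2023-01-01T00:00:00.0000000Z"/><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
<EventData><Data Name="ProcessGuid">{a79137ec-af0f-6338-b702-00000000e901}</Data><Data Name="Image">C:\Windows\Temp\update.exe</Data><Data Name="DestinationIp">10.0.0.9</Data><Data Name="DestinationPort">445</Data></EventData></Event>
</Events>"""


def parse_system_time(value):
    """TimeCreated/@SystemTime is UTC with a trailing Z and, in Event Viewer
    exports, seven fractional digits; strptime's %f takes at most six."""
    base, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


def select_events(xml_text, event_id=3, start=START, end=END, process_guid=GUID):
    """Equivalent of the XPath: System/EventID, TimeCreated/@SystemTime inside
    [start, end] and EventData/Data[@Name='ProcessGuid'].  Sysmon writes the
    GUID wrapped in braces, so compare with the braces stripped."""
    want = process_guid.strip("{}").lower()
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        if int(system.findtext("e:EventID", namespaces=NS)) != event_id:
            continue
        ts = parse_system_time(system.find("e:TimeCreated", NS).get("SystemTime"))
        if not start <= ts <= end:
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("ProcessGuid", "").strip("{}").lower() != want:
            continue
        hits.append({"time": ts, "event_id": event_id, **data})
    return hits


if __name__ == "__main__":
    for hit in select_events(SAMPLE_EVENTS):
        print(hit["time"].isoformat(), hit["Image"], "->",
              hit["DestinationIp"], hit["DestinationPort"])
```

Swapping event_id=1 returns the process-creation event for the same GUID, which is the usual pivot: find the connection with ID 3, then pull the parent's ID 1 to see the command line that started it.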

SIEM

Used continuously, for ongoing detection and alerting

DFIR

Used after an incident has occurred

CTI

Malware analysis

  • Noriben
    • Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware.
    • python Noriben.py launches the script (Procmon must be available on the analysis VM)

Network Forensics

  • Wireshark
  • NetworkMiner
  • Zui (successor of Brim)
    • find the attacker from the Suricata alerts it shows alongside the Zeek logs

disk Forensics

  • Autopsy

  • R-Studio

    • $MFT viewer
  • MFTECmd

    • parses $MFT to a CSV file
    • open the CSV in Timeline Explorer
  • NTFS Log Tracker

    • parses $LogFile and $UsnJrnl:$J
  • SIDR

    • Windows Search Index Database Reporter
    • can reveal files that have since been deleted but were still indexed
  • ShellBags Explorer

    • presents ShellBags data (folders browsed, with timestamps) in a readable view
    • traces user activity even after the folder has been deleted
    • needs %userprofile%\AppData\Local\Microsoft\Windows\USRCLASS.dat and %userprofile%\NTUSER.dat
  • LECmd

    • parse .lnk (shortcut) files: LECmd.exe -d "C:\Users\Administrator\Desktop\Start Here\Artifacts" --csvf lnk.csv --csv "C:\Users\Administrator\Desktop\lnk-files"
  • JumpList Explorer

    • to
  • USB Forensics Tracker

  • WxTCmd

    • parses the Windows Timeline database (ActivitiesCache.db) to a CSV file
    • "C:\Users\ \AppData\Local\ConnectedDevicesPlatform\L.\ActivitiesCache.db"
  • AmcacheParser

    • can indicate when an application was installed or first run
  • Registry Explorer

  • WinPrefetchView

  • SrumECmd

Aspect | Shellbags | $MFT (Master File Table) | $LogFile | $UsnJrnl:$J
--- | --- | --- | --- | ---
Source | Registry (NTUSER.DAT / USRCLASS.DAT) | NTFS file system metadata | NTFS transactional log (operation history) | NTFS update sequence number journal (USN Journal)
Tracks | Folders accessed via File Explorer GUI (local, USB, network) | Metadata and timestamps for every file/folder | Low-level file/folder changes (create, rename, delete) | All file/folder change events with USN IDs and timestamps
Timestamps included | Yes: folder access/creation timestamps | Yes: MACB timestamps (Modified, Accessed, Created, Entry Modified) | Yes: change timestamps (no content changes recorded) | Yes: detailed change times
Focus of analysis | User GUI behavior: which folders were clicked/viewed? | File presence and lifecycle metadata | Change log, like a transaction record | Entire change history of files/folders
Purpose of retention | Store folder view settings and history (for UI consistency) | Core structure for NTFS operation | File system consistency and crash recovery | Quick file change lookup (for apps, indexing, backup)
Common forensic use cases | Detect if a user accessed \\10.10.5.86\shared; track lateral movement or USB use | Check if a file existed and when it was created; identify malicious file activity | Reconstruct sequence of malicious activity (e.g., payload creation) | Identify file usage and renaming/deletion events
Can recover deleted files? | No: folder-based, does not retain deleted file info | Yes: traces may remain unless overwritten | Possibly: some actions recoverable if the log is intact | Yes: shows file creation, renaming and deletion history
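The last table row in practice: $UsnJrnl:$J keeps the create / rename / delete events of a file that no longer exists in $MFT. The added example below (not from the note or from MFTECmd) reads a $J CSV as MFTECmd writes it, groups records by MFT entry and sequence number, and reconstructs each deleted file's creation time, every name it carried and its deletion time. The column names follow MFTECmd's $J output as I know it and the rows are constructed samples; adjust the header line if your MFTECmd version differs.

```python
"""Reconstruct deleted-file history from a $UsnJrnl:$J CSV (MFTECmd layout).
Added example, not MFTECmd's code; the CSV rows below are constructed."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: payload.ps1 is created, renamed to update.txt, then
# deleted; notes.docx is only modified.  Column names are assumed to match
# MFTECmd's $J CSV (--csvf output); timestamps use its 7-digit fraction.
SAMPLE_J_CSV = r"""Name,Extension,EntryNumber,SequenceNumber,ParentEntryNumber,ParentSequenceNumber,ParentPath,UpdateSequenceNumber,UpdateTimestamp,UpdateReasons,FileAttributes,OffsetToData,SourceFile
payload.ps1,.ps1,81234,3,5678,1,.\Users\johndoe\Downloads,100000,2022-09-30 10:15:01.0000000,FileCreate,Archive,0,$J
payload.ps1,.ps1,81234,3,5678,1,.\Users\johndoe\Downloads,100096,2022-09-30 10:15:02.0000000,DataExtend|FileCreate|Close,Archive,96,$J
payload.ps1,.ps1,81234,3,5678,1,.\Users\johndoe\Downloads,100192,2022-09-30 10:20:11.0000000,RenameOldName,Archive,192,$J
update.txt,.txt,81234,3,5678,1,.\Users\johndoe\Downloads,100288,2022-09-30 10:20:11.0000000,RenameNewName,Archive,288,$J
update.txt,.txt,81234,3,5678,1,.\Users\johndoe\Downloads,100384,2022-09-30 10:45:00.0000000,FileDelete|Close,Archive,384,$J
notes.docx,.docx,81300,1,5679,1,.\Users\johndoe\Documents,100480,2022-09-30 11:02:30.0000000,DataOverwrite|Close,Archive,480,$J
"""


def parse_ts(value):
    """MFTECmd writes 'yyyy-MM-dd HH:mm:ss.fffffff'; %f takes at most 6 digits."""
    base, _, frac = value.partition(".")
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6]))


def parse_j_csv(text):
    """Load the CSV into plain dicts, ordered by USN (journal order)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "name": r["Name"],
            "entry": int(r["EntryNumber"]),
            "seq": int(r["SequenceNumber"]),
            "parent_path": r["ParentPath"],
            "usn": int(r["UpdateSequenceNumber"]),
            "time": parse_ts(r["UpdateTimestamp"]),
            "reasons": set(r["UpdateReasons"].split("|")),
        })
    rows.sort(key=lambda r: r["usn"])
    return rows


def file_histories(rows):
    """Group records by (MFT entry, sequence number).  The sequence number is
    what separates a deleted file from a later file that reused its MFT slot."""
    hist = defaultdict(list)
    for r in rows:
        hist[(r["entry"], r["seq"])].append(r)
    return hist


def deleted_files(rows):
    """Every file $J shows being deleted: creation time, deletion time, all
    names it carried (renames included) and the path it had when deleted."""
    out = []
    for key, recs in file_histories(rows).items():
        if not any("FileDelete" in r["reasons"] for r in recs):
            continue
        names = []
        for r in recs:
            if r["name"] not in names:
                names.append(r["name"])
        created = next((r["time"] for r in recs if "FileCreate" in r["reasons"]), None)
        deleted = next(r["time"] for r in recs if "FileDelete" in r["reasons"])
        last = recs[-1]
        out.append({"entry": key, "names": names,
                    "final_path": last["parent_path"] + "\\" + last["name"],
                    "created": created, "deleted": deleted})
    return out


if __name__ == "__main__":
    for f in deleted_files(parse_j_csv(SAMPLE_J_CSV)):
        print(f"{f['final_path']}  created={f['created']}  deleted={f['deleted']}  "
              f"names={' -> '.join(f['names'])}")
```

Feed it the CSV produced by the MFTECmd -f '...\$Extend\$J' --csv command listed under the triage tools below; on a busy volume the journal wraps within days, so a missing FileCreate (created=None) means the file predates the oldest surviving record, not that it never existed.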

Rapid Triage tool

  • Eric Zimmerman tools
    • MFTECmd
      • parse the USN journal ($J) to CSV: .\MFTECmd.exe -f 'C:\Users\johndoe\Desktop\forensic_data\kape_output\D\$Extend\$J' --csv C:\Users\johndoe\Desktop\forensic_data\mft_analysis\ --csvf MFT-J.csv
    • Timeline Explorer
      • View CSV and Excel files, filter, group, sort, etc. with ease
    • EvtxECmd
      • Event log (evtx) parser with standardized CSV, XML and JSON output; custom maps, locked file support and more
      • .\EvtxECmd.exe -f "C:\Users\johndoe\Desktop\forensic_data\kape_output\D\Windows\System32\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx" --csv "C:\Users\johndoe\Desktop\forensic_data\event_logs\csv_timeline" --csvf kape_event_log.csv
    • Registry Explorer
      • Registry viewer with searching, multi-hive support, plugins and more; handles locked files
    • PECmd
      • Prefetch parser
      • .\PECmd.exe -d C:\Users\johndoe\Desktop\forensic_data\kape_output\D\Windows\prefetch --csv C:\Users\johndoe\Desktop\forensic_data\prefetch_analysis
  • RegRipper (Harlan Carvey; not part of the Zimmerman suite)
    • .\rip.exe -r "C:\Users\johndoe\Desktop\forensic_data\kape_output\D\Windows\System32\config\SYSTEM" -p compname (compname plugin: computer name from the SYSTEM hive)
  • API Monitor (rohitab.com; not part of the Zimmerman suite)
    • hooks and logs the Win32 API calls a process makes

Acquisition

  • DumpIt.exe
    • Windows memory image
  • LiME
    • Linux memory image (loadable kernel module)
  • EDD (Encrypted Disk Detector)
    • checks whether the disk has been encrypted; run it on the live system before powering off
  • KAPE
    • triage image
  • CyLR
    • Linux triage image (also runs on Windows and macOS)

Windows memory, dead acquisition (when no live RAM capture is possible)

  • hiberfil.sys in C:\

  • pagefile.sys in C:\
