Release Notes for v0.5.1-alpha

• Add interface for scan mode! Scan folders, files, and processes directly with the --scan flag!
• User permissions management added
• JSON log sink added
• Add more hunts
• Bugfixes

Mitigate Mode

• Mitigations are now configurable via json
• New mitigations have been added
• Mitigations' enforcement-levels are now properly configured
• Mitigations' associated software is now used. Mitigations may have an associated software and version, and unless the system has that software at the specified version, the mitigation won't be applied.
• Mitigation enforcement can now be configured with a much finer granularity. A default enforcement level may be specified, which can be overwritten for each mitigation, and each mitigation policy may be configured to ignore the default enforcement level.
• Mitigation enforcement now produces a report describing the results

This release represents a massive rework of BLUESPAWN's internals, hunts, and really everything. This is our DEFCON 28 release following our talk at the Blue Team Village.

The software is very much still in the alpha phase, but please reach out to us on Discord if you have questions about the project or run into issues!

User Level Features

Hunts: 17 -> 26

Mitigations: 24 -> 27

Additions

• Added a number of new hunts including T1013, T1031, T1036, T1068, T1089, T1122, T1128, T1198, and T1484
• Added Delete File and Quarantine File Reactions
• Added a few new mitigations including M1028-WFW, M1054-WSC, and V-73511
• Detect and record latent CobaltStrike beacon configurations in memory
• Record file hashes for detections
• Enhanced timestamp logging
• Launch of project website at bluespawn.cloud

Improvements

• Greatly improved stability and abilities of Monitor mode
• Improved coverage and/or optimized several hunts including T1004, T1015, T1035, T1037, T1050, T1055, T1060, T1100, T1101, T1103, T1131, and T1182
• Better detection for use of LOLBINs
• Numerous bugfixes regarding scanning coverage & program crashes
• Performance Enhancements - Smaller binary; YARA scanning is much faster due to a smaller, more targetted default configured ruleset

Architecture Features

• Added a User/Permissions Class to the client for analyzing object permissions
• Completely rewritten Event Listener/System
• Added ability to monitor directories on the file system
• Switched a number of Registry and FileSystem functions to directly call Windows Nt* functions instead of using higher level ones to obtain better data
• Added more error handling and some SEH to reduce crashes

User Level Features

Hunts: 17

Mitigations: 24

• New Hunts T1035 (Service Execution) and T1053 (Scheduled task)

• New Mitigations V-3479 (DLL Safe Search), V-71769 (Prevent Remote SAM Calls), V-73585 (Disable Windows Installer automatic elevation)

• Many additional YARA signatures

• New Memory Carving Reaction

• New --hunts and --exclude-hunts command line options

• Major updates to a number of hunts including T1015, T1101, T1131, and T1183 which reduces false positives and improves accuracy

• Performance enhancements

  • Binary is now 87% smaller

Architecture Features

• Integration of File Signed method within the File System Module. Hunts can now check if files are signed
• Updates to the CI and Atomic Red Team Tests
• Command Line parsing module
• Integration of libzip for compression of signatures in the binary
• Memory Carving Module/PE analysis

User Level Features

Hunts: 15

Mitigations: 21

• Expand number of registry keys watched in Monitor mode
• Bug Fixes
  • Fixed FileSystem module bug where it is sometimes unable to read/access protected files
  • Fixed crash on Windows Server 2008 R2
• Performance enhancements
  • Binary is now 33% smaller

Architecture Features

• Massive updates to Registry module to make it more efficent, expand scope of checks to Wow64/Users automatically
• Redo and better integrate dependencies into our project
• Updates to CI/build process

User Level Features

Hunts: 15

Mitigations: 21

• Monitoring Updates
  • All Hunts now have support for monitoring!!
• New Mitigations
  • M1035-RDP limits RDP connections
  • M1047 enables useful, optional event logs
  • M1054-RDP ensures console sessions can't be closed by remote RDP admins
  • V-3340 prevents anonymous network shares
  • V-3344 restricts local accounts with blank passwords
  • V-3379 prevents storage of LAN Manager hash of passwords
  • V-63753 prevents local storage of domain credentials
  • V-63687 limits caching of credentials
• New Hunts
  • T1015 checks for accessibility backdoor
  • T1099 checks for timestomp
  • T1136 checks for account creation
• Adds XML Logging

Architecture Features

• Adds support to scan files against YARA rules, enabling a much greater level of threat detection
• Multithreaded CLI to work with Monitoring
• CI tests now compare Bluespawn to Atomic Red Team

User Level features

• Monitor: this is a new feature that continuously monitors a Windows system for specific events. From there, BLUESPAWN can automatically launch hunts to take action against malicious activity.
• New Mitigations:
  • M1025 - LSA Protection
  • M1042 - LLMNR
  • M1042 - NBT-NS
  • M1042 - Windows Script Host
  • V1153 - NTLMv2 is used
  • V63597 - Filter Privileged Tokens over the network (helps against T1075)
  • V63817 - Include Builtin Admin account in UAC
  • V63825 - Prompt for application installations
  • V63829 - UAC is enabled
  • V73519 - SMBv1 is disabled
• New Hunts:
  • T1055 - Process Injection
  • T1183 - IFEO
• Updated Hunts:
  • T1050 - Monitor for new services
  • T1100 - Web shells
• New Reactions including SuspendProcess
• Updates to the README & docs
• Hunt Levels changed to Cursory, Normal, and Intensive now

Architecture Features

• GitHub CI
  • Add x86 builds
• Integration of PESieve Project
• Performance improvements with Hunts
• Major Registry module changes
• Major Event Log module updates
• File System module added

User Level features

• Mitigations: this is a new feature that audits a Windows system for weak security settings. From there, BLUESPAWN can either automatically fix them or just notify an operator of the issue.
  • V1093: Restrict anonymous enumeration of shares
  • V3338: Ensure unauthorized named pipes are accessible with anonymous credentials
  • V72753: Ensure WDigest Authentication is disabled
• New Hunts
  • T1050: look for new services in event logs
• Logging improvements
  • Debug and Verbosity options
• Centralized user I/O interface

Architecture Features

• GitHub CI
  • Ensures the project can compile in Debug and Release modes
• Initial untested Process and PE analysis libraries
  • Validate processes, threads, and addresses
  • Analyze loaded images
• Event logs library
  • Search any event log by ID and extract event information
• Reactions overhaul
  • More powerful logging, more extensible, support for more data types
• Prototype ETW library
  • Basic ETW callbacks based on krabsetw
• Prototype server communications (currently disabled)
  • gRPC protocols and buffer files for many key datastructures
• Intelligent dynamic linker
  • Centralized dynamic linker for linking to functions not capable of being statically linked
• String parsing utilities
  • Easily convert between unicode and ansi; capitalization and lowercasing
• Completely restructure project away from the static libraries architecture to a single centralized project

In this release, we continued to make a number of under the hood enhancements including reworking the logging and reactions frameworks, adding a CI for the BLUESPAWN-agent project, and adding new logging sinks. We also added a BLUESPAWN-server solution as we start to build out the server functionality.

This release primarily fixes some bugs in the registry submodule of the BLUESPAWN-agent, updates the project to use the BLUESPAWN-agent terminology to support the upcoming server and cloud components, updates the project's README, and adds some additional code to support upcoming modules/features.