An Active Defense and EDR software to empower Blue Teams
--scan flag! Mitigate Mode
This release represents a massive rework of BLUESPAWN's internals, hunts, and really everything. This is our DEFCON 28 release following our talk at the Blue Team Village.
The software is very much still in the alpha phase, but please reach out to us on Discord if you have questions about the project or run into issues!
New Hunts T1035 (Service Execution) and T1053 (Scheduled Task)
New Mitigations V-3479 (DLL Safe Search), V-71769 (Prevent Remote SAM Calls), V-73585 (Disable Windows Installer automatic elevation)
Many additional YARA signatures
New Memory Carving Reaction
New --hunts and --exclude-hunts command line options
Major updates to a number of hunts, including T1015, T1101, T1131, and T1183, which reduce false positives and improve accuracy
Performance enhancements
krabsetw
In this release, we continued to make a number of under-the-hood enhancements, including reworking the logging and reactions frameworks, adding CI for the BLUESPAWN-agent project, and adding new logging sinks. We also added a BLUESPAWN-server solution as we start to build out the server functionality.
This release primarily fixes some bugs in the registry submodule of the BLUESPAWN-agent, updates the project to use the BLUESPAWN-agent terminology to support the upcoming server and cloud components, updates the project's README, and adds some additional code to support upcoming modules/features.