Tweet
Title: (Intermediate) Building BLUESPAWN: An Open-Source, Active Defense & EDR Software
Description:
Our team has developed BLUESPAWN, a fully open-source, active defense and EDR tool for Windows. While there are ample offensive oriented tools publicly available, there is very little on the defensive side. We aim to use this project to demonstrate how modern-day security solutions work by building our own from the ground up. In addition, we integrate a number of popular community libraries and tools such as MITRE ATT&CK, DoD STIGs, YARA, and PE-Sieve with one goal: to enable any security analyst to quickly detect, identify, and eliminate malicious activity on a system.
In today’s world, computers running Microsoft’s Windows operating system remain a top target for threat actors given its popularity. While there are a number of commercial defensive cybersecurity tools and multi-purpose system analysis programs such as SysInternals, this software is often closed-source, operates in a black-box manner, or requires a payment to obtain. These characteristics impose costs for both attackers and defenders. In particular, while the restrictions prevent attackers from knowing exactly what these tools detect, defenders often end up not having a good understanding of how their tools work or exactly what malicious activity they can identify.
Building on prior work and other open-source software, our team decided to create BLUESPAWN. This open-source program is an active defense and endpoint detection & response (EDR) tool designed to quickly prevent, detect, and eliminate malicious activity on a Windows system. In addition, BLUESPAWN is centered around the MITRE ATT&CK Framework and the Department of Defense’s published STIGs. We have also integrated popular malware analysis libraries such as VirusTotal’s YARA to increase the tool’s effectiveness and accessibility. Currently, our team is developing the alpha version of the client which can already detect real-world malware. In the future, we will continue to build out the client and eventually integrate both a server component for controlling clients and a cloud component to deliver enhanced detection capabilities.
Github: https://github.com/ION28/BLUESPAWN
Speaker(s): Jake Smith, Jack McDowell
Location: Blue Team Vlg / Blue Team Vlg - Talks Track 1
Discord: https://discord.com/channels/7082082...54317658734613
Event starts: 2020-08-07 13:30 (01:30 PM) PDT (UTC -07:00)
Event ends: 2020-08-07 14:30 (02:30 PM) PDT (UTC -07:00)
For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-06T21:47 (UTC).
Description:
Our team has developed BLUESPAWN, a fully open-source, active defense and EDR tool for Windows. While there are ample offensive oriented tools publicly available, there is very little on the defensive side. We aim to use this project to demonstrate how modern-day security solutions work by building our own from the ground up. In addition, we integrate a number of popular community libraries and tools such as MITRE ATT&CK, DoD STIGs, YARA, and PE-Sieve with one goal: to enable any security analyst to quickly detect, identify, and eliminate malicious activity on a system.
In today’s world, computers running Microsoft’s Windows operating system remain a top target for threat actors given its popularity. While there are a number of commercial defensive cybersecurity tools and multi-purpose system analysis programs such as SysInternals, this software is often closed-source, operates in a black-box manner, or requires a payment to obtain. These characteristics impose costs for both attackers and defenders. In particular, while the restrictions prevent attackers from knowing exactly what these tools detect, defenders often end up not having a good understanding of how their tools work or exactly what malicious activity they can identify.
Building on prior work and other open-source software, our team decided to create BLUESPAWN. This open-source program is an active defense and endpoint detection & response (EDR) tool designed to quickly prevent, detect, and eliminate malicious activity on a Windows system. In addition, BLUESPAWN is centered around the MITRE ATT&CK Framework and the Department of Defense’s published STIGs. We have also integrated popular malware analysis libraries such as VirusTotal’s YARA to increase the tool’s effectiveness and accessibility. Currently, our team is developing the alpha version of the client which can already detect real-world malware. In the future, we will continue to build out the client and eventually integrate both a server component for controlling clients and a cloud component to deliver enhanced detection capabilities.
Github: https://github.com/ION28/BLUESPAWN
Speaker(s): Jake Smith, Jack McDowell
Location: Blue Team Vlg / Blue Team Vlg - Talks Track 1
Discord: https://discord.com/channels/7082082...54317658734613
Event starts: 2020-08-07 13:30 (01:30 PM) PDT (UTC -07:00)
Event ends: 2020-08-07 14:30 (02:30 PM) PDT (UTC -07:00)
For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-06T21:47 (UTC).