BlueSpectrum is an Indicator of Compromise (IOC) framework written in PowerShell. It searches for IOCs in Registry keys and values, network connections, file metadata, and/or file hashes on local or remote systems, using WMI as the remote process caller. The script works with PowerShell v2 and newer.
Open one of the five IOC files and enter one applicable indicator per line. See the folder labeled "IOC_Examples" for how an indicator should look in each file.
1) Download this repository and unzip it.
2) Add applicable IOCs to the indicator files.
3) Change applicable variables.
- BlueSpectrum_Process_Call.ps1 -- Lines 18, 21, 24, and 27
- BlueSpectrum.ps1 -- Line 46
4) Run BlueSpectrum_Process_Call.ps1 from a PS console.
5) Review findings in the "Results" folder.
There are several ways to run BlueSpectrum remotely, including PSRemoting, PsExec, and/or WMI. This README only covers running it locally.
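As an added illustration of what a sweep of this kind does under the hood, the script below is not BlueSpectrum's own code and does not use the project's IOC file format; it is a stand-alone PowerShell sketch that checks the same three classes of indicator locally (Registry values, established network connections, file hashes) and writes a CSV into a "Results" folder, staying on PowerShell v2-era cmdlets (Get-WmiObject, netstat, .NET hashing) rather than Get-NetTCPConnection or Get-FileHash. The indicator lists, the hashtable layout of the Registry indicators, the scan root, and the Start-RemoteSweep helper are all assumptions made for the example; the addresses are RFC 5737 documentation ranges and the hash is that of an empty file, so nothing here is a real IOC.

```powershell
# Added example, not part of BlueSpectrum. Indicator lists below are constructed sample data.

# --- Constructed indicators (hypothetical layout: one hashtable per Registry IOC) ---
$RegistryIocs = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Updater'; Pattern = 'AppData\\Roaming' }
)
$NetworkIocs  = @('203.0.113.10:443', '198.51.100.7:8080')   # remote IP:port pairs (documentation addresses)
$HashIocs     = @('d41d8cd98f00b204e9800998ecf8427e')        # MD5 of an empty file, a harmless stand-in
$ScanRoot     = $env:TEMP                                    # assumed scan root; narrow it for real use

function Get-FileMd5 {
    param([string]$Path)
    # PowerShell v2 has no Get-FileHash, so hash through .NET directly.
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Test-RegistryIocs {
    param($Indicators)
    foreach ($ioc in $Indicators) {
        if (-not (Test-Path $ioc.Path)) { continue }
        $item = Get-ItemProperty -Path $ioc.Path -ErrorAction SilentlyContinue
        if ($item -eq $null) { continue }
        $data = $item.($ioc.Name)                      # value data for the named value, if present
        if ($data -ne $null -and $data -match $ioc.Pattern) {
            New-Object PSObject -Property @{ Type = 'Registry'; Indicator = "$($ioc.Path)\$($ioc.Name)"; Evidence = "$data" }
        }
    }
}

function Test-NetworkIocs {
    param([string[]]$Indicators)
    # netstat -ano exists on every Windows version; Get-NetTCPConnection needs PS 4 / Windows 8+.
    foreach ($line in (netstat -ano | Select-String 'ESTABLISHED|SYN_SENT')) {
        $fields = $line.Line.Trim() -split '\s+'       # proto, local, remote, state, pid
        $remote = $fields[2]
        $procId = $fields[4]                           # not $pid: that is a read-only automatic variable
        if ($Indicators -contains $remote) {
            $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
            New-Object PSObject -Property @{ Type = 'Network'; Indicator = $remote; Evidence = "PID $procId $($proc.Name)" }
        }
    }
}

function Test-HashIocs {
    param([string[]]$Indicators, [string]$Root)
    # -File on Get-ChildItem is PS 3+, so filter on PSIsContainer instead.
    $files = Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer }
    foreach ($file in $files) {
        try { $hash = Get-FileMd5 $file.FullName } catch { continue }   # locked files are skipped
        if ($Indicators -contains $hash) {
            New-Object PSObject -Property @{ Type = 'Hash'; Indicator = $hash; Evidence = $file.FullName }
        }
    }
}

function Start-RemoteSweep {
    param([string]$ComputerName, [string]$ScriptPath)
    # One way to use WMI as the remote process caller: Win32_Process.Create over DCOM.
    # Needs local admin on the target and RPC/DCOM reachability; it returns only ProcessId and
    # ReturnValue, so the remote script must write its own results somewhere you can collect them.
    $cmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    Invoke-WmiMethod -ComputerName $ComputerName -Class Win32_Process -Name Create -ArgumentList $cmd
}

# --- Local run: collect hits and write them under .\Results ---
$results = @(Test-RegistryIocs $RegistryIocs) + @(Test-NetworkIocs $NetworkIocs) + @(Test-HashIocs $HashIocs $ScanRoot)
$outDir  = Join-Path (Get-Location) 'Results'
if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }
$results | Select-Object Type, Indicator, Evidence |
    Export-Csv -NoTypeInformation -Path (Join-Path $outDir "$env:COMPUTERNAME.csv")
Write-Host ("{0} hit(s) written to {1}" -f $results.Count, $outDir)
```

Two details matter in practice: the hash check is the expensive part, so point `$ScanRoot` at the directories the indicator actually concerns rather than a whole volume, and `Select-Object Type, Indicator, Evidence` is there because hashtable-built objects do not preserve property order on PowerShell v2, which would otherwise scramble the CSV columns.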