If you have any questions, comments, or suggestions, please feel free to send us an email at email@example.com
Licensing & Compliance
The core BLUESPAWN code is licensed under GNU General Public License (GPL) v3.0.
Note that the project integrates several other libraries to provide additional features/detections. One of these is Florian Roth's signature-base which is licensed under the Creative Commons Attribution-NonCommercial 4.0 International License. YARA rules from this project are integrated into the standard build without any changes. In order to use BLUESPAWN for any commercial purposes, you must remove everything under the "Non-Commercial Only" line in this file and recompile the project.
Made with 💗 by the UVA Cyber Defense Team Windows Group
- Jake Smith (Github, Twitter)
- Jack McDowell (Github)
- Calvin Krist (Github, Twitter)
- Will Mayes (Github, Twitter)
- Aaron Gdanski (Github)
- Grant Matteo (Github)
Thanks to all of the folks listed below for their contributions to BLUESPAWN!
- Alexander Kluth (Github)
Want to help? Take a look at the current issues, add ideas for new features, write some code, and create a pull request!
We would like to provide a special thank you to the following projects that have helped us to build BLUESPAWN:
- Github's support of open-source projects, especially the ability for unlimited use Github Actions
- Microsoft's documentation and examples on the Windows API
- The Department of Defense's Defense Information Systems Agency (DISA) for their great work in publishing STIGs and various other technical security guidance for Windows.
- @hasherezade's PE Sieve, which currently manages our process analytics
- VirusTotal's YARA Project which we use to scan data for malicious identifiers
- The Yara Rules Project's Rules repository which contains a large collection of open-source YARA rules
- @Neo23x0's open-source signature-base project which contains a large collection of YARA rules
- The MITRE's ATT&CK Project which has put together an amazing framework for which to consider, document, and categorize attacker tradercraft
- Red Canary's Atomic Red Team and Invoke-AtomicRedTeam Projects which have been incredibly useful in helping to test the detections we are building
- Amazon's Open Source at AWS Initiative who has provided our team some AWS promotional credits to help us reserach and test BLUESPAWN better
- The NSA Cybersecurity Directorate's Windows Event Forwarding Guidance
- Sean Metcalf's Active Directory Security blog ADSecurity
- @op7ic's EDR-Testing-Script Project
- The Japan Computer Emergency Response Team (JPCERT)'s Tool Analysis Result Sheet for its documentation of attacker behavior and correlation with detection opportunities
- @jarro2783's cxxopts which we use to parse command line arguments
- @leethomason's tinyxml2 library which we use to output scan information to XML