PowerShell/WinRM Operational

ConsoleHost_history.txt / PS Transcription:

PSReadLine automatically logs the last 4,096 console commands (since PSv5/Win10)

# location:
%UserProfile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Also check whether PowerShell transcription is enabled in the environment. Default output location = "%UserProfile%\Documents" unless a different path is set in the GPO.

PowerShellCore-Operational.evtx (PSv6, 7) / PowerShell-Operational.evtx (PSv5)

EID        Notes
4104       Records script blocks (but only on first execution). Should be the first place to look; specifically filter for "Warning"-level entries, which flag potentially malicious content.
4103       Records module/pipeline output
4105/4106  Very noisy for threat hunting

Most logging is disabled by default, but MS added automatic "Warning"-level logging of potentially malicious script activity.

Look out for downgrade attacks to pre-PSv5 engines, and for use of PowerShell v7+, which is more likely to go unmonitored (PS logging must be enabled for v5 and v6+ individually).

Quick Wins:

Filter for common abuse:

Invoke-Expression (IEX)
FromBase64String
rundll32
Invoke-Command
WebClient
http
syswow64
bitstransfer
download
Start-Process
Reflection
powershell -version
Invoke-WmiMethod
Invoke-CimMethod
WebRequest
EncodedCommand / -enc / -E
ExecutionPolicy Bypass

Downgrade attacks

Can be found by searching the 'Windows PowerShell.evtx' log for:

EngineVersion=2.0
# OR
HostVersion=2.0
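As an added example (not part of the original notes), the following PowerShell triage snippet applies the quick-win keyword list to EID 4104 script blocks from both the PSv5 and PSv6+ Operational channels, then runs the downgrade search against the classic 'Windows PowerShell' log. It assumes the live logs on the local host; for an exported .evtx, swap the LogName filter for -Path.

```powershell
# Added example, not part of the original notes. Pulls EID 4104 script blocks from the
# PSv5 and PSv6+ Operational logs on the local host, flags those matching the "quick win"
# keywords above, then checks the classic 'Windows PowerShell' log for v2 downgrade markers.

# Keyword list from the cheat sheet, expressed as case-insensitive regex alternatives
$Indicators = @(
    'Invoke-Expression', '\bIEX\b', 'FromBase64String', 'rundll32', 'Invoke-Command',
    'WebClient', 'http', 'syswow64', 'bitstransfer', 'download', 'Start-Process',
    'Reflection', 'powershell(\.exe)?\s+-version', 'Invoke-WmiMethod', 'Invoke-CimMethod',
    'WebRequest', '-EncodedCommand|\s-enc?\b|\s-E\b', 'ExecutionPolicy\s+Bypass'
)
$Pattern = $Indicators -join '|'

# Both channels must be queried: v5 and v6+ log to different event logs
$LogNames = 'Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational'

$Hits = foreach ($log in $LogNames) {
    # A missing channel (e.g. PowerShell 7 not installed) is not an error for triage purposes
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4104 } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # For 4104, Properties[2] holds the ScriptBlockText; Level "Warning" = MS suspicious-content match
        $text = [string]$e.Properties[2].Value
        if ($text -match $Pattern) {
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Log     = $log
                Level   = $e.LevelDisplayName
                Matched = ($Indicators | Where-Object { $text -match $_ }) -join ', '
                Snippet = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
        }
    }
}
$Hits | Sort-Object Time | Format-Table -AutoSize

# Downgrade check: engine or host version 2.0 reported in the classic log (see section above)
Get-WinEvent -LogName 'Windows PowerShell' -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0|HostVersion=2\.0' } |
    Select-Object TimeCreated, Id, UserId |
    Format-Table -AutoSize
```

Expect the "http" and "download" terms to produce benign noise; review Warning-level 4104 hits first, then widen to the rest.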

WinRM/Operational.evtx

Tracks WinRM connections. Available on both the source and destination host. WinRM is the primary protocol for PSRemoting. Records: hostname, IP, currently logged-on user.

EID   Notes
6     Destination hostname, IP address, currently logged-on user
91    Source session creation
168   Authenticating user account
