PowerShell activity
Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on: artefacts.help.
Overview
Windows PowerShell version 2.0, and prior versions, provide few useful audit settings, thereby limiting the availability of evidence (such as a command history).
Upon executing any PowerShell command or script, either locally or through PowerShell remoting, Windows may write events to the following event logs:
Windows PowerShell.evtx
Microsoft-Windows-PowerShell\Operational.evtx
Microsoft-Windows-PowerShell\Analytic.etl (non default)
Starting with PowerShell v5 on Windows 10, the commands entered in a PowerShell console are logged by the PSReadline module to a user-scoped ConsoleHost_history.txt file. Console-less PowerShell sessions, such as the content of a PowerShell script or commands executed through the PowerShell ISE, are not logged in this file. By default, the ConsoleHost_history.txt file is located under: $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Bypassing PSReadline logging is however easy, as it simply requires unloading the PSReadline module (for instance with Remove-Module PSReadline in an existing PowerShell session).
As PowerShell implements its remoting functionality through the Windows Remote Management (WinRM) service, remote PowerShell activity may induce events in the following event logs:
Microsoft-Windows-WinRM\Operational.evtx
Microsoft-Windows-WinRM\Analytic.etl (non default)
The events linked to remote PowerShell activity conducted through the WinRM service are detailed in the Lateral movements section.
Additionally, if enabled, AppLocker will record PowerShell activity in the Microsoft-Windows-AppLocker\MSI and Script event log.
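The following script is an added example (not part of the original notes) that inventories the event logs named above and the three policy values that decide how much PowerShell activity actually lands in them (script block logging, module logging and transcription). Channel names are given with "/" as Windows exposes them through Get-WinEvent, whereas the notes use the on-disk "\" file names; the registry paths are the standard Group Policy locations and are assumed to be the only place the policy is set.

```powershell
# Added example: read-only inventory of PowerShell-related event logs and logging policy.
# Run from an elevated prompt so that every channel is readable.

$Channels = @(
    'Windows PowerShell',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-PowerShell/Analytic',      # disabled by default
    'Microsoft-Windows-WinRM/Operational',
    'Microsoft-Windows-WinRM/Analytic',           # disabled by default
    'Microsoft-Windows-AppLocker/MSI and Script'  # populated only when AppLocker is enabled
)

function Get-PowerShellLogState {
    foreach ($name in $Channels) {
        # -ListLog returns the channel configuration without reading any events.
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) {
            [pscustomobject]@{ Channel = $name; Present = $false; Enabled = $null; Records = $null; MaxSizeMB = $null; Mode = $null }
            continue
        }
        [pscustomobject]@{
            Channel   = $name
            Present   = $true
            Enabled   = $log.IsEnabled
            Records   = $log.RecordCount
            MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
            Mode      = $log.LogMode           # Circular logs overwrite the oldest evidence first
        }
    }
}

# Group Policy values (assumed location: the standard HKLM policy keys) controlling
# what PowerShell writes to the channels above.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
function Get-PowerShellLoggingPolicy {
    $items = @(
        @{ Name = 'ScriptBlockLogging'; SubKey = 'ScriptBlockLogging'; Value = 'EnableScriptBlockLogging' },
        @{ Name = 'ModuleLogging';      SubKey = 'ModuleLogging';      Value = 'EnableModuleLogging' },
        @{ Name = 'Transcription';      SubKey = 'Transcription';      Value = 'EnableTranscripting' }
    )
    foreach ($i in $items) {
        $path = Join-Path $PolicyRoot $i.SubKey
        $v = (Get-ItemProperty -Path $path -Name $i.Value -ErrorAction SilentlyContinue).($i.Value)
        [pscustomobject]@{ Setting = $i.Name; Configured = ($null -ne $v); Enabled = ($v -eq 1) }
    }
}

Get-PowerShellLogState      | Format-Table -AutoSize
Get-PowerShellLoggingPolicy | Format-Table -AutoSize
```

A channel that is present but disabled, or a circular log with a small maximum size, explains an absence of evidence as much as a clean keyword search does, so this inventory is worth recording before drawing conclusions from the logs themselves.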
Note that PowerShell 2.0 and prior versions provide limited logging capabilities and thereby limit the availability of evidence, such as the interactive command history executed through the PowerShell console.
The events providing command line / command history information should be searched for the following keywords (case insensitive search):
-Enc / -e
-nop / bypass
IEX / Invoke-Expression
ICM / Invoke-Command
Net.WebClient / io.
DownloadString / DownloadFile
& / |
// / http / ftp / cifs / smb / etc.
join / nioj / replace / ecalper / -f / CHAR / RAHC / STRING / GNIRTS / marshal / convert / env / { / } (obfuscation detection)
While the occurrence of these keywords may indicate malicious activity, their absence is not proof that no malicious PowerShell activity took place, as PowerShell code can be deeply obfuscated.
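The script below is an added example (not from the original notes) that pulls together the command-history sources described on this page (the per-user ConsoleHost_history.txt files, 4104 script block events in Microsoft-Windows-PowerShell/Operational, and the HostApplication= / CommandLine= lines of events 400 and 800 in the Windows PowerShell log) and runs the keyword list above over each line. It assumes local, read-only access to C:\Users and the event logs; the event-data field positions for 4104 (script text in the third field, script block id in the fourth) are standard for that event.

```powershell
# Added example: keyword triage over the PowerShell command-history sources listed in the notes.
# Run from an elevated prompt; nothing is modified.

# Keyword groups as listed in the notes. The second group is noisy on its own and is
# reported as an obfuscation hint alongside a hit, not as a hit by itself.
$SuspiciousKeywords = @('-Enc', '-e', '-nop', 'bypass', 'IEX', 'Invoke-Expression', 'ICM', 'Invoke-Command',
    'Net.WebClient', 'io.', 'DownloadString', 'DownloadFile', '&', '|', '//', 'http', 'ftp', 'cifs', 'smb')
$ObfuscationKeywords = @('join', 'nioj', 'replace', 'ecalper', '-f', 'CHAR', 'RAHC', 'STRING', 'GNIRTS',
    'marshal', 'convert', 'env', '{', '}')

function Get-KeywordHits {
    param([string]$Text, [string[]]$Keywords)
    # Case-insensitive substring search, as the notes require.
    foreach ($k in $Keywords) {
        if ($Text.IndexOf($k, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { $k }
    }
}

function New-Finding {
    param([string]$Source, [string]$Context, [datetime]$Time, [string]$Text)
    $hits = @(Get-KeywordHits -Text $Text -Keywords $SuspiciousKeywords)
    if ($hits.Count -eq 0) { return }
    $obf = @(Get-KeywordHits -Text $Text -Keywords $ObfuscationKeywords)
    $snippet = if ($Text.Length -gt 160) { $Text.Substring(0, 160) + '...' } else { $Text }
    [pscustomobject]@{
        Source      = $Source
        Context     = $Context
        Time        = $Time
        Keywords    = ($hits -join ' ')
        Obfuscation = ($obf -join ' ')
        Text        = $snippet
    }
}

function Get-ConsoleHistoryFindings {
    # PSReadLine history of every profile (PowerShell v5+). The file carries no
    # timestamps, so the last write time is the only time anchor available.
    $pattern = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    foreach ($f in Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue) {
        $user = $f.FullName.Split('\')[2]
        foreach ($line in Get-Content -Path $f.FullName -ErrorAction SilentlyContinue) {
            New-Finding -Source 'ConsoleHost_history.txt' -Context $user -Time $f.LastWriteTime -Text $line
        }
    }
}

function Get-ScriptBlockFindings {
    # Event 4104 (script block logging): script text is the third event-data field,
    # the script block id the fourth.
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        New-Finding -Source 'PowerShell/Operational 4104' -Context ('ScriptBlockId=' + $e.Properties[3].Value) `
            -Time $e.TimeCreated -Text ([string]$e.Properties[2].Value)
    }
}

function Get-WindowsPowerShellLogFindings {
    # Events 400 (engine start, HostApplication= line) and 800 (pipeline execution
    # details, CommandLine= line) in the classic Windows PowerShell log.
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400, 800 }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        foreach ($m in [regex]::Matches([string]$e.Message, '(?m)^\s*(?:HostApplication|CommandLine)=(.*)$')) {
            New-Finding -Source ('Windows PowerShell ' + $e.Id) -Context $e.MachineName `
                -Time $e.TimeCreated -Text $m.Groups[1].Value.Trim()
        }
    }
}

function Invoke-PowerShellHistoryTriage {
    Get-ConsoleHistoryFindings
    Get-ScriptBlockFindings
    Get-WindowsPowerShellLogFindings
}

Invoke-PowerShellHistoryTriage | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Short keywords such as "-e", "&" and "|" match a large share of legitimate lines, which is why the output keeps the matched keywords and the obfuscation hints as separate columns: a line that trips several of the first group and several of the second is worth reading in full, a line that only matches "|" usually is not.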
PowerShell deobfuscation
The PSDecode PowerShell script can be used to deobfuscate malicious PowerShell scripts that have several layers of encoding.
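The following is an added example, not part of the original notes and not code from PSDecode: it peels the one layer of encoding an analyst meets most often, nested -EncodedCommand payloads (base64 over UTF-16LE text), which is where a keyword hit on "-Enc" or "-e" usually leads. The sample command line is constructed for the example from a harmless inner command; PSDecode goes further by handling the string-manipulation layers the keyword list above is meant to surface.

```powershell
# Added example: decode nested -EncodedCommand layers found in a captured command line.

function ConvertFrom-EncodedCommandLayers {
    param([string]$CommandLine, [int]$MaxDepth = 10)
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
    # so all prefixes are matched. The payload is the base64 token that follows.
    $pattern = '(?i)-e(?:c|n|nc|nco|ncod|ncode|ncoded|ncodedc|ncodedco|ncodedcom|ncodedcomm|ncodedcomma|ncodedcomman|ncodedcommand)?\s+(?<b64>[A-Za-z0-9+/=]{16,})'
    $layers  = New-Object System.Collections.Generic.List[string]
    $current = $CommandLine
    for ($depth = 0; $depth -lt $MaxDepth; $depth++) {
        $m = [regex]::Match($current, $pattern)
        if (-not $m.Success) { break }
        try {
            # -EncodedCommand payloads are base64 over UTF-16LE ("Unicode") text.
            $decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups['b64'].Value))
        } catch {
            break   # token was not valid base64: stop rather than guess
        }
        $layers.Add($decoded)
        $current = $decoded   # the decoded text may itself launch another encoded command
    }
    return ,$layers.ToArray()
}

function ConvertTo-EncodedCommand {
    # Inverse of the decoder; used here only to build the constructed sample.
    param([string]$Script)
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Script))
}

# Constructed sample: a harmless inner command wrapped in two encoding layers.
$inner  = 'Write-Output "constructed sample"'
$layer1 = 'powershell.exe -nop -enc ' + (ConvertTo-EncodedCommand $inner)
$outer  = 'powershell.exe -e ' + (ConvertTo-EncodedCommand $layer1)

$peeled = ConvertFrom-EncodedCommandLayers -CommandLine $outer
for ($i = 0; $i -lt $peeled.Count; $i++) {
    'Layer {0}: {1}' -f ($i + 1), $peeled[$i]
}
# Layer 1 is the intermediate "powershell.exe -nop -enc ..." line, layer 2 the inner command.
```

Each decoded layer should be fed back into the keyword search, since the interesting keywords typically sit in the innermost layer rather than in the launcher line that was captured in the logs.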
PowerShell Windows events