PowerShell Hunting and Detection for (Threat Hunters | DFIR | Blue Team Activities)


Sunday, June 4, 2023 2:23 PM

Author: Muhammed Talaat - Senior Malware Researcher | DFIR Investigator | Threat Intelligence Analyst
LinkedIn: https://www.linkedin.com/in/muhammed-talaat-0x00/
Twitter: https://twitter.com/Muhammed_0x00
Personal Email: [email protected]

PowerShell Activities

Data Source: PowerShell
Channel: Microsoft-Windows-PowerShell/Operational
Category - Refers To: Executing Pipeline (module logging)
Event ID: 4103
Description | Comment:
• Records pipeline execution details: each cmdlet or function invocation together with the parameter values it was bound to, so a command that was obfuscated on the command line shows up here in the form it was actually invoked.
• Hunt for obfuscated commands, calls to self-defined variables and invocations of system commands.
• Only populated when module logging is enabled ("Turn on Module Logging" policy, EnableModuleLogging registry value); on an unconfigured host this event is practically absent.

Data Source: PowerShell
Channel: Microsoft-Windows-PowerShell/Operational
Category - Refers To: Execute a Remote Command (script block logging)
Event ID: 4104
Description | Comment:
• Despite the task name, this records script blocks executed locally as well as remotely.
• Captures the entire script block as PowerShell compiles it, which is why obfuscated or encoded scripts that are decoded at run time appear here in their decoded form.
• If a script block exceeds the maximum event log message size it is split across several 4104 events that share one ScriptBlockId (MessageNumber of MessageTotal), so a keyword can straddle two events. Blocks that PowerShell itself considers suspicious are logged at level "Warning" even when script block logging is not enabled; with it enabled, everything else is logged at "Verbose".

Data Source: PowerShell
Channel: Windows PowerShell (classic log)
Category - Refers To: Engine Lifecycle
Event ID: 400
Description | Comment:
• "Engine state is changed from None to Available": a new PowerShell host process has started. The message body carries HostName and HostApplication (the command line that started the host), so it still gives a timeline of PowerShell starts on hosts where module and script block logging are switched off.

Event ID Hunting Parameters


4103 `@timestamp` | Hostname | AccountType | AccountName | ContextInfo
4104 `@timestamp` | Hostname | AccountType | AccountName | UserID | ScriptBlockText
400 `@timestamp` | Hostname | Message

Examples (screenshots in the original):

• PowerShell/Operational Log (Event ID: 4103)
• PowerShell/Operational Log (Event ID: 4104)
• PowerShell Log (Event ID: 400)
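As an added example that is not part of the original page, the following PowerShell hunts the 4104 and 4103 events described above with Get-WinEvent. It stitches fragmented 4104 script blocks back together by ScriptBlockId before matching, keeps every block PowerShell already marked as Warning, and pulls the user and host application out of the 4103 ContextInfo text. The keyword list and the one-day window are assumptions made for illustration, not lists from the page; run it in an elevated console on the host you are hunting.

```powershell
# Added example (not code from the original page). Assumed: a 24-hour window and the keyword
# list below, which is illustrative rather than authoritative.
$suspect = 'Invoke-Expression|\bIEX\b|FromBase64String|DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|-EncodedCommand|\s-e(nc|c)?\s|Add-Type|Reflection\.Assembly|VirtualAlloc|Invoke-Mimikatz'
$since = (Get-Date).AddDays(-1)

# --- 4104: script block logging ---------------------------------------------------------------
# EventData order for 4104 is fixed: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
$fragments = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Time          = $_.TimeCreated
        Host          = $_.MachineName
        UserSid       = $_.UserId
        Level         = $_.LevelDisplayName                 # 'Warning' = PowerShell's own suspicious-content flag
        MessageNumber = [int]$_.Properties[0].Value
        MessageTotal  = [int]$_.Properties[1].Value
        Text          = [string]$_.Properties[2].Value
        ScriptBlockId = [string]$_.Properties[3].Value
        Path          = [string]$_.Properties[4].Value      # empty for code typed at the prompt or passed via -Command
    }
}

# A block larger than the event size limit is logged as N events sharing one ScriptBlockId.
# Sort by MessageNumber and join, otherwise a regex misses a keyword split across two events.
$blocks = $fragments | Group-Object ScriptBlockId | ForEach-Object {
    $parts = @($_.Group | Sort-Object MessageNumber)
    [pscustomobject]@{
        Time     = $parts[0].Time
        Host     = $parts[0].Host
        UserSid  = $parts[0].UserSid
        Level    = $parts[0].Level
        Path     = $parts[0].Path
        Complete = ($parts.Count -eq $parts[0].MessageTotal)   # $false: some fragments were not found in the log
        Script   = -join $parts.Text
    }
}
$hits4104 = $blocks | Where-Object { $_.Level -eq 'Warning' -or $_.Script -match $suspect }

# --- 4103: module logging ---------------------------------------------------------------------
# EventData order for 4103: ContextInfo, UserData, Payload. Payload holds the CommandInvocation /
# ParameterBinding lines, i.e. the de-obfuscated values the cmdlet actually received.
$hits4103 = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4103
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match $suspect } |
    ForEach-Object {
        # ContextInfo is a "Key = Value" text block; pull the two fields the hunting parameters above rely on.
        $ctx     = [string]$_.Properties[0].Value
        $user    = ''
        $hostApp = ''
        if ($ctx -match '(?m)^\s*User = (.+?)\s*$')             { $user    = $Matches[1] }
        if ($ctx -match '(?m)^\s*Host Application = (.+?)\s*$') { $hostApp = $Matches[1] }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Host    = $_.MachineName
            User    = $user
            HostApp = $hostApp
            Payload = ([string]$_.Properties[2].Value).Trim()
        }
    }

$hits4104 | Select-Object Time, Host, UserSid, Level, Complete, Path,
    @{ n = 'Preview'; e = { $_.Script.Substring(0, [Math]::Min(160, $_.Script.Length)) } } |
    Format-Table -AutoSize -Wrap
$hits4103 | Format-Table Time, Host, User, HostApp, Payload -AutoSize -Wrap
```

To hunt an exported log instead of the live channel, replace LogName in each FilterHashtable with Path = 'C:\evidence\PowerShell-Operational.evtx'; the property indices are the same. A block with Complete = $false is worth a second look: its missing fragments may simply have rolled out of the log, but the decoded part you do have is still the part PowerShell ran.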

PowerShell Hunting Page 1


Data Source: PowerShell
Channel: Microsoft-Windows-PowerShell/Operational
Category - Refers To: PowerShell Named Pipe IPC
Event ID: 53504
Description | Comment:
• "Windows PowerShell has started an IPC listening thread on process: <PID> in AppDomain: <name>": names the process and the AppDomain in which a PowerShell engine started, so it is recorded for any process that hosts the engine, not only powershell.exe. A normal console session reports "DefaultAppDomain".
• When DSC executes a script resource, this event captures the "DscPsPluginWkr_AppDomain" AppDomain which, as the name suggests, is unique to DSC execution.

Event ID Hunting Parameters


53504 `@timestamp` | Hostname | Message

Example (screenshot in the original):

• PowerShell/Operational Log (Event ID: 53504)

Application Whitelisting

Data Source: Process
Channel: Security
Category - Refers To: Process Creation ("A new process has been created")
Event ID: 4688
Description | Comment:
• Logs details about every new process created on the host, including the creating (parent) process.
• Requires "Audit Process Creation" to be enabled, and the CommandLine field is only filled in when "Include command line in process creation events" is enabled as well; without it 4688 shows the image path but not the arguments, so encoded commands and download cradles are invisible here.

Event ID Hunting Parameters


4688 `@timestamp` | Hostname | NewProcessName | ParentProcessName | SubjectUserName | CommandLine | Message

• When you hunt with this Event ID pay attention to the parent process (ParentProcessName), specifically when it is not "explorer.exe": PowerShell launched by explorer.exe, cmd.exe or a terminal is usually a person typing, while parents such as Office applications, wscript.exe, mshta.exe, WMI provider hosts or a web server worker process mean something else launched PowerShell on the user's behalf.

Example (screenshot in the original):

• Security Log (Event ID: 4688)

Sysmon Logs

Data Source: Process
Channel: Microsoft-Windows-Sysmon/Operational
Category - Refers To: Process Create ("A new process has been created")
Event ID: 1
Description | Comment:
• Logs new process creations within Windows.
• Provides context on the process execution: full command line, parent image and parent command line, user, integrity level and file hashes.

Event ID Hunting Parameters


1 `@timestamp` | Hostname | Image | ParentImage | CommandLine | ParentCommandLine | Hashes | Message

• Filter with Image: "powershell.exe" (and "pwsh.exe" for PowerShell 7, "powershell_ise.exe" for the ISE). Filtering on Image alone misses PowerShell hosted inside another process; the image-load and named-pipe events below cover that case.
• When you hunt with this Event ID pay attention to the parent process (ParentImage), specifically when it is not "explorer.exe"; ParentCommandLine tells you what that parent was doing when it spawned PowerShell.

Example (screenshot in the original):

• Sysmon Log (Event ID: 1)
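The following is an added example that is not part of the original page. It serves both the Security 4688 section and the Sysmon event 1 section above: it pulls PowerShell process creations from both logs, normalises them to one shape, decodes any -EncodedCommand payload, and applies the parent-process check the page recommends. The parent names treated as expected or as worth a look, and the evasion-switch pattern, are assumptions made for illustration, not lists from the page. It needs an elevated console, and 4688 command lines only exist if command-line auditing is enabled.

```powershell
# Added example (not code from the original page). Assumed: the parent lists and the
# evasion-switch regex below are illustrative, not authoritative; 24-hour window.
$since   = (Get-Date).AddDays(-1)
$psHosts = 'powershell.exe', 'pwsh.exe', 'powershell_ise.exe'

# Convert an event's <EventData> into a name->value hashtable. Used for Sysmon instead of
# Properties[n] indices, because Sysmon's field order changes between schema versions.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    $data
}

# Decode "-EncodedCommand <base64>" and its -e / -ec / -enc abbreviations; the payload is UTF-16LE.
function ConvertFrom-EncodedCommand {
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return '<undecodable base64>' }
    }
    return $null
}

# Security 4688: EventData order is fixed (SubjectUserName 1, SubjectDomainName 2,
# NewProcessName 5, CommandLine 8, ParentProcessName 13).
$sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Source      = 'Security/4688'
            Time        = $_.TimeCreated
            Host        = $_.MachineName
            User        = "$($_.Properties[2].Value)\$($_.Properties[1].Value)"
            Image       = [string]$_.Properties[5].Value
            ParentImage = [string]$_.Properties[13].Value
            CommandLine = [string]$_.Properties[8].Value
            Hashes      = ''
        }
    }

# Sysmon 1: parsed by field name.
$sys = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Source      = 'Sysmon/1'
            Time        = $_.TimeCreated
            Host        = $_.MachineName
            User        = $d['User']
            Image       = $d['Image']
            ParentImage = $d['ParentImage']
            CommandLine = $d['CommandLine']
            Hashes      = $d['Hashes']
        }
    }

$procs = @($sec) + @($sys) | Where-Object { $psHosts -contains ([string][IO.Path]::GetFileName($_.Image)).ToLower() }

# Parents that normally mean a person at a console, versus parents that mean something launched
# PowerShell for the user (Office, script hosts, WMI, IIS, LOLBins). Both lists are assumptions.
$expectedParents = 'explorer.exe', 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'windowsterminal.exe', 'code.exe'
$suspectParents  = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'wscript.exe', 'cscript.exe',
                   'mshta.exe', 'wmiprvse.exe', 'w3wp.exe', 'rundll32.exe', 'regsvr32.exe'

$report = $procs | ForEach-Object {
    $parent  = ([string][IO.Path]::GetFileName($_.ParentImage)).ToLower()
    $decoded = ConvertFrom-EncodedCommand $_.CommandLine
    $flags   = @()
    if ($suspectParents -contains $parent)          { $flags += "parent:$parent" }
    elseif ($expectedParents -notcontains $parent)  { $flags += "unusual-parent:$parent" }
    if ($decoded)                                    { $flags += 'encoded-command' }
    if ($_.CommandLine -match '(?i)-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass') { $flags += 'evasion-switches' }
    [pscustomobject]@{
        Time = $_.Time; Host = $_.Host; Source = $_.Source; User = $_.User; Parent = $parent
        Flags = ($flags -join ','); CommandLine = $_.CommandLine; Decoded = $decoded; Hashes = $_.Hashes
    }
}

$report | Where-Object Flags | Sort-Object Time |
    Format-Table Time, Host, Source, User, Parent, Flags, CommandLine, Decoded -AutoSize -Wrap
```

When both logs are present the same launch appears twice, once per Source, which is a quick way to confirm that 4688 command-line auditing is actually on: a Security/4688 row with an empty CommandLine next to a Sysmon/1 row with a full one means the audit policy is missing.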

---------------------------------------------------------------------------------------------------------

Data Source: Module
Channel: Microsoft-Windows-Sysmon/Operational
Category - Refers To: Image loaded
Event ID: 7
Description | Comment:
• The image loaded event logs when a module (DLL) is loaded into a specific process, with the path of the loaded image, its signature status and its hashes.

Event ID Hunting Parameters


7 `@timestamp` | Hostname | Image | ImageLoaded | Hashes | AccountType | Message | Signed

• Monitor for processes loading the PowerShell engine DLL "System.Management.Automation.dll" (or its native image "System.Management.Automation.ni.dll"); every PowerShell host, not only powershell.exe, has to load it.
• Filter with Description or ImageLoaded: "system.management.automation". An Image other than powershell.exe, pwsh.exe or powershell_ise.exe loading it is PowerShell hosted in another process: a WMI provider host running DSC is expected, an Office application, a service binary or an unsigned executable is not.
• Many Sysmon configurations exclude image-load events entirely because of their volume, so check the deployed configuration before relying on this event.

Example (screenshot in the original):

• Sysmon Log (Event ID: 7)

---------------------------------------------------------------------------------------------------------

Data Source: Named Pipe
Channel: Microsoft-Windows-Sysmon/Operational
Category - Refers To: Pipe Created
Event ID: 17
Description | Comment:
• Generated when a named pipe is created. Malware often uses named pipes for interprocess communication.

Event ID Hunting Parameters


17 `@timestamp` | Hostname | Image| PipeName

• A pipe is a section of shared memory that processes use for communication (the Windows definition of the object).
• Monitor for PSHost* pipes to find PowerShell execution: every process that hosts the PowerShell engine creates one when the engine starts, so this catches PowerShell even where the creating Image is not powershell.exe.
• Format: PSHost.<StartTimestampTicks>.<ProcessID>.<AppDomainName>.<HostProcessName>, which for a console session is PSHost.<StartTimestampTicks>.<ProcessID>.DefaultAppDomain.powershell (the last segment is "pwsh" for PowerShell 7). A pipe whose last segment does not match the creating Image, or whose AppDomain is not DefaultAppDomain, points at PowerShell running inside another process.

Example (screenshot in the original):

• Sysmon Log (Event ID: 17)
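As an added example that is not part of the original page, the following PowerShell covers the Sysmon event 7 and event 17 sections together: it lists processes that load the PowerShell engine DLL but are not one of the standard hosts, and it parses PSHost pipe names from event 17 into their ticks, PID, AppDomain and host-name segments so a pipe can be compared against the Image that created it. The list of hosts treated as legitimate and the one-day window are assumptions made for illustration; both event types must be included by the Sysmon configuration in use.

```powershell
# Added example (not code from the original page). Assumed: the host list below is
# illustrative; 24-hour window; Sysmon configured to record ImageLoad and PipeEvent.
$since      = (Get-Date).AddDays(-1)
$knownHosts = 'powershell.exe', 'pwsh.exe', 'powershell_ise.exe'

# <EventData> to name->value hashtable (Sysmon field order varies by schema version).
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    $data
}

# --- 7: which processes load the PowerShell engine? -------------------------------------------
# Match the IL assembly and its NGEN'd native image, wherever they are installed.
$engineLoads = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $d = Get-EventData $_; $d['Time'] = $_.TimeCreated; [pscustomobject]$d } |
    Where-Object { $_.ImageLoaded -match '(?i)\\System\.Management\.Automation(\.ni)?\.dll$' }

$unmanaged = $engineLoads |
    Where-Object { $knownHosts -notcontains ([string][IO.Path]::GetFileName($_.Image)).ToLower() }

# --- 17: PSHost pipes --------------------------------------------------------------------------
# Pipe name layout: PSHost.<start time ticks>.<PID>.<AppDomain>.<host process name>; Sysmon
# reports the name with a leading backslash.
$pipeRegex = '^\\?PSHost\.(?<ticks>\d+)\.(?<pid>\d+)\.(?<appdomain>[^.]+)\.(?<hostname>.+)$'

$pipes = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 17; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $d = Get-EventData $_; $d['Time'] = $_.TimeCreated; [pscustomobject]$d } |
    Where-Object { $_.PipeName -match $pipeRegex } |
    ForEach-Object {
        $null      = $_.PipeName -match $pipeRegex          # repopulate $Matches in this scope
        $imageName = ([string][IO.Path]::GetFileNameWithoutExtension($_.Image)).ToLower()
        # Flag a non-default AppDomain (DSC uses DscPsPluginWkr_AppDomain), a pipe host name that
        # is not the creating image, or a creating image that is not a standard PowerShell host.
        $suspicious = ($Matches['appdomain'] -ne 'DefaultAppDomain') -or
                      ($Matches['hostname'].ToLower() -ne $imageName) -or
                      ($knownHosts -notcontains "$imageName.exe")
        [pscustomobject]@{
            Time       = $_.Time
            Image      = $_.Image
            ProcessId  = $_.ProcessId
            PipePid    = $Matches['pid']
            AppDomain  = $Matches['appdomain']
            PipeHost   = $Matches['hostname']
            Suspicious = $suspicious
        }
    }

$unmanaged | Format-Table Time, Image, ProcessId, ImageLoaded, Signed, Signature -AutoSize -Wrap
$pipes | Where-Object Suspicious | Format-Table Time, Image, ProcessId, PipePid, AppDomain, PipeHost -AutoSize -Wrap
```

The two views should agree: a process that appears under $unmanaged will normally also have created a PSHost pipe whose PipeHost is not "powershell" or "pwsh". A PSHost pipe with no matching engine load usually means image-load events are filtered out of the Sysmon configuration rather than that the engine was loaded some other way.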

PowerShell Transcript
• For DFIR investigators: look for transcript files if transcription was active. It is off unless a user ran Start-Transcript or the "Turn on PowerShell Transcription" policy (EnableTranscripting) is set, so check the policy state as part of triage.
• A transcript is a .txt document named PowerShell_transcript.<computer>.<id>.<timestamp>.txt. It is written to the user's Documents directory by default; when the policy's OutputDirectory is set, transcripts go there instead, into a subfolder named after the day (often on a central share). Each session gets its own file, and the file records every command the user typed plus all output that appeared on the console.
• The header of each transcript states the username, the machine, the host application (the command line that started PowerShell) and the process ID, which ties the file back to 4688/Sysmon 1 events.

PowerShell History File

• For DFIR investigators: look for the PSReadLine history file; it records every line typed at an interactive PowerShell console (Windows PowerShell 5.x and PowerShell 7 on Windows share the same path).
• Located in: %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, i.e. C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, one file per user profile.
• It is only written by PSReadLine in interactive console sessions: scripts run with -File or -Command, the ISE, and remote sessions leave nothing here, and an attacker can switch it off in their own session with Set-PSReadLineOption -HistorySaveStyle SaveNothing. Treat an absent or suspiciously short file as a finding in itself, and fall back to the event logs above.
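The following is an added example that is not part of the original page. It does the triage the two sections above describe: it reads which PowerShell logging sources are actually configured on the host (so you know which of the event IDs on this page can exist at all), then collects every user's ConsoleHost_history.txt and every transcript file, including the policy OutputDirectory if one is set, and searches them. The registry value names are the real policy values; the search pattern is an assumption made for illustration.

```powershell
# Added example (not code from the original page). Assumed: the search pattern below is
# illustrative; profiles live under C:\Users. Run elevated to read other users' profiles.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
function Get-PolicyValue($sub, $name) {
    try { (Get-ItemProperty -Path "$policy\$sub" -Name $name -ErrorAction Stop).$name } catch { $null }
}

# 1 = enabled, 0 = disabled, empty = not configured (then only PowerShell's built-in
# Warning-level 4104 events exist, and 4103 / transcripts do not).
[pscustomobject]@{
    ModuleLogging      = Get-PolicyValue 'ModuleLogging'      'EnableModuleLogging'
    ScriptBlockLogging = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'
    Transcription      = Get-PolicyValue 'Transcription'      'EnableTranscripting'
    TranscriptDir      = Get-PolicyValue 'Transcription'      'OutputDirectory'
    CmdLineIn4688      = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
} | Format-List

$pattern = '(?i)Invoke-Expression|\bIEX\b|FromBase64String|DownloadString|-EncodedCommand|Invoke-WebRequest|mimikatz'

# PSReadLine history: one file per user profile, same relative path for Windows PowerShell and pwsh.
$historyFiles = Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue

# Transcripts: Documents by default; the policy OutputDirectory (with its per-day subfolders) if set.
$transcriptDirs = @('C:\Users\*\Documents')
$outDir = Get-PolicyValue 'Transcription' 'OutputDirectory'
if ($outDir) { $transcriptDirs += $outDir }
$transcriptFiles = foreach ($dir in $transcriptDirs) {
    Get-ChildItem -Path $dir -Filter 'PowerShell_transcript.*.txt' -Recurse -ErrorAction SilentlyContinue
}

$hits = foreach ($f in @($historyFiles) + @($transcriptFiles)) {
    # History files carry no header, so attribute them by profile path; transcripts name the user in their header.
    $owner = if ($f.Name -like 'PowerShell_transcript.*') {
        $m = Select-String -Path $f.FullName -Pattern '^Username: (.+)$' -List
        if ($m) { $m.Matches[0].Groups[1].Value } else { '' }
    } else {
        ($f.FullName -split '\\')[2]
    }
    Select-String -Path $f.FullName -Pattern $pattern | ForEach-Object {
        [pscustomobject]@{
            Owner    = $owner
            File     = $f.FullName
            Modified = $f.LastWriteTime
            Line     = $_.LineNumber
            Text     = $_.Line.Trim()
        }
    }
}
$hits | Sort-Object File, Line | Format-Table Owner, Modified, File, Line, Text -AutoSize -Wrap
```

Read the policy block first: if ScriptBlockLogging is empty, the absence of 4104 Verbose events on the host is expected rather than evidence of tampering, and if Transcription is empty the only transcripts you will find are ones a user started by hand.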
