Automatically generated based on tag:
Title | Type | Summary | Location |
---|---|---|---|
ETW - PowerShell activity | Page | For local PowerShell activity. Windows PowerShell version 2.0 and prior versions provide few useful audit settings, thereby limiting the availability of evidence (such as a command history). Starting with PowerShell v5, PowerShell logging was enhanced, with the notable addition of Script Block Logging, which records the full contents of the PowerShell code executed (both original and deobfuscated code). While Script Block Logging is not fully enabled by default, it will record events for code containing suspicious keywords (from a Microsoft pre-defined list). | Channels: Windows PowerShell. Events: 400, 403, 500, 501, 600, 800. Microsoft-Windows-PowerShell/Operational. Events: 4100, 4103, 4104, 40961, 40962, 53504. Microsoft-Windows-AppLocker/MSI and Script. Events: 8005, 8006. |
ETW - PowerShell remoting - Destination host | Page | Destination host of a PowerShell remoting / WinRM access. Main events: Channel: Microsoft-Windows-Windows Remote Management/Operational. Event ID 91: "Creating WSMan shell on server with ResourceUri: <X>". | Channels: Microsoft-Windows-Windows Remote Management/Operational. Event: 91. Windows PowerShell. Events: 400, 403, 600, with the HostName field set to "ServerRemoteHost". |
ETW - PowerShell remoting - Source host | Page | Source host initiating a PowerShell remoting / WinRM access. Main events: Channel: Microsoft-Windows-Windows Remote Management/Operational. Event ID 6: "Creating WSMan Session. The connection string is: <REMOTE_HOST>/wsman?PSVersion=XXX". | Channel: Microsoft-Windows-Windows Remote Management/Operational. Events: 2, 4, 6, 8, 12, 15, 16, 30, 31, 33, 80, 162, 166. |
PowerShell ConsoleHost_history | Page | Starting with PowerShell v5 on Windows 10, the commands entered in a PowerShell console are logged by the PSReadline module to a user-scoped ConsoleHost_history.txt file. By default, only the last 4096 commands are stored. Information of interest: the command entered, with no associated timestamps (or any additional metadata). The execution timestamp of the last entered command can be deduced from the last write timestamp of the ConsoleHost_history file itself. | By default: <APPDATA>\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, i.e. <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. |
PowerShell Transcript | Page | PowerShell Transcript is a mechanism to record a PowerShell console session. The full console input and, depending on the transcript configuration, the stdout and stderr streams are logged to a text file. This logging mechanism, disabled by default, is the only Windows built-in feature that gives extended visibility into PowerShell console interactions, and in particular into the results of PowerShell commands entered in a console. Contrary to Script Block Logging, however, PowerShell Transcript does not include the content of scripts executed, only the commands as they are entered in the PowerShell console. PowerShell Transcript can be enabled using the Start-Transcript cmdlet, by GPO, or directly in the registry. | By default: <USERPROFILE>\Documents\PowerShell_transcript.*.txt. However, an alternative path, on the local filesystem or on a remote server, can be specified. |