Logging PowerShell activities

Hunting Fileless Malware & PowerShell Activities:
  • Event ID 4103 – Module logging – Attackers use obfuscated commands that call self-defined variables and system commands. Module logging records those commands, obfuscated or not, as pipeline execution details under Event ID 4103, giving SOC operations a record of what was actually executed. It must be enabled before the malicious commands can be captured and processed.
  • Event ID 4104 – PowerShell Script Block Logging – Captures the entire script content, including scripts executed by remote machines; for example, obfuscated scripts that are decoded and executed at run time.
  • If a script block exceeds the maximum event log message size, script block logging splits it across multiple events. Script blocks that PowerShell considers suspicious are logged at the “Warning” level.
The figure above shows the script block ID generated for the remote command execution from the computer “MSEDGEWIN10” by the security user ID S-1-5-21-3461203602-4096304019-2269080069-1000; the commands are fully encoded.
Enabling Event ID 4104 has an added benefit: obfuscated commands are decoded at run time before they are processed, and every decoded script is logged under this event ID.
The figure above shows encoded commands decoded at run time; the malicious code shown is trying to get the user's network credentials.
Event ID 4688 – Audit Process Creation with Command Line Process Auditing – Enabling this event ID records the source process that executed the malicious commands, together with its command line, once command line auditing is turned on. Command line arguments are commonly leveraged in fileless attacks.
This provides insight into the parent and child process names that initiate the PowerShell commands or command line arguments.
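The following is an added example, not part of the original page, showing how a SOC analyst can pull the Event ID 4104 records described above, stitch split script blocks back together by ScriptBlockId, and surface the ones logged at the “Warning” level or containing encoded-command markers. It assumes script block logging is already enabled and that the caller can read the Microsoft-Windows-PowerShell/Operational log; the $Hours parameter and the encoded-command regex are assumptions chosen for this example.

```powershell
# Added example: reassemble and triage PowerShell 4104 script block events.
# Assumes script block logging is enabled; $Hours is an assumed parameter.
param([int]$Hours = 24)

$filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-$Hours)
}

# 4104 EventData field order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
$fragments = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Level         = $_.LevelDisplayName   # 'Warning' = PowerShell flagged the block as suspicious
            UserSid       = $_.UserId
            MessageNumber = [int]$_.Properties[0].Value
            MessageTotal  = [int]$_.Properties[1].Value
            Text          = [string]$_.Properties[2].Value
            ScriptBlockId = [string]$_.Properties[3].Value
            Path          = [string]$_.Properties[4].Value
        }
    }

# A large script block is split over several events; rejoin them in MessageNumber order
$blocks = $fragments | Group-Object ScriptBlockId | ForEach-Object {
    $parts = @($_.Group | Sort-Object MessageNumber)
    $first = $parts[0]
    [pscustomobject]@{
        Time          = $first.Time
        Level         = $first.Level
        UserSid       = $first.UserSid
        ScriptBlockId = $_.Name
        Fragments     = "$($parts.Count)/$($first.MessageTotal)"   # fewer than total = incomplete capture
        Path          = $first.Path                                 # empty for blocks typed or passed inline
        Script        = ($parts.Text -join '')
    }
}

# Assumed triage rule: keep Warning-level blocks plus anything carrying encoded-command markers
$encodedPattern = '-[Ee]nc(odedCommand)?\b|FromBase64String'

$blocks |
    Where-Object { $_.Level -eq 'Warning' -or $_.Script -match $encodedPattern } |
    Sort-Object Time -Descending |
    Format-List Time, Level, UserSid, ScriptBlockId, Fragments, Path, Script
```

Because the decoded script is what PowerShell logs at run time, the reassembled Script field shows the plaintext that the encoded command produced, which is what the analyst reads for intent.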

Configuring PowerShell Event ID 4103/4104:

Group Policy for logging configuration:
  1. Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell.
  2. Select: Turn on Module Logging, and Select: Enabled, Select: OK
  3. Select: Turn on PowerShell Script Block Logging, and Select: Enabled, Select: Log script block invocation start/stop events.

Configuring Event ID 4688:

Group Policy for logging configuration:
  1. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking
  2. Select: Audit Process Creation, Select: Success + Failure, Select: OK
  3. Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation
  4. Select: Include command line in process creation events, Select: Enabled, Select: OK