PowerShellSecurity 1.0.0.0131
Introduction: PowerShell Security
PowerShell post-exploitation techniques are commodity malware. However, most organizations do not have the logging and transcription enabled to catch it. This Tanium content gives you a way to manage PowerShell security features with speed, scale, and simplicity across your environment. Implement the settings, then hunt down the machines where malicious PowerShell has executed.
No other automation technology or script language leaves as many fingerprints as PowerShell when properly configured. Before you can find this evidence, you must enable the policies first.
Download Location
This content is available at: https://content.tanium.com/files/published/PowerShellSecurity/2019-10-29_10-56-25_1.0.0.0131-gc1e22e8/PowerShellSecurity.xml
Usage
PowerShell Security Content
Content Overview
Using the speed and scale of Tanium, this content will help you:
- enable PowerShell logging policies
- scan the logs for a list of malicious PowerShell keywords
- alert when malicious keywords are found
- inventory PowerShell v2 feature status and remoting endpoints
- inform deeper incident analysis using Tanium Threat Response
Continue reading to understand the Windows features leveraged for these capabilities and the Tanium components used to manage them.
PowerShell Fingerprints Overview
These are the locations where PowerShell command history can be identified on an endpoint using this content.
Module Logging
- Released in PowerShell v4.
- Default with install of Windows 2012 R2 or Windows 8.1 and above.
- Configurable with Group Policy.
- Takes a comma-delimited list of PowerShell modules to enforce logging.
- Logs to Microsoft-Windows-PowerShell/Operational event 4103 and the legacy Windows PowerShell log event 800.
- All PowerShell code executed from the command line, scripts, System.Management.Automation, code in memory, etc. is logged here. Obfuscated code, once resolved to normal code, is captured in the clear. Includes details of parameter binding.
- Tanium LiveResponse Extended collection will include this with all log files.
Script Block Logging
- Released in PowerShell v5. Back-ported to PowerShell v4 with KB3000850.
- Default with install of Windows 2016 or Windows 10 and above.
- Configurable with Group Policy.
- Logs to Microsoft-Windows-PowerShell/Operational event 4104, and optionally 4105 and 4106.
- Without the policy enabled there are still cases where Microsoft will log high risk code, but this is not sufficient for our needs.
- InvocationLogging - Adds 4105 for command start and 4106 for command end. Creates significant log volume. Consider using it only for a limited investigation window; otherwise rely on the timestamps of the events themselves.
- EncryptedLogging - Only supported on Windows 10/2016 and above. Uses a document encryption certificate public key to encrypt the contents of the logged events. Helpful to hide private data contained in scripts. Breaks searching for keywords on the endpoint. Must be decrypted using the private key on a central server for analysis. Not supported in this release.
- All PowerShell code executed from the command line, scripts, System.Management.Automation, code in memory, etc. is logged here. Obfuscated code, once resolved to normal code, is captured in the clear.
- Tanium LiveResponse Extended collection will include this with all log files.
Transcription
- Released in PowerShell v5. Back-ported to PowerShell v4 with KB3000850.
- Default with install of Windows 2016 or Windows 10 and above.
- Configurable with Group Policy, but requires additional effort to clean the transcript directory.
- Captures all PowerShell sessions on the entire machine, both commands typed and output generated, to a text file transcript for each session.
- TranscriptPath - Defaults to user profile path. Recommended to use a custom path.
- InvocationLogging - Adds a banner in the text log for command start time. This is low impact and recommended.
PSReadline History
- The PSReadline module was published in the early days of PowerShell and can be loaded on many versions.
- Began automatic inclusion with PowerShell v5 on most operating systems.
- Default with install of Windows 2016 or Windows 10 and above.
- Gives Linux-like shell experience to Windows PowerShell, including persistent command history between sessions. Does not have timestamping.
- Use the Get-PSReadlineOption command to see configurable settings, including the output path of the history file (HistorySavePath) and how many command lines to record (MaximumHistoryCount, 4096 by default).
- Only captures commands from interactive PowerShell console sessions while the module is loaded. Easily bypassed by unloading the module in the session.
- This content assumes the default output path of the commandline history file.
WinRM Log
- Event 193 shows all remote authentications for WinRM PowerShell remoting sessions.
- No code is listed in this event log.
- This may be included in a future release.
Defender AMSI (Anti-Malware Scan Interface)
- Default with install of Windows 2016 or Windows 10 and above. Not supported down level.
- Logs to Microsoft-Windows-Windows Defender/Operational with event 1116 (Warning) or 1117 (Information) for potential malicious script execution.
- Other antivirus vendors are integrating with AMSI as well and may have their own logs.
- No code is listed in this event log, but it does show a possible vulnerability identification for the code that was blocked.
- This may be included in a future release.
Other PowerShell Security Concerns
Remoting
PowerShell remoting is the ability to run a command via WinRM on a remote Windows machine (port 5985 or 5986).
This is not a vulnerability and obeys all Windows permissions.
The most popular commands used for this are Enter-PSSession and Invoke-Command.
By default a user must be an administrator on the target machine.
Just Enough Administration or JEA is the ability to create restricted remote session experiences.
For example, a remote user may only be able to run 15 commands.
The entire PowerShell session experience is whitelisted (commands, providers, etc.).
Includes the ability to specify an additional transcription directory dedicated to remote connections.
Custom remoting configurations are inventoried using this PowerShell content.
Optional v2 Feature
Beginning with Windows 8 and 2012 (non-R2) Windows includes an optional feature for the PowerShell v2 engine.
This allows scripters to author v2-compliant and tested code on newer machines at higher PowerShell versions.
However, threat actors can call powershell.exe -version 2 to run malicious code and bypass the logging available in newer versions.
We recommend disabling this feature using the package provided with this content.
Event Log Size
The default event log size for the PowerShell logs is 15MB.
Obviously this rolls quickly.
Some industry experts recommend 1GB.
We recommend setting it to 1GB, then using the sensor PowerShell Policy Event Logs to monitor how many days that covers on an active machine.
Adjust accordingly for your environment.
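The following is an added example, not part of the Tanium content, that inventories the fingerprint sources and settings described above on a single endpoint (what the Policy Audit, Version Audit, Event Log Statistics and Remoting saved questions report at scale). It assumes an elevated Windows PowerShell 5.1 session and uses the machine-side Group Policy registry locations that the Windows PowerShell policy templates write.

```powershell
# Added example (not Tanium content): audit PowerShell logging fingerprints locally.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured)
    $item = Get-ItemProperty -Path (Join-Path $policyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-LogMaxMB {
    param([string]$LogName)
    # The page recommends 1GB; the OS default is 15MB
    $cfg = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
    if ($cfg) { return [math]::Round($cfg.MaximumSizeInBytes / 1MB) }
    return $null
}

function Get-PSLoggingAudit {
    # Module logging: EnableModuleLogging plus the value names under ModuleNames ('*' = all modules)
    $moduleNamesKey = Join-Path $policyRoot 'ModuleLogging\ModuleNames'
    $moduleNames = if (Test-Path $moduleNamesKey) { (Get-Item $moduleNamesKey).Property -join ',' } else { $null }

    # PSReadline history settings; the cmdlet only exists when the module is loaded
    $psrl = if (Get-Command Get-PSReadlineOption -ErrorAction SilentlyContinue) { Get-PSReadlineOption } else { $null }

    # Optional PowerShell v2 engine (bypasses v5 logging when present); DISM module is absent on Windows 7
    $v2 = try {
        if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
            Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction Stop
        }
    } catch { $null }

    # Remoting endpoints (custom session configurations are what the content inventories)
    $endpoints = try { (Get-PSSessionConfiguration -ErrorAction Stop).Name -join ',' } catch { $null }

    [PSCustomObject]@{
        ModuleLogging              = (Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
        ModuleNames                = $moduleNames
        ScriptBlockLogging         = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ScriptBlockInvocation      = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockInvocationLogging') -eq 1
        Transcription              = (Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
        TranscriptDirectory        = Get-PolicyValue 'Transcription' 'OutputDirectory'
        TranscriptInvocationHeader = (Get-PolicyValue 'Transcription' 'EnableInvocationHeader') -eq 1
        OperationalLogMaxMB        = Get-LogMaxMB 'Microsoft-Windows-PowerShell/Operational'
        LegacyLogMaxMB             = Get-LogMaxMB 'Windows PowerShell'
        PSReadlineHistoryPath      = if ($psrl) { $psrl.HistorySavePath } else { $null }
        PSReadlineMaxHistory       = if ($psrl) { $psrl.MaximumHistoryCount } else { $null }
        V2EngineState              = if ($v2) { [string]$v2.State } else { 'NotAvailable' }
        RemotingEndpoints          = $endpoints
    }
}

Get-PSLoggingAudit | Format-List
```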
Hardening
Transcript and event logs are a target for attackers to find sensitive environment information. Additionally, normal level users should not see this information. This content provides for the hardening and hiding of the transcription directory, as well as hardening the two Windows PowerShell logs mentioned above. The hardening applies a restricted Access Control List (ACL) to the directory and the event logs, viewable only by administrators or LOCAL SYSTEM. Also, it sets the transcript directory attributes to System and Hidden, causing it to disappear from normal directory listing.
For More Information
This blog post has a list of research links to learn more about PowerShell security: Who's Afraid of PowerShell Security. Minimum reading requirement is Lee Holmes' post PowerShell Hearts the Blue Team.
Tanium PowerShell Security Content Implementation
The Tanium PowerShell Security content includes visibility and control of the following Windows PowerShell features:
- Module logging
- Scriptblock logging
- Transcription
- PSReadline command history
- Remoting
- PowerShell v2 optional feature
- Event log size
- Hardening of transcript and event logs
Most of this content is exposed through the PowerShell Security Interact category and related dashboards. The dashboards group saved questions by policy, forensics, etc.
Prerequisites
The following Tanium solutions must be installed prior to the PowerShell Security content:
- Initial Content - Hardware
- Initial Content - Network
- Initial Content - OS
- Initial Content - Registry
The Windows PowerShell policies require PowerShell version 5.1. Upgrade Windows PowerShell to WMF 5.1 on machines older than Windows 10/Windows Server 2016. You can manage PowerShell policies all the way back to Windows 7/Windows Server 2008 R2 as long as the Windows PowerShell version is upgraded first. In some cases this may also require a .NET upgrade as documented in the release notes. Customers could create a Tanium package or use Tanium Deploy to do this.
How to use this content
These are recommendations for using the content to secure and monitor PowerShell in your environment:
- Add the path C:\PSTranscript to antivirus exclusions for all endpoints in scope. Adjust this path if you change it in the policy package. This is required so that antivirus will not quarantine the forensic fingerprints.
- In Tanium create an Action Group called PowerShell Security. In the Computer Groups list select the computer group(s) you want in scope for configuration. For initial deployment, select a limited computer group of test machines.
- Deploy these packages by asking the question Get Online from all machines with ( Is Windows equals True and PowerShell Version > 5 ). Select the checkbox beside the True result, and then click the Deploy Action button. Be sure to filter each package deployment by the PowerShell Security action group you created above.
- Deploy the package PowerShell Policy Set to enforce policy and event log size across the environment. Set the Reissue to 1 hour and the Distribute over time to 30 minutes.
- Use the package PowerShell Policy Clean Transcription to keep the transcript directory from growing out of control and to collect stats on the size of the directory. Set the Reissue to 7 hours and the Distribute over time to 30 minutes. Later use the results of the sensor PowerShell Policy Transcription to see the actual storage space being used on endpoints and adjust accordingly.
- Use the package PowerShell Policy Hardening to harden transcription and logging. It will hide and secure the transcript directory. The transcript output directory must be a local file system path and cannot end with a trailing slash "\". It will harden the ACL on both PowerShell event logs. Note that for the event log hardening to completely take effect, the endpoint may need to restart the EventLog service or reboot. Set the Reissue to 5 hours and the Distribute over time to 30 minutes.
- Use the package PowerShell Search CommandHistory to scan available command history sources for known malicious commands. Set the Reissue to 1 hour and the Distribute over time to 30 minutes. This package is required before the command history sensors can be used. You might want to do this more frequently on high value endpoints, since we do not have immediate alerting capability with this content. It processes the logs and stores the output in the Tanium client tools directory under \Search-PS\. Optionally you can customize the patterns.txt file for other PowerShell commands to monitor in your environment and to tune out false positives. All lines in patterns.txt are searched across these command history locations:
  - Module logging - 4103 events for the last six hours
  - Module logging legacy - 800 events for the last six hours
  - Script block logging - 4104 events for the last six hours
  - Transcription history for the last six hours
  - All PSReadline command history (no timestamping capability for searching, however it will only search this file if it was modified in the last six hours)
- Use the package PowerShell FeatureV2 Disable to disable the PowerShell v2 feature for all machines. Test this in small batches first. Only target machines where the feature is enabled. Set the Reissue to 5 hours and the Distribute over time to 30 minutes.
- Deploy the package
- Adjust the saved question PowerShell Forensics By Endpoint to reissue on the same frequency as the PowerShell Search CommandHistory package. Set up a connection in Tanium Connect to send this saved question to your alerting tool of choice and filter for new items based on an index of the first two columns. Investigate these alerted machines.
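To make the PowerShell Policy Set step concrete, here is an added example (not the package's PowerShellPolicySet.vbs) that applies the same machine-side settings directly, so you can verify which registry values the package manages and what the policy looks like on an endpoint. It assumes an elevated Windows PowerShell 5.1 session; the registry paths are the Group Policy locations for these settings, and the defaults mirror the package defaults (C:\PSTranscript, 1GB logs, all modules logged, invocation logging off).

```powershell
# Added example (not Tanium content): enforce the logging policy and log sizes locally.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    # Creates the policy key when missing and writes (or overwrites) the value
    $key = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Set-PSLoggingPolicy {
    param(
        [string]$TranscriptDir = 'C:\PSTranscript',   # local path, no trailing backslash
        [int]$EventLogSizeKB = 1048576                 # 1GB, the page's recommendation (OS default is 15MB)
    )
    if ($TranscriptDir.EndsWith('\')) {
        throw 'OutputDirectory must not end with a backslash (it breaks the hardening package).'
    }

    # Module logging for every module: '*' is written as a value name under ModuleNames
    Set-PolicyValue 'ModuleLogging' 'EnableModuleLogging' 1
    Set-PolicyValue 'ModuleLogging\ModuleNames' '*' '*' 'String'

    # Script block logging on; start/stop invocation events (4105/4106) off because of their volume
    Set-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging' 1
    Set-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockInvocationLogging' 0

    # Transcription to a dedicated local directory, with a timestamp header for each command
    Set-PolicyValue 'Transcription' 'EnableTranscripting' 1
    Set-PolicyValue 'Transcription' 'EnableInvocationHeader' 1
    Set-PolicyValue 'Transcription' 'OutputDirectory' $TranscriptDir 'String'
    if (-not (Test-Path $TranscriptDir)) { New-Item -ItemType Directory -Path $TranscriptDir | Out-Null }

    # Maximum size for both PowerShell event logs; wevtutil takes the size in bytes
    $bytes = [int64]$EventLogSizeKB * 1KB
    foreach ($log in 'Microsoft-Windows-PowerShell/Operational', 'Windows PowerShell') {
        & wevtutil.exe sl $log "/ms:$bytes"
    }
}

Set-PSLoggingPolicy
```

Remember that these policy keys are not hardened by the content (see Design Limitations), so a periodic re-apply, as the package's Reissue setting provides, is what keeps them in place.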
How to adjust the search keywords
As you discover keywords in the environment you may uncover false positives. You may also want to add other keywords of interest to find in the PowerShell logs and transcripts.
NOTE: The default patterns.txt file is not inclusive of all exploits and cannot be held liable for missing other malicious commands used in your environment. It is intended to be a sample that is expanded by users. If you find commands that should be added or removed, please email them to [email protected].
Here are the steps to update the keyword search list:
- Go to this package: main menu, Content, Packages, PowerShell Search Command History.
- Check the box beside the package and choose Edit.
- Scroll down to the file attachments and download the patterns.txt file to your local machine.
- Edit the file to remove false positives and/or add new keywords. Save it.
- Back in the Tanium package console, remove the current patterns.txt file on the package using the trash can icon.
- Add a local file to the package and select the version of the file you just updated.
- Save the package. The old version of the file is still cached on the package scheduled to scan the environment. You must now delete the old scheduled action and recreate it:
  - Go to Scheduled Actions: main menu, Actions, Scheduled Actions.
  - Identify the action(s) currently deploying the package PowerShell Search CommandHistory.
  - Open the package and document the settings (Distribute Over Time, Reissue, etc.).
  - Delete this package.
  - Go to Interact and ask the question get online from all machines.
  - Check the box for True and choose Deploy Action.
  - Set up the package deployment using the settings from the previous action you documented. At the bottom be sure to filter by the Action Group you created for the PowerShell Security deployment.
  - Deploy the action.
PowerShell Forensics Workflow
The content features described so far will identify the machines where specific malicious commands have been used. Use the Tanium Threat Response module to investigate these machines and commands further.
- Deploy content per instructions above.
- In Tanium Interact, favorite and use the PowerShell Forensics dashboard to see hits in the environment. Drill down on a specific keyword or endpoint for more information.
- Deploy the [Threat Response] Live Response - Windows or Live Response - Windows package (if owned) and use the custom collection template found in this guide to retrieve the local client transcripts, PSReadline history, and event log files.
- Optionally use the Live Connection feature of Threat Response to connect to the endpoint, and then use the Live File Browser to select and download the files listed in the custom collection json below.
- The file collection list includes the \Search-PS\ directory contents under the Tanium client path. The files with a .raw extension will provide the exact strings to find in the logs and the file paths of the transcript and PSReadline files containing the evidence.
- Look for the keywords from the PowerShell Forensics dashboard in these files transferred from the endpoint.
- The transcription files will include date, time, and process ID (PID), which can then be correlated with Trace or Threat Response data from the endpoint for greater context around the malicious incident.
- Create a Tanium Connect connection using the saved question PowerShell Forensics By Endpoint to send results to your SIEM (Splunk, QRadar, etc.) hourly. Add a filter to the connection to only send new items.
- Configure notifications from the SIEM to send alerts on new findings.
The (pre-Threat Response) Tanium Live Response package default Extended collection will get all the Windows event logs, including the PowerShell logs.
To collect only the PowerShell logs plus all of the other command history sources (transcripts, PSReadline history, Tanium sensor result files), create a Tanium Live Response Custom_Collection.json file as below and replace the default file on the package.
Put the code below into the custom json file:
{
"options": {
"disk_info": false,
"copy": true,
"depth": 0,
"max_num_files": 100,
"raw": false,
"raw_fallback": true,
"hashes": ["md5","sha256"],
"log_level": "info"
},
"files": [{
"name": "PSReadline history",
"path": "%APPDATA%\\Microsoft\\Windows\\PowerShell\\PSReadline\\",
"regex": ".*txt$",
"enabled": true,
"order": 1
},
{
"name": "Transcripts",
"path": "C:\\PSTranscript\\",
"regex": ".*txt$",
"enabled": true,
"depth": 2,
"order": 2
},
{
"name": "Search command history package output (64 bit)",
"path": "%ProgramFiles(x86)%\\Tanium\\Tanium Client\\Tools\\Search-PS\\",
"regex": ".*$",
"raw": true,
"enabled": true,
"depth": 1,
"order": 3
},
{
"name": "Search command history package output (32 bit)",
"path": "%ProgramFiles%\\Tanium\\Tanium Client\\Tools\\Search-PS\\",
"regex": ".*$",
"raw": true,
"enabled": true,
"depth": 1,
"order": 4
},
{
"name": "Event Logs",
"path": "%SystemDrive%\\Windows\\System32\\winevt\\Logs\\",
"regex": "(.*PowerShell.*\\.evtx)|(.*WinRM.*\\.evtx)|(.*Defender.*Operational\\.evtx)",
"enabled": true,
"order": 5
}
]
}
Optionally you can build a Threat Response ad-hoc collector for file acquisition by manually entering the file path data above.
This will pull back all related Windows event logs, transcripts, PSReadline command history, and the sensor data files to give you clues where to look for the offending patterns. Adjust the file path for the location where you have configured transcript files to go.
NOTE: Antivirus on the destination file transfer server may delete the files containing known malware patterns. Take this into account for antivirus exclusions.
WARNING: If you analyze these log files with PowerShell on a machine that has the policies enabled, then you will corrupt the logs with known-bad strings in your research process. In other words, you will be entering the bad keywords into the logs in the act of searching for them, thus corrupting your logs. Be sure to do this analysis on a dedicated machine.
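For the dedicated analysis machine, the following added example (not the package's search-ps.vbs) applies a patterns.txt keyword list to the artifacts that the collection above pulls back: the .evtx files (events 4103, 4104 and 800), the transcripts and the PSReadline history. The collection folder path is a constructed assumption, and patterns are read from the file at run time so the keywords never sit in the script text itself (which would be logged if the script were ever run on a policy-enabled machine).

```powershell
# Added example (not Tanium content): offline keyword search over collected PowerShell artifacts.
function Search-PSArtifacts {
    param(
        [Parameter(Mandatory)][string]$CollectionRoot,   # folder holding the unpacked Live Response files
        [string]$PatternFile = (Join-Path $CollectionRoot 'patterns.txt'),
        [datetime]$Since                                 # optional window, like the package's six hours
    )
    $patterns = @(Get-Content $PatternFile | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($patterns.Count -eq 0) { throw "No patterns found in $PatternFile" }
    $ignoreCase = [System.StringComparison]::OrdinalIgnoreCase

    # Event logs: 4103 (module logging), 4104 (script block logging), 800 (legacy Windows PowerShell log)
    foreach ($evtx in Get-ChildItem -Path $CollectionRoot -Recurse -Filter '*.evtx') {
        $filter = @{ Path = $evtx.FullName; Id = 4103, 4104, 800 }
        if ($PSBoundParameters.ContainsKey('Since')) { $filter.StartTime = $Since }
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            if (-not $e.Message) { continue }   # message could not be rendered (provider metadata missing)
            foreach ($p in $patterns) {
                if ($e.Message.IndexOf($p, $ignoreCase) -ge 0) {
                    [PSCustomObject]@{
                        Source  = $evtx.Name
                        EventId = $e.Id
                        Time    = $e.TimeCreated
                        Pattern = $p
                        Context = $e.Message.Substring(0, [math]::Min(200, $e.Message.Length))
                    }
                }
            }
        }
    }

    # Transcripts and PSReadline history are plain text. Transcripts carry a timestamp
    # header per session/command; PSReadline history does not, so only the file time applies.
    $patternFull = (Resolve-Path $PatternFile).Path
    $textFiles = Get-ChildItem -Path $CollectionRoot -Recurse -Filter '*.txt' |
        Where-Object { $_.FullName -ne $patternFull }
    if ($PSBoundParameters.ContainsKey('Since')) {
        $textFiles = $textFiles | Where-Object { $_.LastWriteTime -ge $Since }
    }
    foreach ($txt in $textFiles) {
        # -SimpleMatch: the keywords are literal strings, not regular expressions
        foreach ($hit in Select-String -Path $txt.FullName -Pattern $patterns -SimpleMatch) {
            [PSCustomObject]@{
                Source  = $txt.FullName
                EventId = $null
                Time    = $txt.LastWriteTime
                Pattern = $hit.Pattern
                Context = $hit.Line.Trim()
            }
        }
    }
}

# Constructed path for an unpacked collection from one endpoint
Search-PSArtifacts -CollectionRoot 'C:\Cases\endpoint01' | Format-Table -AutoSize
```

Pass -Since to reproduce the package's six-hour window; without it every collected event and file is searched.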
Design Limitations
- The default patterns.txt file is not inclusive of all exploits and cannot be held liable for missing other malicious commands used in your environment. It is intended to be a sample that is expanded by users. If you find commands that should be added or removed, please email them to [email protected].
- The PowerShell policy GPO settings are managed and reported on the Computer/Machine side only (not User side, because you want to capture all activity on the machine).
- If the GPO for execution policy is set on a machine, it may block execution of some packages in this content (PowerShell Remoting Disable, PowerShell Remoting Enable, etc.). In an emergency you may need to override this with the package that directly deletes this policy from the machine side of the registry (PowerShell Policy Remove GPOExecutionPolicy). After running this package on an endpoint you can reissue the packages that were blocked. However, GPO can reapply the setting at any random interval of one minute to two hours. Domain Controllers refresh GPO every five minutes. Package results are not guaranteed in this case.
- AppLocker or DeviceGuard could potentially block Tanium PowerShell content execution if the Tanium Client path is not excluded. This would impact other Tanium modules as well.
- There is no log suppression for repeated events built into the sensors. They are designed to report on any activity in the last six hours (except for PSReadline history which does not have date/time data.) However, you can send output through Tanium Connect and filter for only new items.
- DO NOT add “Invoke-Expression” to the patterns file for searching command history. This cmdlet, while contrary to PowerShell best practices, is common in use and will trigger false positives. It also catches some Tanium Content executing PowerShell using that method as well.
- The policy registry keys are not hardened. Some malware may evade logging by deleting the registry keys and/or transcript files. The transcript files and event logs can be hardened with the respective package.
- Do not put the transcription output directory on a network share when using this content. The sensors and packages are designed to work with a local directory.
Known Issues
- Do not end the transcription directory path with a "\". This will break the hardening package.
- Do not apply the transcription hardening package to machines running PowerShell v4 (Windows 8.1 and Windows Server 2012 R2 natively unless WMF 5.1 has been installed, or older operating systems that have installed WMF 4.0). Transcription hardening will break PowerShell in v4.
- Event log hardening may require a restart of the EventLog service or a reboot to take effect fully.
- PowerShell Transcription is known to break some applications: Citrix, Active Directory Administration Center (ADAC, the PowerShell-based tool, not ADUC). Exclude Citrix from the PowerShell Transcription policy; Script Block Logging and Module Logging are safe.
- If using VSCode to edit PowerShell scripts, the Script Analyzer functionality in the background will generate logging activity. This should be addressed in a future release of the PowerShell Extension for VSCode.
- The Transcription directory needs to be added to antivirus exceptions on endpoints. If malicious strings are found in the transcript directory, then antivirus products may quarantine the file, removing this evidence which is otherwise harmless. Then the content cannot identify that fingerprint in transcription, although the event logs should still be intact. The same goes for the Live Response destination server where evidence will be transferred.
- Some reports from the field claim that a certain Microsoft System Center component may rely on PowerShell v2 engine to be installed. Test this carefully before removing everywhere. Windows 10 default is that the PowerShell v2 engine is installed but missing required .NET version to function.
Release History
v1.0.0.131 - November 2019 - Updated patterns.txt in the search package to remove false positives.
v1.0.0.122 - October 2019 - Updated patterns.txt in the search package to include all known Empire PowerShell functions.
v1.0.0.120 - September 2019 - Added hardening and reporting for event logs. Removed deprecated content. Revised the saved questions and dashboards.
v1.0.0.95 - August 2019 - Added package to harden transcription directory, enhanced Clean Transcription package to drop a file with directory stats & adjusted transcription sensor to collect it.
v1.0.0.66 - July 2019 - Updated package Search Command History to only return the matching strings. Added CommandHistory Summary sensors.
v1.0.0.58 - June 2019 - Consolidated policy packages and event log size package into a single package. Added ModuleLoggingLegacy sensors. Added script signing.
v1.0.0.39 - November 2018 - Refactor of many PowerShell sensors (12) and packages (5) to VBScript
v1.0.0.28 - November 2018 - First release
Support Information
This content was created by TAM Ashley McGlone [email protected]. Contact him for questions or support.
Dashboard Groups
PowerShell Security
Dashboards:
Dashboards
PowerShell Policy
Saved questions:
- PowerShell Version Audit
- PowerShell Policy Audit
- PowerShell Policy Event Log Statistics
- PowerShell ExecutionPolicy
- PowerShell ExecutionPolicy GPO Machine
PowerShell Forensics
Saved questions:
PowerShell Remoting
Saved questions:
PowerShell Security Targeting
Saved questions:
Questions
PowerShell ExecutionPolicy
Get PowerShell ExecutionPolicy from all machines with Is Windows equals true
PowerShell ExecutionPolicy GPO Machine
Get Registry Value Data[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell,EnableScripts] and Registry Value Data[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell,ExecutionPolicy] from all machines with Is Windows equals true
PowerShell FeatureV2
Get Computer Name and Operating System and PowerShell Version and PowerShell FeatureV2 from all machines with Operating System contains windows
PowerShell Forensics Summary
Get PowerShell CommandHistory Details Summary from all machines with ( Operating System contains windows and all PowerShell CommandHistory Details Summary not equals No results )
PowerShell Forensics By Endpoint
Get Computer Name and PowerShell CommandHistory Details Summary and PowerShell CommandHistory Details ModuleLogging and PowerShell CommandHistory Details ModuleLoggingLegacy and PowerShell CommandHistory Details ScriptBlockLogging and PowerShell CommandHistory Details Transcription and PowerShell CommandHistory Details PSReadline from all machines with ( Operating System contains windows and all PowerShell CommandHistory Details Summary not equals No results )
PowerShell PSSessionConfiguration
Get PowerShell PSSessionConfiguration from all machines with ( Is Windows equals true and PowerShell Remoting Enabled equals True )
PowerShell Policy Audit
Get PowerShell Policy Transcription and PowerShell Policy ScriptBlockLogging and PowerShell Policy ModuleLogging from all machines with ( Is Windows equals true and PowerShell Version > 4 )
PowerShell Policy Event Log Statistics
Get PowerShell Policy Event Logs from all machines with ( Is Windows equals true and PowerShell Version > 4 )
PowerShell Remoting
Get Windows OS Type and Operating System and PowerShell Remoting Enabled from all machines with ( Is Windows equals true and PowerShell Version > 2 )
PowerShell Set Remoting
Get PowerShell Remoting Enabled from all machines with Operating System contains windows
Packages:
PowerShell Version Audit
Get Operating System and PowerShell Version and PowerShell FeatureV2 from all machines with Is Windows equals true
Packages
PowerShell FeatureV2 Disable
This package contains 1 file and 0 sensors.
Properties:
- Command Line: cmd /c nativelauncher.cmd dism /online /disable-feature /featurename:MicrosoftWindowsPowerShellV2
- Command Timeout: 60
Files:
- nativelauncher.cmd
PowerShell FeatureV2 Enable
This package contains 1 file and 0 sensors.
Properties:
- Command Line: cmd /c nativelauncher.cmd dism /online /enable-feature /featurename:MicrosoftWindowsPowerShellV2
- Command Timeout: 60
Files:
- nativelauncher.cmd
PowerShell Policy Clean Transcription
This package contains 1 file and 0 sensors.
Properties:
- Command Line: powershell.exe -NoLogo -NoProfile -NonInteractive -OutputFormat Text -ExecutionPolicy ByPass -File PowerShellPolicyTranscriptionClean.ps1 "$1"
- Command Timeout: 180
Parameters:
- Retention Time in Days (Numeric, default 14): Number of days to keep PowerShell transcription policy logs. Everything older will be deleted.
Files:
- PowerShellPolicyTranscriptionClean.ps1
PowerShell Policy Remove GPOExecutionPolicy
This package contains 1 file and 0 sensors.
Properties:
- Command Line: cmd.exe /c cscript.exe //E:VBScript //T:60 PowerShellPolicyRemoveGPOExecutionPolicy.vbs
- Command Timeout: 60
Files:
- PowerShellPolicyRemoveGPOExecutionPolicy.vbs
PowerShell Policy Set
This package contains 1 file and 0 sensors.
Properties:
- Command Line: cmd.exe /c cscript.exe //E:VBScript //T:60 PowerShellPolicySet.vbs "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "$10" "$11" "$12" "$13"
- Command Timeout: 60
Parameters:
- CONFIGURE TRANSCRIPTION (Checkbox, default UnChecked): Check this box to configure transcription.
- EnableTranscripting (Checkbox, default UnChecked): Clear checkbox to disable.
- OutputDirectory (Text, default C:\PSTranscript): Must be a valid file path, local to the endpoint. Cannot end with a slash.
- EnableInvocationHeader (Checkbox, default UnChecked): Adds date and time stamp for each command logged.
- CONFIGURE SCRIPT BLOCK LOGGING (Checkbox, default UnChecked): Check this box to configure script block logging.
- EnableScriptBlockLogging (Checkbox, default UnChecked): Clear checkbox to disable.
- EnableScriptBlockInvocationLogging (Checkbox, default UnChecked): Adds log events for start/stop of each command. Preferred to leave this disabled due to high logging volume.
- CONFIGURE MODULE LOGGING (Checkbox, default UnChecked): Check this box to configure module logging.
- EnableModuleLogging (Checkbox, default UnChecked): Clear checkbox to disable.
- ModuleNames (Text, default *): Comma-delimited list of module names for logging enforcement. Wildcards permitted. A single asterisk (*) will log all modules.
- SET EVENT LOG SIZE (Checkbox, default UnChecked): Check this box to configure event log sizes.
- Microsoft-Windows-PowerShell/Operational (Numeric, default 1048576): Primary log. Events 4103-4106. OS default is 15MB.
- Windows PowerShell (Numeric, default 1048576): Legacy log for event 800 Module Logging. OS default is 15MB.
Files:
- PowerShellPolicySet.vbs
PowerShell Policy Hardening
This package contains 2 files and 0 sensors.
Properties:
- Command Line: cmd /c psharden.bat $1 $2 $3 $4
- Command Timeout: 60
Parameters:
- CONFIGURE TRANSCRIPTION HARDENING (Checkbox, default UnChecked)
- Hide and secure the transcription directory (Checkbox, default UnChecked): Sets Transcription OutputDirectory attributes to system and hidden. Allows Everyone write and full control to only administrators and SYSTEM. Clear the checkbox to un-harden. NOTE: Transcript directory path must not end with a backslash.
- CONFIGURE EVENT LOG HARDENING (Checkbox, default UnChecked)
- Secure the event logs (Checkbox, default UnChecked): Harden both the [Microsoft-Windows-PowerShell/Operational] and [Windows PowerShell] event logs. Clear the checkbox to un-harden.
Files:
- PowerShellPolicySetEventLogsHarden.vbs
- psharden.bat
PowerShell Remoting Disable
This package contains 0 files and 0 sensors.
Properties:
- Command Line: cmd /c powershell.exe -NoLogo -NoProfile -NonInteractive -OutputFormat Text -ExecutionPolicy ByPass -Command "& {Disable-PSRemoting -Force;Set-Service -Name WinRM -StartupType Disabled;Stop-Service WinRM}"
- Command Timeout: 60
PowerShell Remoting Enable
This package contains 0 files and 0 sensors.
Properties:
- Command Line: cmd /c powershell.exe -NoLogo -NoProfile -NonInteractive -OutputFormat Text -ExecutionPolicy ByPass -Command "& {Enable-PSRemoting -Force}"
- Command Timeout: 60
PowerShell Search CommandHistory
This package contains 3 files and 0 sensors.
Properties:
- Command Line: cmd /c search-ps.bat
- Command Timeout: 300
Files:
- search-ps.bat
- search-ps.vbs
- patterns.txt
Sensors
PowerShell CommandHistory Details ModuleLogging
Returns content of command history containing known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.
Supported Platforms:
- Platform: Windows; Query Type: VBScript
PowerShell CommandHistory Details ModuleLoggingLegacy
Returns content of command history containing known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.
Supported Platforms:
- Platform: Windows; Query Type: VBScript
PowerShell CommandHistory Details PSReadline
Returns content of command history containing known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.
Supported Platforms:
- Platform: Windows; Query Type: VBScript
PowerShell CommandHistory Details ScriptBlockLogging
Returns content of command history containing known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.
Supported Platforms:
- Platform: Windows; Query Type: VBScript
PowerShell CommandHistory Details Summary
Returns content of command history containing known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.
Supported Platforms:
- Platform: Windows; Query Type: VBScript
PowerShell CommandHistory Details Transcription
Returns content of command history containing known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.
Supported Platforms:
- Platform: Windows; Query Type: VBScript
PowerShell CommandHistory ModuleLogging
Returns "true" if command history contains known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.
Supported Platforms:
- Platform: Windows; Query Type: VBScript
PowerShell CommandHistory ModuleLoggingLegacy
Returns "true" if command history contains known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.
Supported Platforms:
- Platform: Windows; Query Type: VBScript
PowerShell CommandHistory PSReadline
Returns "true" if command history contains known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.
Supported Platforms:
- Platform: Windows; Query Type: VBScript
PowerShell CommandHistory ScriptBlockLogging
Returns "true" if command history contains known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.
Supported Platforms:
- Platform: Windows; Query Type: VBScript
PowerShell CommandHistory Summary
Returns "true" if command history contains known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.
Supported Platforms:
- Platform: Windows; Query Type: VBScript
PowerShell CommandHistory Transcription
Returns "true" if command history contains known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.
Supported Platforms:
- Platform: Windows; Query Type: VBScript
PowerShell ExecutionPolicy
Runs Get-ExecutionPolicy -List to show the execution policy set at every scope.
Columns:
- Scope (Text)
- ExecutionPolicy (Text)
Supported Platforms:
- Platform: Windows; Query Type: PowerShell
PowerShell FeatureV2
For Windows versions newer than Windows 7/2008 R2, determines whether the PowerShell v2 engine Windows feature is installed. If it is enabled, it is a potential security risk: version downgrade attacks start the v2 engine to avoid detection by the logging and transcription policies.
Supported Platforms:
- Platform: Windows; Query Type: PowerShell
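The downgrade risk the sensor describes has two observable sides: whether the v2 engine feature is still present, and whether any session on the host has actually started under engine 2.0. The function below is an added example for this page, not the sensor's own code; it checks both and can optionally remove the feature. Get-PowerShellV2Exposure is an assumed name, the feature names are the ones DISM uses on Windows 8/Server 2012 and later, and the cmdlets used require an elevated session.

```powershell
# Added example, not the Tanium sensor's own code. Reports whether the Windows PowerShell 2.0
# engine feature is present (the downgrade target) and whether any session on this host has
# already started under engine 2.0, which the classic "Windows PowerShell" log records as
# event 400 ("Engine state is changed from None to Available") with EngineVersion=2.0.
# Requires an elevated session on Windows 8 / Server 2012 or later.
function Get-PowerShellV2Exposure {
    [CmdletBinding()]
    param([switch] $Disable)   # opt-in removal of the v2 feature (no reboot is forced)

    $features = Get-WindowsOptionalFeature -Online -ErrorAction Stop |
        Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' }
    $enabled = @($features | Where-Object { $_.State -eq 'Enabled' })

    # Engine 2.0 does not emit script block or module logging, but the engine start itself
    # is still recorded in the legacy log, so event 400 is the detection hook.
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400 }
    $v2Starts = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
                  Where-Object { $_.Message -match 'EngineVersion=2\.0' })
    $lastStart = $null
    if ($v2Starts.Count -gt 0) {
        $lastStart = ($v2Starts | Sort-Object TimeCreated -Descending)[0].TimeCreated
    }

    if ($Disable -and $enabled.Count -gt 0) {
        # Disabling the root feature removes the child engine feature with it.
        $null = Disable-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -NoRestart
    }

    [pscustomobject]@{
        V2FeatureInstalled = ($enabled.Count -gt 0)
        V2Features         = ($features | ForEach-Object { "$($_.FeatureName)=$($_.State)" }) -join ';'
        V2EngineStarts     = $v2Starts.Count
        LastV2EngineStart  = $lastStart
    }
}

# Report only; add -Disable to remove the feature after confirming nothing depends on it.
Get-PowerShellV2Exposure
```

A host where V2FeatureInstalled is false but V2EngineStarts is greater than zero is worth a closer look: the engine was used before the feature was removed, and those sessions left no script block or module log entries.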
PowerShell PSSessionConfiguration
Displays the remoting session configurations and, for each one, true/false whether it is a default configuration. Use it to identify custom remoting endpoints such as JEA.
Columns:
- Name (Text)
- IsDefault (Text)
Supported Platforms:
- Platform: Windows; Query Type: PowerShell
PowerShell PSVersionTable
Reports the $PSVersionTable properties. Use them to see the specifics of the PowerShell versions in the environment.
Columns:
- Property (Text)
- Value (Text)
Supported Platforms:
- Platform: Windows; Query Type: PowerShell
PowerShell Policy Event Logs
Reports on the size, age, and hardening status of the two PowerShell event logs.
Columns:
- LogName (Text)
- ActualSizeIn16MB (Numeric)
- MaxSizeInMB (Numeric)
- OldestEventInWeeks (Numeric)
- IsHardened (Text)
- SDDL (Text, hidden)
Supported Platforms:
- Platform: Windows; Query Type: PowerShell
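The size, age and channel-ACL facts this sensor reports are all available from the event log configuration object. The function below is an added example for this page, not the sensor's own code; it reports sizes in plain MB rather than the sensor's 16 MB buckets. The page does not define what "hardened" means for the log ACL, so the IsHardened value here uses this example's own working definition, stated as an assumption: the channel DACL grants nothing to Everyone (WD), Authenticated Users (AU), Builtin\Users (BU) or Interactive (IU). Get-PowerShellEventLogStatus is an assumed name.

```powershell
# Added example, not the Tanium sensor's own code. Reports for the two PowerShell logs the
# facts the "PowerShell Policy Event Logs" sensor columns describe: current size, maximum size,
# age of the oldest event and the channel SDDL. IsHardened is this example's own definition
# (an assumption, not Tanium's): no Allow ACE for the broad principals listed below.
function Get-PowerShellEventLogStatus {
    # SDDL abbreviations: WD = Everyone, AU = Authenticated Users, BU = Builtin\Users,
    # IU = Interactive. Any Allow ACE for these lets non-administrators read the log.
    $broadPrincipals = @('WD', 'AU', 'BU', 'IU')

    foreach ($name in 'Microsoft-Windows-PowerShell/Operational', 'Windows PowerShell') {
        $log  = Get-WinEvent -ListLog $name -ErrorAction Stop
        $sddl = $log.SecurityDescriptor

        # Each SDDL ACE has the form (type;flags;rights;object_guid;inherit_guid;sid).
        # Collect the SID (or SID alias) of every Allow ACE.
        $allowedSids = [regex]::Matches($sddl, '\(A;[^;]*;[^;]*;[^;]*;[^;]*;([^)]+)\)') |
            ForEach-Object { $_.Groups[1].Value }
        $broadAllowed = @($allowedSids | Where-Object { $broadPrincipals -contains $_ })

        # -Oldest reads from the start of the log, so one record gives the oldest event.
        $oldest   = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        $ageWeeks = $null
        if ($oldest) {
            $ageWeeks = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays / 7, 1)
        }

        [pscustomobject]@{
            LogName            = $name
            ActualSizeInMB     = [math]::Round($log.FileSize / 1MB, 1)
            MaxSizeInMB        = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
            OldestEventInWeeks = $ageWeeks
            IsHardened         = ($broadAllowed.Count -eq 0)
            BroadPrincipals    = ($broadAllowed -join ',')
            SDDL               = $sddl
        }
    }
}

Get-PowerShellEventLogStatus | Format-List
```

OldestEventInWeeks is the practical retention figure: if it is shorter than the time between an intrusion and its discovery, the log has already rolled over, which is why the sensor reports MaxSizeInMB next to it.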
PowerShell Policy ModuleLogging
Reports the computer policy settings for PowerShell module logging. Does not report the user policy settings.
Columns:
- EnableModuleLogging (Text)
- ModuleNames (Text)
Supported Platforms:
- Platform: Windows; Query Type: VBScript
PowerShell Policy ScriptBlockLogging
Reports the computer policy settings for PowerShell script block logging. Does not report the user policy settings.
Columns:
- EnableScriptBlockLogging (Text)
- EnableScriptBlockInvocationLogging (Text)
Supported Platforms:
- Platform: Windows; Query Type: VBScript
PowerShell Policy Transcription
Reports the computer policy settings for PowerShell transcription. (Does not report the user policy settings.) Reports the hardening status and file statistics of the transcription output directory. The file statistics rely on the package PowerShell Policy Clean Transcription to update the statistics.
Columns:
- EnableTranscripting (Text)
- OutputDirectory (Text)
- EnableInvocationHeader (Text)
- IsHidden (Text)
- IsHardened (Text)
- FileCountBy100 (Numeric)
- DirectorySizeIn5MB (Numeric)
- OldestFileInWeeks (Numeric)
Supported Platforms:
- Platform: Windows; Query Type: VBScript
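The three policy sensors above (ModuleLogging, ScriptBlockLogging and Transcription) all read the computer-policy keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell. The function below is one added example covering all three, written for this page rather than taken from the sensors' VBScript; it reads HKLM only (user policy under HKCU is intentionally not consulted, matching the sensors) and computes the transcription directory statistics in the same bucketed units the Transcription sensor's columns use. Get-PowerShellLoggingPolicy and the nested Read-PolicyValue helper are assumed names.

```powershell
# Added example, not the Tanium sensors' own VBScript. Reads the computer policy for module
# logging, script block logging and transcription from HKLM, and gathers transcription
# directory statistics. A value that is absent from the registry is reported as
# "NotConfigured" rather than 0: "not configured" leaves the PowerShell default in effect,
# while an explicit 0 disables the feature, and the two should not be confused in a report.
function Get-PowerShellLoggingPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    function Read-PolicyValue([string] $Key, [string] $Name) {
        $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { 'NotConfigured' } else { $item.$Name }
    }

    # Module logging: the EnableModuleLogging DWORD plus the ModuleNames subkey, whose value
    # names are the module name patterns ("*" means every module).
    $modKey   = "$base\ModuleLogging"
    $modNames = Get-Item -LiteralPath "$modKey\ModuleNames" -ErrorAction SilentlyContinue
    $moduleNames = ''
    if ($modNames) {
        $moduleNames = ($modNames.GetValueNames() | Where-Object { $_ -ne '' }) -join ','
    }

    $sbKey  = "$base\ScriptBlockLogging"
    $trKey  = "$base\Transcription"
    $outDir = Read-PolicyValue $trKey 'OutputDirectory'

    # Transcription directory statistics, bucketed like the sensor columns (files / 100,
    # size / 5 MB, age of the oldest file in whole weeks).
    $stats = @{ IsHidden = $null; FileCountBy100 = $null; DirectorySizeIn5MB = $null; OldestFileInWeeks = $null }
    if (-not [string]::IsNullOrEmpty($outDir) -and $outDir -ne 'NotConfigured' -and
        (Test-Path -LiteralPath $outDir -PathType Container)) {
        $files = @(Get-ChildItem -LiteralPath $outDir -Recurse -File -Force -ErrorAction SilentlyContinue)
        $attrs = (Get-Item -LiteralPath $outDir -Force).Attributes
        [long] $totalBytes = ($files | Measure-Object -Property Length -Sum).Sum
        $stats.IsHidden           = [bool]($attrs -band [IO.FileAttributes]::Hidden)
        $stats.FileCountBy100     = [math]::Floor($files.Count / 100)
        $stats.DirectorySizeIn5MB = [math]::Floor($totalBytes / 5MB)
        $stats.OldestFileInWeeks  = 0
        $oldest = $files | Sort-Object LastWriteTime | Select-Object -First 1
        if ($oldest) {
            $stats.OldestFileInWeeks = [math]::Floor(((Get-Date) - $oldest.LastWriteTime).TotalDays / 7)
        }
    }

    [pscustomobject]@{
        EnableModuleLogging                = Read-PolicyValue $modKey 'EnableModuleLogging'
        ModuleNames                        = $moduleNames
        EnableScriptBlockLogging           = Read-PolicyValue $sbKey 'EnableScriptBlockLogging'
        EnableScriptBlockInvocationLogging = Read-PolicyValue $sbKey 'EnableScriptBlockInvocationLogging'
        EnableTranscripting                = Read-PolicyValue $trKey 'EnableTranscripting'
        EnableInvocationHeader             = Read-PolicyValue $trKey 'EnableInvocationHeader'
        OutputDirectory                    = $outDir
        IsHidden                           = $stats.IsHidden
        FileCountBy100                     = $stats.FileCountBy100
        DirectorySizeIn5MB                 = $stats.DirectorySizeIn5MB
        OldestFileInWeeks                  = $stats.OldestFileInWeeks
    }
}

Get-PowerShellLoggingPolicy | Format-List
```

Reading the policy keys directly, instead of asking a running PowerShell session what it is doing, matters because the goal is to find endpoints where the policy never arrived: a missing key is a Group Policy gap, while an explicit 0 is a setting that someone changed.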
PowerShell Remoting Enabled
Determines if PowerShell remoting is enabled on the endpoint by checking for WinRM listening ports 5985 or 5986.
Supported Platforms:
- Platform: Windows; Query Type: PowerShell
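The remoting check above and the PSSessionConfiguration sensor earlier on this page look at two layers of the same thing: whether WinRM is listening at all, and which endpoints it exposes. The function below is one added example serving both, written for this page rather than taken from the sensors; it treats a listener on TCP 5985 or 5986 as evidence of remoting, the way the sensor does, and then enumerates session configurations when the WinRM service is running. Get-PowerShellRemotingStatus is an assumed name, the set of names treated as default endpoints is this example's assumption, and Get-NetTCPConnection and Get-PSSessionConfiguration need Windows 8/Server 2012 or later and an elevated session.

```powershell
# Added example, not the Tanium sensors' own code. Reports the evidence the "PowerShell
# Remoting Enabled" sensor uses (a WinRM listener on TCP 5985/5986) together with the
# session configurations the "PowerShell PSSessionConfiguration" sensor describes, flagging
# any that are not one of the default endpoint names assumed below.
function Get-PowerShellRemotingStatus {
    $winrmPorts = 5985, 5986
    $listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                   Where-Object { $winrmPorts -contains $_.LocalPort })
    $service = Get-Service -Name WinRM -ErrorAction SilentlyContinue

    # Assumed default endpoint names; anything else is a custom (possibly JEA) endpoint.
    $defaultNames = @('microsoft.powershell', 'microsoft.powershell32',
                      'microsoft.powershell.workflow', 'microsoft.windows.servermanagerworkflows')

    $endpoints = @()
    if ($service -and $service.Status -eq 'Running') {
        # Get-PSSessionConfiguration needs elevation and a running WinRM service.
        $endpoints = @(Get-PSSessionConfiguration -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                IsDefault = ($defaultNames -contains $_.Name.ToLowerInvariant())
                # A RunAsUser is typical of a JEA-style endpoint that runs under a fixed identity.
                RunAsUser = $_.RunAsUser
            }
        })
    }

    $serviceState = 'NotInstalled'
    if ($service) { $serviceState = "$($service.Status)/$($service.StartType)" }

    [pscustomobject]@{
        RemotingEnabled   = ($listeners.Count -gt 0)
        ListeningPorts    = ($listeners.LocalPort | Sort-Object -Unique) -join ','
        WinRMServiceState = $serviceState
        CustomEndpoints   = (@($endpoints | Where-Object { -not $_.IsDefault }).Name -join ',')
        Endpoints         = $endpoints
    }
}

Get-PowerShellRemotingStatus
```

RemotingEnabled false with the WinRM service still set to start automatically is the state the "PowerShell Remoting Disable" package above avoids by also setting the service to Disabled and stopping it; a listener that reappears later on a host where the package ran is therefore a change worth investigating.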