
PowerShellSecurity 1.0.0.0131

From Tanium Knowledge Base


Introduction: PowerShell Security

PowerShell post-exploitation techniques are commodity malware. However, most organizations do not have the logging and transcription enabled to catch it. This Tanium content gives you a way to manage PowerShell security features with speed, scale, and simplicity across your environment. Implement the settings, then hunt down the machines where malicious PowerShell has executed.

No other automation technology or script language leaves as many fingerprints as PowerShell when properly configured. Before you can find this evidence, you must enable the policies first.

Download Location

This content is available at: https://content.tanium.com/files/published/PowerShellSecurity/2019-10-29_10-56-25_1.0.0.0131-gc1e22e8/PowerShellSecurity.xml

Usage

PowerShell Security Content

Content Overview

Using the speed and scale of Tanium, this content will help you:

  • enable PowerShell logging policies
  • scan the logs for a list of malicious PowerShell keywords
  • alert when malicious keywords are found
  • inventory PowerShell v2 feature status and remoting endpoints
  • inform deeper incident analysis using Tanium Threat Response

Continue reading to understand the Windows features leveraged for these capabilities and the Tanium components used to manage them.

PowerShell Fingerprints Overview

These are the locations where PowerShell command history can be identified on an endpoint using this content.

Module Logging

  • Released in PowerShell v4.
  • Default with install of Windows 2012 R2 or Windows 8.1 and above.
  • Configurable with Group Policy.
  • Takes a comma-delimited list of PowerShell modules to enforce logging.
  • Logs to Microsoft-Windows-PowerShell/Operational event 4103 and legacy log Windows PowerShell event 800.
  • All PowerShell code executed from command line, script, System.Management.Automation, code in memory, etc. is logged here. Obfuscated code, once resolved to normal code, is captured in the clear. Includes details of parameter binding.
  • Tanium LiveResponse Extended collection will include this with all log files.

Script Block Logging

  • Released in PowerShell v5. Back-ported to PowerShell v4 with KB3000850.
  • Default with install of Windows 2016 or Windows 10 and above.
  • Configurable with Group Policy.
  • Logs to Microsoft-Windows-PowerShell/Operational event 4104, and optionally 4105 and 4106.
  • Without the policy enabled, PowerShell still logs some code it classifies as high risk, but this is not sufficient for our needs.
  • InvocationLogging - Adds event 4105 for command start and 4106 for command end. This creates significant log volume, so use it only for a limited investigation window, if at all; the timestamps on the events themselves are usually sufficient.
  • EncryptedLogging - Only supported on Windows 10/2016 and above. Uses a document encryption certificate public key to encrypt contents of the logged events. Helpful to hide private data contained in scripts. Breaks searching for keywords on the endpoint. Must be decrypted using the private key on a central server for analysis. Not supported in this release.
  • All PowerShell code executed from command line, script, System.Management.Automation, code in memory, etc. is logged here. Obfuscated code, once resolved to normal code, is captured in the clear.
  • Tanium LiveResponse Extended collection will include this with all log files.

Transcription

  • Released in PowerShell v5. Back-ported to PowerShell v4 with KB3000850.
  • Default with install of Windows 2016 or Windows 10 and above.
  • Configurable with Group Policy, but requires additional effort to clean the transcript directory.
  • Captures all PowerShell sessions on the entire machine, both commands typed and output generated, to a text file transcript for each session.
  • TranscriptPath - Defaults to the user profile path. A custom path is recommended.
  • InvocationLogging - Adds a banner in the text log for command start time. This is low impact and recommended.

PSReadline History

  • The PSReadline module was published in the early days of PowerShell and can be loaded on many versions.
  • Included automatically beginning with PowerShell v5 on most operating systems.
  • Default with install of Windows 2016 or Windows 10 and above.
  • Gives a Linux-like shell experience to Windows PowerShell, including persistent command history between sessions. History entries are not timestamped.
  • Use the Get-PSReadlineOption command to see the configurable settings, including the history file path (HistorySavePath) and how many command lines to record (MaximumHistoryCount, 4096 by default).
  • Only captures commands from interactive PowerShell console sessions while the module is loaded. Easily bypassed by unloading the module in the session.
  • This content assumes the default output path of the command line history file.

WinRM Log

  • Event 193 shows all remote authentications for WinRM PowerShell remoting sessions.
  • No code is listed in this event log.
  • This may be included in a future release.

Defender AMSI (Anti-Malware Scan Interface)

  • Default with install of Windows 2016 or Windows 10 and above. Not supported on down-level operating systems.
  • Logs to Microsoft-Windows-Windows Defender/Operational with Event 1116 (Warning) or 1117 (Information) for potential malicious script execution.
  • Other antivirus vendors are integrating with AMSI as well and may have their own logs.
  • No code is listed in this event log, but it does record a possible identification of the malicious code that was blocked.
  • This may be included in a future release.

Other PowerShell Security Concerns

Remoting

PowerShell remoting is the ability to run a command via WinRM on a remote Windows machine (port 5985 or 5986). This is not a vulnerability, and it obeys all Windows permissions. The most popular commands used for this are Enter-PSSession and Invoke-Command. By default a user must be an administrator on the target machine. Just Enough Administration (JEA) is the ability to create restricted remote session experiences; for example, a remote user may only be able to run 15 commands. The entire PowerShell session experience is whitelisted (commands, providers, etc.). JEA includes the ability to specify an additional transcription directory dedicated to remote connections. Custom remoting configurations are inventoried using this PowerShell content.

Optional v2 Feature

Beginning with Windows 8 and 2012 (non-R2), Windows includes an optional feature for the PowerShell v2 engine. This allows scripters to author and test v2-compliant code on newer machines with higher PowerShell versions. However, threat actors can call powershell.exe -version 2 to run malicious code and bypass the logging available in newer versions. We recommend disabling this feature using the package provided with this content.

Event Log Size

The default event log size for the PowerShell logs is 15MB, which obviously rolls quickly. Some industry experts recommend 1GB. We recommend setting it to 1GB, then using the sensor PowerShell Policy Event Logs to monitor how many days that covers on an active machine. Adjust accordingly for your environment.
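The following script is an added example, not a Tanium sensor or package: it audits the machine-side logging policies, the v2 engine feature and the two PowerShell event log sizes described above on the local endpoint, and lists what falls short of the recommendations. It assumes an elevated Windows PowerShell 5.1 session; the registry locations are the standard GPO policy keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell.

```powershell
# Added example (not Tanium content): local audit of PowerShell logging posture.
function Get-PowerShellLoggingAudit {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Reads one machine-side policy value: 1 = enabled, 0 = disabled,
    # $null = not configured (the OS default then applies)
    function Read-Policy([string]$SubKey, [string]$Name) {
        $item = Get-ItemProperty -Path (Join-Path $policyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    # ModuleNames is a subkey whose value names are the module patterns (e.g. "*")
    $moduleNamesKey = Get-Item -Path "$policyRoot\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
    $policy = [pscustomobject]@{
        ModuleLogging         = Read-Policy 'ModuleLogging'      'EnableModuleLogging'
        ModuleNames           = if ($moduleNamesKey) { $moduleNamesKey.GetValueNames() -join ',' } else { $null }
        ScriptBlockLogging    = Read-Policy 'ScriptBlockLogging' 'EnableScriptBlockLogging'
        ScriptBlockInvocation = Read-Policy 'ScriptBlockLogging' 'EnableScriptBlockInvocationLogging'
        Transcription         = Read-Policy 'Transcription'      'EnableTranscripting'
        TranscriptDirectory   = Read-Policy 'Transcription'      'OutputDirectory'
        InvocationHeader      = Read-Policy 'Transcription'      'EnableInvocationHeader'
    }

    # Event log sizes versus the 15MB OS default; the oldest surviving record
    # shows how many days the current size actually covers on this machine
    $logs = foreach ($name in 'Microsoft-Windows-PowerShell/Operational', 'Windows PowerShell') {
        $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $cfg) { continue }
        $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Log         = $name
            MaxSizeMB   = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
            DaysCovered = if ($oldest) { [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1) } else { 0 }
        }
    }

    # Optional v2 engine (Windows 8/2012 and later); $null when the feature does not exist
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue

    $findings = @()
    if ($policy.ModuleLogging -ne 1)      { $findings += 'Module logging not enforced by policy (4103/800 coverage depends on OS defaults)' }
    if ($policy.ScriptBlockLogging -ne 1) { $findings += 'Script block logging not enforced by policy (only code PowerShell flags as high risk reaches 4104)' }
    if ($policy.Transcription -ne 1)      { $findings += 'Transcription not enforced by policy' }
    elseif (-not $policy.TranscriptDirectory -or $policy.TranscriptDirectory.EndsWith('\')) {
        $findings += 'Transcription OutputDirectory unset or ends with a backslash (breaks the hardening package)'
    }
    if ($policy.InvocationHeader -ne 1)   { $findings += 'Transcript invocation header off: no per-command timestamps' }
    if ($v2 -and "$($v2.State)" -eq 'Enabled') {
        $findings += 'PowerShell v2 engine enabled: powershell.exe -version 2 bypasses the newer logging'
    }
    foreach ($l in $logs) {
        if ($l.MaxSizeMB -lt 1024) { $findings += "$($l.Log) max size is $($l.MaxSizeMB)MB; 1GB recommended" }
    }

    [pscustomobject]@{
        Policy        = $policy
        EventLogs     = $logs
        V2EngineState = if ($v2) { "$($v2.State)" } else { 'NotPresent' }
        Findings      = $findings
    }
}

$audit = Get-PowerShellLoggingAudit
$audit.Policy | Format-List
$audit.EventLogs | Format-Table -AutoSize
$audit.Findings
```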

Hardening

Transcript and event logs are a target for attackers looking for sensitive environment information. Additionally, normal users should not see this information. This content provides for the hardening and hiding of the transcription directory, as well as hardening the two Windows PowerShell event logs mentioned above. The hardening applies a restricted Access Control List (ACL) to the directory and the event logs, viewable only by administrators or LOCAL SYSTEM. It also sets the transcript directory attributes to System and Hidden, causing it to disappear from a normal directory listing.
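As an added example of the directory hardening just described (this is not the package's psharden.bat, whose contents are not shown here), the function below breaks ACL inheritance, grants full control only to Administrators and SYSTEM, gives Everyone write-only access so each session can still drop its transcript, sets the System and Hidden attributes, and reports the result. It assumes an elevated session and the package default path C:\PSTranscript with no trailing backslash.

```powershell
# Added example (not Tanium content): harden a transcription output directory.
function Protect-TranscriptDirectory {
    param([Parameter(Mandatory)][string]$Path)

    # The hardening package has the same constraint: no trailing backslash
    if ($Path.EndsWith('\')) { throw "Transcript path must not end with a backslash: $Path" }
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent and drop the inherited entries, otherwise
    # ordinary users keep read access through the drive root defaults
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRule($existing) }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rules = @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        # Write = create files/folders and append, but no ReadData or ListDirectory:
        # any session can write its transcript, only admins and SYSTEM can read them
        @('Everyone',               'Write')
    )
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($r[0], $r[1], $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    $applied = Get-Acl -LiteralPath $Path

    # Hide the directory from normal listings (still reachable by exact path)
    $dir = Get-Item -LiteralPath $Path -Force
    $dir.Attributes = $dir.Attributes -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

    [pscustomobject]@{
        Path               = $Path
        Attributes         = (Get-Item -LiteralPath $Path -Force).Attributes.ToString()
        InheritanceBlocked = $applied.AreAccessRulesProtected
        Access             = ($applied.Access | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
    }
}

Protect-TranscriptDirectory -Path 'C:\PSTranscript'
```

Clearing the hardening again is the reverse operation (re-enable inheritance and clear the attributes), which the package exposes by clearing its checkbox.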

For More Information

This blog post has a list of research links to learn more about PowerShell security: Who's Afraid of PowerShell Security. The minimum reading requirement is Lee Holmes' post PowerShell Hearts the Blue Team.

Tanium PowerShell Security Content Implementation

The Tanium PowerShell Security content includes visibility and control of the following Windows PowerShell features:

  • Module logging
  • Scriptblock logging
  • Transcription
  • PSReadline command history
  • Remoting
  • PowerShell v2 optional feature
  • Event log size
  • Hardening of transcript and event logs

Most of this content is exposed through the PowerShell Security Interact category and related dashboards. The dashboards group saved questions by policy, forensics, etc.

Prerequisites

The following Tanium solutions must be installed prior to the PowerShell Security content:

  • Initial Content - Hardware
  • Initial Content - Network
  • Initial Content - OS
  • Initial Content - Registry

The Windows PowerShell policies require PowerShell version 5.1. Upgrade Windows PowerShell to WMF 5.1 on machines older than Windows 10/Windows Server 2016. You can manage PowerShell policies all the way back to Windows 7/Windows Server 2008 R2 as long as the Windows PowerShell version is upgraded first. In some cases this may also require a .NET upgrade as documented in the release notes. Customers could create a Tanium package or use Tanium Deploy to do this.

How to use this content

These are recommendations for using the content to secure and monitor PowerShell in your environment:

  1. Add the path C:\PSTranscript to antivirus exclusions for all endpoints in scope. Adjust this path if you change it in the policy package. This is required so that antivirus will not quarantine the forensic fingerprints.
  2. In Tanium create an Action Group called PowerShell Security. In the Computer Groups list select the computer group(s) you want in scope for configuration. For initial deployment, select a limited computer group of test machines.
  3. Deploy these packages by asking the question Get Online from all machines with ( Is Windows equals True and PowerShell Version > 5 ). Select the checkbox beside the True result, and then click the Deploy Action button. Be sure to filter each package deployment by the PowerShell Security action group you created above.
    • Deploy the package PowerShell Policy Set to enforce policy and event log size across the environment. Set the Reissue to 1 hour and the Distribute over time to 30 minutes.
    • Use the package PowerShell Policy Clean Transcription to keep the transcript directory from growing out of control and to collect stats on the size of the directory. Set the Reissue to 7 hours and the Distribute over time to 30 minutes. Later use the results of the sensor PowerShell Policy Transcription to see the actual storage space being used on endpoints and adjust accordingly.
    • Use the package PowerShell Policy Hardening to harden transcription and logging. It will hide and secure the transcript directory. The transcript output directory must be a local file system path and cannot end with a trailing slash "\". It will harden the ACL on both PowerShell event logs. Note that for the event log hardening to completely take effect, the endpoint may need to restart the EventLog service or reboot. Set the Reissue to 5 hours and the Distribute over time to 30 minutes.
    • Use the package PowerShell Search CommandHistory to scan available command history sources for known malicious commands. Set the Reissue to 1 hour and the Distribute over time to 30 minutes. This package is required before the command history sensors can be used. You might want to do this more frequently on high value endpoints, since we do not have immediate alerting capability with this content. It processes the logs and stores the output in the Tanium client tools directory under \Search-PS\. Optionally you can customize the patterns.txt file for other PowerShell commands to monitor in your environment and to tune out false positives. All lines in patterns.txt are searched across these command history locations:
      • Module logging - 4103 events for the last six hours
      • Module logging legacy - 800 events for the last six hours
      • Script block logging - 4104 events for the last six hours
      • Transcription history for the last six hours
      • All PSReadline command history (no timestamping capability for searching; however, the file is only searched if it was modified in the last six hours)
    • Use the package PowerShell FeatureV2 Disable to disable the PowerShell v2 feature for all machines. Test this in small batches first. Only target machines where the feature is enabled. Set the Reissue to 5 hours and the Distribute over time to 30 minutes.
  4. Adjust the saved question PowerShell Forensics By Endpoint to reissue on the same frequency as the PowerShell Search CommandHistory package. Set up a connection in Tanium Connect to send this saved question to your alerting tool of choice and filter for new items based on an index of the first two columns. Investigate these alerted machines.
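The package's search-ps.vbs is not reproduced on this page; as an added illustration (not Tanium's code) of what the search over the five command history sources involves, the script below reads keywords from a patterns file and checks the 4103, 800 and 4104 events of the last six hours, recently modified transcripts, and PSReadline history files. Keywords are read from the file rather than written into the script so the script text itself does not seed the logs with the strings it hunts for; it assumes an elevated Windows PowerShell 5.1 session, transcripts under C:\PSTranscript, one literal keyword per line, and a placeholder patterns path.

```powershell
# Added example (not Tanium content): search PowerShell command history sources for keywords.
function Search-CommandHistory {
    param(
        [Parameter(Mandatory)][string]$PatternsFile,
        [string]$TranscriptDir = 'C:\PSTranscript',   # assumed policy OutputDirectory
        [int]$Hours = 6
    )
    $since    = (Get-Date).AddHours(-$Hours)
    $patterns = @(Get-Content -LiteralPath $PatternsFile | Where-Object { $_.Trim() -ne '' })
    if ($patterns.Count -eq 0) { throw "No patterns found in $PatternsFile" }

    # Emits one hit object per matching pattern; literal, case-insensitive comparison
    $matchText = {
        param($Source, $Location, $Text, $When)
        foreach ($p in $patterns) {
            if ($Text -and $Text.IndexOf($p, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Source = $Source; Pattern = $p; When = $When; Location = $Location }
            }
        }
    }

    # Sources 1-3: module logging (4103), legacy module logging (800), script block logging (4104)
    $eventSources = @(
        @{ Source = 'ModuleLogging';       LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103 },
        @{ Source = 'ModuleLoggingLegacy'; LogName = 'Windows PowerShell';                        Id = 800  },
        @{ Source = 'ScriptBlockLogging';  LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    )
    foreach ($s in $eventSources) {
        $filter = @{ LogName = $s.LogName; Id = $s.Id; StartTime = $since }
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            & $matchText $s.Source "$($s.LogName) RecordId=$($e.RecordId)" $e.Message $e.TimeCreated
        }
    }

    # Source 4: transcripts; the policy writes dated subfolders, so recurse, and -Force sees the hidden dir
    Get-ChildItem -LiteralPath $TranscriptDir -Filter *.txt -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            & $matchText 'Transcription' $_.FullName (Get-Content -LiteralPath $_.FullName -Raw) $_.LastWriteTime
        }

    # Source 5: PSReadline history for every profile at the default path; the file has
    # no timestamps, so the whole file is searched, but only if it changed in the window
    $histGlob = "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\*.txt"
    Get-ChildItem -Path $histGlob -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            & $matchText 'PSReadline' $_.FullName (Get-Content -LiteralPath $_.FullName -Raw) $_.LastWriteTime
        }
}

# Placeholder patterns path: point this at a copy of the package's patterns.txt
$hits = @(Search-CommandHistory -PatternsFile 'C:\ProgramData\patterns.txt')
$hits | Sort-Object When -Descending | Format-Table Source, Pattern, When, Location -AutoSize
$hits | Group-Object Source | Select-Object Name, Count   # per-source totals, like the Summary sensor
```

Because the matched keywords are written to the console, they land in that endpoint's own transcript; this is the same trade-off the WARNING in the forensics workflow below describes for analysis machines.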

How to adjust the search keywords

As you discover keywords in the environment you may uncover false positives. You may also want to add other keywords of interest to find in the PowerShell logs and transcripts.

NOTE: The default patterns.txt file is not inclusive of all exploits and cannot be held liable for missing other malicious commands used in your environment. It is intended to be a sample that is expanded by users. If you find commands that should be added or removed, please email them to [email protected].

Here are the steps to update the keyword search list:

  1. Go to this package: main menu, Content, Packages, PowerShell Search Command History.
  2. Check the box beside the package and choose Edit.
  3. Scroll down to the file attachments, download the patterns.txt file to your local machine.
  4. Edit the file to remove false positives and/or add new keywords. Save it.
  5. Back in the Tanium package console, remove the current patterns.txt file on the package using the trash can icon.
  6. Add a local file to the package and select the version of the file you just now updated.
  7. Save the package. The old version of the file is still cached on the scheduled action that scans the environment. You must now delete the old scheduled action and recreate it:
  8. Go to Scheduled Actions: main menu, Actions, Scheduled Actions.
  9. Identify the action(s) currently deploying the package PowerShell Search CommandHistory.
  10. Open the action and document its settings (Distribute Over Time, Reissue, etc.).
  11. Delete this scheduled action.
  12. Go to Interact and ask the question get online from all machines.
  13. Check the box for True and choose Deploy Action.
  14. Set up the package deployment using the settings from the previous action you documented. At the bottom be sure to filter by the Action Group you created for the PowerShell Security deployment.
  15. Deploy the action.

PowerShell Forensics Workflow

The content features so far illuminate which machines have run specific malicious commands. Use the Tanium Threat Response module to investigate these machines and commands further.

  1. Deploy content per instructions above.
  2. In Tanium Interact, favorite and use the PowerShell Forensics dashboard to see hits in the environment.
  3. Drill down on a specific keyword or endpoint for more information.
  4. Deploy the [Threat Response] Live Response - Windows or Live Response - Windows package (if owned) and use the custom collection template found in this guide to retrieve the local client transcripts, PSReadline history, and event log files.
  5. Optionally use the Live Connection feature of Threat Response to connect to the endpoint, and then use the Live File Browser to select and download the files listed in the custom collection json below.
  6. The file collection list includes the \Search-PS\ directory contents under the Tanium client path. The files there with a .raw extension provide the exact strings to find in the logs and the paths of the transcript and PSReadline files containing the evidence.
  7. Look for the keywords from the PowerShell Forensics dashboard in these files transferred from the endpoint.
  8. The transcription files will include date, time, and process ID (PID) that can then correlate with Trace or Threat Response data from the endpoint for greater context around the malicious incident.
  9. Create a Tanium Connect connection using the saved question PowerShell Forensics By Endpoint to send results to your SIEM (Splunk, QRadar, etc.) hourly. Add a filter to the connection to only send new items.
  10. Configure notifications from the SIEM to send alerts on new findings.

The (pre-Threat Response) Tanium Live Response package's default Extended collection will get all the Windows event logs, including the PowerShell logs. To get only the PowerShell logs plus all of the other command history sources (transcripts, PSReadline history, Tanium sensor result files), create a Tanium Live Response Custom_Collection.json file as below and replace the default file on the package. Put the code below into the custom json file:

{
	"options": {
		"disk_info": false,
		"copy": true,
		"depth": 0,
		"max_num_files": 100,
		"raw": false,
		"raw_fallback": true,
		"hashes": ["md5","sha256"],
		"log_level": "info"
	},
	"files": [{
			"name": "PSReadline history",
			"path": "%APPDATA%\\Microsoft\\Windows\\PowerShell\\PSReadline\\",
			"regex": ".*txt$",
			"enabled": true,
			"order": 1
		},
		{
			"name": "Transcripts",
			"path": "C:\\PSTranscript\\",
			"regex": ".*txt$",
			"enabled": true,
			"depth": 2,
			"order": 2
		},
		{
			"name": "Search command history package output (64 bit)",
			"path": "%ProgramFiles(x86)%\\Tanium\\Tanium Client\\Tools\\Search-PS\\",
			"regex": ".*$",
			"raw": true,
			"enabled": true,
			"depth": 1,
			"order": 3
		},
		{
			"name": "Search command history package output (32 bit)",
			"path": "%ProgramFiles%\\Tanium\\Tanium Client\\Tools\\Search-PS\\",
			"regex": ".*$",
			"raw": true,
			"enabled": true,
			"depth": 1,
			"order": 4
		},
		{
			"name": "Event Logs",
			"path": "%SystemDrive%\\Windows\\System32\\winevt\\Logs\\",
			"regex": "(.*PowerShell.*\\.evtx)|(.*WinRM.*\\.evtx)|(.*Defender.*Operational\\.evtx)",
			"enabled": true,
			"order": 5
		}
	]
}

Optionally you can build a Threat Response ad-hoc collector for file acquisition by manually entering the file path data above.

This will pull back all related Windows event logs, transcripts, PSreadline command history, and the sensor data files to give you clues where to look for the offending patterns. Adjust the file path for the location where you have configured transcript files to go.

NOTE: Antivirus on the destination file transfer server may delete the files containing known malware patterns. Take this into account for antivirus exclusions.

WARNING: If you analyze these log files with PowerShell on a machine that has the policies enabled, then you will corrupt the logs with known-bad strings in your research process. In other words, you will be entering the bad keywords into the logs in the act of searching for them, thus corrupting your logs. Be sure to do this analysis on a dedicated machine.

Design Limitations

  • The default patterns.txt file is not inclusive of all exploits and cannot be held liable for missing other malicious commands used in your environment. It is intended to be a sample that is expanded by users. If you find commands that should be added or removed, please email them to [email protected].
  • The PowerShell policy GPO settings are managed and reported on the Computer/Machine side only (not User side, because you want to capture all activity on the machine).
  • If the GPO for execution policy is set on a machine, it may block execution of some packages in this content (PowerShell Remoting Disable, PowerShell Remoting Enable, etc.). You may need to override this in an emergency with the package to directly delete this policy in the machine side of the registry (PowerShell Policy Remove GPOExecutionPolicy). After running this package on an endpoint you can reissue the packages that were blocked. However, GPO can reapply the setting within any random interval of one minute to two hours. Domain Controllers refresh GPO every five minutes. Package results are not guaranteed in this case.
  • AppLocker or DeviceGuard could potentially block Tanium PowerShell content execution if the Tanium Client path is not excluded. This would impact other Tanium modules as well.
  • There is no log suppression for repeated events built into the sensors. They are designed to report on any activity in the last six hours (except for PSReadline history which does not have date/time data.) However, you can send output through Tanium Connect and filter for only new items.
  • DO NOT add “Invoke-Expression” to the patterns file for searching command history. This cmdlet, while contrary to PowerShell best practices, is in common use and will trigger false positives. It also catches some Tanium content that executes PowerShell using that method.
  • The policy registry keys are not hardened. Some malware may evade logging by deleting the registry keys and/or transcript files. The transcript files and event logs can be hardened with the respective package.
  • Do not put the transcription output directory on a network share when using this content. The sensors and packages are designed to work with a local directory.

Known Issues

  • Do not end the transcription directory path with a "\". This will break the hardening package.
  • Do not apply the transcription hardening package to machines running PowerShell v4 (Windows 8.1 and Windows Server 2012 R2 natively unless WMF 5.1 has been installed, or older operating systems that have installed WMF 4.0). Transcription hardening will break PowerShell in v4.
  • Event log hardening may require a restart of the EventLog service or a reboot to take effect fully.
  • PowerShell Transcription is known to break some applications: Citrix and Active Directory Administration Center (ADAC, the PowerShell-based tool, not ADUC). Exclude Citrix from the PowerShell Transcription policy; Script Block Logging and Module Logging are safe.
  • If using VSCode to edit PowerShell scripts, the Script Analyzer functionality in the background will generate logging activity. This should be addressed in a future release of the PowerShell Extension for VSCode.
  • The Transcription directory needs to be added to antivirus exceptions on endpoints. If malicious strings are found in the transcript directory, then antivirus products may quarantine the file, removing this evidence which is otherwise harmless. Then the content cannot identify that fingerprint in transcription, although the event logs should still be intact. The same goes for the Live Response destination server where evidence will be transferred.
  • Some reports from the field claim that a certain Microsoft System Center component may rely on PowerShell v2 engine to be installed. Test this carefully before removing everywhere. Windows 10 default is that the PowerShell v2 engine is installed but missing required .NET version to function.

Release History

v1.0.0.131 - November 2019 - Updated patterns.txt in the search package to remove false positives.

v1.0.0.122 - October 2019 - Updated patterns.txt in the search package to include all known Empire PowerShell functions.

v1.0.0.120 - September 2019 - Added hardening and reporting for event logs. Removed deprecated content. Revised the saved questions and dashboards.

v1.0.0.95 - August 2019 - Added package to harden transcription directory, enhanced Clean Transcription package to drop a file with directory stats & adjusted transcription sensor to collect it.

v1.0.0.66 - July 2019 - Updated package Search Command History to only return the matching strings. Added CommandHistory Summary sensors.

v1.0.0.58 - June 2019 - Consolidated policy packages and event log size package into a single package. Added ModuleLoggingLegacy sensors. Added script signing.

v1.0.0.39 - November 2018 - Refactor of many PowerShell sensors (12) and packages (5) to VBScript

v1.0.0.28 - November 2018 - First release

Support Information

This content was created by TAM Ashley McGlone [email protected]. Contact him for questions or support.

Dashboard Groups

PowerShell Security

Dashboards:

Dashboards

PowerShell Policy

Saved questions:

PowerShell Forensics

Saved questions:

PowerShell Remoting

Saved questions:

PowerShell Security Targeting

Saved questions:

Questions

PowerShell ExecutionPolicy

Get PowerShell ExecutionPolicy from all machines with Is Windows equals true

PowerShell ExecutionPolicy GPO Machine

Get Registry Value Data[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell,EnableScripts] and Registry Value Data[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell,ExecutionPolicy] from all machines with Is Windows equals true

PowerShell FeatureV2

Get Computer Name and Operating System and PowerShell Version and PowerShell FeatureV2 from all machines with Operating System contains windows

PowerShell Forensics Summary

Get PowerShell CommandHistory Details Summary from all machines with ( Operating System contains windows and all PowerShell CommandHistory Details Summary not equals No results )

PowerShell Forensics By Endpoint

Get Computer Name and PowerShell CommandHistory Details Summary and PowerShell CommandHistory Details ModuleLogging and PowerShell CommandHistory Details ModuleLoggingLegacy and PowerShell CommandHistory Details ScriptBlockLogging and PowerShell CommandHistory Details Transcription and PowerShell CommandHistory Details PSReadline from all machines with ( Operating System contains windows and all PowerShell CommandHistory Details Summary not equals No results )

PowerShell PSSessionConfiguration

Get PowerShell PSSessionConfiguration from all machines with ( Is Windows equals true and PowerShell Remoting Enabled equals True )

PowerShell Policy Audit

Get PowerShell Policy Transcription and PowerShell Policy ScriptBlockLogging and PowerShell Policy ModuleLogging from all machines with ( Is Windows equals true and PowerShell Version > 4 )

PowerShell Policy Event Log Statistics

Get PowerShell Policy Event Logs from all machines with ( Is Windows equals true and PowerShell Version > 4 )

PowerShell Remoting

Get Windows OS Type and Operating System and PowerShell Remoting Enabled from all machines with ( Is Windows equals true and PowerShell Version > 2 )

PowerShell Set Remoting

Get PowerShell Remoting Enabled from all machines with Operating System contains windows

PowerShell Version Audit

Get Operating System and PowerShell Version and PowerShell FeatureV2 from all machines with Is Windows equals true

Packages

PowerShell FeatureV2 Disable

This package contains 1 file and 0 sensors.

Properties:

Property Value
Command Line cmd /c nativelauncher.cmd dism /online /disable-feature /featurename:MicrosoftWindowsPowerShellV2
Command Timeout 60


Files:

Name
nativelauncher.cmd

PowerShell FeatureV2 Enable

This package contains 1 file and 0 sensors.

Properties:

Property Value
Command Line cmd /c nativelauncher.cmd dism /online /enable-feature /featurename:MicrosoftWindowsPowerShellV2
Command Timeout 60


Files:

Name
nativelauncher.cmd

PowerShell Policy Clean Transcription

This package contains 1 file and 0 sensors.

Properties:

Property Value
Command Line powershell.exe -NoLogo -NoProfile -NonInteractive -OutputFormat Text -ExecutionPolicy ByPass -File PowerShellPolicyTranscriptionClean.ps1 "$1"
Command Timeout 180

Parameters:

Name | Description | Type | Default Value
Retention Time in Days | Number of days to keep PowerShell transcription policy logs. Everything older will be deleted. | Numeric | 14

Files:

Name
PowerShellPolicyTranscriptionClean.ps1

PowerShell Policy Remove GPOExecutionPolicy

This package contains 1 file and 0 sensors.

Properties:

Property Value
Command Line cmd.exe /c cscript.exe //E:VBScript //T:60 PowerShellPolicyRemoveGPOExecutionPolicy.vbs
Command Timeout 60


Files:

Name
PowerShellPolicyRemoveGPOExecutionPolicy.vbs

PowerShell Policy Set

This package contains 1 file and 0 sensors.

Properties:

Property Value
Command Line cmd.exe /c cscript.exe //E:VBScript //T:60 PowerShellPolicySet.vbs "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "$10" "$11" "$12" "$13"
Command Timeout 60

Parameters:

Name | Description | Type | Default Value
CONFIGURE TRANSCRIPTION | Check this box to configure transcription. | Checkbox | UnChecked
EnableTranscripting | Clear checkbox to disable | Checkbox | UnChecked
OutputDirectory | Must be a valid file path, local to the endpoint. Cannot end with a slash. | Text | C:\PSTranscript
EnableInvocationHeader | Adds date and time stamp for each command logged | Checkbox | UnChecked
CONFIGURE SCRIPT BLOCK LOGGING | Check this box to configure script block logging. | Checkbox | UnChecked
EnableScriptBlockLogging | Clear checkbox to disable | Checkbox | UnChecked
EnableScriptBlockInvocationLogging | Adds log events for start/stop of each command. Preferred to leave this disabled due to high logging volume. | Checkbox | UnChecked
CONFIGURE MODULE LOGGING | Check this box to configure module logging. | Checkbox | UnChecked
EnableModuleLogging | Clear checkbox to disable. | Checkbox | UnChecked
ModuleNames | Comma-delimited list of module names for logging enforcement. Wildcards permitted. A single asterisk (*) will log all modules. | Text | *
SET EVENT LOG SIZE | Check this box to configure event log sizes. | Checkbox | UnChecked
Microsoft-Windows-PowerShell/Operational | Primary log. Events 4103-4106. OS default is 15MB. | Numeric | 1048576
Windows PowerShell | Legacy log for event 800 Module Logging. OS default is 15MB. | Numeric | 1048576

Files:

Name
PowerShellPolicySet.vbs

PowerShell Policy Hardening

This package contains 2 files and 0 sensors.

Properties:

Property Value
Command Line cmd /c psharden.bat $1 $2 $3 $4
Command Timeout 60

Parameters:

Name | Description | Type | Default Value
CONFIGURE TRANSCRIPTION HARDENING | | Checkbox | UnChecked
Hide and secure the transcription directory | Sets Transcription OutputDirectory attributes to system and hidden. Allows Everyone write, and full control only to administrators and SYSTEM. Clear the checkbox to un-harden. NOTE: Transcript directory path must not end with a backslash. | Checkbox | UnChecked
CONFIGURE EVENT LOG HARDENING | | Checkbox | UnChecked
Secure the event logs | Harden both the [Microsoft-Windows-PowerShell/Operational] and [Windows PowerShell] event logs. Clear the checkbox to un-harden. | Checkbox | UnChecked

Files:

Name
PowerShellPolicySetEventLogsHarden.vbs
psharden.bat

PowerShell Remoting Disable

This package contains 0 files and 0 sensors.

Properties:

Property Value
Command Line cmd /c powershell.exe -NoLogo -NoProfile -NonInteractive -OutputFormat Text -ExecutionPolicy ByPass -Command "& {Disable-PSRemoting -Force;Set-Service -Name WinRM -StartupType Disabled;Stop-Service WinRM}"
Command Timeout 60


PowerShell Remoting Enable

This package contains 0 files and 0 sensors.

Properties:

Property Value
Command Line cmd /c powershell.exe -NoLogo -NoProfile -NonInteractive -OutputFormat Text -ExecutionPolicy ByPass -Command "& {Enable-PSRemoting -Force}"
Command Timeout 60


PowerShell Search CommandHistory

This package contains 3 files and 0 sensors.

Properties:

Property Value
Command Line cmd /c search-ps.bat
Command Timeout 300


Files:

Name
search-ps.bat
search-ps.vbs
patterns.txt

Sensors

PowerShell CommandHistory Details ModuleLogging

Returns content of command history containing known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.

Supported Platforms:

Platform Query Type
Windows VBScript

PowerShell CommandHistory Details ModuleLoggingLegacy

Returns content of command history containing known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.

Supported Platforms:

Platform Query Type
Windows VBScript

PowerShell CommandHistory Details PSReadline

Returns content of command history containing known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.

Supported Platforms:

Platform Query Type
Windows VBScript

PowerShell CommandHistory Details ScriptBlockLogging

Returns content of command history containing known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.

Supported Platforms:

Platform Query Type
Windows VBScript

PowerShell CommandHistory Details Summary

Returns content of command history containing known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.

Supported Platforms:

Platform Query Type
Windows VBScript

PowerShell CommandHistory Details Transcription

Returns content of command history containing known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.

Supported Platforms:

Platform Query Type
Windows VBScript

PowerShell CommandHistory ModuleLogging

Returns "true" if command history contains known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.

Supported Platforms:

Platform Query Type
Windows VBScript

PowerShell CommandHistory ModuleLoggingLegacy

Returns "true" if command history contains known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.

Supported Platforms:

Platform Query Type
Windows VBScript

PowerShell CommandHistory PSReadline

Returns "true" if command history contains known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.

Supported Platforms:

Platform Query Type
Windows VBScript

PowerShell CommandHistory ScriptBlockLogging

Returns "true" if command history contains known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.

Supported Platforms:

Platform Query Type
Windows VBScript

PowerShell CommandHistory Summary

Returns "true" if command history contains known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.

Supported Platforms:

Platform Query Type
Windows VBScript

PowerShell CommandHistory Transcription

Returns "true" if command history contains known commands for PowerShell post-exploitation toolkits. Must run the package "PowerShell Search CommandHistory" on the endpoint first.

Supported Platforms:

Platform Query Type
Windows VBScript

PowerShell ExecutionPolicy

Runs Get-ExecutionPolicy -List to show the execution policy at every scope.

Columns:

Name Description Type Hidden
Scope Text
ExecutionPolicy Text

Supported Platforms:

Platform Query Type
Windows PowerShell

PowerShell FeatureV2

For Windows versions newer than Windows 7/2008 R2, determines whether the PowerShell v2 engine Windows feature is installed. If it is enabled, it is a potential security risk: version downgrade attacks use the v2 engine to avoid detection by the logging and transcription policies.

Supported Platforms:

Platform Query Type
Windows PowerShell

PowerShell PSSessionConfiguration

Displays the remoting session configurations and, for each, true/false whether it is a default configuration. Use to identify custom remoting endpoints such as JEA.

Columns:

Name Description Type Hidden
Name Text
IsDefault Text

Supported Platforms:

Platform Query Type
Windows PowerShell

PowerShell PSVersionTable

Reports the $PSVersionTable properties. Use to see the specific PowerShell versions in the environment.

Columns:

Name Description Type Hidden
Property Text
Value Text

Supported Platforms:

Platform Query Type
Windows PowerShell

PowerShell Policy Event Logs

Reports on the size, age, and hardening status of the two PowerShell event logs.

Columns:

Name Description Type Hidden
LogName Text
ActualSizeIn16MB Numeric
MaxSizeInMB Numeric
OldestEventInWeeks Numeric
IsHardened Text
SDDL Text True

Supported Platforms:

Platform Query Type
Windows PowerShell

PowerShell Policy ModuleLogging

Reports the computer policy settings for PowerShell module logging. Does not report the user policy settings.

Columns:

Name Description Type Hidden
EnableModuleLogging Text
ModuleNames Text

Supported Platforms:

Platform Query Type
Windows VBScript

PowerShell Policy ScriptBlockLogging

Reports the computer policy settings for PowerShell script block logging. Does not report the user policy settings.

Columns:

Name Description Type Hidden
EnableScriptBlockLogging Text
EnableScriptBlockInvocationLogging Text

Supported Platforms:

Platform Query Type
Windows VBScript

PowerShell Policy Transcription

Reports the computer policy settings for PowerShell transcription. (Does not report the user policy settings.) Also reports the hardening status and file statistics of the transcription output directory. The file statistics rely on the package PowerShell Policy Clean Transcription to update them.

Columns:

Name Description Type Hidden
EnableTranscripting Text
OutputDirectory Text
EnableInvocationHeader Text
IsHidden Text
IsHardened Text
FileCountBy100 Numeric
DirectorySizeIn5MB Numeric
OldestFileInWeeks Numeric

Supported Platforms:

Platform Query Type
Windows VBScript

PowerShell Remoting Enabled

Determines if PowerShell remoting is enabled on the endpoint by checking for WinRM listening ports 5985 or 5986.

Supported Platforms:

Platform Query Type
Windows PowerShell
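As an added example (not code from the Tanium content pack), the following stand-alone PowerShell reads the same computer-policy values the Policy ScriptBlockLogging, Policy ModuleLogging and Policy Transcription sensors report, then adds the v2 engine feature check and the WinRM listener check from the FeatureV2 and Remoting Enabled sensors. The registry locations under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell are the standard Group Policy locations; the optional-feature name and the port test are assumptions about how such a check can be written, not the sensors' own implementation.

```powershell
# Added example: local audit of the PowerShell policy settings this content manages.
# Reads computer policy only (HKLM), as the sensors do; user policy (HKCU) is not reported.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $key = Join-Path $PolicyRoot $SubKey
    if (Test-Path $key) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    }
    return $null   # value absent: policy not configured
}

# Script block logging (Microsoft-Windows-PowerShell/Operational, event 4104)
$sbl = [pscustomobject]@{
    EnableScriptBlockLogging           = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'
    EnableScriptBlockInvocationLogging = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockInvocationLogging'
}

# Module logging: ModuleNames is a subkey whose value names are the module patterns ('*' = all)
$moduleNamesKey = Join-Path $PolicyRoot 'ModuleLogging\ModuleNames'
$moduleNames = if (Test-Path $moduleNamesKey) {
    (Get-Item $moduleNamesKey).GetValueNames() -join ','
} else { '' }
$mod = [pscustomobject]@{
    EnableModuleLogging = Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging'
    ModuleNames         = $moduleNames
}

# Transcription; a trailing backslash on OutputDirectory breaks the hardening package
$tr = [pscustomobject]@{
    EnableTranscripting    = Get-PolicyValue 'Transcription' 'EnableTranscripting'
    OutputDirectory        = Get-PolicyValue 'Transcription' 'OutputDirectory'
    EnableInvocationHeader = Get-PolicyValue 'Transcription' 'EnableInvocationHeader'
}

# PowerShell v2 engine feature (downgrade risk). Assumed feature name; needs an elevated shell.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
$v2State = if ($v2) { $v2.State } else { 'NotPresent' }

# Remoting: a WinRM listener on 5985 (HTTP) or 5986 (HTTPS), as the Remoting Enabled sensor checks
$remoting = [bool](Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 5985, 5986 })

[pscustomobject]@{
    ScriptBlockLogging = $sbl; ModuleLogging = $mod; Transcription = $tr
    PowerShellV2Feature = $v2State; RemotingListener = $remoting
} | Format-List
```

A null value in the output means the corresponding policy is not configured at all, which is distinct from a policy that is explicitly set to 0.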