WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later
Common Information
| Type | Value |
|---|---|
| UUID | 33bbc0e2-c595-4f5a-970f-7c000c3658c3 |
| Fingerprint | c9ba4466660d6eb48f3880320653eea4b4e7059b6e94725f7cae8ea86cb01c27 |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | June 14, 2016, 8:39 a.m. |
| Added to db | March 10, 2024, 7:23 a.m. |
| Last updated | Aug. 31, 2024, 2:34 a.m. |
| Headline | WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later |
| Title | WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later |
| Detected Hints/Tags/Attributes | 64/1/45 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 1 | malwarearchaeology.com |
|
| Details | Domain | 212 | technet.microsoft.com |
|
| Details | Domain | 184 | www.fireeye.com |
|
| Details | Domain | 11 | blogs.msdn.microsoft.com |
|
| Details | Domain | 4 | learn-powershell.net |
|
| Details | Domain | 1 | www.redblue.team |
|
| Details | Domain | 107 | system.management |
|
| Details | Domain | 3 | system.management.automation.ni |
|
| Details | Domain | 1 | digirati82.com |
|
| Details | File | 1 | hh847796.aspx |
|
| Details | File | 1 | hh849687.aspx |
|
| Details | File | 3 | greater_visibilityt.html |
|
| Details | File | 1 | us-14-kazanciyan-investigating-powershell-attacks-wp.pdf |
|
| Details | File | 1 | to.html |
|
| Details | File | 1 | cb-powershell-deep-dive-a-united-threat-research-report-1.pdf |
|
| Details | File | 8 | profile.ps1 |
|
| Details | File | 1208 | powershell.exe |
|
| Details | File | 1 | malicious.ps1 |
|
| Details | File | 1 | powershell_transcript.txt |
|
| Details | File | 13 | psversiontable.ps |
|
| Details | File | 165 | reg.exe |
|
| Details | File | 1 | %computername%_ps_cmds_executed_win7.log |
|
| Details | File | 32 | powershell_ise.exe |
|
| Details | File | 10 | automation.dll |
|
| Details | File | 16 | ni.dll |
|
| Details | File | 1 | reflection.dll |
|
| Details | File | 1 | _green_and_mccord.pdf |
|
| Details | File | 7 | powershell_profile.ps1 |
|
| Details | File | 1 | powershellise_profile.ps1 |
|
| Details | Url | 1 | http://technet.microsoft.com/en-us/library/hh847796.aspx |
|
| Details | Url | 1 | https://technet.microsoft.com/en-us/library/hh849687.aspx |
|
| Details | Url | 2 | https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html |
|
| Details | Url | 1 | https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team |
|
| Details | Url | 1 | https://www.blackhat.com/docs/us-14/materials/us-14-kazanciyan-investigating-powershell-attacks-wp.pdf |
|
| Details | Url | 1 | http://learn-powershell.net/2014/08/26/more-new-stuff-in-powershell-v5-extra-powershell-auditing |
|
| Details | Url | 1 | http://www.redblue.team/2016/01/powershell-traceless-threat-and-how- |
|
| Details | Url | 1 | https://www.carbonblack.com/wp-content/uploads/2016/04/cb-powershell-deep-dive-a-united-threat-research-report-1.pdf |
|
| Details | Url | 5 | https://technet.microsoft.com/en-us/sysinternals/sysmon |
|
| Details | Url | 1 | https://digirati82.com/wls-information |
|
| Details | Url | 1 | http://energy.gov/sites/prod/files/cioprod/documents/splunkified_-_the_next_evolution_of_log_analysis_- |
|
| Details | Windows Registry Key | 3 | HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell |
|
| Details | Windows Registry Key | 1 | HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
| Details | Windows Registry Key | 1 | HKLM\System\CurrentControlSet\Services\eventlog\Windows |
|
| Details | Windows Registry Key | 1 | HKLM\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
| Details | Windows Registry Key | 1 | HKLM\SYSTEM\CurrentControlSet\services\eventlog\Windows |