Greater Visibility Through PowerShell Logging | Mandiant
Common Information
Type                            Value
UUID                            216d9714-6ca1-4753-88d7-4ed9ae37330e
Fingerprint                     8457aeb7dd3548c0
Analysis status                 DONE
Considered CTI value            0
Text language
Published                       Feb. 11, 2016, midnight
Added to db                     Nov. 6, 2023, 7:10 p.m.
Last updated                    Dec. 25, 2024, 1:26 p.m.
Headline                        Greater Visibility Through PowerShell Logging
Title                           Greater Visibility Through PowerShell Logging | Mandiant
Detected Hints/Tags/Attributes  42/1/19
RSS Feed
Id   Enabled  Feed title           Url                                              Added to db
330           Threat Intelligence  https://www.mandiant.com/resources/blog/rss.xml  2024-08-30 22:08
Attributes
Type                     #Events  CTI Value  Value
Domain                   21                  blogs.msdn.com
Domain                   4724                github.com
Domain                   147                 archive.org
File                     1                   windows-management-framework-wmf-4-0-update-now-available-for-windows-server-2012-windows-server-2008-r2-sp1-and-windows-7-sp1.aspx
File                     1                   powershell-the-blue-team.aspx
File                     1                   wp-lazanciyan-investigating-powershell-attacks.pdf
Github username          1                   matthewdunwoody
Microsoft Patch Numbers  1                   KB3000850
Microsoft Patch Numbers  1                   KB3119938
Microsoft Patch Numbers  1                   KB3109118
Url                      1                   http://blogs.msdn.com/b/powershell/archive/2016/01/19/windows-management-framework-wmf-4-0-update-now-available-for-windows-server-2012-windows-server-2008-r2-sp1-and-windows-7-sp1.aspx
Url                      1                   http://blogs.msdn.com/b/powershell/archive/2015/06/09/powershell-the-blue-team.aspx
Url                      1                   https://www.fireeye.com/content/dam/fireeye-www/global/en/solutions/pdfs/wp-lazanciyan-investigating-powershell-attacks.pdf
Url                      1                   https://blogs.msdn.microsoft.com/powershell/2016/02/24/windows-management-framework-wmf-5-0-rtm-packages-has-been-republished
Url                      1                   https://github.com/matthewdunwoody/block-parser
Url                      1                   https://archive.org/details/no_easy_breach.
Windows Registry Key     2                   HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging
Windows Registry Key     2                   HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
Windows Registry Key     1                   HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription