Windows Auditing & Logging FG

Terminal Learning Objectives

1. Identify Windows Artifacts

2. Describe Windows Auditing & Logging

3. Complete Windows Auditing & Logging CTFd Challenges PE


1. Windows Artifacts

Gain an understanding of what artifacts are and to track user or system activity with them.

At the end of this lesson you will be able to describe and pull information from the following artifacts:

  • UserAssist

  • Windows Background Activity Moderator (BAM)

  • Recycle Bin

  • Prefetch

  • Jump Lists

  • Recent Files

  • Browser Artifacts

1.1 What is an artifact?

Artifacts are objects or areas within a computer system that contain important information relevant to the activities performed on the system by the user.

These artifacts must be identified, processed, and analyzed in order to prove or disprove any observations made during forensic analysis.However, the absence of information in an artifact does not indicate that an activity didn’t occur.

There are multiple artifacts in the Windows environment that serve as important evidence in the forensic examination process.

SANS Windows Artifact Analysis

Forensically relevent Registry locations


Many artifacts will require the use of a Security Identifer (SID) to dig into the user specific registry locations for the artifact information.

PS C:\> Get-LocalUser | select Name,SID (1)
Name               SID
----               ---
Admin              S-1-5-21-1584283910-3275287195-1754958050-1000
Administrator      S-1-5-21-1584283910-3275287195-1754958050-500
cloudbase-init     S-1-5-21-1584283910-3275287195-1754958050-1002
DefaultAccount     S-1-5-21-1584283910-3275287195-1754958050-503
Guest              S-1-5-21-1584283910-3275287195-1754958050-501
andy.dwyer         S-1-5-21-1584283910-3275287195-1754958050-1005
sshd               S-1-5-21-1584283910-3275287195-1754958050-1003
student            S-1-5-21-1584283910-3275287195-1754958050-1004
WDAGUtilityAccount S-1-5-21-1584283910-3275287195-1754958050-504

PS C:\> Get-WmiObject win32_useraccount | select name,sid (2)
name               sid
----               ---
Admin              S-1-5-21-1584283910-3275287195-1754958050-1000
Administrator      S-1-5-21-1584283910-3275287195-1754958050-500
cloudbase-init     S-1-5-21-1584283910-3275287195-1754958050-1002
DefaultAccount     S-1-5-21-1584283910-3275287195-1754958050-503
Guest              S-1-5-21-1584283910-3275287195-1754958050-501
andy.dwyer         S-1-5-21-1584283910-3275287195-1754958050-1005
sshd               S-1-5-21-1584283910-3275287195-1754958050-1003
student            S-1-5-21-1584283910-3275287195-1754958050-1004
WDAGUtilityAccount S-1-5-21-1584283910-3275287195-1754958050-504
_Output_Truncated_
1 Get-LocalUser will show local Users and SID on a system
2 Get-WmiObject will show local and domain Users and SID 
{empty} +
2. Get SIDS in Command Prompt
C:\windows\system32>wmic UserAccount get name,sid (1)
Name                SID
Admin               S-1-5-21-1584283910-3275287195-1754958050-1000
Administrator       S-1-5-21-1584283910-3275287195-1754958050-500
cloudbase-init      S-1-5-21-1584283910-3275287195-1754958050-1002
DefaultAccount      S-1-5-21-1584283910-3275287195-1754958050-503
Guest               S-1-5-21-1584283910-3275287195-1754958050-501
andy.dwyer          S-1-5-21-1584283910-3275287195-1754958050-1005
sshd                S-1-5-21-1584283910-3275287195-1754958050-1003
student             S-1-5-21-1584283910-3275287195-1754958050-1004
WDAGUtilityAccount  S-1-5-21-1584283910-3275287195-1754958050-504
1 wmic useraccount get name,sid will show local Users and SID


2. UserAssist

Run ALL Artifacts demos on Workstation2 while in a ssh from the Admin-Station

The UserAssist registry key tracks the GUI-based programs that were ran by a particular user.

2.1 Location

They are located in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\ * they are encoded in ROT13

The GUID represents a particular file extension.

  • CEBFF5CD-ACE2-4F4F-9178-9926F41749EA A list of applications, files, links, and other objects that have been accessed

  • F4E57C4B-2036-45F0-A9AB-443BCFE33D9F Lists the Shortcut Links used to start programs


2.2 Demo

CEBFF5CD: Executable File Execution
PS C:\> Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" (1)

HRZR_PGYPHNPbhag:pgbe                                                            : {255, 255, 255, 255...}
Zvpebfbsg.Trgfgnegrq_8jrxlo3q8oojr!Ncc                                           : {0, 0, 0, 0...}
HRZR_PGYFRFFVBA                                                                  : {0, 0, 0, 0...}
Zvpebfbsg.JvaqbjfSrrqonpxUho_8jrxlo3q8oojr!Ncc                                   : {0, 0, 0, 0...}
Zvpebfbsg.JvaqbjfZncf_8jrxlo3q8oojr!Ncc                                          : {0, 0, 0, 0...}
Zvpebfbsg.Crbcyr_8jrxlo3q8oojr!k4p7n3o7ql2188l46q4ln362l19np5n5805r5k            : {0, 0, 0, 0...}
Zvpebfbsg.ZvpebfbsgFgvpxlAbgrf_8jrxlo3q8oojr!Ncc                                 : {0, 0, 0, 0...}
{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\FavccvatGbby.rkr                          : {0, 0, 0, 0...}
Zvpebfbsg.JvaqbjfPnyphyngbe_8jrxlo3q8oojr!Ncc                                    : {0, 0, 0, 0...}
{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfcnvag.rkr                               : {0, 0, 0, 0...}
{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr                               : {0, 0, 0, 0...}
Zvpebfbsg.Jvaqbjf.Pbegnan_pj5a1u2gklrjl!PbegnanHV                                : {0, 0, 0, 0...}
{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\CbjreFuryy_VFR.rkr : {0, 0, 0, 0...}
_Output_Truncated_
1 Output shows the Executable files encoded with ROT13. Copy/ Paste the output into a decdoer site like Rot13 or CyberChef


F4E57C4B: Shortcut File Execution
PS C:\> Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count" (1)

HRZR_PGYPHNPbhag:pgbe                                                            : {255, 255, 255, 255...}
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Favccvat Gbby.yax             : {0, 0, 0, 0...}
HRZR_PGYFRFFVBA                                                                  : {0, 0, 0, 0...}
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Cnvag.yax                     : {0, 0, 0, 0...}
{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Npprffbevrf\Abgrcnq.yax                   : {0, 0, 0, 0...}
{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Jvaqbjf CbjreFuryy\Jvaqbjf CbjreFuryy.yax : {0, 0, 0, 0...}
{N77S5Q77-2R2O-44P3-N6N2-NON601054N51}\Flfgrz Gbbyf\Pbzznaq Cebzcg.yax           : {0, 0, 0, 0...}
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Nqzvavfgengvir Gbbyf\Ertvfgel Rqvgbe.yax  : {0, 0, 0, 0...}
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Npprffbevrf\Erzbgr Qrfxgbc Pbaarpgvba.yax : {0, 0, 0, 0...}
{9R3995NO-1S9P-4S13-O827-48O24O6P7174}\GnfxOne\Svyr Rkcybere.yax                 : {0, 0, 0, 0...}
{0139Q44R-6NSR-49S2-8690-3QNSPNR6SSO8}\Tbbtyr Puebzr.yax                         : {0, 0, 0, 0...}
_Output_Truncated_
1 Output shows the files run from Shortcut locations encoded with ROT13.


Q: Where can you look to pull all users that have logged on to the computer and have ran executables?

Q: How can we change our command to look at all users Userassist artifacts?

A: From

PS C:\> Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count"

To

PS C:\> Get-ItemProperty "Registry::Hkey_Users\*\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count"


Windows User Assist Key Additional Information

3. Windows Background Activity Moderator (BAM)


Windows Background Activity Moderator (BAM) BAM is a Windows service that Controls activity of background applications.This service exists in Windows 10 only after Fall Creators update – version 1709.

BAM Provides the following:

  • full path of an executable

  • last execution date/time.

Q: What is the importance of knowing the path of an executable?


3.1 Location


Show in Reg Edit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings #On 1809 and Newer

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings #On 1803 and below

CMD command to get Windows OS Version - Ran in Admin-Station

  • systeminfo

C:\WINDOWS\system32>systeminfo

Host Name:                 ADMIN-STATION
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.19045 N/A Build 19045 (1)
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
/----Output Truncated----/
1 see table below - 19045 (Windows 10 (22H2)) is the last Windows 10 Version

Powershell cmdlet to get Windows OS Version - Ran in Admin-Station

  • Get-Computerinfo

Get-ComputerInfo | select osname,osversion,OsHardwareAbstractionLayer

OsName                           OsVersion   OsHardwareAbstractionLayer
------                           ---------   --------------------------
Microsoft Windows 10 Enterprise  10.0.19045  10.0.19041.2251
                                    (1)
1 see table below - 19045 (Windows 10 (22H2)) is the last Windows 10 Version

Operating System

Version Details

Build Number

Windows 11

Windows 11 (22H2)

10.0.22621

Windows 11 (21H2)

10.0.22000

Windows 10

Windows 10 (22H2)

10.0.19045

Windows 10 (21H2)

10.0.19044

Windows 10 (21H1)

10.0.19043

Windows 10 (20H2)

10.0.19042

Windows 10 (2004)

10.0.1904

Windows 10 (1909)

10.0.18363

Windows 10 (1903)

10.0.18362

Windows 10 (1809)

10.0.17763

Windows 10 (1803)

10.0.17134

Windows 10 (1709)

10.0.16299

Windows 10 (1703)

10.0.15063

Windows 10 (1607)

10.0.14393

3.2 Demo


BAM entries for every user on the system
PS C:\> Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\bam\state\UserSettings\* (1)

   Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\state\UserSettings
Name                           Property
----                           --------
S-1-5-18                       Version        : 1
                               SequenceNumber : 170
S-1-5-21-1584283910-3275287195 Version                                             : 1
-1754958050-1001               SequenceNumber                                      : 2
                               Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy : {102, 101, 158, 153...}
S-1-5-21-1584283910-3275287195 Version                                             : 1
-1754958050-1004               SequenceNumber                                      : 179
                               Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy : {131, 170, 94, 228...}
                               Microsoft.Windows.Cortana_cw5n1h2txyewy             : {69, 3, 57, 6...}
                               Microsoft.MicrosoftEdge_8wekyb3d8bbwe               : {37, 64, 172, 83...}
                               InputApp_cw5n1h2txyewy                              : {72, 27, 34, 188...}
S-1-5-21-1584283910-3275287195 Version                                                                    : 1
-1754958050-1005               SequenceNumber                                                             : 182
                               Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy                        : {155, 178, 178, 246...}
                               Microsoft.Windows.Cortana_cw5n1h2txyewy                                    : {14, 234, 70, 240...}
                               Microsoft.MicrosoftEdge_8wekyb3d8bbwe                                      : {9, 49, 55, 39...}
                               \Device\HarddiskVolume1\Windows\System32\cmd.exe                           : {5, 160, 0, 6...}
_Output_Truncated_
1 Output shows all users BAM artifacts
Single User on the System
PS C:\> wmic useraccount  get caption,sid | more (1)
Caption                           SID
ADMIN-STATION\Admin               S-1-5-21-1584283910-3275287195-1754958050-1000
ADMIN-STATION\Administrator       S-1-5-21-1584283910-3275287195-1754958050-500
ADMIN-STATION\cloudbase-init      S-1-5-21-1584283910-3275287195-1754958050-1002
ADMIN-STATION\DefaultAccount      S-1-5-21-1584283910-3275287195-1754958050-503
ADMIN-STATION\Guest               S-1-5-21-1584283910-3275287195-1754958050-501
ADMIN-STATION\andy.dwyer          S-1-5-21-1584283910-3275287195-1754958050-1005
_Output_Truncated_

PS C:\> Get-Itemproperty 'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1584283910-3275287195-1754958050-1005' (2)

Version                                                                    : 1
SequenceNumber                                                             : 182
Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy                        : {155, 178, 178, 246...}
Microsoft.Windows.Cortana_cw5n1h2txyewy                                    : {14, 234, 70, 240...}
Microsoft.MicrosoftEdge_8wekyb3d8bbwe                                      : {9, 49, 55, 39...}
\Device\HarddiskVolume1\Windows\System32\cmd.exe                           : {5, 160, 0, 6...}
InputApp_cw5n1h2txyewy                                                     : {89, 33, 209, 53...}
Microsoft.WindowsCalculator_8wekyb3d8bbwe                                  : {66, 111, 53, 155...}
\Device\HarddiskVolume1\Windows\System32\conhost.exe                       : {96, 89, 201, 207...}
\Device\HarddiskVolume1\Users\andy.dwyer\Desktop\Sys Int\Autoruns.exe      : {82, 232, 89, 79...}
\Device\HarddiskVolume1\Windows\System32\notepad.exe                       : {80, 246, 8, 221...}
_Output_Truncated_

Look at the programs that have been launched and their paths.
1 Get the SID of every local user on the machine
2 Insert the SID of andy.dwyer from above. Output shows the BAM artifact from andy.dwyer

Note any programs that might have been launched from an irregular location.

4. Recycle Bin


When a user deletes a file in Windows it goes into the Recycle bin. This data is recoverable during an investigation using built in tools.

Content in the recycle bin is identified by:

  • SID - determines which user deleted it

  • Timestamp - When it was deleted

  • $RXXXXXX - content of deleted files

  • $IXXXXXX - original PATH and name

SIDs are identified using WMIC or the Registry


4.1 Location:

C:\$Recycle.bin (Hidden System Folder)


4.2 Demo

Find the Contents of the Recycle Bin
PS C:\> Get-Childitem 'C:\$RECYCLE.BIN' -Recurse -Verbose -Force | select FullName (1)
FullName
--------
C:\$RECYCLE.BIN\S-1-5-18
C:\$RECYCLE.BIN\S-1-5-21-1584283910-3275287195-1754958050-1004
C:\$RECYCLE.BIN\S-1-5-21-1584283910-3275287195-1754958050-1005
C:\$RECYCLE.BIN\S-1-5-21-950816436-4199619115-1663388479-500
C:\$RECYCLE.BIN\S-1-5-18\desktop.ini
C:\$RECYCLE.BIN\S-1-5-21-1584283910-3275287195-1754958050-1004\desktop.ini
C:\$RECYCLE.BIN\S-1-5-21-1584283910-3275287195-1754958050-1005\$I8QZ1U8.txt
C:\$RECYCLE.BIN\S-1-5-21-1584283910-3275287195-1754958050-1005\$IBBLWX1.txt
C:\$RECYCLE.BIN\S-1-5-21-1584283910-3275287195-1754958050-1005\$IGJUCO3.txt
C:\$RECYCLE.BIN\S-1-5-21-1584283910-3275287195-1754958050-1005\$R8QZ1U8.txt
C:\$RECYCLE.BIN\S-1-5-21-1584283910-3275287195-1754958050-1005\$RBBLWX1.txt
C:\$RECYCLE.BIN\S-1-5-21-1584283910-3275287195-1754958050-1005\$RGJUCO3.txt
_Output_Truncated_
1 Output shows all of the contents of the Recycle Bin. -Recurse will look at all user’s/SID’s contents

Look at the different directories (SIDs) discuss how you would determine what users they belong to.

Q: Since this gives us all the users on the machine, how would you find the specific user this information belogs to?

Match SID to USER:
 PS C:\> wmic useraccount where 'sid="S-1-5-21-1584283910-3275287195-1754958050-1005"' get name (1)
Name
andy.dwyer
1 To find Recycle Bin artifacts for a specific user, match the SID, then append it to the previous command:
 
PS C:\> Get-Content 'C:\$Recycle.Bin\S-1-5-21-1584283910-3275287195-1754958050-1005\$R8QZ1U8.txt' (1)
This is the file for Auditing
1 Reads the contents of a particular file within the Recycle BIN

5. Prefetch


Prefetch files are created by the windows operating system when an application is run from a specific location for the first time.

Q: What is the windows prefetch used for?

  • These files are named in a predetermined format and the prefetch name consists name of the application, hash noting the location from which the application was run, and a “.PF” file extension.

Q: What is the purpose of analysing the prefetch?

Q: If you found a program in prefetch that you know you did not run, what would that be an indicator of?

For example, the prefetch file for calc.exe would appear as CALC.EXE-0FE8F3A9.pf, where 0FE8F3A9 is a hash of the path from where the file was executed.

The prefetch files are stored in “\Root\Windows\Prefetch” folder.
* Analysis of prefetch files reveals the evidence of the intial program execution for a user and from a specific location at a specific time.

Prefetch entries may remain even after the program has been deleted or uninstalled.

  • This information together with timeline analysis helps in determining what programs have been executed in the system.

  • Evidence of program execution can be a valuable resource for forensic investigators. They can prove that a suspect ran a program like CCleaner to cover up any potential wrongdoing.

  • Limited to 128 files on Win7

  • Limited to 1024 files on Win8-10

    • Win8-10 Prefetch files store the last eight execution times. The file creation time of the prefetch file will indicate the original time of execution within 10 seconds leaving the investigator with a total of nine execution times.

  • Prefetch entries record the location of the associated executable and files referenced by that executable. Look for any files executed or referenced from a temp directory as this is typically an outlier.

  • By default, Windows Server does not have Prefetch enabled.

  • Use Eric Zimmerman’s PECmd.exe utility to analyze Prefetch data

  • General Format of a prefetch file: (exename)-(hash-of-path).pf

Prefetch Documentation


5.1 Location

Win7/8/10

C:\Windows\Prefetch


5.2 Demo

PS C:\> Get-Childitem -Path 'C:\Windows\Prefetch' -ErrorAction Continue | select -First 8 (1)
    Directory: C:\Windows\Prefetch
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/11/2021   3:53 PM                ReadyBoot
-a----        2/11/2021   3:39 PM         334168 AgAppLaunch.db
-a----        2/16/2021   2:13 PM        1450197 AgCx_S1_S-1-5-21-1584283910-3275287195-1754958050-1004.snp.db
-a----        2/23/2021   7:29 PM        1690240 AgCx_S2_S-1-5-21-1584283910-3275287195-1754958050-1005.snp.db
-a----        3/11/2021   7:21 PM          83229 AgGlFaultHistory.db
-a----        3/11/2021   7:21 PM         420736 AgGlFgAppHistory.db
-a----        3/11/2021   7:21 PM        1629990 AgGlGlobalHistory.db
-a----        2/22/2021   5:19 PM         125687 AgGlUAD_P_S-1-5-21-1584283910-3275287195-1754958050-1004.db
1 Output shows the programs that were run and when they were executed that are stored in the Prefetch location.


6. Jump Lists

The Windows 7-10 taskbar (Jump List) is engineered to allow users to “jump” or access items they have frequently or recently used quickly and easily.

The data stored in the Automatic Destinations folder will each have a unique file prepended with the AppID of the associated application.

  • First time of execution of application.

  • Creation Time = First time item added to the AppID file.

  • Last time of execution of application w/file open.

  • Modification Time = Last time item added to the AppID file.

Jumplists allow us to get visibility about the intent or knowledge an attacker had when opening a particular file, launching a particular application or browsing a specific directory during the course of an interactive session.

JumpLists Documentation


6.1 Location

Win7/8/10

C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations (C:\Users\king\AppData\Roaming\Microsoft\Windows\Recent)

Show in Explorer:
C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations (C:\Users\king\AppData\Roaming\Microsoft\Windows\Recent)


6.2 Demo


Programs/Items that were recently used
PS C:\> Get-Childitem -Recurse C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent -ErrorAction Continue | select FullName, LastAccessTime (1)
FullName                                                                                                                                     LastAccessTime
--------                                                                                                                                     --------------
C:\Users\andy.dwyer\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations                                                        3/11/2021 8:21:30 PM
C:\Users\andy.dwyer\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1bc392b8e104a00e.automaticDestinations-ms              3/11/2021 6:24:55 PM
C:\Users\andy.dwyer\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms              3/11/2021 8:16:30 PM
C:\Users\andy.dwyer\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9b9cdc69c1c24e2b.automaticDestinations-ms              3/11/2021 6:24:55 PM
C:\Users\andy.dwyer\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9d1f905ce5044aee.automaticDestinations-ms              3/11/2021 6:24:55 PM
C:\Users\andy.dwyer\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\cf02284227526d80.automaticDestinations-ms              3/11/2021 7:02:30 PM

or

PS C:\> Get-Childitem -Recurse $env:USERPROFILE\AppData\Roaming\Microsoft\Windows\Recent -ErrorAction SilentlyContinue | select FullName,LastAccessTime (2)
FullName                                                                                                                                     LastAccessTime
--------                                                                                                                                     --------------
C:\Users\andy.dwyer\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations                                                        3/11/2021 8:21:30 PM
C:\Users\andy.dwyer\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations                                                           3/11/2021 8:21:30 PM
C:\Users\andy.dwyer\AppData\Roaming\Microsoft\Windows\Recent\14287.lnk                                                                    3/9/2021 6:15:30 PM
C:\Users\andy.dwyer\AppData\Roaming\Microsoft\Windows\Recent\Active_Directory.lnk                                                         3/8/2021 7:07:26 PM
C:\Users\andy.dwyer\AppData\Roaming\Microsoft\Windows\Recent\Artifacts (2).lnk                                                            3/3/2021 8:30:33 PM
C:\Users\andy.dwyer\AppData\Roaming\Microsoft\Windows\Recent\Artifacts.lnk                                                                3/3/2021 7:12:42 PM

or

- Make sure sysinternals is mounted or unzipped
- Gci C:\users\student\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations | % {z:\strings.exe -accepteula $_} >> c:\recentdocs.txt
1 Output shows all users Jump Lists artifacts
2 Output shows the Jump Lists Artifacts for the currently logged user
3 Output redirected through strings.exe and into a file provides more readable output.


7. Recent Files

Registry Key that will track the last files and folders opened and is used to populate data in “Recent” menus of the Start menu.

  • Tracks last 150 files or folders opened.

  • Entry and modification time of this key will be the time and location the last file of a specific extension was opened.

7.1 Location

  • HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

  • HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt


7.2 Demo

Query the Hex Value Stored in the Key

PS C:\> Get-Item 'Registry::\HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*' (1)
    Hive: \HKEY_USERS\S-1-5-21-1584283910-3275287195-1754958050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Name                           Property
----                           --------
.html                          MRUListEx : {0, 0, 0, 0...}
                               0         : {114, 0, 101, 0...}
.pdf                           0         : {49, 0, 52, 0...}
                               MRUListEx : {0, 0, 0, 0...}
.ps1                           0         : {65, 0, 114, 0...}
                               MRUListEx : {2, 0, 0, 0...}
                               1         : {65, 0, 99, 0...}
                               2         : {82, 0, 83, 0...}
.sh                            0         : {116, 0, 101, 0...}
                               MRUListEx : {0, 0, 0, 0...}
.txt                           0         : {114, 0, 101, 0...}
                               MRUListEx : {4, 0, 0, 0...}
                               1         : {114, 0, 101, 0...}
                               2         : {114, 0, 101, 0...}
                               3         : {97, 0, 117, 0...}
                               4         : {97, 0, 117, 0...}
.vcex                          MRUListEx : {0, 0, 0, 0...}
                               0         : {67, 0, 111, 0...}
1 With the * we can see the types of files/ information that was recently viewed. 
PS C:\> Get-Item 'Registry::\HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt' (1)
    Hive: \HKEY_USERS\S-1-5-21-1584283910-3275287195-1754958050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Name                           Property
----                           --------
.txt                           0         : {114, 0, 101, 0...}
                               MRUListEx : {4, 0, 0, 0...}
                               1         : {114, 0, 101, 0...}
                               2         : {114, 0, 101, 0...}
                               3         : {97, 0, 117, 0...}
1 With .txt we can see the text files/ information that was recently viewed. Queries the Hex Value Stored in the Key

This command will allow you to read some of the data stored within the keys:

Converting a Single Value from Hex to Unicode
[System.Text.Encoding]::Unicode.GetString((gp "REGISTRY::HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt")."0") (1)
recent1.txt b2     敲散瑮⸱湬kH	뻯    .              recent1.lnk
1 Shows the text file represented by 0, you can change number to veiw the rest of the files
Convert all of a users values from HEX to Unicode
[System.Text.Encoding]::Unicode.GetString((gp "REGISTRY::HKEY_USERS\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt")."0")
recent1.txt b2     敲散瑮⸱湬kH	뻯    .              recent1.lnk 

PS C:\> Get-Item "REGISTRY::HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt" | select -Expand property | ForEach-Object {
    [System.Text.Encoding]::Default.GetString((Get-ItemProperty -Path "REGISTRY::HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt" -Name $_).$_)
}   (1)
r e c e n t 1 . t x t   b 2           recent1.lnk H 	  ï¾        .                             r e c e n t 1 . l n k   
                ÿÿÿÿ
r e c e n t 2 . t x t   b 2           recent2.lnk H 	  ï¾        .                             r e c e n t 2 . l n k   
r e c e n t 3 . t x t   b 2           recent3.lnk H 	  ï¾        .                             r e c e n t 3 . l n k   
a u d i t i n g . t x t   f 2           auditing.lnk  J 	  ï¾        .                             a u d i t i n g . l n k   
a u d i t . t x t   \ 2           audit.lnk D 	  ï¾        .                             a u d i t . l n k
(Change/manipulate the extensions -.txt- to different extensions to view different sets of information)
1 Shows and converts all of the text files located in the Recent Files Registry location


8. Browser Artifacts

Stores details for each user account. Records number of times a site is visited (frequency). History will record the access to the file on the website that was accessed via a link. Many sites in history will list the files that were opened from remote sites and downloaded to the local system.

8.1 Location

Win7/8/10:

%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\history

Q: Does anyone know what type of files are stored here?

Q: How might we view information from these files if we don’t have SQLlite Viewer installed?

  • Show Location in Explorer so students have a visual reference of where they’re pulling this information from.

Location: C:\Users\andy.dwyer\AppData\Local\Google\Chrome\User Data\Default\

The location is different for every browser.

Areas of interest in Google Chrome History Files:

1. URLS
The urls table contains the basic browsing history for Chrome. This will include a single instance for all the URLs visited, a timestamp for the last time visited, and a counter for the number of times visited.

2. Current Session/Tabs
If you are examining a system that still has an active session available, Chrome will store the browsing activity here under current session and if there are multiple tabs open it will store it under current tabs.

3. Top Sites
Chrome shows the user their most frequently visited sites in panels on a homepage, which allows the user to quickly click on a frequently visited site. We recover the data around any URL that is listed as a “Top Site” in Chrome.

8.2 Demo


For demo purposes, open some browsers before class and navigate to a few sites so you have can content to show during your demonstrations.
Location of the SQL Lite Text Files
# Frequency
PS C:\> Z:\strings.exe 'C:\users\andy.dwyer\AppData\Local\Google\Chrome\User Data\Default\History' -accepteula (1)
_Output_Truncated_
https://git.cybbh.space/users/sign_in
https://git.cybbh.space/users/auth/ldapmain/callback
https://git.cybbh.space/os/public/-/jobs/artifacts/master/file/os/modules/015_windows_sysinternals/pages/15_SysInternals_winSlides.html?job=generate_adoc-slides
https://git.cybbh.space/os/public/-/jobs/artifacts/master/file/os/modules/014_windows_ad/pages/12_BloodHound_Slides.html?job=generate_adoc-slides
https://git.cybbh.space/os/public/-/jobs/artifacts/master/file/os/modules/011_win_logging/pages/8_Win_Auditing_Logging.html?job=generate_adoc-slides+
_Output_Truncated_

# Most Visited
PS C:\> Z:\strings.exe 'C:\users\andy.dwyer\AppData\Local\Google\Chrome\User Data\Default\Top Sites' (2)
_Output_Truncated_
Fox News - Breaking News Updates | Latest News Headlines | Photos & News Videos
http://10.50.24.186:8000/themes/core/static/cyberchef.htm
https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
http://172.20.25.182:8000/
http://cyberchef.com/
https://www.target.com/
http://vta.cybbh.space/
http://www.yahoo.com/
_Output_Truncated_

# User Names
PS C:\> Z:\strings.exe  'C:\users\andy.dwyer\AppData\Local\Google\Chrome\User Data\Default\Login Data' (3)
_Output_Truncated_
http://172.20.25.182:8000/ctfadmin
https://git.cybbh.space/<USERNAME>
d9Q
https://vta.cybbh.space/<USERNAME>
https://login.yahoo.com/<USERNAME>
http://172.20.25.182:8000/ctfadmin
https://git.cybbh.space/<USERNAME>
https://vta.cybbh.space/
_Output_Truncated_
Alternatively the Select-String cmdlet can be used if Sysinternals is not available.
1 The ouput includes the Links that were "clicked" on while on a site
2 The output includes the sites most visited
3 The output includes sites that captured where user credentials were entered
Find FQDNs in Sqlite Text files
$History = (Get-Content 'C:\users\student\AppData\Local\Google\Chrome\User Data\Default\History') -replace "[^a-zA-Z0-9\.\:\/]","" (1)

PS C:\> $History| Select-String -Pattern "(https|http):\/\/[a-zA-Z_0-9]+\.\w+[\.]?\w+" -AllMatches|foreach {$_.Matches.Groups[0].Value}| ft (2)
http://172.20.25
https://login.yahoo.com
https://os.cybbh.io
https://git.cybbh.space
http://172.20.25
_Output_Truncated_
1 Create a Variable to pull all contents from the Browswer History file
2 Output is cleaned up to only show the URLs


9. Auditing

9.1 Intro

The Auditing Windows portion of this FG covers the concept of Windows Auditing using native tools along with the analysis of generated artifacts using cmd, powershell, or the GUI based program Eventviewer.

Run all the Auditing Demos on the Admin-Station. Make sure to exit your pssession from Workstation2.

Q: Why is auditing Windows systems important?

9.2 Demo

Enable auditing on a text file

  • Create a text file on the Desktop

PS C:\Users\andy.dwyer\Desktop\Audit> new-item C:\Users\andy.dwyer\Desktop\Auditing.txt
    Directory: C:\Users\andy.dwyer\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/7/2021   2:45 PM              0 Auditing.txt

  • Add content to the file then show the contents


PS C:\Users\andy.dwyer\Desktop\Audit> set-content C:\Users\andy.dwyer\Desktop\Auditing.txt "This is the file for Auditing"

PS C:\Users\andy.dwyer\Desktop\Audit> get-content C:\Users\andy.dwyer\Desktop\Auditing.txt
This is the file for Auditing

  • Set audit policy to Full Control for the "User Name" object


Rt click <file> on the desktop > Properties > Security > Advanced > Auditing > Continue > Add > Select a Principle > Type <username> (andy.dwyer) > Check Names > Ok >  Full Control > Ok > Apply > Ok

  • Double click the file in Explorer, view that no auditing happened

  • In Event Viewer, observe no log was created ( eventvwr )

eventvwr (1)
> Windows Logs > Security

(1) Opens Event Viewer GUI


  • Enable the Audit Object Access

PS C:\Users\andy.dwyer> auditpol /get /category:* (1)
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
_output_truncated_

(1) Shows all of the Audit Policy settings


PS C:\Users\andy.dwyer> auditpol /get /category:"Object Access" (1)
System audit policy
Category/Subcategory                      Setting
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
_output_truncated_

(1) Shows all of the Object Access Subcategory settings


PS C:\Users\andy.dwyer> auditpol /get /subcategory:"File System" (1)
System audit policy
Category/Subcategory                      Setting
Object Access
  File System                             No Auditing

(1) Shows the Fiel System subcategory setting


PS C:\Users\andy.dwyer> auditpol /set /subcategory:"File System" (1)
The command was successfully executed.
PS C:\Users\andy.dwyer> auditpol /get /subcategory:"File System" (2)
System audit policy
Category/Subcategory                      Setting
Object Access
  File System                             Success

(1) Sets the File System subcategory (2) Show that the File System setting changed


  • Open the .txt file again, and open Event Viewer to show that there is an entry in the Security log


Change the settings back to default

PS C:\Users\andy.dwyer> auditpol /set /subcategory:"File System" /success:disable
The command was successfully executed.
PS C:\Users\andy.dwyer>


10. Event Logs

Logs are records of events that happen in your computer, such as when a user logs on to the computer or when a program encounters an error. Users might find the details in event logs helpful when troubleshooting problems with Windows and other programs. They also help you track what happened.

Early windows editions, starting with Windows NT, came with three Windows logs: Application event log, System event log and Security event log. Modern versions of Windows come with more than a hundred of Windows eventlogs, and third party applications can create and integrate into Windows logging their own event logs.

Q: What type of information is logged in the Application Log?

Q: What type of information is logged in the Security Log?

Q: What type of information is logged in the System Log?


10.1 Locations

*.evtx files accessed by:

  1. Windows Event View Application

  2. Get-Eventlog or Get-WinEvent in Powershell

  3. wevtutil in Command Prompt


10.2 Demo

DEMO: Enable Auditing of a file

  • Create a .txt file in C:\Users\"User Name\Desktop

  • Add content to the file

  • Set audit policy to Full Control for the "User Name" object

  • Double click the file in Explorer, view that no auditing happened

  • In Event Viewer, observe no log was created

  • Enable the Audit Object Access

C:\windows\system32>auditpol /get /category:"Object Access" (1)
System audit policy
Category/Subcategory                      Setting
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing

C:\windows\system32>auditpol /set /subcategory:"File System" (2)
The command was successfully executed.

C:\windows\system32>auditpol /get /category:"Object Access"
System audit policy
Category/Subcategory                      Setting
Object Access
  File System                             Success
  Registry                                No Auditing
  Kernel Object                           No Auditing

C:\windows\system32>auditpol /set /subcategory:"File System" /success:disable (3)
The command was successfully executed.
1 Shows the status of the subcategories in the Object Access category
2 Sets the File System subcategory to audit "Success"
3 Sets the File System subcategory back to "No Auditing"

  • Open the .txt file again, and open Event Viewer to see the Security log
Command Prompt: Checking System Wide Auditing Policy for all objects
 auditpol /get /category:* (1)
1 Shows a list of all the Audit Policy categories and cooresponding subcategories and their current settings. Run command and show the different Categories/Subcategories.


*Viewing Logs in Command Prompt *
C:\windows\system32>wevtutil el (1)

C:\windows\system32>wevtutil el | find /c /v "" (2)
1149

C:\windows\system32>wevtutil gli security (3)
creationTime: 2019-01-03T22:39:36.602Z
lastAccessTime: 2021-03-15T15:47:53.735Z
lastWriteTime: 2021-03-15T15:47:53.735Z
fileSize: 15798272
attributes: 32
numberOfLogRecords: 17595
oldestRecordNumber: 1

C:\windows\system32>wevtutil qe security /c:3 /f:text (4)
Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Eventlog
  Date: 2019-01-03T20:22:38.227
  Event ID: 1102

_Output_Truncated_
1 Use wevtutil (Windows Event Utility) to show all logs available to the command prompt tool using el (enumerate logs)
2 Shows the number of Windows logs, you can use find with \c to count the lines containing the following string \v to invert the following string "" (a null string)
3 Shows the Security Log information
4 Shows the last 3 events with qe (query event) from the security log and view in human readable format.


View Event Logs in Powershell
PS C:\> Get-EventLog -LogName System -Newest 10 (1)
   Index Time          EntryType   Source                 InstanceID Message
   ----- ----          ---------   ------                 ---------- -------
    1102 Mar 15 12:00  Information EventLog               2147489661 The system uptime is 2750871 seconds.
    1101 Mar 14 12:00  Information EventLog               2147489661 The system uptime is 2664471 seconds.
    1100 Mar 13 23:52  Information Microsoft-Windows...   16 The description for Event ID '16' in Source 'Microsoft-Windows-Kernel-Gen...
    1099 Mar 13 23:52  Information Microsoft-Windows...   16 The description for Event ID '16' in Source 'Microsoft-Windows-Kernel-Gen...
    1098 Mar 13 12:00  Information EventLog               2147489661 The system uptime is 2578071 seconds.
    1097 Mar 12 21:52  Information Microsoft-Windows...   16 The description for Event ID '16' in Source 'Microsoft-Windows-Kernel-Gen...
    1096 Mar 12 21:52  Information Microsoft-Windows...   16 The description for Event ID '16' in Source 'Microsoft-Windows-Kernel-Gen...
    1095 Mar 12 12:00  Information EventLog               2147489661 The system uptime is 2491671 seconds.
    1094 Mar 11 20:58  Error       DCOM                   10016 The description for Event ID '10016' in Source 'DCOM' cannot be found.  T...
    1093 Mar 11 18:27  Information Microsoft-Windows...   16 The description for Event ID '16' in Source 'Microsoft-Windows-Kernel-Gen...

PS C:\> Get-EventLog -LogName System -Newest 3 | Format-Table -Wrap (2)
   Index Time          EntryType   Source                 InstanceID Message
   ----- ----          ---------   ------                 ---------- -------
    1102 Mar 15 12:00  Information EventLog               2147489661 The system uptime is 2750871 seconds.
    1101 Mar 14 12:00  Information EventLog               2147489661 The system uptime is 2664471 seconds.
    1100 Mar 13 23:52  Information Microsoft-Windows-Ke   16 The description for Event ID '16' in Source
                                   rnel-General           'Microsoft-Windows-Kernel-General' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following  information is part of the event:'119', '\??\C:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\dosvcState.dat', '4', '1'
1 Shows the newest/last 10 entries in the system log. Point out what the three dots (…​) mean and how to print the rest of the entry. (ex. | format-table -wrap)
2 Add the format-table -wrap option to print the truncated part of the entry.


Search the Security Event Log and show the entire message
PS C:\> Get-Eventlog -LogName Security | ft -wrap (1)
1 This is all of the information currently in the Security log. Point out the abundance of information that would need to be parsed through.


Search through the entire Security log for a specific string
PS C:\> Get-Eventlog -LogName Security | ft -wrap | findstr /i StR1nG (1)
1 Explain that you search through all of the log entries using findstr or select-string for specific strings, the biggest difference between the two is that findstr has a case insensitive option — findstr /i <string>

Get-EventLog is limited to the default Windows Logs of Security, Application, System,and Windows Powershell (Windows 8.1 and up)
Get-Winevent will cover all the default eventlogs and all of the remaining custom application logs


Finding Log Type to Query
PS C:\> Get-WinEvent -Listlog * (1)
LogMode   MaximumSizeInBytes RecordCount LogName
-------   ------------------ ----------- -------
Circular            20971520         993 Application
Circular            20971520           0 HardwareEvents
Circular             1052672           0 Internet Explorer
Circular            20971520           0 Key Management Service
Circular            20971520       17711 Security
Circular            20971520         576 System
Circular            15728640         176 Windows PowerShell
Circular            20971520             ForwardedEvents
Circular            10485760           0 Microsoft-AppV-Client/Admin
_Output_Trucncated_

PS C:\> (Get-WinEvent -Listlog *).count (2)
426

PS C:\> Get-WinEvent -Listlog * | findstr /i "Security" (3)
Circular            20971520       18179 Security
Circular             1052672           0 Microsoft-Windows-Security-Adminless/Operational
Circular             1052672           0 Microsoft-Windows-Security-Audit-Configuration-Client/Operational
Circular             1052672           0 Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational
Circular             1052672             Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational
Circular             1052672             Microsoft-Windows-Security-IdentityListener/Operational
_Output_Truncated_
1 Lists all of the logs available to Winevent
2 Shows the number of logs, point out the volume of possible information
3 Search through the list of logs to find logs that pertain to Security


Checking If a User Logged on
PS C:\> Get-Winevent -FilterHashtable @{logname='Security';id='4624'} | ft -Wrap (1)
   ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------                                    3/15/2021 7:42:19 PM          4624 Information      An account was successfully logged on.                                                        Subject:
                                                    	Security ID:		S-1-5-18
                                                    	Account Name:		ADMIN-STATION$
                                                    	Account Domain:		WORKGROUP
                                                    	Logon ID:		0x3E7
                                                    Logon Information:
                                                    	Logon Type:		5
                                                    	Restricted Admin Mode:	-
                                                    	Virtual Account:	No
                                                    	Elevated Token:		Yes
                                                    Impersonation Level:	Impersonation
                                                    New Logon:
                                                    	Security ID:		S-1-5-18
                                                    	Account Name:		SYSTEM
                                                    	Account Domain:		NT AUTHORITY
                                                    	Logon ID:		0x3E7
                                                    	Linked Logon ID:	0x0
                                                    	Network Account Name:	-
                                                    	Network Account Domain:	-
                                                    	Logon GUID:             {00000000-0000-0000-0000-000000000000}
_Output_Truncated_

PS C:\> Get-Winevent -FilterHashtable @{logname='Security';id='4624'} | ft -Wrap | findstr /i "generated" (2)
1 Using Get-WinEvent with -FilterHashtable allows you to filter for more than one criteria. In this instance filter for the Security log and the id of 4624 (discussed below).
2 Same command as above with a specific string search using findstr /i.


Checking Powershell Operational Logs
PS C:\> Get-WinEvent Microsoft-Windows-PowerShell/Operational | Where-Object {$_.Message -ilike "*RunspacePool*"} | Format-List (1)
TimeCreated  : 3/8/2021 7:28:43 PM
ProviderName : Microsoft-Windows-PowerShell
Id           : 8195
Message      : Opening RunspacePool

TimeCreated  : 3/8/2021 7:28:43 PM
ProviderName : Microsoft-Windows-PowerShell
Id           : 8194
Message      : Creating RunspacePool object
                	 InstanceId 18bed982-3d17-47b0-8f7a-0836900efea6
                	 MinRunspaces 1
                	 MaxRunspaces 1
_Output_Truncated_

Get-WinEvent Microsoft-Windows-PowerShell/Operational | Where-Object {$_.Message -ilike "*Pipeline ID = ##"} | Format-List (2)
1 Output shows searching through PowerShell Operational logs for a specific string.
2 Command used to search through PowerShell Operational logs for a specific Pipeline ID.
The Pipeline ID is used to correllate powershell Input with thier Output, see below.


Sample Event IDs to search for for malicious actors in your network

ID

Level

Event Log

Account Lockouts

4740

Informational

Security

User Added to Privileged Group

4728, 4732, 4756

Informational

Security

Security-Enabled group Modification

4735

Informational

Security

Successful User Account Login

4624

Informational

Security

Failed User Account Login

4625

Informational

Security

Account Login with Explicit Credentials

4648

Informational

Security

Event Log was Cleared

104

Audit Log was Cleared

1102

Security

System audit policy was changed

4719

PS Module Logging (Command Execution)

4103

PS Script-Block Logging (Script Execution)

4104,4105,4106

A more inclusive list of Windows Security Log Events


11. PowerShell Artifacts

11.1 PowerShell Transcripts

PowerShell Transcript is a feature that creates a record of all or part of a PowerShell session to a text file.

PS C:\> Start-Transcript (1)
Transcript started, output file is C:\Users\andy.dwyer\Documents\PowerShell_transcript.ADMIN-STATION.OGp3Fa
x7.20210316141734.txt
1 Creates a text file and records part of all of a PowerShell session.
You may specify the directory or path where you want to store the transcript by using the -Path parameter, by default it goes to the Documents folder of the user that enabled the transcript.

Start-Transcript Documentation

Q: Is there a way to bypass this security feature?

  • Short answer, Yes. If you open cmd.exe and then run PowerShell from within that session the Transcript will log nothing since it’s not a normal PowerShell session.

  • However, Start-Transcript can still be run to create a log of the session from which it is created from.


11.2 Powershell History

Powershell history is a record of every command entered during a Powershell Session.

PS C:\> Get-History (1)
  Id CommandLine
  -- -----------
   1 Get-PSDrive
   2 get-process | select name,id,Description | sort -Property id
   3 regedit
   4 cls
_Output_Truncated_
1 Shows all of the commands entered during the current session.
Location:

C:\Users\username\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt


Use Get-Content to access the the history

PS C:\> Get-Content "C:\users\$env:username\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" (1)
Get-CimInstance Namespace root\securitycenter2 ClassName antispywareproduct
Get-CimInstance -Namespace root\securitycenter2 -ClassName antispywareproduct
hostname
whoami
exit
get-process
_Output_Truncated_
1 Prints the contents of the history file

Get-History Documentation


11.3 Powershell Script Block Logging

Script block logging records blocks of code as they are executed by the PowerShell engine, thereby capturing the full contents of code executed by an attacker, including scripts and commands. Due to the nature of script block logging, it also records de-obfuscated code as it is executed.

What logs are generated by PowerShell?

By default no logs are generated by PowerShell. This is dangerous since this basically means any actions in PowerShell have no trail to follow. By default a few of the more powerful features of Windows and PowerShell are turned off, but let’s discuss what each one means and how to use them to our advantage in defense of our machines.

  • "A PowerShell “script block” is the base level of executable code in PowerShell. It might represent a command typed interactively in the PowerShell console, supplied through the command line, or wrapped in a function, script, workflow, etc."

  • Script block logging doesn’t just look at the code that was supplied via the console or scripts that have been ran, but what the PowerShell engine actually runs.

  • This feature will show any obfuscated commands (i.e. Base64, Rot 13 or CaSe InSenSiTive StRingS, etc) as well as the decoded input that the PowerShell engine runs.

  • While not available in PowerShell 4.0, PowerShell 5.0 will automatically log code blocks if the block’s contents match on a list of suspicious commands or scripting techniques, even if script block logging is not enabled.

Q: How do I enable Script Block logging?

reg add HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\ /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f

  • 4103 is Verbose powershell command execution enabled via Script Block Logging.

  • 4104 show the actual scripts ran, the encoded and decodes versions. If it was a file it will show the files name run then another even will have the script within that file

  • 4105 is the time a script started aka the PowerShell engine was started

  • 4106 is the time a script ended aka the PowerShell engine was stopped

Script Block Logging