<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2815180&amp;fmt=gif">

Improving Visibility and Preventing a Miss: Custom PowerShell Collection

A worrisome risk for a SIEM or SOAR is not collecting key logs used or required for the advanced modeling in today's platforms.

In our experience, incorrect/empty logs or lack of logging required for advanced detection (as we discussed in the first post on this topic), is obviously bad, yet failing to pick them up and sticking to collecting in just System, Security, Application leaves machine learning and modeling missing key items to with which to model behavior.


First, learn "how" to engage minimum logging for PowerShell. ⤵️

Keep Reading


How to Collect Key PowerShell Logs

Beyond the basic logging configured in the previous blog, we will also need to be collecting these Powershell logs from these locations:

WMI-Activity/Operational Logs

  • 5857 - Indicates time of wmiprvse execution and path to provider DLL
  • 5858 - Query errors, the data include the error code in the element ResultCode and the Query that caused it under the element Operation
  • 5859 - EventFilter class
  • 5860 - Registration of Temporary (5860) and Permanent (5861) Event Consumers
  • 5861 - Registration of Temporary (5860) and Permanent (5861) Event Consumers 

Microsoft-Windows- WinRM/Operational

  • 6 – WSMan session initialized
  • 8 – WSMan session deinitialization
  • 15 – WSMan session deinitialization
  • 16 – WSMan session deinitialization
  • 33 – WSMan session deinitialization
  • 91 – Session creation
  • 168 – Records authenticating user

PowerShell/Operational Logs

  • 4103 – PowerShell Module Logging
  • 4104 – PowerShell Script Block Logging
  • 8193 – Session Created
  • 8194 – Session Created
  • 8197 – Session Closed
  • 40961 – Records the local initiation of PowerShell and associated user account
  • 40962 – Records the local initiation of PowerShell and associated user account
  • 53504 - Records the authenticating user

Windows PowerShell Logs

  • 400 – ServerRemoteHost session starting
  • 403 – ServerRemoteHost session ending
  • 800 – Includes partial script code

Many systems use NXlog to transmit logs back to a SIEM, though the examples below can be translated into OSquery as well. Further down we will use examples for Exabeam.

NXlog

A basic input section for an NXlog config might look simple like this:

##
## Inputs:
##

## Windows event log:
<Input in_windows_events>
Module im_msvistalog
SavePos FALSE
ReadFromLast TRUE

Query <QueryList>\
   <Query Id="0">\
     <Select Path="Security">*</Select>\
     <Select Path="System">*</Select>\
     <Select Path="Application">*</Select>\
     <Select Path="Windows Powershell>*</Select>\
   </Query>\
</QueryList>
</Input>

But with a quick edit we can grab the additional logs we need:

##
## Inputs:
##

## Windows event log:
## Additions
## WMI-Activity/Operational Logs
## Microsoft-Windows- WinRM/Operational
## PowerShell/Operational Logs
## Windows PowerShell Logs (focused option and all option below, choose one)

<Input in_windows_events>
Module im_msvistalog
SavePos FALSE
ReadFromLast TRUE

Query <QueryList>\
   <Query Id="0">\
     <Select Path="Security">*</Select>\
     <Select Path="System">*</Select>\
     <Select Path="Application">*</Select>\
     <Select Path="Microsoft-Windows-WMI-Activity/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and ( (EventID &gt;= 5857 and EventID &lt;= 5861) )]]</Select>\
     <Select Path="Microsoft-Windows-WinRM/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=6 or EventID=8 or EventID=15 or EventID=16 or EventID=33 or EventID=91 or EventID=168)]]</Select>\
     <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=4103 or EventID=4104 or EventID=8193 or EventID=8194 or EventID=8197 or EventID=40961 or EventID=40962 or EventID=53504)]]</Select>\
     <Select Path="Windows PowerShell">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=400 or EventID=403 or EventID=800)]]</Select>\
     <Select Path="Windows Powershell>*</Select>\
   </Query>\
</QueryList>

</Input>

For Exabeam

image-png-3

Here, I just added the 3 new channels for PowerShell:

## WMI-Activity/Operational Logs
## Microsoft-Windows- WinRM/Operational
## PowerShell/Operational Logs

image-png-4

This allows us to collect PowerShell logs that help show encrypted channeling, encrypted arguments in a command, hidden arguments in a command, hiding PowerShell history in a PSReadLine, and more! We will get into writing those rules in our next blog.


If you have any questions about these instructions, please reach out to Castra so that we can help walk you through these concepts, as well as ensure the logs are in your platform of choice.