Day 3: Windows PowerShell Log Lab

Objective: Monitor and analyze PowerShell activity via Windows event logs. PowerShell is often abused by attackers, so events like 4103 (command invocation) and 4104 (script block logging) are key indicators[4]. Learners will enable logging, execute PowerShell commands, and examine the generated events.

Challenge Description: A suspicious script is believed to have run on a Windows Server 2022 VM. Enable PowerShell logging, run a test command, and then check the PowerShell Operational log for evidence of that command.

Tools: Windows Event Viewer (PowerShell Operational log), PowerShell (as Administrator), Group Policy Editor (gpedit.msc).

Step-by-step Instructions:

  1. Enable PowerShell Logging: Launch gpedit.msc (Win+R, type gpedit.msc). Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell. Enable Turn on Module Logging, Turn on Script Block Logging, and Turn on Module Execution Logging. Apply and close. This ensures full PowerShell events are recorded.

  2. Generate a PowerShell Event: Open PowerShell as Administrator. Run a test command, for example:

     ```powershell
     Start-Process "notepad.exe" -ArgumentList "C:\Windows\System32\drivers\etc\hosts"
     ```

     This command opens the hosts file in Notepad; with script block logging enabled, the command line itself is recorded as a 4104 event.

  3. Open the PowerShell Event Log: In Event Viewer, expand Applications and Services Logs > Microsoft > Windows > PowerShell > Operational.

  4. Filter for Relevant Events: In the right pane, click Filter Current Log..., enter Event ID 4104 (script contents), then click OK.

  5. Review the PowerShell Event: Click the latest 4104 event. The details pane shows the full command run (in XML under ScriptBlockText). You should see the command you ran (Start-Process in the example above) with its parameters, as well as the user who ran it. A sample entry may look like:

  6. Interpret the Log: The log shows exactly what PowerShell command was run and by whom. In real analysis, such detailed logging (especially script blocks and modules) helps identify attacker activities[4]. Keep an eye out for 4104 events, which include the actual script content (especially if commands are obfuscated).

Simulated Output: The above snippet is what you might see in a PowerShell Operational log entry. Notice it includes the full command line. This confirms PowerShell logging is working. In a SOC, filtering for Event ID 4104 is a common way to detect malicious PowerShell execution[4].
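The same review can be scripted instead of clicked through in Event Viewer. The following is an added example written for this lab (it is not part of the original page or of the cited source [4]): it reads Event ID 4104 entries from the PowerShell Operational log, rebuilds script blocks that Windows splits across several events, resolves the user SID, and flags blocks that match a short, illustrative indicator list. It assumes Windows PowerShell 5.1 on Windows Server 2022, the log name `Microsoft-Windows-PowerShell/Operational`, and the standard 4104 EventData fields (`MessageNumber`, `MessageTotal`, `ScriptBlockText`, `ScriptBlockId`, `Path`); the `$Indicators` patterns are an assumption for demonstration, not a vetted detection rule.

```powershell
# Added example, not part of the lab page. Run from an elevated PowerShell prompt
# on the lab VM after completing steps 1 and 2 above.

$LogName = 'Microsoft-Windows-PowerShell/Operational'

# Illustrative (assumed) indicator list: download cradles and encoding/obfuscation
# helpers that commonly appear in malicious script blocks. Tune for your environment.
$Indicators = @(
    'Invoke-WebRequest', 'DownloadString', 'DownloadFile', 'Net\.WebClient',
    'Invoke-Expression', '\bIEX\b', 'FromBase64String', '-EncodedCommand', '-enc\b'
)

function Get-ScriptBlockEvent {
    # Returns one object per logical script block. A script longer than the event
    # size limit is logged as N fragments that share one ScriptBlockId; we join them.
    param([int]$MaxEvents = 200)

    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # UserId is a SID; translate to DOMAIN\user when the account can be resolved.
        $user = $null
        if ($e.UserId) {
            try   { $user = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $user = $e.UserId.Value }
        }

        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            ProcessId     = $e.ProcessId
            User          = $user
            ScriptBlockId = $data['ScriptBlockId']
            MessageNumber = [int]$data['MessageNumber']
            MessageTotal  = [int]$data['MessageTotal']
            Path          = $data['Path']          # empty for interactive console input
            Text          = $data['ScriptBlockText']
        }
    }

    $rows | Group-Object ScriptBlockId | ForEach-Object {
        $parts = $_.Group | Sort-Object MessageNumber
        $first = $parts[0]
        [pscustomobject]@{
            TimeCreated     = $first.TimeCreated
            ProcessId       = $first.ProcessId
            User            = $first.User
            ScriptBlockId   = $_.Name
            Fragments       = "$($parts.Count)/$($first.MessageTotal)"   # e.g. 3/3 when complete
            Path            = $first.Path
            ScriptBlockText = ($parts.Text -join '')
        }
    }
}

function Find-SuspiciousScriptBlock {
    # Passes through only the blocks that match an indicator, tagging which one hit.
    param([Parameter(ValueFromPipeline)] $Block)
    process {
        foreach ($pattern in $Indicators) {
            if ($Block.ScriptBlockText -match $pattern) {
                $Block | Add-Member -NotePropertyName MatchedIndicator -NotePropertyValue $pattern -PassThru
                break
            }
        }
    }
}

# Lab check: the Start-Process test command from step 2 should be among the newest blocks.
Get-ScriptBlockEvent -MaxEvents 20 |
    Select-Object -Property TimeCreated, User, Path, ScriptBlockText -First 5 |
    Format-List

# Triage: list every block that matches an indicator, newest first.
Get-ScriptBlockEvent -MaxEvents 500 |
    Find-SuspiciousScriptBlock |
    Format-Table TimeCreated, User, MatchedIndicator, Path, Fragments -AutoSize
```

Two things to expect when you run it. First, script block logging records this script too, and its own `$Indicators` text contains the strings it searches for, so the newest "hit" will usually be your own query; compare the `Path` and `User` columns before treating a match as suspicious. Second, a `Fragments` value such as `2/3` means the log has been overwritten or filtered and part of the script is missing, which is why the join is done by `ScriptBlockId` and `MessageNumber` rather than by reading one event at a time.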
