PowerShell Archives - Page 2 of 2

[SANS ISC] PowerShell: ScriptBlock Logging… Or Not?

June 19, 2018 PowerShell, SANS Internet Storm Center, Security Leave a comment

I published the following diary on isc.sans.org: “PowerShell: ScriptBlock Logging… Or Not?“: Here is an interesting piece of PowerShell code which is executed from a Word document (SHA256:Â eecce8933177c96bd6bf88f7b03ef0cc7012c36801fd3d59afa065079c30a559). The document is a classic one. Nothing fancy, spit executes the macro and spawns a first PowerShell command… [Read more]

[SANS ISC] Investigating Microsoft BITS Activity

January 26, 2018 Forensics, Malware, PowerShell, SANS Internet Storm Center, Security, Software 2 comments

I published the following diary on isc.sans.org: “Investigating Microsoft BITS Activity“: Microsoft BITS (â€œBackground Intelligent Transfer Serviceâ€) is a tool present[1] in all modern Microsoft Windows operating systems. As the name says, you can see it as a “curl” or “wget” tool for Windows. It helps to transfer files between

[SANS ISC] Fileless Malicious PowerShell Sample

November 29, 2017 Malware, PowerShell, SANS Internet Storm Center, Security 4 comments

I published the following diary on isc.sans.org: “Fileless Malicious PowerShell Sample“: Pastebin.com remains one of my favourite place for hunting. Iâ€™m searching for juicy content and report finding in a Splunk dashboard: Yesterday, I found an interesting pastie with a simple Windows CMD script… [Read more]

[SANS ISC] Keep An Eye on your Root Certificates

November 11, 2017 PowerShell, SANS Internet Storm Center, Security One comment

I published the following diary on isc.sans.org: “Keep An Eye on your Root Certificates“. A few times a year, we can read in the news that a rogue root certificate was installed without the user consent. The latest story that pops up in my mind is the Savitech audio drivers

[SANS ISC] Some Powershell Malicious Code

October 31, 2017 Malware, PowerShell, SANS Internet Storm Center, Security One comment

I published the following diary on isc.sans.org: “Some Powershell Malicious Code“. Powershell is a great language that can interact at a low-level with Microsoft Windows. While hunting, I found a nice piece of Powershell code. After some deeper checks, it appeared that the code was not brand new but it

[SANS ISC] Diverting built-in features for the bad

March 30, 2017 Malware, PowerShell, SANS Internet Storm Center, Security One comment

I published the following diary on isc.sans.org: “Diverting built-in features for the bad“. Sometimes you may find very small pieces of malicious code. Yesterday, I caught this very small Javascript sample with only 2 lines of code… [Read more]

Tracking Administrator Sessions in Windows Environments

September 24, 2015 Logs Management / SIEM, OS, PowerShell, Security 14 comments

Tracking users with privileged access is a critical taskÂ in your security policy (SANS Critical Security Control #12). If the key point is to restrict the number of “power users” to the lowest, it’s not always easy. Most of them will argue that they need administrator rights “to be able to

Sending Windows Event Logs to Logstash

August 24, 2015 Forensics, Incident Management, PowerShell, Security 23 comments

This topic is not brand new, there exists plenty of solutions to forwardÂ Windows event logs to Logstash (OSSEC,Â Snare or NXlogÂ amongst many others). They perform a decent job to collect events on running systems but they need to deploy extra piece of software on the target operating systems. For a specific

« 1 2