Powershell map to build for later

Question

Powershell map to build for later

randomaccess3 opened this issue 5 years ago · 2 comments

randomaccess3 commented 5 years ago

40961 - Microsoft-Windows-PowerShell%4Operational.evtx

Powershell console is starting - This is a sign of a user starting a powershell console for input

https://www.blackhat.com/docs/us-14/materials/us-14-Kazanciyan-Investigating-Powershell-Attacks-WP.pdf

(Assign to me if possible and I'll get to it when i have a spare 5!)

Answer 1 · 2020-06-03T13:06:04.000Z

assigned! =)

Answer 2 · 2020-06-13T06:09:50.000Z

I played with this a bit more; the two that I was going to build aren't as atomic as I thought they would be.
Thought they would indicate that the user had direct access to the terminal, but seems to also apply if they run a script without opening the terminal.