
Using PowerShell for Security Investigations

GK

PowerShell is a powerful scripting language built into Windows that can be leveraged for blue team security operations. Security teams can use PowerShell for threat detection, incident response, and system monitoring.

This guide outlines how to use PowerShell effectively for blue team security testing.



Understanding PowerShell for Security

Before diving into security-specific use cases, it’s important to understand PowerShell’s capabilities:


  • Automation: Automate security tasks such as log analysis and event correlation.

  • System Administration: Manage processes, services, and user activities.

  • Forensics: Extract information from Windows logs, registry, and network connections.

  • Threat Hunting: Detect and respond to suspicious activities in real time.



Setting Up a Secure PowerShell Environment


Restrict Execution Policy

Attackers often use PowerShell scripts to execute malicious commands. Restricting execution policies reduces the risk of running untrusted scripts. The main policy levels are:

  • Restricted – Blocks all scripts from running.

  • RemoteSigned – Allows locally created scripts but requires signatures for downloaded scripts.

  • AllSigned – Only signed scripts from trusted publishers can run.


To enforce execution policy restrictions:

Set-ExecutionPolicy RemoteSigned -Scope LocalMachine

Enable Logging

Enable script block logging to detect potentially malicious PowerShell commands:

$key = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
New-Item -Path $key -Force | Out-Null   # the policy key does not exist until a GPO or script creates it
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

PowerShell then records the contents of every script block it executes in the Microsoft-Windows-PowerShell/Operational event log.
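Script block logging is one of three policy switches; the script below (an added example, not from the original post) sets script block logging, module logging and transcription through the same policy keys, then reads each value back to confirm it took effect. The transcript directory path is an assumption.

```powershell
# Added example: enable the three PowerShell logging controls through the
# policy registry keys and verify the result. Run from an elevated session.
$base          = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'   # assumed location; in production point this at a write-only share

$settings = @(
    @{ Path = "$base\ScriptBlockLogging";      Name = 'EnableScriptBlockLogging'; Value = 1 }
    @{ Path = "$base\ModuleLogging";           Name = 'EnableModuleLogging';      Value = 1 }
    @{ Path = "$base\ModuleLogging\ModuleNames"; Name = '*';                      Value = '*' }   # log every module
    @{ Path = "$base\Transcription";           Name = 'EnableTranscripting';      Value = 1 }
    @{ Path = "$base\Transcription";           Name = 'EnableInvocationHeader';   Value = 1 }
    @{ Path = "$base\Transcription";           Name = 'OutputDirectory';          Value = $transcriptDir }
)

foreach ($s in $settings) {
    # The policy keys do not exist on a fresh machine, so Set-ItemProperty alone would fail.
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value
}
New-Item -Path $transcriptDir -ItemType Directory -Force | Out-Null

# Read every value back and report anything that did not stick.
$report = foreach ($s in $settings) {
    $actual = (Get-ItemProperty -Path $s.Path -ErrorAction SilentlyContinue).($s.Name)
    [pscustomobject]@{
        Setting  = "$($s.Path.Substring($base.Length + 1))\$($s.Name)"
        Expected = $s.Value
        Actual   = $actual
        Ok       = ($actual -eq $s.Value)
    }
}
$report | Format-Table -AutoSize
```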


Monitor PowerShell Events

PowerShell activity can be tracked using Windows Event Viewer. Look for:


  • Event ID 4104 – Script block execution (detects suspicious commands).

  • Event ID 4688 – New process creation in the Security log (identifies PowerShell-based attacks; requires process creation auditing to be enabled).

  • Event ID 4720 – New user account creation (detects unauthorized user additions).


To retrieve logs for security analysis:

Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-PowerShell/Operational"; Id = 4104 }
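Reading 4104 events one by one misses two things: long scripts are logged in several chunks, and a plain listing gives no hint which blocks deserve attention. The script below (an added example, not from the original post) reassembles chunked script blocks from the last 24 hours and flags those containing common download and obfuscation indicators; the indicator list is an assumption to extend from your own detections.

```powershell
# Added example: scan the last 24 hours of 4104 events, reassemble chunked
# script blocks, and flag common download/obfuscation indicators.
# The indicator list is an assumption; extend it from your own detections.
$indicators = 'FromBase64String', 'EncodedCommand', 'DownloadString', 'DownloadFile',
              'Invoke-Expression', 'Net.WebClient', 'Invoke-WebRequest', 'Add-MpPreference',
              'WindowStyle Hidden', 'ExecutionPolicy Bypass'
$pattern = ($indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# 4104 fields: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText, [3] ScriptBlockId.
# Join the chunks per ScriptBlockId so an indicator split across two chunks is still found.
$blocks = $events |
    Where-Object { $_.Properties.Count -ge 4 } |
    ForEach-Object {
        [pscustomobject]@{
            Time = $_.TimeCreated
            Part = [int]$_.Properties[0].Value
            Text = [string]$_.Properties[2].Value
            Id   = [string]$_.Properties[3].Value
        }
    } |
    Group-Object Id |
    ForEach-Object {
        $parts = @($_.Group | Sort-Object Part)
        [pscustomobject]@{
            ScriptBlockId = $_.Name
            FirstSeen     = $parts[0].Time
            Text          = -join $parts.Text
        }
    }

$hits = $blocks |
    Where-Object { $_.Text -match $pattern } |
    ForEach-Object {
        $flat = $_.Text -replace '\s+', ' '
        [pscustomobject]@{
            FirstSeen     = $_.FirstSeen
            ScriptBlockId = $_.ScriptBlockId
            Indicators    = ([regex]::Matches($_.Text, $pattern, 'IgnoreCase') | ForEach-Object Value | Sort-Object -Unique) -join ', '
            Preview       = $flat.Substring(0, [Math]::Min(100, $flat.Length))
        }
    }

$hits | Sort-Object FirstSeen -Descending | Format-Table -AutoSize -Wrap
```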

Log Analysis & Threat Detection

Detecting Failed Login Attempts

Monitoring failed logins helps identify brute-force attacks:

Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4625 } | Format-List

This filters security logs for failed authentication attempts (Event ID 4625).


Finding Newly Created User Accounts

Attackers often create new accounts to maintain persistence:

Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4720 } | Select-Object TimeCreated, Message

This retrieves logs for all new user accounts created on the system.


Identifying Suspicious Network Connections

Monitor network activity for potential threats:

Get-NetTCPConnection | Where-Object { $_.State -eq "Established" -and $_.RemoteAddress -notlike "192.168.*" }

This lists established connections whose remote address is outside the 192.168.0.0/16 range, highlighting possible external threats; add any other internal ranges your network uses (10.0.0.0/8, 172.16.0.0/12) to the filter, otherwise traffic to them will show up as external.


Checking Running Processes for Malware

Malicious processes often disguise themselves as legitimate system processes:


Get-Process | Where-Object { $_.Path -like "*AppData*" -or $_.ProcessName -match "powershell|cmd|wscript|cscript" }

This searches for suspicious processes running from uncommon directories or executing scripting engines.
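The connection check and the process check above are more useful together: the script below (an added example, not from the original post) lists established connections to addresses outside the private, loopback and link-local ranges and pairs each with its owning process, executable path and Authenticode status. The list of "suspicious" directories and scripting engines is an assumption to adjust locally.

```powershell
function Test-PrivateAddress {
    # True for RFC 1918, loopback, link-local, IPv6 ULA/link-local and unparsable addresses.
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $true }
    if ($ip.AddressFamily -eq 'InterNetworkV6') {
        return [System.Net.IPAddress]::IsLoopback($ip) -or $ip.IsIPv6LinkLocal -or $Address -match '^f[cd]'
    }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or ($b[0] -eq 127) -or ($b[0] -eq 0) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

# Index running processes by PID once instead of calling Get-Process per connection.
$procs = @{}
Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_ }

$external = Get-NetTCPConnection -State Established |
    Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
    ForEach-Object {
        $p    = $procs[[int]$_.OwningProcess]
        $path = if ($p) { $p.Path } else { $null }        # null for protected/system processes
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() } else { 'Unknown' }
        $name = if ($p) { $p.ProcessName } else { '?' }
        [pscustomobject]@{
            Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
            OwningPid  = $_.OwningProcess
            Process    = $name
            Path       = $path
            Signature  = $sig
            # Worth a closer look: no path, unsigned binary, user-writable location, or a scripting engine.
            Suspicious = (-not $path) -or ($sig -ne 'Valid') -or
                         ($path -match '\\(AppData|Temp|Downloads|Public)\\') -or
                         ($name -match '^(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)$')
        }
    }

$external | Sort-Object Suspicious -Descending |
    Format-Table Remote, OwningPid, Process, Signature, Suspicious, Path -AutoSize
```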




Incident Response with PowerShell

Isolating a Compromised System

If a system is compromised, disconnect it from the network:

Disable-NetAdapter -Name "Ethernet" -Confirm:$false

This command disables the adapter named "Ethernet" to cut off network access; run Get-NetAdapter first to confirm the adapter name on the host.


Killing Malicious Processes

Terminate suspicious processes identified in previous steps:

Stop-Process -Name "notepad" -Force

Replace "notepad" with the name of the suspected process.


Automatically kill all instances of PowerShell or cmd.exe (if an attacker is abusing them), sparing the session that runs this command:

Get-Process | Where-Object { $_.ProcessName -match "powershell|cmd" -and $_.Id -ne $PID } | Stop-Process -Force


Checking for Persistence Mechanisms

Attackers often use scheduled tasks for persistence:


Get-ScheduledTask | Where-Object { $_.Actions | Where-Object { $_.Execute -match "powershell" -or $_.Arguments -match "powershell" } }

This identifies scheduled tasks in any task folder whose action runs PowerShell, which may indicate persistence mechanisms. The Actions property holds objects, so the command text has to be read from each action's Execute and Arguments fields rather than matched as a string.


Remove a suspicious scheduled task:

Unregister-ScheduledTask -TaskName "MaliciousTask" -Confirm:$false

Forensic Analysis with PowerShell

Retrieving Browser History for Investigation

Get-ChildItem "C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\History" -Force

This locates the Microsoft Edge browsing history database file for every user profile (similar paths apply for other browsers).



Checking Registry for Suspicious Entries

Malware often modifies the registry to maintain persistence:

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

This lists programs set to start automatically on user login.


Remove a Run entry used to execute malware on startup (replace "Malware" with the value name found in the listing above):

Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Malware"
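The scheduled-task and Run-key checks above can be run as one triage pass; the script below (an added example, not from the original post) enumerates every task action and the Run/RunOnce keys for the machine, the current user and 32-bit software, and flags entries that launch a scripting engine, run from a user-writable folder or carry hidden/encoded switches. The keyword lists are assumptions to tune for your estate.

```powershell
function Test-SuspiciousCommand {
    param([string]$Command)
    if (-not $Command) { return $false }
    # Scripting engines, user-writable directories, and hidden/encoded switches.
    return ($Command -match '\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b') -or
           ($Command -match '\\(AppData|Temp|Downloads|Public|ProgramData)\\') -or
           ($Command -match '-(enc|encodedcommand|w hidden|windowstyle hidden)\b')
}

# Scheduled tasks: inspect what each action runs (Execute + Arguments); the CIM
# object itself never contains the command text.
$tasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        [pscustomobject]@{
            Type       = 'ScheduledTask'
            Name       = "$($task.TaskPath)$($task.TaskName) (author: $($task.Author); $($task.State))"
            Command    = $cmd
            Suspicious = Test-SuspiciousCommand $cmd
        }
    }
}

# Run/RunOnce for the machine, the current user and 32-bit software on 64-bit Windows.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runEntries = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }   # skip the provider's own metadata
        [pscustomobject]@{
            Type       = 'RunKey'
            Name       = "$key\$($p.Name)"
            Command    = [string]$p.Value
            Suspicious = Test-SuspiciousCommand ([string]$p.Value)
        }
    }
}

@($tasks) + @($runEntries) | Where-Object Suspicious | Format-Table Type, Name, Command -AutoSize -Wrap
```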

Dumping Recently Accessed Files

Get-ChildItem -Path "C:\Users\*\Recent" -Force


Lists recently accessed files that might contain evidence of compromise.


Automating Blue Team Tasks with PowerShell


Automating Log Collection

A script to collect logs and export them for analysis:

$logPath = "C:\SecurityLogs"
New-Item -ItemType Directory -Path $logPath -Force | Out-Null
Get-WinEvent -LogName Security -MaxEvents 1000 | Export-Csv (Join-Path $logPath "SecurityLogs.csv") -NoTypeInformation

This collects the last 1,000 security logs and saves them as a CSV file.


Automated Threat Detection Script

A simple script to check for suspicious activity and alert administrators:

$logins = @(Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4625 } -ErrorAction SilentlyContinue)
if ($logins.Count -gt 10) {
    # -SmtpServer is required unless $PSEmailServer is set
    Send-MailMessage -SmtpServer "smtp.example.com" -To "admin@example.com" -From "alert@example.com" -Subject "High Failed Login Attempts" -Body "Multiple failed logins detected."
}

This script checks for more than 10 failed login attempts and sends an email alert if detected.
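The script above counts every failed logon the Security log has ever kept and sends a bare message. The version below (an added example, not from the original post) limits the query to the last hour, groups failures by source address with the accounts targeted, and alerts only when one source exceeds the threshold, which distinguishes a burst from background noise. The SMTP relay, window and threshold are assumptions.

```powershell
$window    = (Get-Date).AddHours(-1)
$threshold = 10
$smtp      = 'smtp.example.com'   # assumed relay; Send-MailMessage needs -SmtpServer or $PSEmailServer

$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $window } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read EventData fields by name so the script does not depend on field order.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source    = if ($d.IpAddress -and $d.IpAddress -ne '-') { $d.IpAddress } else { $d.WorkstationName }
            LogonType = $d.LogonType   # 3 = network, 10 = RDP
            Status    = $d.Status      # 0xC000006A = bad password, 0xC0000064 = unknown user
        }
    }

# One source against many accounts (spray) or one account (brute force) both
# appear as a high count per Source.
$suspects = $failed | Group-Object Source | Where-Object { $_.Count -gt $threshold } | ForEach-Object {
    $ordered = @($_.Group | Sort-Object Time)
    [pscustomobject]@{
        Source   = $_.Name
        Attempts = $_.Count
        Accounts = ($_.Group.Account | Sort-Object -Unique) -join ', '
        First    = $ordered[0].Time
        Last     = $ordered[-1].Time
    }
}

if ($suspects) {
    $body = $suspects | Format-List | Out-String
    Send-MailMessage -SmtpServer $smtp -To 'admin@example.com' -From 'alert@example.com' `
        -Subject "Failed logon burst: $(@($suspects).Count) source(s) over $threshold attempts in 1h" -Body $body
}
$suspects | Format-Table -AutoSize
```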


Conclusion

PowerShell is an essential tool for blue teams in cybersecurity. By leveraging its capabilities, security teams can:


  • Detect and analyze threats in real time.

  • Automate security monitoring and forensic analysis.

  • Respond quickly to incidents and prevent further damage.


By integrating these PowerShell techniques into daily operations, blue teams can enhance security visibility and proactively defend against cyber threats.



Quick Command list


Post Exploit

  • Find any file: PS C:\> Get-ChildItem "C:\Users\" -Recurse -Include credentials.txt

  • List installed updates: PS C:\> Get-HotFix

  • Access the registry as a drive: PS C:\> cd HKLM:\ then PS HKLM:\> ls

  • List startup programs from the registry: PS C:\> Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • Get firewall rules: PS C:\> Get-NetFirewallRule -All


Frequently used

  • Copy: PS C:\> Copy-Item src.txt dst.txt

  • Move: PS C:\> Move-Item src.txt dst.txt

  • List process info: PS C:\> Get-Process

  • List services: PS C:\> Get-Service

  • Get SHA1 hash of a file: PS C:\> Get-FileHash -Algorithm SHA1 file.txt

  • Export output to a CSV: PS C:\> Get-Process | Export-Csv processes.csv

  • Get help: PS C:\> Get-Help




Combining Scripts (in progress)


# This script collects basic forensic information from a Windows system
# and writes each data set to its own file under C:\Forensics.

# Create the output folder (-Force: no error if it already exists)
$outDir = "C:\Forensics"
New-Item -Path $outDir -ItemType Directory -Force | Out-Null

# Collect system information
Write-Output "Collecting system information..."
Get-ComputerInfo | Out-File -FilePath "$outDir\SystemInfo.txt"

# Collect local user accounts
Write-Output "Collecting user information..."
Get-LocalUser | Out-File -FilePath "$outDir\UserInfo.txt"

# Collect running processes, including the executable path for triage
Write-Output "Collecting running processes..."
Get-Process | Select-Object Id, ProcessName, Path | Out-File -FilePath "$outDir\Processes.txt" -Width 300

# Collect network connections together with the owning process ID
Write-Output "Collecting network connections..."
Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Out-File -FilePath "$outDir\NetworkConnections.txt" -Width 300

# Collect the 150 newest System event log entries (Get-WinEvent also works in PowerShell 7, where Get-EventLog is absent)
Write-Output "Collecting event logs..."
Get-WinEvent -LogName System -MaxEvents 150 | Select-Object TimeCreated, Id, ProviderName, Message |
    Out-File -FilePath "$outDir\EventLogs.txt" -Width 300

Write-Output "Forensic data collection completed."
