PowerShell is a powerful scripting language built into Windows that can be leveraged for blue team security operations. Security teams can use PowerShell for threat detection, incident response, and system monitoring.
This guide outlines how to use PowerShell effectively for blue team security testing.
Understanding PowerShell for Security
Before diving into security-specific use cases, it’s important to understand PowerShell’s capabilities:
Automation:Â Automate security tasks such as log analysis and event correlation.
System Administration:Â Manage processes, services, and user activities.
Forensics:Â Extract information from Windows logs, registry, and network connections.
Threat Hunting:Â Detect and respond to suspicious activities in real time.
Setting Up a Secure PowerShell Environment
Attackers often use PowerShell scripts to execute malicious commands. Restricting execution policies reduces the risk of running untrusted scripts.
Restricted – Blocks all scripts from running.
RemoteSigned – Allows locally created scripts but requires signatures for downloaded scripts.
AllSigned – Only signed scripts from trusted publishers can run.
To enforce execution policy restrictions:
Set-ExecutionPolicy RemoteSigned -Scope LocalMachineEnable Logging
Enable script block logging to detect potentially malicious PowerShell commands:
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1This ensures that all executed PowerShell commands are recorded in event logs.
Monitor PowerShell Events
PowerShell activity can be tracked using Windows Event Viewer. Look for:
Event ID 4104 – Script block execution (detects suspicious commands).
Event ID 4688 – New process creation (identifies PowerShell-based attacks).
Event ID 4720 – New user account creation (detects unauthorized user additions).
To retrieve logs for security analysis:
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object { $_.Id -eq 4104 }Log Analysis & Threat Detection
Detecting Failed Login Attempts
Monitoring failed logins helps identify brute-force attacks:
Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4625 } | Format-ListThis filters security logs for failed authentication attempts (Event ID 4625).
Finding Newly Created User Accounts
Attackers often create new accounts to maintain persistence:
Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4720 } | Select-Object TimeCreated, MessageThis retrieves logs for all new user accounts created on the system.
Identifying Suspicious Network Connections
Monitor network activity for potential threats:
Get-NetTCPConnection | Where-Object { $_.State -eq "Established" -and $_.RemoteAddress -notlike "192.168.*" }This command lists all active network connections excluding local IPs, highlighting possible external threats.
Checking Running Processes for Malware
Malicious processes often disguise themselves as legitimate system processes:
Get -ProcessGet-Process | Where-Object { $_.Path -like "*AppData*" -or $_.ProcessName -match "powershell|cmd|wscript|cscript" }This searches for suspicious processes running from uncommon directories or executing scripting engines.
Incident Response with PowerShell
Isolating a Compromised System
If a system is compromised, disconnect it from the network:
Disable-NetAdapter -Name "Ethernet" -Confirm:$falseThis command disables the Ethernet adapter to cut off network access.
Killing Malicious Processes
Terminate suspicious processes identified in previous steps:
Stop-Process -Name "notepad" -ForceReplace "notepad"Â with the name of the suspected process.
Automatically kill all instances of PowerShell or cmd.exe (if an attacker is abusing them):
Get-Process | Where-Object { $_.ProcessName -match "powershell|cmd" } | Stop-Process -ForceChecking for Persistence Mechanisms
Attackers often use scheduled tasks for persistence:
Get-ScheduledTaskGet-ScheduledTask | Where-Object { $_.TaskPath -like "*\Microsoft\Windows\*" -and $_.Actions -match "powershell" }This identifies scheduled tasks executing PowerShell commands, which may indicate persistence mechanisms.
Remove a suspicious scheduled task:
Unregister-ScheduledTask -TaskName "MaliciousTask" -Confirm:$falseForensic Analysis with PowerShell
Retrieving Browser History for Investigation
Get-ChildItem "C:\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\History" -Force
This retrieves browsing history from Microsoft Edge (similar paths apply for other browsers).
Checking Registry for Suspicious Entries
Malware often modifies the registry to maintain persistence:
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"This lists programs set to start automatically on user login.
Remove a registry key used to execute malware on startup:
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Malware"Dumping Recently Accessed Files
Get-ChildItem -Path "C:\Users\*\Recent" -Force
Lists recently accessed files that might contain evidence of compromise.
Automating Blue Team Tasks with PowerShell
Automating Log Collection
A script to collect logs and export them for analysis:
$logPath = "C:\SecurityLogs\"New-Item -ItemType Directory -Path $logPath -ForceGet-WinEvent -LogName Security -MaxEvents 1000 | Export-Csv "$logPath\SecurityLogs.csv"This collects the last 1,000 security logs and saves them as a CSV file.
Automated Threat Detection Script
A simple script to check for suspicious activity and alert administrators:
$logins = Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4625 }if ($logins.Count -gt 10) { Send-MailMessage -To "admin@example.com" -From "alert@example.com" -Subject "High Failed Login Attempts" -Body "Multiple failed logins detected."}This script checks for more than 10 failed login attempts and sends an email alert if detected.
Conclusion
PowerShell is an essential tool for blue teams in cybersecurity. By leveraging its capabilities, security teams can:
Detect and analyze threats in real time.
Automate security monitoring and forensic analysis.
Respond quickly to incidents and prevent further damage.
By integrating these PowerShell techniques into daily operations, blue teams can enhance security visibility and proactively defend against cyber threats.
Quick Command list
Post Exploit
Find any file: PS C:\\> Get-ChildItem "C:\Users\" -recurse -include credentials.txt
List installed updated: PS C:\\> Get-HotFix
Access Registry: PS C:\\> cd HKLM:\ PS HKLM:\> ls
List Startup programs from the regsitry: PS C:\\> Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\run
Get Firewall rules: PS C:\\> Get-NetFirewallRule –all
Frequently used
Copy: PS C:\\> Copy-Item src.txt dst.txt
Move: PS C:\\> Move-Item src.txt dst.txt
List Process info: PS C:\\> Get-Process
List Services: PS C:\\> Get-Service
Get SHA1 hash of a file: PS C:\\> Get-FileHash -Algorithm SHA1 file.txt
Export output to a CSV: PS C:\\> Get-Process | Export-Csv processes.csv
Get Help: PS C:\\> Get-Help
Combining Scripts (in progress)
# This script collects basic forensic information from a Windows system
# Create folder
New-Item -Path "C:\" -Name "Forensics" -ItemType "Directory"
# Collect system information
Write-Output "Collecting system information..."
$systemInfo = Get-ComputerInfo
$systemInfo | Out-File -FilePath "C:\Forensics\SystemInfo.txt"
# Collect user information
Write-Output "Collecting user information..."
$userInfo = Get-LocalUser
$userInfo | Out-File -FilePath "C:\Forensics\UserInfo.txt"
# Collect running processes
Write-Output "Collecting running processes..."
$processes = Get-Process
$processes | Out-File -FilePath "C:\Forensics\Processes.txt"
# Collect network connections
Write-Output "Collecting network connections..."
$networkConnections = Get-NetTCPConnection
$networkConnections | Out-File -FilePath "C:\Forensics\NetworkConnections.txt"
# Collect event logs
Write-Output "Collecting event logs..."
$eventLogs = Get-EventLog -LogName System -Newest 150
$eventLogs | Out-File -FilePath "C:\Forensics\EventLogs.txt"
Write-Output "Forensic data collection completed."