2021-01-05 15:44:00
While making my way through lab L1120 of the Black Hills Information Security (BHIS) "Applied Purple Teaming" course, I noticed something interesting: none of my nefarious commands were showing up in HELK, despite my having enabled PowerShell logging through a GPO.
In this lab we grab SharpHound.ps1 from the BloodHound project and either download and run it, or load it straight into memory using Invoke-Expression. None of that was showing up in my Kibana dashboard, even though a "whoami" run from PowerShell appeared correctly.
That's when I learned that A) downgrading your session to PowerShell 2 kills all your logging, and B) most of what you run in PowerShell ISE (a script editor) is flat-out never logged. In my case: I make it a habit to work inside ISE, because I can easily edit script blocks there.
See also this excellent blog post from 2018.
Luckily you can disable PowerShell 2 with a GPO (which could end up breaking older scripts). With regard to ISE, though, you'd have to uninstall it completely or deny-list it... if that's even possible.
EDIT:
Based on this article by Microsoft themselves, it seems that turning on transcription also covers PowerShell ISE. I'll need to investigate a bit deeper and see whether I haven't misconfigured my setup.
EDIT 2:
Yeah. The PowerShell 2 logging bypass is valid, but the lack of logging through PowerShell ISE was a case of #PEBCAK.
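As an added example (my own write-up code, not something from the BHIS lab, the original post, or Microsoft), here is a small audit script for exactly the two things this post is about: whether the logging GPO actually landed on the box (script block logging, module logging and transcription live under one policy registry key), whether the PowerShell 2 engine is still installed, and whether anyone has already started a v2 engine on the machine. The feature name `MicrosoftWindowsPowerShellV2Root` is the Windows 10 client one; the assumption here is a Windows 10 box, since servers expose the engine as the `PowerShell-V2` Windows feature instead. The detection relies on the classic "Windows PowerShell" log, where every engine start writes event 400 with an `EngineVersion=` line in the message; that event is written by the engine itself, which is why it survives the downgrade that kills the rest of your logging.

```powershell
# Added example for this post; not code from the original post, BHIS, or Microsoft.
# Assumes an elevated Windows PowerShell 5.1 session on a Windows 10 client
# (the optional-feature name below is the client one; servers use the
# 'PowerShell-V2' Windows feature via Get-WindowsFeature instead).

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    # Read one value from the PowerShell policy hive; $null if the GPO never set it.
    param([string]$SubKey, [string]$Name)
    $path = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $path)) { return $null }
    (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-PSLoggingPolicy {
    # The three policies that decide what reaches the event logs and transcripts.
    # Transcription is the one that also catches what you run inside ISE.
    [pscustomobject]@{
        ScriptBlockLogging  = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging       = (Get-PolicyValue 'ModuleLogging'      'EnableModuleLogging')      -eq 1
        Transcription       = (Get-PolicyValue 'Transcription'      'EnableTranscripting')      -eq 1
        TranscriptDirectory =  Get-PolicyValue 'Transcription'      'OutputDirectory'
    }
}

function Get-PSv2EngineState {
    # Script block logging only exists in the v5 engine. As long as the v2 engine
    # is installed (and .NET 3.5 with it), "powershell.exe -Version 2" sidesteps it.
    Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' |
        Select-Object FeatureName, State
}

function Find-PSv2EngineStarts {
    # Every engine start writes event 400 to the classic "Windows PowerShell" log.
    # Its message carries "EngineVersion=<x>"; a 2.0 there is the downgrade.
    param([int]$Days = 30)
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        Select-Object TimeCreated, MachineName,
            @{ n = 'HostApplication'; e = { if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } } }
}

function Disable-PSv2Engine {
    # The fix the post mentions, done locally instead of through the GPO.
    # Supports -WhatIf so you can see the change before breaking any old scripts.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('MicrosoftWindowsPowerShellV2Root', 'Disable optional feature')) {
        Disable-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -NoRestart
    }
}

'--- Logging policy ---';                   Get-PSLoggingPolicy  | Format-List
'--- PowerShell v2 engine ---';             Get-PSv2EngineState  | Format-Table -AutoSize
'--- v2 engine starts (last 30 days) ---';  Find-PSv2EngineStarts | Format-Table -AutoSize
```

If the first block shows `Transcription` as `False`, the ISE gap is still open; if the second shows the v2 engine as `Enabled`, run `Disable-PSv2Engine -WhatIf` first and then for real once you have checked which legacy scripts depend on it. The third block is the same check you would push into HELK: alert on event 400 with `EngineVersion=2.0`, because that is the one line the downgrade cannot suppress.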
kilala.nl tags: work, studies
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.