Securing your PowerShell Operational Logs

So you have actually upgraded to WMF5 and/or Win10 on your systems, have enabled script block logging (without invocation events, as those are extremely noisy), are getting this data into a SIEM, and maybe you are even doing things like looking at Lee Holmes's methods to detect obfuscated PowerShell on your network https://www.leeholmes.com/blog/2015/11/13/detecting-obfuscated-powershell/…
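As an added example (not code from the original post), the following PowerShell enables script block logging the way the paragraph describes, with the noisy invocation events left off, and then scores what lands in the Operational log. It assumes Windows PowerShell 5.x and an elevated session for the registry write; the `Get-ObfuscationScore` heuristics and thresholds are illustrative and are not the method from Lee Holmes's post, and the sample script blocks are constructed, not real log data.

```powershell
# Added example, not from the original post. Assumptions: Windows PowerShell 5.x,
# Administrator for Enable-ScriptBlockLogging; scoring heuristics are illustrative.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Enable-ScriptBlockLogging {
    # Same values the Group Policy setting writes: block logging on (EID 4104),
    # invocation start/stop logging off (EID 4105/4106, the noisy part).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name EnableScriptBlockInvocationLogging -Value 0 -Type DWord
}

function Get-ObfuscationScore {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ScriptText)
    # Ratio of non-alphanumeric, non-whitespace characters: obfuscated blocks are
    # heavy on quotes, braces, backticks, operators and format strings.
    $length  = [math]::Max($ScriptText.Length, 1)
    $special = [regex]::Matches($ScriptText, '[^A-Za-z0-9\s]').Count
    # Token patterns commonly used to hide cmdlet names and payloads (constructed list).
    $patterns = [ordered]@{
        'backtick-split token' = '`[A-Za-z]'
        '[char] reassembly'    = '\[char\]\s*\d+'
        'format-string concat' = '"\{\d+\}.*"\s*-f\s'
        'base64 decode'        = 'FromBase64String'
        '-EncodedCommand'      = '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}'
        'string -join'         = '-join\s'
    }
    # @( ) keeps Indicators an empty array (Count 0) when nothing matches.
    $hits = @(foreach ($p in $patterns.GetEnumerator()) { if ($ScriptText -match $p.Value) { $p.Key } })
    [pscustomobject]@{
        SpecialRatio = [math]::Round($special / $length, 3)
        Indicators   = $hits
    }
}

function Get-SuspiciousScriptBlocks {
    param([double]$Threshold = 0.30, [int]$MaxEvents = 1000)
    # 4104 = "Creating Scriptblock text"; Properties[2] is the ScriptBlockText field.
    # Caveat: long blocks are split across several 4104 events (MessageNumber of
    # MessageTotal), so a single fragment can score differently from the whole block.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text  = [string]$_.Properties[2].Value
        $score = Get-ObfuscationScore -ScriptText $text
        if ($score.SpecialRatio -ge $Threshold -or $score.Indicators.Count -gt 0) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Ratio      = $score.SpecialRatio
                Indicators = $score.Indicators -join ', '
                Sample     = $text.Substring(0, [math]::Min(80, $text.Length))
            }
        }
    }
}

# Constructed samples, not real log data:
$benign     = 'Get-ChildItem -Path C:\Logs -Filter *.evtx | Where-Object { $_.Length -gt 10MB }'
$obfuscated = '&("{1}{0}" -f ''EX'',''I'') ([char]73+[char]69+[char]88); ' +
              'iex([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(''SQBFAFgA'')))'
Get-ObfuscationScore $benign       # low ratio, no indicators
Get-ObfuscationScore $obfuscated   # higher ratio; [char], format-string and base64 indicators
```

Run `Enable-ScriptBlockLogging` once (or push the same two values by GPO), then `Get-SuspiciousScriptBlocks` against the host; for SIEM use, the same `Get-ObfuscationScore` logic maps directly onto the ScriptBlockText field of forwarded 4104 events. Tune the ratio threshold against a baseline of your own admin scripts before alerting on it, since dense one-liners with lots of pipeline operators will score above the default.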


PSLockDownPolicy and PowerShell Constrained Language Mode

There have been a number of great articles about PowerShell, both from an attack perspective and from a defensive perspective; see https://adsecurity.org/?p=2921 (Sean Metcalf) as well as http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html?rq=pslockdown (Carlos Perez). The first thing to mention is that there are different PowerShell language modes, which you can read about at https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/about/about_language_modes. Much of the ‘attack’…
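As an added example (not code from the original post or the linked articles), the following PowerShell reads the current language mode, spawns a fresh `powershell.exe` to show what Constrained Language Mode actually blocks, and uses the `__PSLockdownPolicy` environment variable that the PSLockDownPolicy posts describe to force that mode. It assumes Windows PowerShell 5.1 on Windows 10 / WMF5 and an elevated session for the persistent step; the `Invoke-LanguageModeProbe` and `Set-MachineLockdownPolicy` names are my own.

```powershell
# Added example, not from the original post. Assumptions: Windows PowerShell 5.1;
# Set-MachineLockdownPolicy needs an elevated session. __PSLockdownPolicy is the
# legacy, undocumented switch from the linked posts, not a supported security
# boundary: anyone who can edit the variable, or run an older engine, can step
# around it, so treat it as a test lever rather than a control.

function Get-LanguageMode { $ExecutionContext.SessionState.LanguageMode }

# Probe run inside a fresh powershell.exe: report the mode, try one operation from
# each class that Constrained Language forbids, and one on a core type it still allows.
$ProbeScript = @'
$r = [ordered]@{ Mode = [string]$ExecutionContext.SessionState.LanguageMode }
try { $null = New-Object System.Net.WebClient; $r.NonCoreType = 'allowed' } catch { $r.NonCoreType = 'blocked' }
try { Add-Type -TypeDefinition 'public class ProbeType {}' -ErrorAction Stop; $r.AddType = 'allowed' } catch { $r.AddType = 'blocked' }
try { $null = 'abc'.ToUpper(); $r.CoreTypeMethod = 'allowed' } catch { $r.CoreTypeMethod = 'blocked' }
[pscustomobject]$r | ConvertTo-Json -Compress
'@

function Invoke-LanguageModeProbe {
    param([string]$LockdownPolicy)
    # Process-scope variable only: the child inherits it, nothing persists on the host.
    if ($LockdownPolicy) { $env:__PSLockdownPolicy = $LockdownPolicy }
    else { Remove-Item Env:\__PSLockdownPolicy -ErrorAction SilentlyContinue }
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($ProbeScript))
    (& powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded) | ConvertFrom-Json
}

function Set-MachineLockdownPolicy {
    # Persist for every new session on this host (elevated). Value 4 = Enforce.
    [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
}

Get-LanguageMode                              # FullLanguage in a normal admin session
Invoke-LanguageModeProbe                      # Mode FullLanguage; everything allowed
Invoke-LanguageModeProbe -LockdownPolicy 4    # Mode ConstrainedLanguage; NonCoreType and AddType blocked, CoreTypeMethod allowed
Remove-Item Env:\__PSLockdownPolicy -ErrorAction SilentlyContinue
```

Two caveats worth checking for yourself: a session can lower its own mode (`$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'`) but cannot raise it back, which is handy for testing a script; and because the variable is read at engine start-up, a machine-scope value only affects sessions launched after it is set, so verify with a probe like the one above rather than with the session you set it from.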
