Process Start Events not showing PowerShell cmdlets

Afternoon all,

I was doing some testing today via PowerShell and I have noticed that, for example, when running commands, say “Set-ItemProperty” to modify a regkey, when it eventually shows up in the log search the cmd_line property only shows that PowerShell was executed and not the associated command. Is this typical behaviour? I see this as a potential flaw; hopefully I have missed something.

You should look into turning on Script Block Logging.
https://www.techtarget.com/searchwindowsserver/tutorial/Set-up-PowerShell-script-block-logging-for-added-security#:~:text=You%20can%20set%20PowerShell%20logging,on%20PowerShell%20Script%20Block%20Logging.

Hi Brandon,

I have done this and can see it is working, as I can see the command in Event Viewer. However, when I search for, for example, “Set-ItemProperty”, nothing returns in the Log Search.

Sorry, I do not use IDR. I just know that was needed for other logging sources.

Hey, it isn’t an issue, I really appreciate the offer of help. What I have noticed is this though.

If PowerShell is already open and you enter a command such as Set-ItemProperty -Path HKLM.…, this doesn’t get picked up in IDR. However, if you prepend this with PowerShell, even in the command window, which technically makes no sense, i.e. powershell Set-ItemProperty -Path HKLM.…, this will be detected in IDR.

I am not sure if this is intentional, but I can see this perhaps being a bit of a loophole for triggering certain alerts that rely on the command being prepended with “powershell” as part of the whole command/script block.

This is expected behavior, @marten_cureton: we catch process start events but don’t capture the contents of interactive PowerShell sessions.

David
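An added example, not from the thread or from Rapid7, of the visibility the process start event lacks: a PowerShell snippet that turns on the Script Block Logging policy mentioned above and then pulls the 4104 events whose script block text contains a given cmdlet name. It assumes an elevated session, the standard policy registry path, and that the collector is reading the PowerShell Operational channel.

```powershell
# Added example (not from the thread). Enable Script Block Logging via the
# documented policy key, then query the 4104 events that carry the script text
# a process-start cmd_line (which shows only powershell.exe) does not include.
# Assumption: run from an elevated PowerShell session.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
Set-ItemProperty -Path $policyKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

function Find-ScriptBlockCmdlet {
    <#
      Return 4104 events from the last $Minutes minutes whose script block text
      mentions $Cmdlet, e.g. Set-ItemProperty typed into an interactive session.
    #>
    param(
        [Parameter(Mandatory)][string]$Cmdlet,
        [int]$Minutes = 60
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }

    # Event 4104 properties: [0] MessageNumber, [1] MessageTotal,
    # [2] ScriptBlockText, [3] ScriptBlockId, [4] Path (empty for interactive input).
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match [regex]::Escape($Cmdlet) } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $_.UserId
                ScriptBlock = $_.Properties[2].Value
                Path        = $_.Properties[4].Value
            }
        }
}

# Usage: list script blocks from the last hour that reference the cmdlet
# discussed in this thread. Blocks typed interactively have an empty Path.
Find-ScriptBlockCmdlet -Cmdlet 'Set-ItemProperty' -Minutes 60 | Format-List
```

Note that the 4104 record is written by the PowerShell engine itself, so it captures the interactive input regardless of whether the process start event carried it; the search above is what a log search over this channel would need to match on.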

Right, okay, isn’t this considered a gap in visibility though? Thank you for letting me know, though, so I can stop chasing my tail.