{"id":18621,"date":"2022-03-29T11:20:56","date_gmt":"2022-03-29T19:20:56","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/03\/29\/news-12354\/"},"modified":"2022-03-29T11:20:56","modified_gmt":"2022-03-29T19:20:56","slug":"news-12354","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/03\/29\/news-12354\/","title":{"rendered":"Reconstructing PowerShell scripts from multiple Windows event logs"},"content":{"rendered":"

Credit to Author: Vikas Singh| Date: Tue, 29 Mar 2022 18:27:50 +0000<\/strong><\/p>\n

\n

Adversaries continue to abuse PowerShell to execute malicious commands and scripts. It is easy to understand its popularity among attackers: Not only is it present on all versions of Windows by default (and crucial to so many Windows applications that few choose to disable it), this powerful interactive CLI and scripting environment can execute code in-memory without malware ever touching the disk. This poses a problem for defenders and researchers alike.<\/span>\u00a0<\/span><\/p>\n

In a previous post, we <\/span>explained<\/span><\/a> various forensic artifacts left behind by PowerShell. With the release of PowerShell 5.0 back in 2015, Script Block Logging was enabled by default. This feature records commands and entire scripts in event logs as they execute. If a script is very large, PowerShell breaks it into multiple parts before logging those under <\/span>Event ID 4104, <\/span><\/b>which will be the focus of this article.<\/span>\u00a0<\/span><\/p>\n

The open-source community has a variety of effective tools to use when parsing or automatically hunting for suspicious events. In a recent post, we took a step-by-step look at <\/span>decoding<\/span><\/a> malicious PowerShell activity in a specific incident, using such tools. However, the ability to extract or reconstruct (partially or in full) a very large PowerShell script from multiple event records is still lacking in most of the tools available.\u00a0<\/span>\u00a0<\/span><\/p>\n

W<\/span>hen a large PowerShell script runs, it results<\/span> in <\/span>a number of<\/span> fragmented artifacts deposited across multiple logs. Filtering for event ID 4104 returns a list of those artifacts. <\/span>The content<\/span> o<\/span>f<\/span> one of these artifacts, contained in the\u00a0 C:WindowsSystem32winevtLogsMicrosoft-Windows-PowerShell%4Operational.evtx<\/code> event log, is shown in the lower portion of the Event Viewer screen in Figure 1.<\/span><\/p>\n

<\/span>\"\"<\/a><\/pre>\n
Figure 1: 4104 events in the Operational.evtx log<\/span><\/i>\u00a0<\/span><\/p>\n
The <\/span>ScriptBlock ID <\/span><\/b>for this fragment, 51baf005-40a5-4878-ab90-5ecc51cab9af<\/code>, appears on the right in Figure 2.<\/span>\u00a0<\/span><\/p>\n
\"\"<\/a><\/p>\n
Figure 2: Detail showing ScriptBlock ID for fragment 9<\/span><\/i>7<\/span>\u00a0<\/span><\/p>\n
To create a single PowerShell object containing all the artifacts found with this process, open PowerShell ISE, replace the location of the offline EVTX (in our example, Operational.evtx<\/code>) and ScriptBlock ID (in our example, 51baf005-40a5-4878-ab90-5ecc51cab9af<\/code>), and execute the following to create a single PowerShell object as shown in the example below.<\/span>\u00a0<\/span><\/p>\n
#Filtering out all the Event Records associated with the ScriptBlockID into a single PS Object<\/span>  $StoreArrayHere = Get-WinEvent -FilterHashtable @{ Path=\"C:SampleEVTXMicrosoft-Windows-PowerShell%4Operational.evtx<\/span>\"; ProviderName=\u201cMicrosoft-Windows-PowerShell\u201d; Id = 4104 } | Where-Object { $_.Message -like '*51baf005-40a5-4878-ab90-5ecc51cab9af<\/span>*' }  <\/span>#Sorting the objects in the sequence to maintain the order of script.<\/span>  $SortIt = $StoreArrayHere | sort { $_.Properties[0].Value }  <\/span>#Display a few columns of interest.<\/span>  $SortIt | select TimeCreated,ActivityId,Id,Message  <\/span><\/pre>\n
However, even partial data may be helpful during an incident-response investigation, making this extraction technique useful even when the condition of the log data cannot be <\/span>ascertained<\/span> prior to the operation.<\/span><\/span>\u00a0<\/span><\/p>\n
To <\/span>attempt<\/span> the <\/span><\/span>Listing<\/span><\/span> and <\/span><\/span>Extraction <\/span><\/span>process <\/span><\/span>via a simple script<\/span><\/span><\/a> available on GitHub, <\/span><\/span>use the PowerShell script ExtractAllScripts.ps1<\/code> by giving it the -List<\/code> parameter, as shown in Figure 4. (As a convenience, we link to and show the full script at the end of this post.)<\/span><\/span><\/p>\n
\"\"<\/a>Figure 4: Concatenating the results<\/em><\/p>\n
To extract selected scripts, give the ExtractAllScripts.ps1<\/code> script the -ScriptBlockID [ID]<\/strong><\/code>\u00a0 parameter. An excerpt from the script shows what happens behind the scenes:<\/p>\n
$StoreArrayHere = Get-WinEvent -FilterHashtable @{ Path=\"C:SampleEVTXMicrosoft-Windows-PowerShell%4Operational.evtx<\/span>\"; ProviderName=\u201cMicrosoft-Windows-PowerShell\u201d; Id = 4104 } | Where-Object { $_.Message -like '*97b04021-6c0b-4fd2-8f57-39ada2599db8<\/span>*' }   $SortIt = $StoreArrayHere | sort { $_.Properties[0].Value }   #Joining the specific property of all event records and exporting to a single file.<\/span>   $MergedScript = -join ($SortIt | % { $_.Properties[2].Value }) | Out-File 34CE.  <\/span><\/pre>\n
PowerShell\u2019s popularity among attackers stems in part from its ubiquity and its ability to run malicious code in memory. Defenders must therefore examine whatever script traces may be found in logs, even if such traces may be scattered across multiple locations. Since log-rotation intervals and script sizes both vary, the ultimate output of the process detailed in this post may retrieve some, most, or all of the script in question. The technique itself, however, enables defenders to make the most of what is available.<\/p>\n
Appendix<\/span>: ExtractAllScripts.ps1<\/span><\/h3>\n
https:\/\/gist.github.com\/vikas891\/841ac223e69913b49dc2aa9cc8663e34.js<\/a><\/span><\/span>\u00a0<\/span><\/p>\n
#Usage:  #Usage:\u00a0  #\u00a0  #NOTE: Remember to include the path to Microsoft-Windows-PowerShell%4Operational.evtx below.\u00a0\u00a0  #\u00a0  #C:>ExtractAllScripts.ps1\u00a0\u00a0\u00a0  #The default behavior of the script is to assimilate and extract every script\/command to disk.\u00a0  #\u00a0  #C:ExtractAllScripts -List\u00a0  #This will only list Script Block IDs with associated Script Names(if logged.)\u00a0  #\u00a0  #C:>ExtractAllScripts.ps1 -ScriptBlockID aeb8cd23-3052-44f8-b6ba-ff3c083e912d\u00a0  #This will only extract the script corresponding to the user specified ScriptBlock ID\u00a0  #\u00a0  #Twitter: @vikas891\u00a0  \u00a0  param ($ScriptBlockID, [switch]$List)\u00a0  $StoreArrayHere = Get-WinEvent -FilterHashtable @{ Path=\"Microsoft-Windows-PowerShell%4Operational.evtx\"; ProviderName=\u201cMicrosoft-Windows-PowerShell\u201d; Id = 4104 }\u00a0\u00a0  $Desc = $StoreArrayHere | sort -Descending { $_.Properties[1].Value }\u00a0\u00a0  $ArrayofUniqueIDs = @()\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0  if(!$ScriptBlockID)\u00a0  {\u00a0  \u00a0\u00a0\u00a0 $Desc | %{ $ArrayofUniqueIDs += $_.Properties[3].Value }\u00a0  }\u00a0  else\u00a0  {\u00a0  \u00a0\u00a0\u00a0 $Desc | %{ $ArrayofUniqueIDs += $_.Properties[3].Value }\u00a0  \u00a0\u00a0\u00a0 if($ScriptBlockID -in $ArrayofUniqueIDs)\u00a0  \u00a0\u00a0\u00a0 {\u00a0  \u00a0\u00a0\u00a0 $ArrayofUniqueIDs = $ScriptBlockID\u00a0  \u00a0\u00a0\u00a0 }\u00a0  \u00a0\u00a0\u00a0 else\u00a0  \u00a0\u00a0\u00a0 {\u00a0  \u00a0\u00a0\u00a0 \"\"\u00a0  \u00a0\u00a0\u00a0 Write-Host \"[!] Specified Script Block ID does not exist. Exiting..\" -ForegroundColor Red\u00a0  \u00a0\u00a0\u00a0 break\u00a0  \u00a0\u00a0\u00a0 }\u00a0  }\u00a0  $ArrayofUniqueIDs = $ArrayofUniqueIDs | select -Unique\u00a0  \u00a0  if($List)\u00a0  {\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 foreach ($a in $ArrayofUniqueIDs)\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $Temp = $StoreArrayHere | Where-Object { $_.Message -like \"*$a*\" }\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $SortIt = $Temp | sort { $_.Properties[0].Value }\u00a0\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \"\"\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 if($SortIt[0].Properties[4].Value)\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $OriginalName = Split-Path -Path $SortIt[0].Properties[4].Value -Leaf\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $FileName = \"$($a)_$($OriginalName)\"\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $DisplayName = $SortIt[0].Properties[4].Value\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 else\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $OriginalName = ''\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $FileName = $a\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $DisplayName = 'NULL'\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host -NoNewline \"Script ID: \"\u00a0\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host -NoNewline $a -ForegroundColor Yellow\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host -NoNewline \" | \" -ForegroundColor White\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host -NoNewline \"Script Name:\"\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host -NoNewline $DisplayName -ForegroundColor Magenta\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $NumberOfRecords = $Temp.Count\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $MessageTotal = $Temp[0] | % {$_.Properties[1].Value}\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 if($NumberOfRecords -eq $MessageTotal)\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host -NoNewline \" | Complete Script \" -ForegroundColor Green\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host -NoNewline \" | Event Records Logged\"$NumberOfRecords\/$MessageTotal\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \"\"\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 else\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host -NoNewline \" | InComplete Script Logged\" -ForegroundColor Red\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host -NoNewline \" | Event Records Logged\"$NumberOfRecords\/$MessageTotal\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \"\"\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\u00a0\u00a0\u00a0\u00a0\u00a0  \u00a0\u00a0\u00a0 }\u00a0  break\u00a0  }\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0  foreach ($a in $ArrayofUniqueIDs)\u00a0  {\u00a0  \u00a0\u00a0\u00a0 $Temp = $StoreArrayHere | Where-Object { $_.Message -like \"*$a*\" }\u00a0  \u00a0\u00a0\u00a0 $SortIt = $Temp | sort { $_.Properties[0].Value }\u00a0\u00a0  \u00a0\u00a0\u00a0 \"\"\u00a0  \u00a0\u00a0\u00a0 if($SortIt[0].Properties[4].Value)\u00a0  \u00a0\u00a0\u00a0 {\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $OriginalName = Split-Path -Path $SortIt[0].Properties[4].Value -Leaf\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $FileName = \"$($a)_$($OriginalName)\"\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $DisplayName = $SortIt[0].Properties[4].Value\u00a0  \u00a0\u00a0\u00a0 }\u00a0  \u00a0\u00a0\u00a0 else\u00a0  \u00a0\u00a0\u00a0 {\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $OriginalName = ''\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $FileName = $a\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $DisplayName = 'NULL'\u00a0  \u00a0\u00a0\u00a0 }\u00a0  \u00a0\u00a0\u00a0 Write-Host -NoNewline \"Extracting \"\u00a0\u00a0  \u00a0\u00a0\u00a0 Write-Host -NoNewline $a -ForegroundColor Yellow\u00a0  \u00a0\u00a0\u00a0 if ($OriginalName)\u00a0  \u00a0\u00a0\u00a0 {\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host -NoNewline _$OriginalName -ForegroundColor Magenta\u00a0  \u00a0\u00a0\u00a0 }\u00a0  \u00a0\u00a0\u00a0 Write-Host -NoNewline \" | \" -ForegroundColor White\u00a0  \u00a0\u00a0\u00a0 Write-Host -NoNewline \"ScriptName:\"\u00a0  \u00a0\u00a0\u00a0 Write-Host -NoNewline $DisplayName -ForegroundColor Magenta\u00a0  \u00a0\u00a0\u00a0 $MergedScript = -join ($SortIt | % { $_.Properties[2].Value }) | Out-File $FileName\u00a0  \u00a0\u00a0\u00a0 $NumberOfRecords = $Temp.Count\u00a0  \u00a0\u00a0\u00a0 $MessageTotal = $Temp[0] | % {$_.Properties[1].Value}\u00a0  \u00a0\u00a0\u00a0 if($NumberOfRecords -eq $MessageTotal)\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host -NoNewline \" | Complete Script Logged\u00a0 \" -ForegroundColor Green\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host -NoNewline \" | Event Records Exported\"$NumberOfRecords\/$MessageTotal\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host -NoNewline \" | Number of lines\" (Get-Content $FileName).Length\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \"\"\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\u00a0  \u00a0\u00a0\u00a0 else\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host -NoNewline \" | InComplete Script Logged\" -ForegroundColor Red\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ren $FileName \"$FileName.partial\"\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host -NoNewline \" | Event Records Exported\"$NumberOfRecords\/$MessageTotal\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write-Host -NoNewline \" | Number of lines\" (Get-Content \"$FileName.partial\").Length\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \"\"\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\u00a0  \u00a0\u00a0\u00a0 $FileName = ''\u00a0\u00a0\u00a0\u00a0\u00a0  }<\/pre>\n<\/p><\/div>\n
http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
<\/p>\n
Credit to Author: Vikas Singh| Date: Tue, 29 Mar 2022 18:27:50 +0000<\/strong><\/p>\n
On the trail of malicious PowerShell artifacts too large to be contained in a single log? Help is on the way.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[25539,12749,11191,24552,16771],"class_list":["post-18621","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-25539","tag-forensics","tag-powershell","tag-security-operations","tag-threat-research"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18621","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18621"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18621\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18621"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18621"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
In Figure 3,<\/span> only a <\/span>portion<\/span> of the script <\/span>is <\/span>recorded in the event logs, specifically segments 97 to 121<\/span>. D<\/span>ue to<\/span> scheduled<\/span> log rotation, <\/span>dozens of<\/span> segments are no longer available.<\/span><\/span>\u00a0<\/span>
 
 \"\"<\/a>Figure 3: Fragments appearing in the event log<\/span><\/span><\/em><\/p>\n