Chapter 6

Investigating PowerShell Event Logs

Since 2017, security researchers have observed a sharp increase in the use of PowerShell across the different phases of the attack chain. Several ready-to-use PowerShell scripts and frameworks also help attackers achieve objectives such as stealing credentials, pivoting, internal discovery, and enumeration. As a SOC analyst, you should understand PowerShell and how it is used, how to investigate suspicious PowerShell activity, and which event logs provided by Microsoft help you track and investigate suspicious PowerShell executions.

The objective of this chapter is to teach you what PowerShell is, why attackers prefer PowerShell, PowerShell’s usage in different attack ...

Get Effective Threat Investigation for SOC Analysts now with the O’Reilly learning platform.
