[BLUE TEAMING] - Windows PowerShell logs to investigate an attack and perform corrective action

<aside> 💡 PowerShell logging: commands and script blocks can be audited in the Windows Event Log, but only once the relevant logging policies (Script Block Logging, Module Logging, Transcription) are enabled; they are off by default.

</aside>

<aside> 💡 There is a concept known as Living off the Land: attackers use the legitimate programs and processes already on the host (PowerShell being the prime example) to perform malicious actions, and install nothing beyond what is already present. So it's never a bad idea to look through the most commonly abused locations and the logs of the legitimate tools themselves.

</aside>

<aside> 💡 PowerShell is a cross-platform task automation tool: Windows PowerShell 5.1 ships with Windows, and PowerShell 7 (Core) also runs on Linux and macOS.

</aside>

<aside> 💡 PowerShell logging covers every host that runs the engine: commands typed in the console, run from a script, launched by another process, or executed over remoting all land in the same event logs, so auditing does not depend on where the command was issued.

</aside>

<aside> 💡 With Script Block Logging enabled, each command / script block run in PowerShell is written to the Microsoft-Windows-PowerShell/Operational log as Event ID 4104 (Module Logging adds 4103); engine start/stop events go to the "Windows PowerShell" log as Event ID 400/403. They are not written to the System log.

</aside>
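A worked example of the workflow the notes describe, added here and not part of the original notes or of any lab material: turn on Script Block Logging, pull the 4104 events, flag script blocks that contain Living-off-the-Land / obfuscation indicators, and decode any `-EncodedCommand` payload found in the engine-start (400) events. The registry path, log names and event IDs are the documented ones; the indicator list and the sample event at the end are assumptions constructed for illustration.

```powershell
# Added example, not part of the original notes. Assumes an elevated PowerShell
# session on a Windows host. Registry path, log names and event IDs are the
# documented ones; the indicator list is an illustrative starting point.

# 1. Enable Script Block Logging (equivalent to the GPO
#    "Turn on PowerShell Script Block Logging"). Needs admin rights.
$sblPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sblPath)) { New-Item -Path $sblPath -Force | Out-Null }
Set-ItemProperty -Path $sblPath -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Living-off-the-land / obfuscation indicators worth triaging (assumed list).
$Indicators = @(
    'Invoke-Expression', 'IEX', 'FromBase64String', 'DownloadString',
    'Net.WebClient', 'Invoke-WebRequest', '-EncodedCommand', 'Invoke-Mimikatz',
    'Add-MpPreference', 'Set-MpPreference', 'bypass'
)

# Flag 4104 events whose ScriptBlockText (Properties[2]) matches an indicator.
function Get-SuspiciousScriptBlock {
    param(
        [Parameter(ValueFromPipeline = $true)] $Event,
        [string[]] $Pattern = $Indicators
    )
    process {
        $text = [string]$Event.Properties[2].Value
        $hits = $Pattern | Where-Object { $text -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{
                TimeCreated = $Event.TimeCreated
                Indicators  = ($hits -join ', ')
                ScriptBlock = $text
            }
        }
    }
}

# Decode a -EncodedCommand payload (UTF-16LE, base64) as used by many droppers.
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory = $true)] [string] $Base64)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# 2. Query the last 24h of script-block events from the Operational log and
#    triage them.
$suspicious = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue | Get-SuspiciousScriptBlock

$suspicious | Format-List

# 3. Engine-start events (ID 400, "Windows PowerShell" log) carry the full
#    command line in HostApplication; pull out any -EncodedCommand and decode it.
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'HostApplication=(?<cmd>.+)' -and
            $Matches.cmd -match '-e(?:nc|ncodedcommand)?\s+(?<b64>[A-Za-z0-9+/=]+)') {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Decoded     = ConvertFrom-EncodedCommand $Matches.b64
            }
        }
    }

# Constructed sample event (not a real capture) so the triage function can be
# exercised without a live log; it should be reported with the indicators
# IEX, DownloadString and Net.WebClient.
$sample = [pscustomobject]@{
    TimeCreated = Get-Date
    Properties  = @(@{ Value = 1 }, @{ Value = 1 },
                    @{ Value = 'IEX (New-Object Net.WebClient).DownloadString("http://127.0.0.1/a.ps1")' })
}
$sample | Get-SuspiciousScriptBlock
```

Two caveats when using this in practice: 4104 only exists for script blocks executed after the policy was enabled, so anything that ran before the change is only visible through the 400 engine-start events (or process-creation auditing); and short indicators such as `IEX` or `bypass` will produce false positives in benign admin scripts, so the list is a triage aid, not a verdict.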

Questions ➖

1 - view the GitHub file too

2, 3, 4, 5 - Use Full Event Log Viewer capabilities

6 - Change the filter

7 - Modify the decryptor file, place the key and ciphertext and run the file