I’ve covered PowerShell auditing before, but hopefully this shows why you need to start controlling and auditing PowerShell within your environment. If you don’t, malicious parties may be able to mask their tracks.
The reason is that malicious parties may choose to encode their commands or scripts before executing or deploying them, and if your auditing isn’t up to scratch, the activity may go unseen. In some cases encoding can also help bypass AV.
Imagine you don’t have auditing enabled and you go looking at the history. You use the search filter to try to identify Invoke-Mimikatz. It returns nothing. That may be because it is running encoded, and the initial command would be:
Powershell -encodedCommand SQBuAHYAbwBrAGUALQBtAGkAbQBpAGsAYQB0AHo
This is because they encoded the command first, and PowerShell can run an encoded command directly. To do this, run: Powershell -encodedCommand *encoded value*