Command-line process logging entails recording the details of commands executed on a command-line user interface in the form of logs. This technique is mainly used for system administration and monitoring because it helps security analysts and administrators track which commands were executed on a system and when. Command-line process logging is a vital security measure that helps an organization detect and respond to security incidents, monitor user activity, meet compliance requirements, and improve incident response.
While several methods exist for logging command lines, such as developing a custom script or utilizing the script command in a Unix-like system, this article focuses on PowerShell, a task automation and configuration management tool from Microsoft. The primary data captured in these logs includes the actual command, the date and time it was run, and its output. This makes it easier for organizations to employ command-line logging as a crucial security tool to keep track of user activity, comply with regulations, and identify and resolve security events.
Command-line process logging is performed by capturing the output of the command-line interface (CLI) and saving it to a file or other storage location. To capture command-line activity in PowerShell, you can use the Start-Transcript command, the Get-WinEvent command, Module Logging, or Script Block Logging.
Start-Transcript is one of the easiest ways to start logging PowerShell activities. Start-Transcript records all the commands that are executed during a PowerShell session and their outputs. With the help of this technique, you can retrieve the commands entered and their output, host session information, start time, username, PowerShell and OS versions, and machine name. The obtained information is then saved as a text file, which can later be used for auditing, troubleshooting, or documentation purposes. The logging process is terminated by using the Stop-Transcript command, which ends the transcripting session.
This command starts a transcript file in the default file location.
This command starts a transcript file in a specific location.
This ends the transcripting session.
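The following is an added example, not code from the original article: it starts a transcript in a fixed directory (an assumed path), runs a couple of commands, stops the transcript, and confirms that the header recorded the session metadata described above.

```powershell
# Added example (not from the original article). The directory is an
# assumption; pick one that ordinary users cannot modify or delete so the
# transcripts are tamper-resistant.
$transcriptDir = 'C:\Transcripts'
New-Item -ItemType Directory -Path $transcriptDir -Force | Out-Null

# One file per user and session keeps transcripts easy to attribute later.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$path  = Join-Path $transcriptDir "$env:USERNAME-$stamp.txt"

# -IncludeInvocationHeader stamps each command with the time it was run,
# which is what turns the transcript into a usable incident timeline.
Start-Transcript -Path $path -IncludeInvocationHeader

Get-Process | Select-Object -First 3
whoami

# Stop-Transcript closes the file; nothing after this line is recorded.
Stop-Transcript

# Verify the header captured username, machine, and PowerShell version
# before relying on the transcript for auditing.
Get-Content $path -TotalCount 15 |
    Select-String -Pattern 'Start time|Username|Machine|PSVersion'
```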
The Get-WinEvent command helps you retrieve event logs, like system or application logs, that are available on local or remote computers. After fetching the logs, security analysts can then analyze them to spot security incidents or suspicious activities, like an excessive number of failed login attempts (event ID 4625) or system errors.
This reveals all the event log sources available in the system.
This displays events from the security log.
This returns the entries of failed login attempts.
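The following is an added example, not code from the original article: it lists the available logs, then pulls failed logons (event ID 4625) from the Security log for the last 24 hours and summarizes them by target account and source address. Reading the Security log requires an elevated session; the 24-hour window and the threshold of five failures are assumptions.

```powershell
# Added example (not from the original article). Run from an elevated session.

# Which logs exist on this host, and which actually contain records.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object RecordCount -gt 0 |
    Select-Object LogName, RecordCount -First 10

# Failed logons in the last 24 hours (window is an assumed value).
$filter = @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-24)
}

$failures = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the structured EventData fields from the event XML instead of
        # scraping the localized message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $data['TargetUserName']
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']
        }
    }

# Repeated failures from one source against one or many accounts is the
# pattern worth alerting on; the threshold of 5 is an assumed value.
$failures |
    Group-Object Account, Source |
    Where-Object { $_.Count -ge 5 } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```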
Module Logging is a security feature in PowerShell that lets you record when PowerShell modules are used. Threat hunters can obtain log information on the loading and unloading of PowerShell modules with the aid of Module Logging. Such information includes the name and version of the module, the path to the module, and the user account that loaded or unloaded the module. Module Logging helps the organization track the use of modules, detect potential security issues (such as the use of unauthorized or malicious modules), and troubleshoot problems.
Script Block Logging enables the recording of all activities done in PowerShell. It enables an organization to track the execution of scripts and any other code running in its environment. The logs generated include information on all the commands, expressions, and statements executed in PowerShell; who executed them; and from where they were executed. This information is helpful for auditing, responding to incidents, and detecting malicious activity.
It is recommended to use all the sources (Start-Transcript, Get-WinEvent, Module Logging, and Script Block Logging) to log the commands because each method records distinctive data, which will be helpful in monitoring PowerShell activity. If your environment is such that log sizes cannot be increased, then you should at least enable Script Block Logging to identify attacker commands and code execution.
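The following is an added example, not code from the original article: it enables Module Logging, Script Block Logging, and system-wide transcription by writing the same registry values that the corresponding Group Policy settings write, then reads back the Script Block Logging events (ID 4104) that a new session produces. It must run from an elevated session; the transcript output directory is an assumption.

```powershell
# Added example (not from the original article). Run from an elevated session.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script Block Logging -> event 4104 in Microsoft-Windows-PowerShell/Operational.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module Logging -> event 4103; '*' logs every module instead of a named list.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# Transcription for every session, not only those that call Start-Transcript.
# The output directory is an assumed path.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\Transcripts'

# Only new sessions pick up the policy, so spawn one to generate a 4104 event.
powershell.exe -NoProfile -Command "Get-Date | Out-Null"

# Read back the script block that was just logged; Properties[2] holds the
# ScriptBlockText field of a 4104 event.
$log = 'Microsoft-Windows-PowerShell/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4104; StartTime = (Get-Date).AddMinutes(-5) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } } |
    Format-List
```

These keys apply to Windows PowerShell 5.1; PowerShell 7 reads the equivalent values under HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore, so both must be set in a mixed environment.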
By providing a record of the actions that take place in the CLI and enabling companies to detect, respond to, and avoid security issues, command-line process logging can play a crucial role in enhancing the security of systems and networks.
Here are some ways command-line logging can be utilized:
With the obtained logs, threat hunters can monitor user and system activities to make sure that the systems are operated in accordance with security guidelines and industry best practices. This data can be used to spot questionable behavior, like unauthorized access or the use of privileged commands, and to stop security incidents.
Log360 helps you detect internal and external threats as soon as possible with the help of its predefined threat alerts. Therefore, you can stop communication from malicious sources and trigger a workflow to add blocklisted IPs to the firewall and block them permanently.
With command-line logs, you can find the root cause of security incidents or any other malicious activities. For instance, if a system is compromised, threat hunters or defenders can go through the logs and determine how threat actors gained access and what actions were taken.
By using Log360, IT admins can keep an eye on all the security events that are happening from a single console. They can also focus on a specific security event or specific event log data and perform comprehensive forensic analysis to find the root cause of that security incident.
Command-line logging can be a vital source of information during incident response because you can recreate the series of events leading up to the security incident. This helps you analyze the extent of the incident, find out what data may have been lost or stolen, and figure out what measures must be taken to rectify the situation.
Log360's Incident Overview dashboard offers security analysts the ability to monitor metrics such as the mean time to detect (MTTD) and the mean time to respond (MTTR). It also offers insights into ongoing, unresolved incidents; recent incidents; and critical incidents, aiding you in assessing the workload of security analysts. Security analysts can also respond to critical events by setting up incident response workflows. The workflows are executed automatically as a responsive action following the occurrence of a security incident.
Log360 is a unified SIEM solution with integrated DLP and CASB capabilities. It detects, prioritizes, investigates, and responds to security threats. It combines threat intelligence, ML-based anomaly detection, and rule-based attack detection techniques to detect sophisticated attacks. Log360 also offers an incident management console for effectively remediating detected threats.
© 2025 Zoho Corporation Pvt. Ltd. All rights reserved.