PowerShell¶
About¶
PowerShell is a task automation and configuration management program from Microsoft, consisting of a command-line shell and the associated scripting language. Initially a Windows component only, known as Windows PowerShell, it was made open-source and cross-platform on 18 August 2016 with the introduction of PowerShell Core. The former is built on the .NET Framework, the latter on .NET Core.
In PowerShell, administrative tasks are generally performed by cmdlets (pronounced command-lets), which are specialized .NET classes implementing a particular operation. These work by accessing data in different data stores, like the file system or registry, which are made available to PowerShell via providers. Third-party developers can add cmdlets and providers to PowerShell. Cmdlets may be used by scripts, which may in turn be packaged into modules.
Product Details¶
Vendor URL: PowerShell Documentation
Product Type: Console
Product Tier: n/a
Integration Method: Syslog
Integration URL: n/a
Log Guide: n/a
Parser Details¶
Log Format: Syslog/JSON (depending on NXLog output configuration)
Expected Normalization Rate: near 100%
Data Label: POWERSHELL
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field | UDM Event Type |
|---|---|---|
| description | metadata.description | metadata |
| event_type | metadata.event_type | metadata |
| product_event_type | metadata.product_event_type | metadata |
| product_log_id | metadata.product_log_id | metadata |
| product_name | metadata.product_name | metadata |
| product_version | metadata.product_version | metadata |
| vendor_name | metadata.vendor_name | metadata |
| Domain | principal.administrative_domain | principal |
| Hostname | principal.hostname | principal |
| AccountName | principal.user.userid | principal |
| UserID | principal.user.windows_sid | principal |
| AccountType | principal.user.role_description | principal |
| HostId | principal.asset.product_object_id | principal |
| security_result | security_result | security_result |
| powershell.Host_Application | target.process.command_line | target |
| powershell.Script_Name, File | target.process.file.full_path | target |
| powershell.HostId | target.asset.asset_id | target |
| powershell.HostName | target.hostname | target |
| ErrorMessage | additional.fields.key = Error Message | additional |
| Script_BlockId | security_result.detection_fields.key = ScriptBlockId | security_result |
| MessageTotal | security_result.detection_fields.key = Message Total | security_result |
| MessageNumber | security_result.detection_fields.key = Message Number | security_result |
| Data,Data_1,Data_2 | security_result.detection_fields.key = Data | security_result |
| ExecutionThreadID | security_result.detection_fields.key = ExecutionThreadID | security_result |
| ActivityID | security_result.detection_fields.key = Activity ID | security_result |
| powershell.SequenceNumber | security_result.detection_fields.key = Sequence Number | security_result |
| ScriptBlockText | security_result.detection_fields.key = script_block_text | security_result |
Product Event Types¶
| Description | metadata.event_type |
|---|---|
| Defaults | GENERIC_EVENT |
| if [EventID] == "4103" | PROCESS_LAUNCH |
| if [EventID] == "4104" | PROCESS_LAUNCH |
| if [EventID] == "403" | PROCESS_TERMINATION |
| if user missing | USER_UNCATEGORIZED |
| if source address missing | STATUS_UNCATEGORIZED |
| if host application missing | PROCESS_UNCATEGORIZED |
Log Sample¶
{"EventTime":1633032153,"Hostname":"host","Keywords":"0","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":4103,"SourceName":"Microsoft-Windows-PowerShell","ProviderGuid":"{guid}","Version":1,"TaskValue":106,"OpcodeValue":20,"RecordNumber":logid,"ActivityID":"{actid}","ExecutionProcessID":11012,"ExecutionThreadID":14124,"Channel":"Microsoft-Windows-PowerShell/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"sid","AccountType":"Group","Category":"Executing Pipeline","Opcode":"To be used when operation is just executing a method","Payload":"CommandInvocation(Add-Type): \"Add-Type\"\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.IO.Compression.FileSystem\"\n","EventReceivedTime":1633032155,"SourceModuleName":"powershell_modules_logs","SourceModuleType":"im_msvistalog","ContextInfo_Severity":"Informational","ContextInfo_Host Name":"Default Host","ContextInfo_Host Version":"5.1.14393.4583","ContextInfo_Host ID":"hostid","ContextInfo_Host Application":"ConfigSyncRun.exe","ContextInfo_Engine Version":"5.1.14393.4583","ContextInfo_Runspace ID":"runid","ContextInfo_Pipeline ID":1,"ContextInfo_Command Name":"Add-Type","ContextInfo_Command Type":"Cmdlet","ContextInfo_Script Name":"C:\\Program Files\\Citrix\\ConfigSync.ps1","ContextInfo_Command Path":null,"ContextInfo_Sequence Number":20,"ContextInfo_User":"ORG\\HOST$","ContextInfo_Connected User":null,"ContextInfo_Shell ID":"Microsoft.PowerShell"}
Sample Parsing¶
metadata.event_timestamp "2021-09-30T08:02:33"
metadata.event_type "PROCESS_LAUNCH"
metadata.vendor_name "Microsoft"
metadata.product_name "PowerShell"
metadata.product_event_type "Executing Pipeline"
metadata.product_log_id "logid"
metadata.description "To be used when operation is just executing a method"
metadata.ingested_timestamp "2021-09-30T08:02:33"
principal.hostname "host"
principal.user.userid "NETWORK SERVICE"
principal.user.windows_sid "sid"
principal.administrative_domain "NT AUTHORITY"
target.process.file.full_path "C:\\Program Files\\Citrix\\ConfigSync.ps1"
target.process.command_line "ConfigSyncRun.exe"
security_result.rule_name "EventID: 4103"
security_result.action "ALLOW"
security_result.severity "LOW"
security_result.severity_details "INFO"
Parser Alerting¶
This product currently does not have any Parser-based Alerting