• Solutions
    • Managed Detection and Response (MDR)
      • Security Information and Event Management (SIEM)
      • Network Detection & Response (NDR)
      • Endpoint Detection & Response (EDR/XDR)
    • Advanced Threat Detection
    • Cyber Threat Intelligence (CTI)
    • Continuous Threat Monitoring
    • Security Orchestration, Automation, and Response (SOAR)
    • Professional Services
  • ShieldVision™
  • By Use Case
    • Security Compliance & Regulations
    • Security Architecture
    • Vulnerability Management
    • Network Monitoring
    • Email Security
    • Digital Risk
  • Industries
  • SOC
    • SOC Team
    • ShieldVision™
    • Compliance
  • Visibility Triad
  • Knowledge Center
    • Blog
    • Cybersecurity Fundamentals
    • Threat Briefs
    • Client Stories
    • Use Cases
    • Webinars
    • CISO Newsletter
  • Partners
    • Managed Service Provider (MSP)
    • Technology Partners
  • Company
    • About Lumifi
    • News & Press Releases
    • Meet the Team
    • Executive Briefing Center
    • Contact Us
    • Careers – we're hiring!
  • Talk to an Expert
  • Solutions
    Lumifi ShieldVision™
    ShieldVision is Lumifi’s proprietary technology. It is a singular, multi-tenant platform that increases interoperability between elements of the SOC visibility triad and enables clients to react to threats and breaches more effectively, resulting in fortified security environments and optimized business.
    Explore the Platform.

    Solutions

    Managed Detection & Response (MDR)
    Security Information & Event Management (SIEM)
    Network Detection & Response (NDR)
    Endpoint Detection & Response (EDR/XDR)
    Advanced Threat Detection
    Threat Hunting
    Cyber Threat Intelligence (CTI)
    Continuous Threat Monitoring
    Vulnerability ManagementSecurity Orchestration, Automation, and Response (SOAR)Professional Services

    Use Cases

    Network MonitoringEmail SecurityCloud SecurityDigital RiskSecurity & ComplianceSecurity Architecture

    Industries

    HealthcareLegalFinanceManufacturingEnergy & Utilities View All
  • SOC

    Security Operations Center

    People
    SOC TeamAnalystContentEngineeringResearch & Development
    Technology
    ShieldVision™
    Lumifi's proprietary technology
    Process
    Compliance Security Operations Center (SOC) 2 Type IINIST 800-171
  • Visibility Triad
  • Knowledge Center

    Knowledge Center

    Cybersecurity Fundamentals
    BlogThreat BriefsCase StudiesCISO NewsletterWebinars
    FEATURED RESOURCES
    Cloud Security Posture Management (CSPM) Explained: How to Address Cloud Infrastructure RisksRead More »
    Illuminating Blind Spots with the Visibility TriadRead More »
    What is SaaS Security Posture Management (SSPM) and Why is it Important?Read More »
    FEATURED THREAT CONTENT
    July 1, 2024
    MOVEit Authentication Bypass (CVE-2024-5806)
    May 7, 2024
    ToddyCat is Making Holes in your Infrastructure
    April 18, 2024
    Mitigating Risk: Understanding Vulnerabilities in the Ivanti Product Suite
    View all »
  • Partners

    Our Partners

    Managed Service Providers (MSP)Technology Partners
    SIEM
    EDR/XDR
    NDR
    Digital Risk
    Data Management
    Collect and analyze log data from every corner of your organization. Pinpoint security events and launch detailed investigations in response. Gather and correlate data from across your entire IT infrastructure to find and analyze threats with customized detection rules.
    Gain real-time insight into endpoint threats and block malicious activity before it leads to business disruption. Secure your organization’s laptops, desktops, and mobile devices with best-in-class solutions configured to counter the latest threats.
    Catch attackers after they gain entry to your network. Analyze network traffic to prevent lateral movement and leverage behavioral data to gain security insights. Eliminate blind spots in your network and catch malicious insiders before they have a chance to attack.
    Digital risk encompasses the potential harm or loss arising from cyber threats, data breaches, compliance and legal issues, and reputational risks, necessitating proactive management strategies, including the use of advanced cybersecurity tools and best practices, to safeguard organizations in the dynamic digital landscape.
    As data volumes surge, managing them within budget constraints can be challenging. Explore how our portfolio prioritizes your data in your management strategy. Gain the choice, control, and flexibility needed to navigate the tension between data growth, budgets, and resources effectively.

  • Company

    Company

    About LumifiPress Release & NewsMeet the Team
    Executive Briefing CenterContact UsCareers - We're Hiring!
    Certification

    SOC 2 Type 2

    SOC-2-Type-2 Logo
Talk to an expert
Home » Blog » Improving Visibility and Preventing a Miss - Part 2: Custom PowerShell Collection

Improving Visibility and Preventing a Miss - Part 2: Custom PowerShell Collection

By Lumifi Cyber  |  May 24, 2021

A worrisome risk for a SIEM or SOAR is not collecting key logs used or required for the advanced modeling in today's platforms.

In our experience, incorrect/empty logs or lack of logging required for advanced detection (as we discussed in the first post on this topic), is obviously bad, yet failing to pick them up and sticking to collecting in just System, Security, Application leaves machine learning and modeling missing key items to with which to model behavior.

How to Collect Key PowerShell Logs

Beyond the basic logging configured in the previous blog, we will also need to be collecting these Powershell logs from these locations:

WMI-Activity/Operational Logs

  • 5857 - Indicates time of wmiprvse execution and path to provider DLL
  • 5858 - Query errors, the data include the error code in the element ResultCode and the Query that caused it under the element Operation
  • 5859 - EventFilter class
  • 5860 - Registration of Temporary (5860) and Permanent (5861) Event Consumers
  • 5861 - Registration of Temporary (5860) and Permanent (5861) Event Consumers

Microsoft-Windows- WinRM/Operational

  • 6 – WSMan session initialized
  • 8 – WSMan session deinitialization
  • 15 – WSMan session deinitialization
  • 16 – WSMan session deinitialization
  • 33 – WSMan session deinitialization
  • 91 – Session creation
  • 168 – Records authenticating user

PowerShell/Operational Logs

  • 4103 – PowerShell Module Logging
  • 4104 – PowerShell Script Block Logging
  • 8193 – Session Created
  • 8194 – Session Created
  • 8197 – Session Closed
  • 40961 – Records the local initiation of PowerShell and associated user account
  • 40962 – Records the local initiation of PowerShell and associated user account
  • 53504 - Records the authenticating user

Windows PowerShell Logs

  • 400 – ServerRemoteHost session starting
  • 403 – ServerRemoteHost session ending
  • 800 – Includes partial script code

Many systems use NXlog to transmit logs back to a SIEM, though the examples below can be translated into OSquery as well. Further down we will use examples for Exabeam.

NXlog

A basic input section for an NXlog config might look simple like this:

##
## Inputs:
##

## Windows event log:
<Input in_windows_events>
Module im_msvistalog
SavePos FALSE
ReadFromLast TRUE

Query <QueryList>\
   <Query Id="0">\
     <Select Path="Security">*</Select>\
     <Select Path="System">*</Select>\
     <Select Path="Application">*</Select>\
     <Select Path="Windows Powershell>*</Select>\
   </Query>\
</QueryList>
</Input>

But with a quick edit we can grab the additional logs we need:

##
## Inputs:
##

## Windows event log:
## Additions
## WMI-Activity/Operational Logs
## Microsoft-Windows- WinRM/Operational
## PowerShell/Operational Logs
## Windows PowerShell Logs (focused option and all option below, choose one)

<Input in_windows_events>
Module im_msvistalog
SavePos FALSE
ReadFromLast TRUE

Query <QueryList>\
<Query Id="0">\
<Select Path="Security">*</Select>\
<Select Path="System">*</Select>\
<Select Path="Application">*</Select>\
<Select Path="Microsoft-Windows-WMI-Activity/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and ( (EventID &gt;= 5857 and EventID &lt;= 5861) )]]</Select>\
<Select Path="Microsoft-Windows-WinRM/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=6 or EventID=8 or EventID=15 or EventID=16 or EventID=33 or EventID=91 or EventID=168)]]</Select>\
<Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=4103 or EventID=4104 or EventID=8193 or EventID=8194 or EventID=8197 or EventID=40961 or EventID=40962 or EventID=53504)]]</Select>\
<Select Path="Windows PowerShell">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0) and (EventID=400 or EventID=403 or EventID=800)]]</Select>\
<Select Path="Windows Powershell>*</Select>\
</Query>\
</QueryList>

</Input>

For Exabeam

image-png-3

Here, I just added the 3 new channels for PowerShell:

## WMI-Activity/Operational Logs
## Microsoft-Windows- WinRM/Operational
## PowerShell/Operational Logs

image-png-4

This allows us to collect PowerShell logs that help show encrypted channeling, encrypted arguments in a command, hidden arguments in a command, hiding PowerShell history in a PSReadLine, and more! We will get into writing those rules in our next blog.

If you have any questions about these instructions, please reach out to Lumfi so that we can help walk you through these concepts, as well as ensure the logs are in your platform of choice.

 

By Lumifi Cyber
Improving Visibility and Preventing a Miss - Part 2: Custom PowerShell Collection

Topics Covered

Share This

Subscribe to Lumifi's Daily Cybersecurity News Curated by a CISO

Mike Hamilton, CISO of Lumifi, curates the top cybersecurity news every weekday, delivering the latest breaches, alerts, and industry developments in the Daily Blast, your go-to morning source for InfoSec updates.

Related Articles

Cloud Security Posture Management (CSPM) Explained: How to Address Cloud Infrastructure Risks

Cloud Security Posture Management (CSPM) Explained: How to Address Cloud Infrastructure Risks

Illuminating Blind Spots with the Visibility Triad

Illuminating Blind Spots with the Visibility Triad

What is SaaS Security Posture Management (SSPM) and Why is it Important?

What is SaaS Security Posture Management (SSPM) and Why is it Important?

1 2 3 4 5 6 7 8 9 10 … 132 133 134 135 136 137 138 139 140 141 Next »

📣  Announcing:

Lumifi Acquires Critical Insight

We’ve expanded our MDR capabilities with enhanced incident response and security services to better protect against evolving cyber threats.

Learn More
1475 N Scottsdale Rd STE 410 
Scottsdale, AZ 85257 
877.388.4984
©2024 Lumifi Cyber
All Rights Reserved
Visit our TwitterVisit our LinkedIn

Solutions

Managed Detection & Response
Security Information & Event Management (SIEM)
Network Detection & Response (NDR)
Endpoint Detection & Response (EDR/XDR)
Advanced Threat Detection
Threat Hunting
Vulnerability Management
Cyber Threat Intelligence (CTI)
Continuous Threat Monitoring
Security Orchestration, Automation, and Response (SOAR)
Professional Services

Use cases

Security & Compliance
Security Architecture
Network MonitoringEmail Security
Digital Risk
Cloud Security
Visibility Triad
ShieldVision™

PARTNERS

Technology Partners
Managed Service Providers

KNowledge Center

Cybersecurity Fundamentals
Blogs
Threat Briefs 
Client Stories
Webinars

COMPANY

About 
Meet the Team
Careers
Press Releases & News
Contact Us
Privacy PolicyTerms & ConditionsSitemapSafeHotlineLumifi Trust Center
closeprintfacebookenvelopelinkedinangle-downxingpaper-planepinterest-pwhatsappcommentingx-twittermagnifiercrossmenuchevron-down linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram