Powershell map to build for later #23

Closed
randomaccess3 opened this issue Jun 3, 2020 · 2 comments
@randomaccess3
Contributor

40961 - Microsoft-Windows-PowerShell%4Operational.evtx

PowerShell console is starting - This is a sign of a user starting a PowerShell console for input

https://www.blackhat.com/docs/us-14/materials/us-14-Kazanciyan-Investigating-Powershell-Attacks-WP.pdf

(Assign to me if possible and I'll get to it when I have a spare 5!)

@EricZimmerman
Owner

assigned! =)

@randomaccess3
Contributor Author

I played with this a bit more; the two that I was going to build aren't as atomic as I thought they would be.
I thought they would indicate that the user had direct access to the terminal, but it seems to also apply if they run a script without opening the terminal.
