<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Indexing PowerShell transcription files in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Indexing-PowerShell-transcription-files/m-p/536017#M89877</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Enable the invocation headers via GPO or the Windows registry and PowerShell will add the timestamps as they show in your post. Google it, or use this article &lt;A href="https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html" target="_blank"&gt;https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 15 Jan 2021 15:07:18 GMT</pubDate>
    <dc:creator>hubekpeter</dc:creator>
    <dc:date>2021-01-15T15:07:18Z</dc:date>
    <item>
      <title>Indexing PowerShell transcription files</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Indexing-PowerShell-transcription-files/m-p/455890#M78843</link>
      <description>&lt;P&gt;Is there a resource for indexing PowerShell transcription files?&lt;/P&gt;

&lt;P&gt;We're using PowerShell 5.1. I've reviewed the information provided in a 2016 Splunk .conf talk here: &lt;A href="https://conf.splunk.com/files/2016/recordings/powershell-power-hell-hunting-for-malicious-use-of-powershell-with-splunk.mp4"&gt;https://conf.splunk.com/files/2016/recordings/powershell-power-hell-hunting-for-malicious-use-of-powershell-with-splunk.mp4&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;But the info in the talk isn't truly complete. For instance, our transcription files don't always have the "End time" footer, and can contain multiple headers (Start time:, Username:, RunAs User:, etc) within a "Windows PowerShell transcript start" event.&lt;/P&gt;

&lt;P&gt;Is there no TA for this?&lt;/P&gt;

&lt;P&gt;Example problem file:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;**********************
Windows PowerShell transcript start
Start time: 20181026141406
Username: foo/bar
RunAs User: foo/bar
Machine: foohostbar (Microsoft Windows NT 10.0.15063.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 10916
PSVersion: 5.1.15063.1387
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.15063.1387
BuildVersion: 10.0.15063.1387
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20181026141425
**********************
PS R:\&amp;gt; get-adgroup compliance


DistinguishedName : stuff
GroupCategory     : more stuff
GroupScope        : yup, here's our stuff
Name              : and more stuff
ObjectClass       : and more stuff
ObjectGUID        : and more stuff
SamAccountName    : and more stuff
SID               : and more stuff



**********************
Command start time: 20181026141442
**********************
PS R:\&amp;gt; get-adgroup compliance |Get-ADGroupMember


distinguishedName : stuff
name              : and more stuff
objectClass       : and more stuff
objectGUID        : and more stuff
SamAccountName    : and more stuff
SID               : and more stuff

distinguishedName : and more stuff
name              : and more stuff
objectClass       : and more stuff
objectGUID        : and more stuff
SamAccountName    : and more stuff
SID               : and more stuff

... a few hundred lines later....

**********************
Command start time: 20181026143530
**********************
PS R:\&amp;gt; TerminatingError(Export-Csv): "The process cannot access the file 'stuff' because it is being used by another process."
**********************
Windows PowerShell transcript start
Start time: 20181026141406
Username: foo/bar
RunAs User: foo/bar
Machine: foohostbar (Microsoft Windows NT 10.0.15063.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 10916
PSVersion: 5.1.15063.1387
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.15063.1387
BuildVersion: 10.0.15063.1387
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20181026143530
**********************
PS&amp;gt;CommandInvocation(Out-String): "Out-String"
&amp;gt;&amp;gt; ParameterBinding(Out-String): name="InputObject"; value="The process cannot access the file 'stuff' because it is being used by another process."
export-csv : The process cannot access the file 'stuff' because it is being used by another 
process.
At line:3 char:31
+ ... oupmember $groupnayme|export-csv $groupout -force -NoTypeInformation}
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (:) [Export-Csv], IOException
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand
export-csv : The process cannot access the file 'stuff' because it is being used by another 
process.
At line:3 char:31
+ ... oupmember $groupnayme|export-csv $groupout -force -NoTypeInformation}
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (:) [Export-Csv], IOException
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand
export-csv : The process cannot access the file 'stuff' because it is being used by another
process.
At line:3 char:31
+ ... oupmember $groupnayme|export-csv $groupout -force -NoTypeInformation}
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (:) [Export-Csv], IOException
    + FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Notice the lack of:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;**********************
Windows PowerShell transcript end
End time: 20181026094046
**********************
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Any help is greatly appreciated.&lt;/P&gt;</description>
      <pubDate>Tue, 30 Oct 2018 20:58:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Indexing-PowerShell-transcription-files/m-p/455890#M78843</guid>
      <dc:creator>adamsmith47</dc:creator>
      <dc:date>2018-10-30T20:58:03Z</dc:date>
    </item>
    <item>
      <title>Re: Indexing PowerShell transcription files</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Indexing-PowerShell-transcription-files/m-p/455891#M78844</link>
      <description>&lt;P&gt;Did you ever have any luck with this?  I am about to work with these logs and was planning to use the 2016 talk as a base as well.  Did you need any more props/transforms than were indicated in the talk?&lt;/P&gt;</description>
      <pubDate>Tue, 08 Jan 2019 16:32:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Indexing-PowerShell-transcription-files/m-p/455891#M78844</guid>
      <dc:creator>centrafraserk</dc:creator>
      <dc:date>2019-01-08T16:32:38Z</dc:date>
    </item>
    <item>
      <title>Re: Indexing PowerShell transcription files</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Indexing-PowerShell-transcription-files/m-p/536017#M89877</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Enable the invocation headers via GPO or the Windows registry and PowerShell will add the timestamps as they show in your post. Google it, or use this article &lt;A href="https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html" target="_blank"&gt;https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 15 Jan 2021 15:07:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Indexing-PowerShell-transcription-files/m-p/536017#M89877</guid>
      <dc:creator>hubekpeter</dc:creator>
      <dc:date>2021-01-15T15:07:18Z</dc:date>
    </item>
  </channel>
</rss>