Is there a resource for indexing powershell transcription files?
We're using PowerShell 5.1. I've reviewed the information provided in a 2016 Splunk .conf talk here: https://conf.splunk.com/files/2016/recordings/powershell-power-hell-hunting-for-malicious-use-of-pow...
But the info in the talk isn't truly complete. For instance, our transcription files don't always have the "End time" footer, and can contain multiple headers (Start time:, Username:, RunAs User:, etc.) within a "Windows PowerShell transcript start" event.
Is there no TA for this?
Example problem file:
**********************
Windows PowerShell transcript start
Start time: 20181026141406
Username: foo/bar
RunAs User: foo/bar
Machine: foohostbar (Microsoft Windows NT 10.0.15063.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 10916
PSVersion: 5.1.15063.1387
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.15063.1387
BuildVersion: 10.0.15063.1387
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20181026141425
**********************
PS R:\> get-adgroup compliance
DistinguishedName : stuff
GroupCategory : more stuff
GroupScope : yup, here's our stuff
Name : and more stuff
ObjectClass : and more stuff
ObjectGUID : and more stuff
SamAccountName : and more stuff
SID : and more stuff
**********************
Command start time: 20181026141442
**********************
PS R:\> get-adgroup compliance |Get-ADGroupMember
distinguishedName : stuff
name : and more stuff
objectClass : and more stuff
objectGUID : and more stuff
SamAccountName : and more stuff
SID : and more stuff
distinguishedName : and more stuff
name : and more stuff
objectClass : and more stuff
objectGUID : and more stuff
SamAccountName : and more stuff
SID : and more stuff
... a few hundred lines later....
**********************
Command start time: 20181026143530
**********************
PS R:\> TerminatingError(Export-Csv): "The process cannot access the file 'stuff' because it is being used by another process."
**********************
Windows PowerShell transcript start
Start time: 20181026141406
Username: foo/bar
RunAs User: foo/bar
Machine: foohostbar (Microsoft Windows NT 10.0.15063.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 10916
PSVersion: 5.1.15063.1387
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.15063.1387
BuildVersion: 10.0.15063.1387
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20181026143530
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The process cannot access the file 'stuff' because it is being used by another process."
export-csv : The process cannot access the file 'stuff' because it is being used by another
process.
At line:3 char:31
+ ... oupmember $groupnayme|export-csv $groupout -force -NoTypeInformation}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Export-Csv], IOException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand
export-csv : The process cannot access the file 'stuff' because it is being used by another
process.
At line:3 char:31
+ ... oupmember $groupnayme|export-csv $groupout -force -NoTypeInformation}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Export-Csv], IOException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand
export-csv : The process cannot access the file 'stuff' because it is being used by another
process.
At line:3 char:31
+ ... oupmember $groupnayme|export-csv $groupout -force -NoTypeInformation}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Export-Csv], IOException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.ExportCsvCommand
Notice the lack of:
**********************
Windows PowerShell transcript end
End time: 20181026094046
**********************
Any help is greatly appreciated.
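As an added example (not from the original post, the .conf talk, or any Splunk TA), here is a Python parser that segments a transcript like the one above into sessions and per-command events without relying on the "transcript end" footer, and carries each session's Username/Machine/Process ID onto every command so that context survives when the file holds several headers. It assumes the timestamp format shown in the file (yyyyMMddHHmmss); the sample transcript is constructed to mirror the file above.

```python
import re
from datetime import datetime
STARS = "*" * 22  # separator line used throughout the transcript
HEADER_RE = re.compile(r"^([A-Za-z ]+): (.*)$")
TS_FMT = "%Y%m%d%H%M%S"  # format of "Start time: 20181026141406" in the file

def parse_transcript(text):
    """Split into sessions; each ends at EOF or the next 'transcript start', so no footer is needed."""
    sessions, session, cmd, in_header = [], None, None, False
    for line in text.splitlines():
        if line == "Windows PowerShell transcript start":
            session = {"header": {}, "commands": []}
            sessions.append(session)
            cmd, in_header = None, True
        elif line.startswith("Command start time: "):
            cmd = {"start": line.split(": ", 1)[1], "lines": []}
            session["commands"].append(cmd)
        elif line == "Windows PowerShell transcript end":
            cmd = None  # only reached when the footer actually exists
        elif line == STARS:
            in_header = False  # first star line after the header closes it
        elif in_header and (m := HEADER_RE.match(line)):
            session["header"][m[1]] = m[2]
        elif cmd is not None:
            cmd["lines"].append(line)  # prompt line followed by command output
    return sessions

def to_events(sessions):
    """One event per command, with the session's user/host/PID carried onto it."""
    events = []
    for s in sessions:
        h = s["header"]
        for c in s["commands"]:
            first = c["lines"][0] if c["lines"] else ""  # "PS R:\> ..." prompt line
            events.append({"_time": datetime.strptime(c["start"], TS_FMT),
                           "user": h.get("Username"), "pid": h.get("Process ID"),
                           "host": h.get("Machine", "").split(" (")[0],
                           "command": first.split("> ", 1)[1] if "> " in first else first,
                           "output": "\n".join(c["lines"][1:])})
    return events

# Constructed sample modelled on the question's file: two headers, no footer.
SAMPLE = "\n".join([
    STARS, "Windows PowerShell transcript start", "Start time: 20181026141406",
    "Username: foo/bar", "Machine: foohostbar (Microsoft Windows NT 10.0.15063.0)",
    "Process ID: 10916", STARS, STARS, "Command start time: 20181026141425", STARS,
    r"PS R:\> get-adgroup compliance", "Name : and more stuff", "SID : and more stuff",
    STARS, "Windows PowerShell transcript start", "Start time: 20181026141406",
    "Username: foo/bar", STARS, STARS, "Command start time: 20181026143530", STARS, r'PS R:\> TerminatingError(Export-Csv): "stuff"',
])
```

Running `to_events(parse_transcript(SAMPLE))` yields two events, each with its own command timestamp and the user/host from the header it belongs to; the same split points (the star lines before "Windows PowerShell transcript start" and "Command start time:") are what a Splunk LINE_BREAKER would key on.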
Did you ever have any luck with this? I am about to work with these logs and was planning to use the 2016 talk as a base as well. Did you need any more props/transforms than were indicated in the talk?
Hi,
Enable the invocation headers via GPO or the Windows registry, and PS will add the timestamps as they show in your post. Google it, or use this article: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html