Closed b4b857f6ee closed 3 years ago
Ok, I found some information here: https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/
So if I understand correctly, there is no way to see all the commands run by Invoke-EDRChecker?
Within the PowerShell implant you're trying to monitor, can you run $PSVersionTable please and report the output back here.
Also ensure that you have PowerShell module, script block and transaction logging enabled. Fireeye have done a really nice article on enabling the right stuff. https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
If you're running a default PowerShell implant in a v5.0 environment, and you have those logging methods enabled properly, I don't see why you're seeing output from some commands and not others; that doesn't tally.
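As an added example (not code from this thread or from the PoshC2 project), the script below enables the three logging features mentioned above by writing the same local policy registry keys that the Group Policy templates set, then shows how to confirm the policy and pull the resulting events. It assumes an elevated PowerShell 5.x session and a transcript directory of C:\PSTranscripts, which is a placeholder you should change for your environment.

```powershell
# Added example: enable PowerShell module, script block and transcription
# logging through the policy registry keys, then verify. Run elevated.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Assumed transcript location (placeholder; pick a directory only admins can read).
$transcriptDir = 'C:\PSTranscripts'

# Value name -> data for each policy subkey. Integers become REG_DWORD,
# strings become REG_SZ when written with Set-ItemProperty.
$policy = @{
    'ScriptBlockLogging' = @{ EnableScriptBlockLogging = 1 }
    'ModuleLogging'      = @{ EnableModuleLogging = 1 }
    'Transcription'      = @{ EnableTranscripting = 1; EnableInvocationHeader = 1; OutputDirectory = $transcriptDir }
}

function Enable-PoshLoggingPolicy {
    foreach ($sub in $policy.Keys) {
        $path = Join-Path $base $sub
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $policy[$sub].Keys) {
            Set-ItemProperty -Path $path -Name $name -Value $policy[$sub][$name]
        }
    }
    # Module logging only records modules listed under ModuleNames; '*' = all.
    $modNames = Join-Path $base 'ModuleLogging\ModuleNames'
    if (-not (Test-Path $modNames)) { New-Item -Path $modNames -Force | Out-Null }
    Set-ItemProperty -Path $modNames -Name '*' -Value '*'

    if (-not (Test-Path $transcriptDir)) { New-Item -ItemType Directory -Path $transcriptDir | Out-Null }
}

function Test-PoshLoggingPolicy {
    # Returns one object per feature with its current enabled state (0/1 or $null if unset).
    foreach ($sub in $policy.Keys) {
        $path = Join-Path $base $sub
        $flag = ($policy[$sub].Keys | Where-Object { $_ -like 'Enable*' } | Select-Object -First 1)
        $val  = if (Test-Path $path) { (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).$flag } else { $null }
        [pscustomobject]@{ Feature = $sub; Setting = $flag; Value = $val }
    }
}

function Get-RecentPoshLogEvents {
    param([int]$Max = 10)
    # 4103 = module logging (pipeline execution), 4104 = script block logging.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104 } -MaxEvents $Max |
        Select-Object TimeCreated, Id, @{ n = 'Text'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }
}

Enable-PoshLoggingPolicy
Test-PoshLoggingPolicy | Format-Table -AutoSize
# New sessions pick up the policy; after running some commands in a fresh
# PowerShell, the 4103/4104 events should appear here.
Get-RecentPoshLogEvents
```

The policy is read when a PowerShell process starts, so an implant that was already running before the keys were written will not be covered until it is restarted; check Test-PoshLoggingPolicy on the monitored host rather than assuming the GPO applied.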
Ok, my AD is on 2012R2, so I just installed PowerShell 5.1 but don't get the GPO add-on for this; I only have Module Logging. I'm searching how to add it now.
Closing issue, re-open if any further problems.
Hello,
I have activated PowerShell logging to track the PoshC2 commands. If I run a simple dir, I can see it, but if I run Invoke-EDRChecker I can't find this command. Why? It is run in memory without the system PowerShell, so I can't find it. Is there a way to get this information? Sysmon?
Thank you :)