Day 8 : Santa's Special Bag of Toys (John Hammond Special)
Working with Powershell Transcription Logs (Windows Forensics)
PowerShell Transcription Logs capture the input and output of Windows PowerShell commands, allowing an analyst to review what was run and when. Transcription is typically enabled through Group Policy, but it can also be turned on by configuring the Windows Registry directly.
Entered in an Administrator command prompt, reg add commands that set EnableTranscripting, EnableInvocationHeader and OutputDirectory under the Software\Policies\Microsoft\Windows\PowerShell\Transcription key turn on PowerShell Transcription Logging for a local host.
The Windows Registry is a large database of operating system settings and configurations. It is organized by "hives", with each hive containing "keys" and their corresponding "values."
PowerShell Transcription Logging can be enabled in this way "per-user" via the HKEY_CURRENT_USER registry hive, or across the entire host via the HKEY_LOCAL_MACHINE registry hive; the key path is the same under either hive, only the hive differs.
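The same change applied from PowerShell instead of cmd's reg add, as an added example that is not the room's own command list. The key path and value names are the ones the Transcription policy reads; the C:\Transcripts output directory is an assumed location.

```powershell
# Added example, not the room's own command list: enable PowerShell
# Transcription by writing the policy values directly to the registry.
# Run from an elevated PowerShell session. Key path and value names are
# those read by the "Turn on PowerShell Transcription" policy; the output
# directory C:\Transcripts is an assumed location.
param(
    # CurrentUser writes to HKCU (per-user); LocalMachine writes to HKLM (host-wide).
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$Scope = 'LocalMachine',
    [string]$OutputDirectory = 'C:\Transcripts'
)

$hive = if ($Scope -eq 'CurrentUser') { 'HKCU:' } else { 'HKLM:' }
$key  = "$hive\Software\Policies\Microsoft\Windows\PowerShell\Transcription"

# The policy key does not exist until Group Policy or an admin creates it.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# EnableTranscripting=1 turns logging on. EnableInvocationHeader=1 writes a
# timestamp header before each command, which is what lets an analyst later
# say not just what ran, but when.
New-ItemProperty -Path $key -Name EnableTranscripting    -PropertyType DWord  -Value 1 -Force | Out-Null
New-ItemProperty -Path $key -Name EnableInvocationHeader -PropertyType DWord  -Value 1 -Force | Out-Null
New-ItemProperty -Path $key -Name OutputDirectory        -PropertyType String -Value $OutputDirectory -Force | Out-Null

# Equivalent cmd.exe form for the host-wide case:
#   reg add HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 1 /f

# Read the values back to confirm. Only sessions started after this point
# are transcribed; each writes PowerShell_transcript.<host>.<id>.<timestamp>.txt
# into a date-named subfolder of the output directory.
Get-ItemProperty -Path $key |
    Select-Object EnableTranscripting, EnableInvocationHeader, OutputDirectory
```

One caveat for real deployments: if the output directory is writable by the users being logged, an actor can simply delete their own transcript. Point OutputDirectory at a location the user can write to but not read or delete from (a write-only share is the usual choice) so the log survives the session it records.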
The actor uses a Living Off The Land binary (LOLBin), certutil.exe, the Windows binary for handling certificates, to encode this file (UsrClass.dat), and then verifies it succeeded by viewing the output file.
The UsrClass.dat file was encoded with Base64, which we decode to recover the original hive.
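Reversing the actor's certutil -encode step, as an added example that is not part of the original room. certutil wraps its Base64 output in PEM-style CERTIFICATE header and footer lines, so those are stripped before decoding, and the result is checked for the "regf" signature that every offline registry hive starts with. The file names download.dat and UsrClass.dat follow the room; the demo input is constructed, not the room's real file.

```powershell
# Added example, not from the original room: reverse what the actor did with
# certutil -encode. certutil wraps its base64 output in PEM-style
# "-----BEGIN CERTIFICATE-----" / "-----END CERTIFICATE-----" lines, so those
# are stripped before decoding. The result is then checked for the "regf"
# signature every offline registry hive starts with. File names below
# (download.dat, UsrClass.dat) follow the room; the demo input is constructed.
function ConvertFrom-CertutilEncoded {
    param(
        [Parameter(Mandatory)] [string]$InputPath,
        [Parameter(Mandatory)] [string]$OutputPath
    )
    $b64 = (Get-Content -Path $InputPath |
            Where-Object { $_ -notmatch '^-----(BEGIN|END) ' }) -join ''
    $bytes = [Convert]::FromBase64String($b64)
    [System.IO.File]::WriteAllBytes($OutputPath, $bytes)
    return $bytes.Length
}

function Test-RegistryHive {
    param([Parameter(Mandatory)] [string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 4) { return $false }
    # NTUSER.DAT, UsrClass.dat, SYSTEM, SOFTWARE ... all begin with "regf".
    return ([System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) -eq 'regf')
}

# --- constructed demo input standing in for the actor's download.dat ---
$work = Join-Path $env:TEMP 'certutil-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$encodedPath = Join-Path $work 'download.dat'
$decodedPath = Join-Path $work 'UsrClass.dat'

# A fake hive: the regf magic followed by zero padding (not a real hive).
$fakeHive = [byte[]]([System.Text.Encoding]::ASCII.GetBytes('regf') + (New-Object byte[] 60))
@(
    '-----BEGIN CERTIFICATE-----'
    [Convert]::ToBase64String($fakeHive, [System.Base64FormattingOptions]::InsertLineBreaks)
    '-----END CERTIFICATE-----'
) | Set-Content -Path $encodedPath

$size = ConvertFrom-CertutilEncoded -InputPath $encodedPath -OutputPath $decodedPath
"Decoded $size bytes; regf signature present: $(Test-RegistryHive -Path $decodedPath)"
# Hash the recovered hive before opening it in any tool, so later findings
# can be tied to exactly this file.
Get-FileHash -Path $decodedPath -Algorithm SHA256 | Select-Object Algorithm, Hash
```

On a Windows host with the LOLBin available, certutil -decode download.dat UsrClass.dat does the same decoding natively; the function above is useful when the analysis box is not Windows, or when you want to check the magic bytes before trusting that the decode produced a hive at all.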
Now open the decoded file in the Registry Explorer GUI > Load offline hive > select the download.dat file you decoded.
UsrClass.dat contains ShellBags: artifacts within the Windows registry (under Local Settings\Software\Microsoft\Windows\Shell\BagMRU and Bags) that store the user's view preferences for folders opened in the Windows Explorer GUI. Because an entry is written when a folder is browsed and persists after the folder or drive is gone, analyzing them shows what user activity was performed on the laptop before it was compromised.
To extract the ShellBags information from this UsrClass.dat file, we will use the "ShellBags Explorer" graphical utility written by Eric Zimmerman (SBECmd.exe, its command-line counterpart, exports the same data to CSV for scripted review).
Unfortunately, from ShellBags alone we only have insight into folder names (sometimes file names, if we are lucky) and the column and view data within Windows Explorer, not the files themselves or their contents.
On the GitHub repository, go to the Code tab > look in the upper right corner, below the Clone button > notice the 5 commits.
Total of 228 files in the extracted zip.