Saturday, September 26, 2015

More artifacts through PowerShell - Part 6


MsiInstaller events.

Applications that use Windows Installer log both installation and removal events; these are recorded in the 'application' event log. They are extremely useful in identifying malicious application installs.


Get-WinEvent -ea 0 -FilterHashtable @{Logname='application';ID=11707} | select TimeCreated,ID,Message |ft -auto -wrap

Get-WinEvent -ea 0 -FilterHashtable @{Logname='application';ID=11724} | select TimeCreated,ID,Message |ft -auto -wrap

There are many other events related to MsiInstaller; if you need to see all, filter the application log for event source of MsiInstaller.

Get-EventLog -LogName application -Source MsiInstaller


Service start and state change events.

If you want to track when services were started, here is a one-liner:


Get-WinEvent -ea 0 -FilterHashtable @{Logname='system';ID=7045} | select TimeCreated,ID,Message |ft -auto -wrap

Note that configuration changes and state changes for a service are tracked by event ID 7036; this is already part of the LRUP code.

Get-WinEvent -ea 0 -FilterHashtable @{Logname='system';ID=7036} | select TimeCreated,ID,Message |ft -auto -wrap


Symantec Risk log.

Symantec logs the risks it identifies in the application event log; to get that specific log, issue this one-liner:

Get-WinEvent -ea 0 -FilterHashtable @{Logname='application';ID=51} | select TimeCreated,ID,Message |ft -auto -wrap


Volume Shadow Copy shutdown events.

Some malware may shut down VSS; the one-liner below gives you more information from this log.

Get-WinEvent -ea 0 -FilterHashtable @{Logname='application';ID=8224} | select TimeCreated,ID,Message |ft -auto -wrap

The LRUP code has a one-liner to show the shadow copies created on a system; it is given below as well.

Gwmi -ea 0 Win32_ShadowCopy | select DeviceObject,@{NAME='CreationDate';EXPRESSION={$_.ConvertToDateTime($_.InstallDate)}} 
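The one-liners above all follow the same Get-WinEvent pattern, one event ID at a time. As an added example (not part of the original post or of the LRUP code), the function below runs every ID covered in this post over a single look-back window and merges the results into one time-ordered table, so an installer event, a new service and a VSS shutdown can be read in sequence. The $Hours default and the artifact labels are assumptions for illustration.

```powershell
# Added example: merge the event IDs discussed above into one timeline.
# Not from the original post or LRUP; window and labels are assumptions.
function Get-ArtifactTimeline {
    param(
        [int]$Hours = 24,                       # look-back window (assumed default)
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Each log/ID pair from the post, with a short label for the merged output.
    $queries = @(
        @{ Log = 'Application'; Id = 11707; Label = 'MSI install completed' },
        @{ Log = 'Application'; Id = 11724; Label = 'MSI removal completed' },
        @{ Log = 'System';      Id = 7045;  Label = 'Service installed' },
        @{ Log = 'System';      Id = 7036;  Label = 'Service state change' },
        @{ Log = 'Application'; Id = 51;    Label = 'Symantec risk' },
        @{ Log = 'Application'; Id = 8224;  Label = 'VSS service shutdown' }
    )

    foreach ($q in $queries) {
        # SilentlyContinue mirrors -ea 0 in the post: an empty result is not an error.
        Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = $q.Log
            Id        = $q.Id
            StartTime = $since
        } | ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Log         = $q.Log
                Id          = $_.Id
                Artifact    = $q.Label
                # Keep only the first line of the message so the table stays readable.
                Message     = ($_.Message -split "`r?`n")[0]
            }
        }
    }
}

# Newest first; widen -Hours to cover the period under investigation.
Get-ArtifactTimeline -Hours 72 | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt, since the System log and remote -ComputerName queries need administrative rights.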



