Making Powershell Forensics Hard for Fun and Profit

I don’t know about you, but when I am doing something related to pen-testing, I like to make it hard for the defenders to figure out what I have done. Everyone just gets a better and more realistic overall experience. You need challenges to grow! So, here is just another little trick to make it harder on forensic analysts when it comes to discovering what commands were run from a PowerShell process.

First thing here, I’d like to cover a few concepts of how PowerShell works and how these nuances of the PowerShell scripting language can be abused. When you load up a PowerShell console, a “profile” script is loaded in the background. These files can do all sorts of things, from customizing your prompt to preloading variables and aliases for commands you frequently use. There is also something called a “proxy function”, which essentially lets you overload a built-in cmdlet: because functions take precedence over cmdlets during command resolution, a function with the same name as a cmdlet is what actually runs. If you put the two together, there are all sorts of things you can do to make forensics harder. I mean seriously, how many people in the defenders’ realm really know much about the profile.ps1 file? Hopefully this will help raise awareness of it.
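As an added example from the defender's side (this is not code from the original post), the following PowerShell audit lists which profile scripts actually exist on disk for the current host, flags any function or alias in the live session whose name collides with a built-in cmdlet (the proxy-function pattern described above), and prints the function declarations found in the profile files themselves. It assumes Windows PowerShell 5.1 or later.

```powershell
# Added audit script (not from the original post). Run it in the host whose profile you
# want to check; it reads $PROFILE, the live command table and the profile files on disk.

# 1. Profile locations for this host. $PROFILE carries one NoteProperty per scope.
$scopes = 'AllUsersAllHosts', 'AllUsersCurrentHost', 'CurrentUserAllHosts', 'CurrentUserCurrentHost'
$profilePaths = foreach ($scope in $scopes) {
    [pscustomobject]@{
        Scope  = $scope
        Path   = $PROFILE.$scope
        Exists = Test-Path -LiteralPath $PROFILE.$scope
    }
}
$profilePaths | Format-Table -AutoSize

# 2. Functions and aliases not backed by a module (profile-defined ones never are)
#    whose name is also a cmdlet. Functions win command resolution, so such a name
#    is an override of the cmdlet, whether or not it was meant as one.
$candidates = Get-Command -CommandType Function, Alias | Where-Object { -not $_.ModuleName }
$shadowed = foreach ($cmd in $candidates) {
    $sameName = Get-Command -Name $cmd.Name -All -ErrorAction SilentlyContinue
    $builtin  = $sameName | Where-Object { $_.CommandType -eq 'Cmdlet' } | Select-Object -First 1
    if ($builtin) {
        [pscustomobject]@{
            Name      = $cmd.Name
            Type      = $cmd.CommandType
            Shadows   = "$($builtin.Source)\$($builtin.Name)"
            # FunctionInfo exposes the defining file via ScriptBlock; aliases expose their target.
            DefinedIn = if ($cmd.CommandType -eq 'Function') { $cmd.ScriptBlock.File } else { $cmd.Definition }
        }
    }
}
if ($shadowed) { $shadowed | Format-Table -AutoSize } else { 'No cmdlet names are shadowed in this session.' }

# 3. Function declarations in the profile files on disk, with line numbers, so the
#    reviewer can read the definitions without executing the profile.
foreach ($p in $profilePaths | Where-Object Exists) {
    Select-String -LiteralPath $p.Path -Pattern '^\s*function\s+([\w-]+)' |
        ForEach-Object { '{0}:{1}: function {2}' -f $p.Path, $_.LineNumber, $_.Matches[0].Groups[1].Value }
}
```

Step 2 inspects the session it runs in, so a profile that has already overridden Get-Command could lie to it; compare its output against a clean `powershell -NoProfile` session, and treat steps 1 and 3 (which only read the disk) as the ground truth.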