This brief tutorial demonstrates how attackers misuse PowerShell for reconnaissance and how SOC teams can detect and track such activity. By default PowerShell records very little (Windows PowerShell 5 and later writes a warning-level 4104 event only for script blocks it considers suspicious), so the first step is to enable the key logging features, Module Logging, Script Block Logging and Transcription, via Group Policy. These logs give visibility into the commands and scripts executed on a system. The tutorial simulates an attacker using a single PowerShell command (Get-LocalUser) to enumerate local user accounts, a common reconnaissance technique, and then finds that command in the PowerShell Operational log. With these logs enabled and forwarded to a SIEM, SOC teams can detect PowerShell-based activity centrally and respond before the attacker moves on to privilege escalation.
Requirements
System: Windows 10/11 or Windows Server 2019/2022
Windows PowerShell 5.1 (pre-installed; Get-LocalUser comes from the built-in Microsoft.PowerShell.LocalAccounts module)
Windows Event Viewer
Notepad or Excel (for documentation)
1. Environment
- Create a VM on Azure or use a virtual machine on your desktop
I'm using Azure and have connected via RDP
Enable Logging for PowerShell Execution
Press Win + R to open the Run dialog. Type gpedit.msc and press Enter to open the Group Policy Editor.
or search for group policy and select 'edit group policy'
Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell and set the following four policies to Enabled, then hit Apply:
- Turn on Module Logging: in the Options pane, click Show next to "Module Names" and add a single entry of `*`, otherwise no module is logged.
- Turn on PowerShell Script Block Logging: this produces event 4104, the event used for detection later in this tutorial. Leave "Log script block invocation start / stop events" unticked; it is very noisy.
- Turn on PowerShell Transcription: this writes the full console text of every session to the output directory you specify. Choose a directory ordinary users cannot read or clean up, since transcripts are the one record an attacker will want to delete.
- Turn on Script Execution: this is the execution policy (for example "Allow local scripts and remote signed scripts"), not a logging control; it is included so the later commands are not blocked.
Run `gpupdate /force` and open a new PowerShell window afterwards: a session that is already running keeps the logging settings it started with.
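The four Group Policy settings above are simply registry values under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell`. The following script, added here as an example and not part of the original tutorial, writes the same values directly so the configuration can be repeated on every lab VM without clicking through gpedit. It must run from an elevated session; the transcript directory `C:\PSTranscripts` is an assumption, pick your own. On a domain-joined machine a domain GPO will overwrite these values at the next refresh.

```powershell
# Added example: enable PowerShell logging via the policy registry keys that the
# GPO settings "Turn on Module Logging", "Turn on PowerShell Script Block Logging",
# "Turn on PowerShell Transcription" and "Turn on Script Execution" write.
# Run elevated. Not part of the original tutorial.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Module Logging: the policy needs a ModuleNames subkey listing which modules to
# log. A single value named '*' with data '*' logs every module.
New-Item -Path "$Base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$Base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$Base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Script Block Logging (event 4104). Invocation logging adds 4105/4106 start and
# stop events for every block, which is far too noisy for most environments.
New-Item -Path "$Base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$Base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$Base\ScriptBlockLogging" -Name EnableScriptBlockInvocationLogging -Value 0 -Type DWord

# Transcription: full console text of every session, one file per session, written
# under OutputDirectory (assumed path; PowerShell creates it if it does not exist).
New-Item -Path "$Base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$Base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$Base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$Base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# "Turn on Script Execution" is the execution policy, not a logging control.
# RemoteSigned corresponds to "Allow local scripts and remote signed scripts".
Set-ItemProperty -Path $Base -Name EnableScripts -Value 1 -Type DWord
Set-ItemProperty -Path $Base -Name ExecutionPolicy -Value 'RemoteSigned' -Type String

# Verify: every Enable* value below should read 1. Open a NEW PowerShell window
# before testing, because the current session keeps the settings it started with.
Get-ItemProperty -Path "$Base\ScriptBlockLogging", "$Base\ModuleLogging", "$Base\Transcription" |
    Select-Object PSChildName, EnableScriptBlockLogging, EnableModuleLogging, EnableTranscripting
```

If the values do not appear after running this from a normal (non-elevated) window, the HKLM writes were denied; the registry provider reports an access error rather than silently skipping the key.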
Attack Simulation & Detection Using Powershell
Run the following command in a new PowerShell window (no elevation is needed to list local accounts, which is part of why this technique is attractive to an attacker): Get-LocalUser | Select-Object Name, Enabled
This command lists every local user account on the system along with its status (enabled/disabled). Attackers run the same kind of query post-exploitation to learn which accounts exist, which are disabled, and which are worth targeting before attempting privilege escalation.
Detect the Attack using Windows Event Viewer
Open Event Viewer (Win + R, type eventvwr.msc, press Enter) or search for event and select 'event viewer'
In Event Viewer, expand Applications and Services Logs → Microsoft → Windows → PowerShell → Operational
Click Filter Current Log and enter Event ID 4104. This is the Script Block Logging event; its task category reads "Execute a Remote Command (4104)" even for blocks run locally, so do not let the name mislead you. Event 4103 (Executing Pipeline) holds the Module Logging records and is a useful second place to look.
Retrieve Logs using PowerShell (Alternative Detection Method)
Instead of using Event Viewer, use PowerShell to directly extract the event:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} | Select-Object TimeCreated, Message
This command fetches the script block execution records (Event ID 4104) from the PowerShell Operational log. Filtering with -FilterHashtable lets the event log service select the events instead of pulling every record into PowerShell and discarding most of it, which matters on a busy host. Look for Get-LocalUser in the output. Note that the Get-WinEvent command itself is a script block and will also be logged as a 4104 event, so expect to see your own query in the results.
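Searching the Message field by eye does not scale past a lab, so the following function, added here as an example and not part of the original tutorial, pulls the 4104 events and flags any script block containing a local-account reconnaissance command. It reads the event's property fields rather than the rendered message, and it skips its own script block so the detector never alerts on itself. The constructed sample events let it run without a live log; remove the -Events argument to hunt the real Operational log.

```powershell
# Added example: hunt Script Block Logging (4104) events for local-account
# reconnaissance. Not part of the original tutorial. Assumes Script Block Logging
# is enabled as described above; pattern list and sample data are assumptions.
$ReconPatterns = @(
    'Get-LocalUser', 'Get-LocalGroup', 'Get-LocalGroupMember',
    'net\s+user', 'net\s+localgroup', 'whoami', 'Win32_UserAccount'
)
$ReconRegex = $ReconPatterns -join '|'

function Find-ReconScriptBlocks {
    param(
        [int]$Hours = 24,
        [object[]]$Events   # optional: pre-collected 4104 events, used for the offline demo below
    )
    if (-not $Events) {
        $Events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-PowerShell/Operational'
            Id        = 4104
            StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue
    }
    foreach ($e in $Events) {
        # 4104 property layout: [0] MessageNumber, [1] MessageTotal,
        # [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
        $text = [string]$e.Properties[2].Value
        # Do not alert on this hunting function's own script block.
        if ($text -match 'Find-ReconScriptBlocks') { continue }
        if ($text -match $ReconRegex) {
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                TimeCreated   = $e.TimeCreated
                ScriptBlockId = $e.Properties[3].Value
                Path          = $e.Properties[4].Value      # empty for interactive input
                Matched       = ([regex]::Matches($text, $ReconRegex).Value | Select-Object -Unique) -join ','
                Snippet       = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
        }
    }
}

# Constructed sample events mimicking the Properties layout of real 4104 records:
# one benign block, the tutorial's recon command, and a multi-command recon block.
function New-SampleEvent([string]$ScriptText, [string]$Path = '') {
    [pscustomobject]@{
        TimeCreated = Get-Date
        Properties  = @(
            @{ Value = 1 }, @{ Value = 1 }, @{ Value = $ScriptText },
            @{ Value = [guid]::NewGuid() }, @{ Value = $Path }
        )
    }
}
$Sample = @(
    (New-SampleEvent 'Get-ChildItem C:\Temp | Measure-Object'),
    (New-SampleEvent 'Get-LocalUser | Select-Object Name, Enabled'),
    (New-SampleEvent "whoami /all`nnet user`nnet localgroup administrators" 'C:\Users\Public\recon.ps1')
)

# Expect two hits: the Get-LocalUser block and the whoami/net user block.
Find-ReconScriptBlocks -Events $Sample | Format-Table -AutoSize
```

In a real investigation, group the hits by ScriptBlockId and Path: a long script is split across several 4104 records that share one ScriptBlockId, and a non-empty Path tells you which file on disk to collect before it is removed.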
Conclusion
✅ Successfully simulated an attacker’s reconnaissance technique using PowerShell
✅ Detected the suspicious command execution via Windows Event Viewer and PowerShell log extraction.
✅ Understood how SOC analysts can detect and investigate PowerShell-based attacks in real-world scenarios.