PowerShell Core pwsh encoded command

PowerShell Core Logging

Many security professionals know the importance of PowerShell logging. It gives us great visibility for the Incident Response and Threat Hunting processes. FireEye wrote a great article about PowerShell logging here. As Microsoft has already launched PowerShell Core, we also need to consider PowerShell Core (PowerShell 6/7) logging. As a side note, the executable name of PowerShell Core is pwsh.exe, and it therefore usually co-exists with the original powershell.exe executable. In reality, organizations are shifting more and more workloads to the cloud, such as Azure. Both developer and operations teams tend to use more and more PowerShell to manage their cloud instances. I saw some developer and operations teams install PowerShell Core on their own. This may be risky! So, I suggest we turn on the logging before they install the tools.

Splunk garbled characters after import eventlog evtx using incorrect sourcetype

Import EventLog into Splunk

Because Splunk also uses the native Windows API to process the exported evtx file, you must use a Windows machine with Splunk installed (either a Universal Forwarder or any full Splunk instance, including an all-in-one Splunk instance or a Heavy Forwarder instance) to process the evtx file. In other words, the inputs.conf should be deployed or defined on a Windows machine in order to successfully import EventLog/Sysmon Event Log data into Splunk. You will need to use the sourcetype preprocess-winevt. If you do not explicitly define it, Splunk will display garbled characters after importing the EventLog evtx file. You can find the working version of inputs.conf below
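
A monitor stanza consistent with the description above, shown next to the variant that produces garbled events. This is an added example, not the author's file; the directory `C:\evtx_import` and the index name `wineventlog_import` are assumptions.

```ini
# inputs.conf - deploy on a Windows host running Splunk
# (Universal Forwarder, Heavy Forwarder or a full instance).
# Assumed for this example: exported files are dropped in C:\evtx_import
# and the target index is named wineventlog_import.

# Broken variant: no sourcetype is set, so Splunk displays garbled
# characters for the imported .evtx content.
# [monitor://C:\evtx_import\*.evtx]
# index = wineventlog_import

# Working variant: the sourcetype is set explicitly to preprocess-winevt.
[monitor://C:\evtx_import\*.evtx]
sourcetype = preprocess-winevt
index = wineventlog_import
disabled = 0
```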