detections
- ID: DT055
- Created: 09th June 2024
- Updated: 10th February 2025
- Platform: Windows
- Contributors: The ITM Team, James Weston,
PowerShell Logging
Detailed PowerShell logging is not enabled by default and must be configured.
PowerShell is able to record the processing of commands, script blocks, functions, and scripts whether invoked interactively, or through automation.
PowerShell logging can be enabled through Group Policy with the following: Administrative Templates → Windows Components → Windows PowerShell
There are 3 available logging types, they are: Module Logging, Script Block Logging and Transcription.
Module Logging: Records pipeline execution details, such as variable initialisation and command invocations, capturing portions of scripts and some de-obfuscated code. This logging is available since PowerShell 3.0 and generates a large volume of events, providing valuable output not captured elsewhere. Events are written to Event ID 4103.
Module logging can be enabled by setting the following registry values:
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging → EnableModuleLogging = 1
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging \ModuleNames → * = *
Script Block Logging: Captures blocks of code as they are executed, including de-obfuscated code, allowing visibility into the full contents of executed scripts and commands. This feature is available in PowerShell 5.0 and records events under Event ID 4104.
Script block logging can be enabled by setting the following registry values:
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging → EnableScriptBlockLogging = 1
Transcription: Records the input and output of entire PowerShell sessions, providing a comprehensive record of all commands executed and their results.
Transcription logging can be enabled by setting the following registry values:
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription → EnableTranscripting = 1
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription → EnableInvocationHeader = 1
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription → OutputDirectory = “” (Enter path. Empty = default)
Sections
| ID | Name | Description |
|---|---|---|
| AF002 | Log Deletion | The subject deliberately deletes logs to eliminate records of their activity and hinder subsequent investigation. This may include host-based logs (e.g., Windows Event Logs, Linux audit logs), application logs (e.g., authentication or access records), or network-level logs (e.g., firewall or proxy logs).
Deletion may be selective by targeting specific time ranges, event types, or identifiers, or more broad by wiping entire log files or directories to prevent attribution or timeline reconstruction. |
| AF035 | Native Application Misuse | Native application misuse occurs when a subject uses applications, services, binaries, scripts, or administrative utilities already present on a corporate endpoint or server to support, conceal, or facilitate an infringement without introducing new software. This may include exploring built-in operating system/command line tools, approved productivity applications, scripting environments, messaging clients, compression utilities, remote access components, cloud storage integrations, or endpoint management features to identify capabilities that can be repurposed for unauthorized outcomes.
The anti-forensics significance of this behavior is that the subject’s activity may appear consistent with legitimate operational use. Unlike the installation of unauthorized tools or overt malware, native application misuse relies on capabilities that are already trusted, allowed, or commonly present in the environment. This can make it difficult for investigators to distinguish legitimate activity from illegitimate activity without strong context, baseline comparison, command-line visibility, file access history, and correlation with the subject’s role, timing, intent, and surrounding investigative indicators.
A subject may deliberately elect to use a more complicated or convoluted method to achieve an illegitimate outcome when that method relies on native applications or approved services. In these cases, the subject may avoid introducing external software even where doing so would make the task faster, simpler, or more technically effective. The investigative significance is that the inefficient method may itself be purposeful: by operating through trusted tools already present on the endpoint, the subject reduces the number of distinct control violations, avoids software-installation indicators, and makes the activity harder to separate from legitimate business use.
This behavior may contribute to or facilitate an infringement by allowing a subject to stage, compress, transfer, hide, rename, encode, delete, alter, or access data using tools that do not independently appear suspicious. It may also support behavioral drift where repeated minor misuse of approved tools becomes normalized within a team or population, reducing the organization’s ability to identify meaningful deviations from acceptable use.
Investigative RelevanceNative application misuse should be assessed in relation to the subject’s role, normal working patterns, endpoint baseline, approved business processes, and the sensitivity of the data involved. Investigators should avoid treating native tool execution as inherently suspicious. The investigative concern arises when the subject uses ordinary capabilities in unusual combinations, at unusual times, against unusual data, or in ways that produce outcomes inconsistent with their duties.
Investigators should consider whether the subject’s chosen method appears unnecessarily complex when compared with easier external tooling options. Where a subject uses native applications in a slower, more manual, or more indirect manner, that choice may indicate an intent to preserve plausible legitimacy, avoid detection associated with unauthorized software, or obscure the behavioral sequence required to prove intent.
Relevant case logic may include:
Example Behaviors
|
| AF001.001 | Clear PowerShell History | A subject clears PowerShell command history to prevent executed commands from being reviewed, disclosing information about the subject’s activities. PowerShell stores command history in the context of a user account. This file is located at A subject can delete their own A subject may attempt to use the |
| AF002.001 | Clear Windows Event Logs | A subject clears Windows Event logs to conceal evidence of their activities. Windows Event Logs store various types of information, such as system errors, application events, security auditing messages, and other operational events. The logs are stored in Windows Event Logs can be cleared using the Event Viewer utility, provided the user account has administrative privileges. |
| AF018.001 | Endpoint Tripwires | A subject installs custom software or malware on an endpoint, potentially disguising it as a legitimate process. This software includes tripwire logic to monitor the system for signs of security activity.
The tripwire software monitors various aspects of the endpoint to detect potential investigations:
Upon detecting security activity, the tripwire can initiate various evasive responses:
|
| IF027.004 | Remote Access Tool (RAT) Deployment | The subject deploys a Remote Access Tool (RAT): a software implant that provides covert, persistent remote control of an endpoint or server—enabling continued unauthorized access, monitoring, or post-employment re-entry. Unlike sanctioned remote administration platforms, RATs are deployed without organizational oversight and are often configured to obfuscate their presence, evade detection, or blend into legitimate activity.
RATs deployed by insiders may be off-the-shelf tools (e.g. njRAT, Quasar, Remcos), lightly modified open-source frameworks (e.g. Havoc, Pupy), or commercial-grade products repurposed for unsanctioned use (e.g. AnyDesk, TeamViewer in stealth mode).
Functionality typically includes:
Deployment methods include manual installation, script-wrapped droppers, DLL side-loading, or execution via LOLBins ( |
| IF027.005 | Destructive Malware Deployment | The subject deploys destructive malware; software designed to irreversibly damage systems, erase data, or disrupt operational availability. Unlike ransomware, which encrypts files to extort payment, destructive malware is deployed with the explicit intent to delete, corrupt, or disable systems and assets without recovery. Its objective is disruption or sabotage, not necessarily for direct financial gain.
This behavior may include:
Insiders may deploy destructive malware as an act of retaliation (e.g. prior to departure), sabotage (e.g. to disrupt an investigation or competitor), or under coercion. Detonation may be manual or scheduled, and in some cases the malware is disguised as routine tooling to delay detection.
Destructive deployment is high-severity and often coincides with forensic tampering or precursor access based infringements (e.g. file enumeration or backup deletion). |
| IF004.007 | Exfiltration via Windows BITS | A subject may leverage the Windows Background Intelligent Transfer Service (BITS) to exfiltrate organizational data in a covert and resilient manner. BITS is a native Windows component designed to transfer files asynchronously over HTTP or SMB, typically used by system processes such as updates and patch delivery. Its trusted status, ability to throttle bandwidth, and support for job persistence make it an attractive mechanism for stealthy data exfiltration.
In this infringement method, the subject creates or modifies a BITS job, either via native utilities (e.g., bitsadmin, PowerShell cmdlets) or custom tooling, to upload sensitive files to an external endpoint under their control. Transfers may be disguised as legitimate background activity, leveraging standard ports and protocols to blend with normal system traffic.
BITS jobs can persist across reboots, retry on failure, and operate with minimal user interaction, allowing the subject to stage and gradually exfiltrate data over extended periods. In some cases, the subject may combine BITS with obfuscation techniques, such as renaming payloads, encrypting data prior to transfer, or using subject-controlled infrastructure that mimics legitimate services. This technique is particularly effective in environments where outbound traffic is loosely controlled and where native Windows services are implicitly trusted, reducing the likelihood of immediate detection.
|
| PR025.003 | File Download via Command-Line Utilities | The subject uses command-line tools such as
Command-line downloads often indicate a higher level of intent or technical capability and may bypass browser-based controls. They are commonly used to retrieve payloads, stage tooling, or integrate downloads into scripted workflows. |
| PR025.007 | File Download via Remote Access or Transfer Tools | The subject downloads files through remote session tools or file transfer mechanisms such as RDP drive mapping, SCP, SFTP, or remote desktop clipboard/file transfer features. |