Dénes Olivér Óvári, Detection and Response Architect
CSIS Security Group A/S
A three-part blog series focusing on the Digital Forensics and Incident Response aspect of the compilers shipped with the Windows operating system and their usage from PowerShell.
This post describes some of the typical artifacts left behind if the built-in C#, Visual Basic or JScript compilers are used in Windows through PowerShell.
All the artifacts listed below are collected and analysed by CSIS' proprietary Chronos platform.
The temporary files created by TempFileCollection are named with 8 random characters, such as mxsuwxha.
These files are deleted almost immediately and, because of file-system caching, usually leave no artifacts on disk. The only exception is when PowerShell runs as an elevated process: the files are then dropped into a directory of the same random name, such as %TEMP%\mxsuwxha, and that folder might remain on the disk.
The Prefetch files of the compiler executables that were used might contain entries referring to the temporary files, located either in %TEMP% or in %TEMP%\mxsuwxha, and to cvtres.exe, the "Resource File To COFF Object Conversion Utility".
Below we'll show examples for each of these filenames. Remember: all of them contain random characters except for cvtres.exe.
The expected PowerShell-related Event Log entries (see [1]) could be observed.
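The behaviour described above can be checked on a live system. The script below is an added example, not code from the original post or from CSIS. Part one registers a FileSystemWatcher on %TEMP%, forces Add-Type to compile a throwaway C# type and reports which files appeared and whether they still exist afterwards; part two hunts for the survivors: leftover 8-character directories or files in %TEMP%, and Prefetch files for csc.exe, vbc.exe, jsc.exe and cvtres.exe. The function names (Test-IsElevated, Find-CompilerArtifacts) and the `^[a-z0-9]{8}(\.|$)` name pattern are my own assumptions, as is the target of Windows PowerShell 5.1; PowerShell 7 compiles Add-Type sources in-process with Roslyn and produces none of these artifacts.

```powershell
# Added example (not code from the original post). Assumes Windows PowerShell 5.1,
# where Add-Type compiles through CodeDOM and spawns the csc.exe shipped with .NET;
# PowerShell 7 compiles in-process with Roslyn and drops none of these files.
# Part 1 runs as a normal user; reading C:\Windows\Prefetch in part 2 needs an
# elevated session.

function Test-IsElevated {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# --- Part 1: catch the short-lived files while a compile is running -----------
# Events are queued (no -Action block) so none are lost while Add-Type blocks
# the pipeline; IncludeSubdirectories covers the %TEMP%\<8 chars>\ layout that
# elevated sessions use.
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = $env:TEMP
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents   = $true
$null = Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier TempCreated

# A fresh type name forces a real compile: Add-Type reuses source it has already
# compiled in this session and fails if the type name is already loaded.
$typeName = 'Probe' + (Get-Random -Maximum 99999)
Add-Type -TypeDefinition @"
public static class $typeName { public static int One() { return 1; } }
"@

Start-Sleep -Milliseconds 500   # give the watcher thread time to flush its queue
$created = Get-Event -SourceIdentifier TempCreated -ErrorAction SilentlyContinue |
    ForEach-Object { $_.SourceEventArgs.FullPath } | Sort-Object -Unique
Remove-Event -SourceIdentifier TempCreated -ErrorAction SilentlyContinue
Unregister-Event -SourceIdentifier TempCreated
$watcher.Dispose()

"Elevated session: $(Test-IsElevated)"
"Created under $env:TEMP while Add-Type ran:"
foreach ($path in $created) {
    "  $path  (still present: $(Test-Path -LiteralPath $path))"
}

# --- Part 2: hunt for what survives -------------------------------------------
# '^[a-z0-9]{8}(\.|$)' is an assumption: wide enough for mxsuwxha-style names
# (a directory, or a file whose name starts with the 8-character stem) without
# claiming the exact alphabet the runtime draws from. Treat hits as leads.
function Find-CompilerArtifacts {
    param(
        [string]$TempDir     = $env:TEMP,
        [string]$PrefetchDir = "$env:SystemRoot\Prefetch"
    )
    $tempHits = Get-ChildItem -LiteralPath $TempDir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[a-z0-9]{8}(\.|$)' } |
        Select-Object FullName, PSIsContainer, LastWriteTime

    # Prefetch for the three built-in compilers and cvtres.exe. Their contents
    # (the temp file names the compile touched) need a Prefetch parser; here we
    # only surface which ones exist and when they were last written.
    $prefetchHits = Get-ChildItem -LiteralPath $PrefetchDir -Filter '*.pf' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^(CSC|VBC|JSC|CVTRES)\.EXE-' } |
        Select-Object Name, LastWriteTime

    [pscustomobject]@{
        TempArtifacts     = @($tempHits)
        PrefetchArtifacts = @($prefetchHits)
    }
}

$hits = Find-CompilerArtifacts
$hits.TempArtifacts     | Format-Table -AutoSize
$hits.PrefetchArtifacts | Format-Table -AutoSize
```

In a non-elevated session the first part typically lists files that are already gone by the time Test-Path runs, which is the "deleted almost immediately" case; run the same script from an elevated prompt and the %TEMP%\<8 chars> directory is the piece to look for. Prefetch is commonly disabled on Windows Server, so an empty PrefetchArtifacts list there is not evidence that no compile took place.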
Thanks to my colleague, Conor Kelly for his review.
"Jscript, Microsoft, PowerShell, Windows are trademarks of the Microsoft group of companies."
[1] Vikas, PowerShell Command History Forensics, 2020.