If you see these PowerShell commands on your PC, sorry, you probably got hacked

Orhan Öztaş
3 min read · May 16, 2022

If you suspect that your computer has been hacked and you have no experience in the cybersecurity field, you are in the right place. And since you are following my Medium account, there is no need to panic.

When a machine is attacked, the attacker will likely use PowerShell for privilege escalation or lateral movement. If you think your Windows machine has been hacked, you have to check your PowerShell history. I will show you where to find the PowerShell history and which PowerShell commands can prove you were hacked.

Directory:

C:\Users\User\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

This file records the commands that have been executed by the user.

If you see the following commands in your PowerShell history, you have to isolate your computer from the network (disconnect it) and consult someone who is competent in this matter.

PowerShell accepts a list of command-line flags. In most cases, malicious scripts use the following arguments to evade detection and bypass local restrictions.

· -NoP/-NoProfile (ignore the commands in the profile file)
· -W Hidden/-WindowStyle Hidden (hide the command window)
· -Exec bypass/-ExecutionPolicy Bypass (ignore the execution policy restriction)
· -NonI/-NonInteractive (do not run an interactive shell)
· -C/-Command (run a single command)
· -F/-File (run commands from a specified file)

In malicious PowerShell scripts, the most frequently used commands and functions on the command line are

· (New-Object System.Net.Webclient).DownloadString()
· (New-Object System.Net.Webclient).DownloadFile()
· IEX / Invoke-Expression (IEX is the alias)
· Start-Process
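As an added example (not code from the original post), the script below scans the PSReadLine history file for the flags in the first list and the commands in the second and reports each hit with its line number. The default history paths, the indicator regexes and the sample history lines are my assumptions and constructed data, not anything taken from a real incident.

```powershell
# Added example (not from the original post): scan ConsoleHost_history.txt for the
# flags and commands listed above and report each hit with the line it came from.
# Note: PSReadLine only records interactive console sessions, so an empty file is
# not proof that nothing ran; it is one piece of evidence among others.

# Regex built from the indicators named in the post. -C/-F alone are weak signals
# and will match legitimate usage; read the reported line before drawing conclusions.
$Indicators = @(
    '-NoP(rofile)?\b',
    '-W(indowStyle)?\s+Hidden',
    '-Exec(utionPolicy)?\s+Bypass',
    '-NonI(nteractive)?\b',
    '-C(ommand)?\s', '-F(ile)?\s',
    'System\.Net\.WebClient',
    'Download(String|File)\(',
    '\bIEX\b', 'Invoke-Expression',
    'Start-Process'
) -join '|'

function Find-SuspiciousHistory {
    param(
        # Default: every user's PSReadLine history on this machine (reading other
        # users' profiles needs an elevated session)
        [string[]]$Path = (Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
            ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' } |
            Where-Object { Test-Path -LiteralPath $_ })
    )
    foreach ($file in $Path) {
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $file -ErrorAction SilentlyContinue) {
            $lineNo++
            # -match is case-insensitive; collect every indicator that fired on this line
            if ($line -match $Indicators) {
                $hits = [regex]::Matches($line, $Indicators, 'IgnoreCase') | ForEach-Object { $_.Value.Trim() }
                [pscustomobject]@{ File = $file; Line = $lineNo; Indicators = ($hits -join ', '); Command = $line }
            }
        }
    }
}

# Constructed sample history (not real data) so the scan can be tried offline.
$sample = Join-Path $env:TEMP 'ConsoleHost_history.sample.txt'
@(
    'Get-ChildItem C:\Projects',
    'powershell.exe -NoP -W Hidden -Exec Bypass -F C:\Users\Public\update.ps1',
    'Set-Location ~',
    '(New-Object System.Net.WebClient).DownloadFile(''http://example.invalid/a.txt'', ''C:\Users\Public\a.txt'')',
    'IEX $payload'
) | Set-Content -LiteralPath $sample

Find-SuspiciousHistory -Path $sample | Format-Table -AutoSize -Wrap
```

Run it without `-Path` to check every profile on the machine; each reported line should be reviewed by a person, since the weak flags also appear in normal administration.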

Conclusion and recommendations

1 - Upgrade to PowerShell v5

PowerShell v2 should be avoided as much as possible, since it offers zero logging. PowerShell v5.x or higher provides much better logging and includes enhanced security features.

2 - Constrained Language Mode

PowerShell is difficult to detect because it executes commands from memory and does not write anything to disk. An easy way to defend against this is to limit the types of commands that can be executed within PowerShell sessions.

With Constrained Language Mode, running malicious scripts such as Invoke-Mimikatz, or downloading Invoke-Mimikatz from a URL and running it, will be blocked.

For more information

Thanks for reading


Orhan Öztaş

Cyber Security Consultant. Writing articles to help you with cyber security.