How to Use PowerShell Event Logs When Threat Hunting or Detecting Cybersecurity Threats
Windows' PowerShell event logs provide insight into script execution throughout the life of a malicious script. In this edition of #techtalktuesday we explore the lifecycle of PowerShell events and how you can enhance your threat hunting and cybersecurity program with the PowerShell event logs.
Please like and subscribe to support our channel!
Follow us on Twitter: https://twitter.com/insaneforensics
Follow us on LinkedIn: https://www.linkedin.com/company/insane-forensics
Hire us for your next threat hunt: https://insaneforensics.com/
Chapters:
00:00 - Intro
00:19 - Where the PowerShell Event Logs are Stored
01:06 - Lifecycle of PowerShell Event IDs
02:27 - Analyzing Windows Event ID 400 when PowerShell Scripts Start
05:25 - Analyzing Windows Event ID 600 when PowerShell Providers Load
07:28 - Analyzing Windows Event ID 403 when PowerShell Scripts Stop
08:28 - Wrapping Up
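The chapters above walk through the three engine lifecycle events in the classic "Windows PowerShell" log: 400 when the engine starts, 600 when a provider loads, and 403 when the engine stops. The script below is an added example for following along on your own host, not code from the video or from Insane Forensics. It assumes you can read that log (a local administrator, or an account granted read access), and it uses the HostId field carried in each event's message as the key for pairing a 400 with its matching 600s and 403.

```powershell
# Added example, not part of the Insane Forensics video: collect the PowerShell engine
# lifecycle events (400 = engine start, 600 = provider load, 403 = engine stop) from the
# classic "Windows PowerShell" log and pair each start with its providers and stop via HostId.
# Assumes the current account can read that log.

# Pull the three lifecycle IDs. An empty or missing log is treated as "nothing found".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400, 403, 600 } `
                       -ErrorAction SilentlyContinue | Sort-Object TimeCreated

# The message body of these events is a block of "Key=Value" lines (HostName, HostApplication,
# HostId, EngineVersion, ProviderName, ...). Expose those fields as object properties.
$parsed = foreach ($e in $events) {
    $fields = @{}
    foreach ($line in ($e.Message -split "`r?`n")) {
        if ($line -match '^\s*(\w+)=(.*)$') { $fields[$matches[1]] = $matches[2].Trim() }
    }
    [pscustomobject]@{
        Time            = $e.TimeCreated
        Id              = $e.Id
        HostId          = $fields['HostId']
        HostName        = $fields['HostName']
        HostApplication = $fields['HostApplication']   # full command line that launched the engine
        EngineVersion   = $fields['EngineVersion']
        ProviderName    = $fields['ProviderName']      # only populated on event 600
    }
}

# One row per engine instance: when it started, which providers it loaded, and when it stopped.
$parsed | Group-Object HostId | ForEach-Object {
    $start = $_.Group | Where-Object Id -eq 400 | Select-Object -First 1
    $stop  = $_.Group | Where-Object Id -eq 403 | Select-Object -Last 1
    $prov  = ($_.Group | Where-Object Id -eq 600 | ForEach-Object { $_.ProviderName }) -join ','
    [pscustomobject]@{
        Started         = $start.Time
        Stopped         = $stop.Time      # $null when no 403 was logged (still running, or never stopped cleanly)
        HostName        = $start.HostName
        HostApplication = $start.HostApplication
        Providers       = $prov
    }
} | Sort-Object Started -Descending | Format-Table -AutoSize -Wrap
```

The HostApplication field on the 400 event is the part most worth reading during a hunt: it records the command line used to launch the engine even on hosts where script block logging is not enabled. A row whose Stopped column is empty means no 403 was found for that HostId within the log's retention, which is a prompt to look at that session more closely rather than a finding on its own.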