This Windows Incident Response lab simulates and investigates a suspicious PowerShell command built around Invoke-Expression, a cmdlet that evaluates a string as code and is therefore a common way to run obfuscated, concatenated or downloaded payloads. You'll detect and respond to this activity using built-in PowerShell logging and Event Viewer.
- 🔀 Obfuscation via Invoke-Expression
- 🌐 Fake network string: http://test.com
- 📁 File creation in the %TEMP% directory
Filtered view in Event Viewer revealed:
| Detail | Result |
|---|---|
| Command Used | Invoke-Expression |
| Output File | %TEMP%\testlog.txt |
| User | Detected in Event Log |
| Event Source | Microsoft-Windows-PowerShell/Operational |
| Log Type | Script Block Logging (Event ID 4104) |
| Action | Result |
|---|---|
| File deleted (testlog.txt) | ✅ Successful |
| Checked for additional .ps1 files | ✅ None found |
| PowerShell session closed | ✅ Done |
| Description | Image |
|---|---|
| Logging Enabled in GPEdit | ![]() |
| PowerShell Suspicious Command | ![]() |
| Event Viewer Log – ID 4104 | ![]() |
| Deleted testlog.txt File | ![]() |
```
Day14-PowerShell-IR/
├── images/
│   ├── logging-enabled.png
│   ├── powershell-command.png
│   ├── event-4104-invoke-expression.png
│   └── remove-testlog.png
├── logs/
│   └── powershell-4104.evtx (optional)
├── README.md
└── findings.md
```

| Task | Status |
|---|---|
| Enable PowerShell Logging | ✅ |
| Simulate Suspicious Command | ✅ |
| Analyze Logs (Event ID 4104) | ✅ |
| Delete Generated File | ✅ |
| Document Findings | ✅ |
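The five tasks above as one script, added here as a worked example (it is not one of the lab's own files): it enables Script Block Logging, runs the Invoke-Expression simulation, hunts the resulting Event ID 4104 records and cleans up. The indicators (`Invoke-Expression`, `http://test.com`, `testlog.txt` in `%TEMP%`) come from this lab; the extra indicator strings and the function name `Get-SuspiciousScriptBlocks` are this example's own assumptions. Run it in an elevated PowerShell on a lab VM only.

```powershell
# Added worked example for this lab (not the lab's own files): enable the
# logging, simulate the Invoke-Expression command, hunt the resulting 4104
# events and clean up, from an elevated PowerShell window on a lab VM.
# Assumed/constructed: the indicators ('Invoke-Expression', 'http://test.com',
# testlog.txt in %TEMP%) come from this lab; the extra indicator strings and
# the function name Get-SuspiciousScriptBlocks are this example's own.
#Requires -RunAsAdministrator

# --- 1. Enable Script Block Logging -----------------------------------------
# Same policy value that GPEdit's "Turn on PowerShell Script Block Logging"
# writes. New PowerShell sessions pick the policy up, so run this step first
# and do the remaining steps in a fresh elevated session.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sbl)) { New-Item -Path $sbl -Force | Out-Null }
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# --- 2. Simulate the suspicious command -------------------------------------
# The command is assembled as a string and handed to Invoke-Expression, the
# pattern the lab targets. The engine compiles that string as a new script
# block, so 4104 records the decoded command, not just "Invoke-Expression $cmd".
$outFile = Join-Path $env:TEMP 'testlog.txt'
$cmd = "Write-Output 'fake callback to http://test.com' | Out-File -FilePath '$outFile'"
Invoke-Expression $cmd

# --- 3. Analyze Event ID 4104 ------------------------------------------------
function Get-SuspiciousScriptBlocks {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        # Constructed indicator list for this lab; extend it for your environment.
        [string[]]$Indicators = @('Invoke-Expression', '\bIEX\b', 'test\.com',
                                  'FromBase64String', '-EncodedCommand')
    )
    $pattern = $Indicators -join '|'   # -match is case-insensitive by default
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        # 4104 EventData order: MessageNumber, MessageTotal, ScriptBlockText,
        # ScriptBlockId, Path. Long blocks are split over several events that
        # share one ScriptBlockId, so keep Part and Id for reassembly.
        $p = $evt.Properties
        $user = "$($evt.UserId)"                       # SID as fallback
        try { $user = $evt.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            TimeCreated   = $evt.TimeCreated
            User          = $user
            Part          = "$($p[0].Value)/$($p[1].Value)"
            ScriptBlockId = $p[3].Value
            Path          = $p[4].Value                  # empty for code not loaded from a file
            ScriptBlock   = $p[2].Value
        }
    } | Where-Object { $_.ScriptBlock -match $pattern }
}

$hits = Get-SuspiciousScriptBlocks -Since (Get-Date).AddMinutes(-10)
$hits | Sort-Object TimeCreated | Format-Table TimeCreated, User, Part, Path, ScriptBlock -Wrap

# --- 4. Clean up --------------------------------------------------------------
if (Test-Path $outFile) { Remove-Item -Path $outFile -Force }
# Any other .ps1 dropped in %TEMP% deserves a closer look before it is removed.
Get-ChildItem -Path $env:TEMP -Filter '*.ps1' -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
```

Expect at least two matching records: one for the inner string that Invoke-Expression compiled (the decoded `Write-Output ... http://test.com ...` line, with an empty Path) and one for the script block that contains this hunt itself, since the function's own source includes the indicator strings. Telling the two apart by ScriptBlockId and Path is exactly the triage step an analyst does in Event Viewer.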
- PowerShell Script Block Logging (Event ID 4104) is critical for detecting obfuscated or hidden command execution: the engine logs each script block as it compiles it, so a string passed to Invoke-Expression appears in the log already decoded.
- Attackers frequently use Invoke-Expression to run strings assembled at runtime (concatenated, Base64-decoded or downloaded), which bypasses detections that only inspect the literal command line.
- Event Viewer offers full forensic insight only if PowerShell logging was enabled before the activity; 4104 events are not recorded retroactively, and long script blocks are split across several 4104 events that share one ScriptBlockId.
- Proactive prevention: Restrict PowerShell for unprivileged users using Constrained Language Mode or AppLocker. Constrained Language Mode is only enforced reliably when applied through AppLocker or WDAC script enforcement; setting it via the __PSLockdownPolicy environment variable is easily bypassed.
This project is licensed under the MIT License. See the LICENSE file for full details.
Maintained by Mozella McCoy-Flowers
🎓 Part of the 30-Day SOC Challenge – Cybersecurity Labs for Aspiring SOC Analysts 💻🔍