
1️⃣ Environment Setup (Defense Side)

A. Checking Winlogbeat

  • I made sure the Winlogbeat service is running so logs are recorded:
PS C:\Windows\system32> Get-Service winlogbeat

Status   Name               DisplayName
------   ----               -----------
Running  winlogbeat         winlogbeat

This step is important so that any PowerShell or Sysmon operations are logged and reach Kibana.


B. Enabling PowerShell Logging

  • I enabled logging for all PowerShell commands, even obfuscated ones, by:

  • Opening gpedit.msc → Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell

  • Enabling:

  • Turn on PowerShell Script Block Logging

  • Turn on Module Logging (Modules: Microsoft.PowerShell.*)

This way, any PowerShell commands, whether clear or obfuscated, will be logged at the system level.

  • Ran gpupdate /force to apply the policies immediately:
C:\Users\AAS-LOGS>gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.

  • Sysmon was installed; I modified a few things and configured a simplified config focusing on:

  • Monitoring PowerShell execution

  • Monitoring Run/RunOnce key changes

  • Example of config (the EventFiltering section of sysmonconfig.xml; the rule shown here covers the PowerShell part):

<EventFiltering>
  <RuleGroup name="PowerShell and Run Keys" groupRelation="or">
    <ProcessCreate onmatch="include">
      <Image condition="is">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Image>
      <CommandLine condition="contains">-enc</CommandLine>
    </ProcessCreate>
  </RuleGroup>
</EventFiltering>
  • Then executed (the first command installs Sysmon with the config; the second reloads the config on an already installed Sysmon):
.\Sysmon64.exe -i sysmonconfig.xml -accepteula

.\Sysmon64.exe -c sysmonconfig.xml
  • This ensures logging of any obfuscated PowerShell execution or persistence-key modification.

  • This almost completes the defensive setup (Winlogbeat + PowerShell Logging + Sysmon).

  • The next step is to enter the Attack + Monitoring phase to see everything recorded.


2️⃣ Attack Execution (Attack Simulation)

A. Direct Command to Disable Firewall

  • Ran PowerShell as Administrator and executed:
PS C:\Windows\system32> Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

PS C:\Windows\system32> Get-NetFirewallProfile | Format-Table Name, Enabled

Name    Enabled
----    -------
Domain    False
Private   False
Public    False
  • Verified that the Firewall was disabled on all profiles.

B. Converting Command to Obfuscated (Encoded)

  1. Open PowerShell as Admin.

  2. Ran the following to convert the command to Base64 (to avoid direct detection):

$Command = 'Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Command)
$EncodedCommand = [Convert]::ToBase64String($Bytes)
Write-Output $EncodedCommand
  • This outputs a Base64 string, for example:

PS C:\Windows\system32> $Command = 'Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False'
PS C:\Windows\system32> $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Command)
PS C:\Windows\system32> $EncodedCommand = [Convert]::ToBase64String($Bytes)
PS C:\Windows\system32> Write-Output $EncodedCommand
UwBlAHQALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUAByAG8AZgBpAGwAZQAgAC0AUAByAG8AZgBpAGwAZQAgAEQAbwBtAGEAaQBuACwAUAB1AGIAbABpAGMALABQAHIAaQB2AGEAdABlACAALQBFAG4AYQBiAGwAZQBkACAARgBhAGwAcwBlAA==
Final obfuscated command for execution:
powershell.exe -NoP -NonI -W Hidden -Enc UwBlAHQALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUAByAG8AZgBpAGwAZQAgAC0AUAByAG8AZgBpAGwAZQAgAEQAbwBtAGEAaQBuACwAUAB1AGIAbABpAGMALABQAHIAaQB2AGEAdABlACAALQBFAG4AYQBiAGwAZQBkACAARgBhAGwAcwBlAA==

Afterwards, PowerShell will execute, and the Firewall will be disabled.

💡 Option Explanation:
  • -NoP → No Profile (prevents loading the user profile).

  • -NonI → Non-Interactive (execute without interaction).

  • -W Hidden → Hidden window.

  • -Enc → Base64 Encoded Command.

  • The Event ID logged by PowerShell in the Operational Log is 4104 (Script Block Logging), where ScriptBlockText can be viewed.

  • This allows simulating a real attack on the system.


3️⃣ Verifying Logs are Recorded Locally

A. Windows Event Viewer

  • Open Event Viewer → Applications and Services Logs → Microsoft → Windows → PowerShell → Operational

  • Noticed all commands are logged, even obfuscated ones.

  • This means they are PowerShell Script Block Logging events → any PowerShell command (even obfuscated) is logged here.

Second: The Difference Between the Two Events

Event    ScriptBlockText                                                 Notes
-----    ---------------                                                 -----
First    prompt                                                          This is a direct PowerShell command, not obfuscated. Just a simple command executed without Base64 or encryption.
Second   { @('ByName', 'GetAll', 'InputObject (cdxml)') -contains $_ }   This is a complex/obfuscated PowerShell command or internal Module/Script code, sometimes from executing an Encoded command.

  • Simply:

  • First = Normal → Clear command, understandable directly.

  • Second = Obfuscated or Script/Module → Indirect or complex content, sometimes appears with -Enc or obfuscated commands.


B. Sysmon Logs

  • Open Event Viewer → Applications and Services Logs → Microsoft → Windows → Sysmon → Operational

  • Looked for Event ID 1 (ProcessCreate) for any PowerShell process.

CommandLine shows the encoded command, while the parent process, User and IntegrityLevel fields show the execution context.


4️⃣ Modifying Winlogbeat to Simplify Kibana Search

  • Initially, I had issues; no matter how I searched, I couldn’t find logs, so I decided to modify the winlogbeat.yml settings.

A. Old Setup
  • Initially, Winlogbeat was configured as follows:
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  - name: ForwardedEvents
    tags: [forwarded]

โŒ Issue: Some obfuscated commands were not showing.

2๏ธโƒฃ New Modification
  • After modification, configuration became :
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 168h

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800, 4103, 4104, 4105, 4106

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
    include_xml: true

  - name: ForwardedEvents
    tags: [forwarded]

Added include_xml: true and events 4103-4106 to ensure all ScriptBlocks, obfuscated or encoded, appear.

  • Why did we modify?

  • Ensure all PowerShell commands, even obfuscated and Base64 encoded, appear in Kibana.

  • Facilitate searching and analysis without losing important events.

  • Reduce noise from old Sysmon or PowerShell data.

  • Avoid KQL errors when searching for obfuscated commands.

After editing the file:

PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config
Config OK
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe setup
Overwriting lifecycle policy is disabled. Set `setup.ilm.overwrite: true` to overwrite.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards
Loaded Ingest pipelines
PS C:\Program Files\Winlogbeat> Restart-Service winlogbeat
PS C:\Program Files\Winlogbeat> Get-Service winlogbeat

Status   Name               DisplayName
------   ----               -----------
Running  winlogbeat         winlogbeat

These commands were run to apply and confirm the modifications and to surface any issues, but everything was fine.


5️⃣ Searching in Kibana After Attack

B. Re-running the Attack to Generate Logs

  • Now I will try to see logs in Kibana.

  • Open Kibana → Discover.

  • Select the index pattern linked to Winlogbeat (usually winlogbeat-*).

  • To filter sensitive commands (like disabling Firewall), add a filter on ScriptBlockText or CommandLine.

process.command_line:*Enc*
  • Output:

Now the logs are available and everything works fine.

  • What we see in the log:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W Hidden -Enc UwBlAHQALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUAByAG8AZgBpAGwAZQAgAC0AUAByAG8AZgBpAGwAZQAgAEQAbwBtAGEAaQBuACwAUAB1AGIAbABpAGMALABQAHIAaQB2AGEAdABlACAALQBFAG4AYQBiAGwAZQBkACAARgBhAGwAcwBlAA==
  • -NoP → Do not load the user profile.

  • -NonI → Non-interactive execution.

  • -W Hidden → Hidden window.

  • -Enc → Base64 encoded command.


6️⃣ Creating KQL Rule in Kibana Security

Now we want to create a rule to generate an alert in SIEM.

1️⃣ KQL Detection Rule:

winlog.event_data.ScriptBlockText:*Set-NetFirewallProfile* OR process.command_line:*-Enc*

Explanation:

  • winlog.event_data.ScriptBlockText:*Set-NetFirewallProfile* → Catches any direct or obfuscated PowerShell command targeting Set-NetFirewallProfile (Script Block Logging records the decoded script, so this clause matches even when the command was launched with -Enc).

  • process.command_line:*-Enc* → Catches any Base64 encoded PowerShell command line, i.e. any obfuscation attempt of this kind.

Settings:

Field               Value
-----               -----
Name                Detect PowerShell Encoded Commands for Firewall Modification
Description         Detects PowerShell commands (clear or encoded) that disable Windows Firewall
Severity            Critical
Risk Score          99
Tags                powershell, firewall, persistence, obfuscated, defense-evasion
Index Pattern       winlogbeat-*
Custom Query (KQL)  winlog.event_data.ScriptBlockText:*Set-NetFirewallProfile* OR process.command_line:*-Enc*
Rule Type           Query
Timeline Template   None
Schedule            Every 1 minute

This way, any attempt to disable Firewall will generate an alert automatically.
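The KQL rule above matches on two fields, but only the 4104 ScriptBlockText shows the plaintext; the Sysmon Event ID 1 command line carries just the Base64. The following added Python example (not part of the original write-up) applies the same two conditions to sample events constructed to mirror the ones recorded above, decoding the -Enc payload so an analyst can see what a flagged command line actually does. The event shape (a flat dict with event_id, process.command_line and ScriptBlockText keys) is a simplification assumed for the example, not Winlogbeat's exact document layout.

```python
import base64
import re

# Constructed sample events (not from any real host). The first mirrors the Sysmon
# Event ID 1 command line captured in this write-up, the second a plain 4104
# ScriptBlockText, the third a benign encoded command kept as a control.
ENCODED = "UwBlAHQALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUAByAG8AZgBpAGwAZQAgAC0AUAByAG8AZgBpAGwAZQAgAEQAbwBtAGEAaQBuACwAUAB1AGIAbABpAGMALABQAHIAaQB2AGEAdABlACAALQBFAG4AYQBiAGwAZQBkACAARgBhAGwAcwBlAA=="
SAMPLE_EVENTS = [
    {"event_id": 1, "process.command_line":
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -Enc " + ENCODED},
    {"event_id": 4104, "ScriptBlockText":
        "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"},
    {"event_id": 1, "process.command_line":
        "powershell.exe -EncodedCommand " + base64.b64encode("Get-Date".encode("utf-16-le")).decode("ascii")},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; cover the usual ones.
ENC_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
# The action this lab alerts on: Set-NetFirewallProfile ... -Enabled False (or $false / 0).
FIREWALL_OFF = re.compile(r"(?i)Set-NetFirewallProfile\b.*-Enabled\s+(?:False|\$false|0)\b")


def decode_encoded_command(command_line):
    """Return the plaintext behind a -Enc payload (Base64 of UTF-16LE), or None."""
    match = ENC_SWITCH.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed or truncated payload: leave it for manual review


def analyse_event(event):
    """Apply the two rule conditions to one event; None when nothing matched."""
    text = event.get("ScriptBlockText") or event.get("process.command_line", "")
    # Only process-creation events carry the Base64; 4104 already logs the decoded script.
    decoded = decode_encoded_command(text) if "process.command_line" in event else None
    findings = []
    if decoded is not None:
        findings.append("encoded-command")     # what the *-Enc* clause of the KQL rule catches
    if FIREWALL_OFF.search(decoded if decoded is not None else text):
        findings.append("firewall-disabled")   # for Sysmon events this needs the decoding step
    if not findings:
        return None
    return {"event_id": event["event_id"], "decoded": decoded, "findings": findings}


if __name__ == "__main__":
    for hit in filter(None, map(analyse_event, SAMPLE_EVENTS)):
        print(hit)
```

The third sample shows why decoding matters for triage: it trips the encoded-command condition exactly as the KQL rule would, but the decoded content reveals it is a harmless Get-Date rather than a firewall change.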

  • Went to the Windows machine, and executed the Attacks again:

Executed :

$Command = 'Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Command)
$EncodedCommand = [Convert]::ToBase64String($Bytes)
Write-Output $EncodedCommand

Then:

powershell.exe -NoP -NonI -W Hidden -Enc UwBlAHQALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUAByAG8AZgBpAGwAZQAgAC0AUAByAG8AZgBpAGwAZQAgAEQAbwBtAGEAaQBuACwAUAB1AGIAbABpAGMALABQAHIAaQB2AGEAdABlACAALQBFAG4AYQBiAGwAZQBkACAARgBhAGwAcwBlAA==
  • Firewall was successfully disabled after this. I repeated the commands multiple times to see alerts in SIEM:

  • Alerts appeared as follows:


7️⃣ Mapping the Rule to MITRE ATT&CK

Field          Value
-----          -----
Tactic         Defense Evasion
Technique      Impair Defenses
Sub-technique  T1562.004 – Disable or Modify System Firewall

Goal: Map the attack to a specific MITRE tactic and technique to facilitate documentation and security analysis.


✅ Summary

  • Set up a strong defensive environment (Winlogbeat + PowerShell Logging + Sysmon).

  • Conducted a test attack to disable Firewall, including obfuscated (Base64) commands.

  • Verified all events are logged locally and in Kibana.

  • Created a precise KQL rule detecting clear and encoded commands, mapped to the MITRE ATT&CK framework.

20-09-2025