This project demonstrates how PowerShell activity can be monitored and analyzed using native Windows logging. The lab focuses on reviewing PowerShell Operational logs in Event Viewer and correlating PowerShell command execution with recorded events. Special attention is given to encoded PowerShell commands, which are commonly associated with obfuscated or suspicious activity.
Hands-on SOC-style lab showing how Windows PowerShell activity is logged and analyzed using native telemetry.
- Host System: macOS
- Virtualization Platform: VMware Fusion
- Guest Operating System: Windows 11 x64
- Tools Used: Windows PowerShell (Administrator), Windows Event Viewer
This screenshot shows the Windows Event Viewer opened to the Microsoft-Windows-PowerShell/Operational log. The presence of numerous PowerShell events confirms that operational logging is enabled and actively capturing PowerShell activity on the system.
This screenshot captures the execution of a PowerShell command using the -EncodedCommand parameter. Encoded commands are commonly used to obscure command intent, making them a frequent indicator of suspicious PowerShell usage during security investigations.
This screenshot shows PowerShell activity recorded in the Operational log shortly after command execution. The logged events demonstrate that PowerShell actions are generating detectable artifacts within Windows Event Viewer.
This screenshot displays the output of the Get-Date command executed after rebooting the virtual machine. Establishing a baseline system time is critical for accurately correlating PowerShell execution with corresponding event log entries.
This screenshot confirms that the PowerShell Operational log remains active after the system reboot. New PowerShell events are visible, verifying that logging persisted across the restart and is functioning as expected.
This screenshot shows the execution of an encoded PowerShell command following the reboot. This step verifies that encoded PowerShell activity continues to generate logs under normal system operation.
This screenshot highlights multiple PowerShell events generated immediately after the encoded command was executed. The timestamps align with command execution, demonstrating successful correlation between activity and logged events.
This screenshot displays the detailed event record for a PowerShell Operational log entry. The event details provide structured forensic evidence, including execution context and metadata, which is essential for SOC-level analysis and documentation.
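The same correlation can be done from the console instead of clicking through Event Viewer. The following is an added example (not part of this lab's own material) that queries the Operational log for a time window around the `Get-Date` baseline and decodes any base64 `-EncodedCommand` payload it finds; it assumes script block and module logging are enabled and that the session is elevated, and note that the base64 usually appears in the Host Application line of a 4103 event while the 4104 event carries the already-decoded script text.

```powershell
# Added example: correlate PowerShell Operational events with a known execution time
# and decode -EncodedCommand payloads. Assumes an elevated session and that
# script block (4104) / module (4103) logging are turned on.

function Get-DecodedPowerShellEvents {
    param(
        [datetime]$Start = (Get-Date).AddMinutes(-10),
        [datetime]$End   = (Get-Date),
        [string]$LogName = 'Microsoft-Windows-PowerShell/Operational'
    )

    # 4103 = module logging (includes the Host Application command line),
    # 4104 = script block logging (the script text that actually ran).
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Id        = 4103, 4104
        StartTime = $Start
        EndTime   = $End
    } -ErrorAction SilentlyContinue

    # -EncodedCommand and its short forms (-e, -ec, -enc) followed by a base64 token.
    $pattern = '(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})'

    foreach ($e in $events) {
        $decoded = $null
        if ($e.Message -match $pattern) {
            try {
                # -EncodedCommand takes UTF-16LE text encoded as base64.
                $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
            } catch {
                $decoded = '<base64 did not decode>'
            }
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            ProcessId   = $e.ProcessId
            Encoded     = [bool]$decoded
            Decoded     = $decoded
            Snippet     = ($e.Message -split "`n")[0]
        }
    }
}

# Usage: compare TimeCreated against the Get-Date baseline captured in the lab.
Get-DecodedPowerShellEvents -Start (Get-Date).AddMinutes(-15) | Where-Object Encoded | Format-List
```

Run it shortly after executing the encoded command so the window is small; the decoded text lets you confirm the command you typed is the one recorded rather than relying on timestamps alone.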
All screenshots referenced above are stored in the screenshots/ directory of this repository.
To view any screenshot, navigate to the screenshots folder and click the image you want to open.
- PowerShell execution generates observable telemetry in Windows Event Viewer
- Encoded PowerShell commands still produce detectable event artifacts
- Timestamp correlation is essential for validating suspicious activity
- Native Windows logging can support basic endpoint investigation workflows
This project reflects common SOC analyst responsibilities such as identifying suspicious PowerShell behavior, correlating system activity with logs, and documenting evidence for further investigation or escalation.
All screenshots are labeled and stored in the screenshots directory in execution order to support clear documentation and repeatable analysis.