nettitude / PoshC2

A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.

[Hunting command]

b4b857f6ee opened this issue · comments

Hello,

I have activated the PowerShell logging to track the PoshC2 commands. If I run a simple dir, I can see it, but if I run invoke-edrchecker I can't find this command. Why?
This is run in memory without the system PowerShell, so I can't find it.
Is there a way to get this information? Sysmon?

Thank you :)

So if I understand well, there is no way to see all the commands run by Invoke-EDRchecker?

Within the PowerShell implant you're trying to monitor, can you run $PSVersionTable please and report the output back here.

Also ensure that you have PowerShell module, script block and transaction logging enabled. FireEye have done a really nice article on enabling the right stuff: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

If you're running a default PowerShell implant in a v5.0 environment and you have those logging methods enabled properly, I don't see why you're seeing output from some commands and not others; that doesn't tally.

OK, my AD is on 2012R2, so I just installed PowerShell 5.1 but didn't get the GPO addon for this; I only have Module Logging.
I'm searching how to add it now.
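As an added example that is not part of this issue thread or of the PoshC2 project, the following script sets the same policy registry values the missing GPO templates would write for module, script block and transcription logging, then checks the resulting script block events for a cmdlet name. The transcript share path is an assumption; script block logging (event 4104) needs Windows PowerShell 5.0 or later, which is why the maintainer asked for $PSVersionTable.

```powershell
# Added example (not from the PoshC2 project): enable the three PowerShell logging
# sources via the policy registry keys that the GPO ADMX templates would set, then
# query the resulting 4104 script block events. Run elevated on the monitored host.

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $policy $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script block logging (event 4104): records the de-obfuscated script text even when
# the code is loaded straight into memory and never touches disk.
Set-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging' 1

# Module logging for all modules (event 4103): pipeline execution details.
Set-PolicyValue 'ModuleLogging' 'EnableModuleLogging' 1
Set-PolicyValue 'ModuleLogging\ModuleNames' '*' '*' 'String'

# Transcription: full session text written to a central share (assumed UNC path).
Set-PolicyValue 'Transcription' 'EnableTranscripting' 1
Set-PolicyValue 'Transcription' 'EnableInvocationHeader' 1
Set-PolicyValue 'Transcription' 'OutputDirectory' '\\logsrv\pstranscripts$' 'String'

# Check: pull recent 4104 events and report those whose script text matches a
# pattern, e.g. the cmdlet name the issue author could not find in the logs.
function Find-ScriptBlockEvents {
    param([string]$Pattern, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Pattern } |
    Select-Object TimeCreated,
        @{ n = 'User';    e = { $_.UserId } },
        @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
}

Find-ScriptBlockEvents -Pattern 'Invoke-EDRChecker'
```

Setting the values under HKLM\SOFTWARE\Policies has the same effect as the GPO settings, so domain-joined hosts can be covered with a Group Policy Preferences registry item when the PowerShell 5.1 ADMX files are not installed.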

Closing issue, re-open if any further problems.