From 374c4fc736740b2c129055559c68e58ac9fa2a6d Mon Sep 17 00:00:00 2001
From: Matthew Iverson
Date: Sat, 30 Nov 2024 00:53:52 -0500
Subject: [PATCH] Upload files to "Modules/Knowledge/Powershell"
---
.../powershell_registry_artifacts.py | 34 +++++++++++++++++++
Modules/Knowledge/Powershell/ps1_analysis.py | 27 +++++++++++++++
2 files changed, 61 insertions(+)
create mode 100644 Modules/Knowledge/Powershell/powershell_registry_artifacts.py
create mode 100644 Modules/Knowledge/Powershell/ps1_analysis.py
diff --git a/Modules/Knowledge/Powershell/powershell_registry_artifacts.py b/Modules/Knowledge/Powershell/powershell_registry_artifacts.py
new file mode 100644
index 0000000..c0712f7
--- /dev/null
+++ b/Modules/Knowledge/Powershell/powershell_registry_artifacts.py
@@ -0,0 +1,34 @@
+def get_content():
+ """
+ Returns structured content for PowerShell, registry artifacts, and related forensics.
+ """
+ return [
+ {
+ "title": "PowerShell v5 Logging",
+ "content": """
+- Automatically logs suspicious scripts for analysis.
+- ConsoleHost_history.txt records the last 4096 PowerShell commands.
+ """
+ },
+ {
+ "title": "Registry Artifacts",
+ "content": """
+- MountPoints2: Lists all systems a user account connects to.
+- ShimCache: Backward compatibility artifact, shows whether an application has executed.
+- Windows Error Reporting: Provides SHA1 hashes of malware, especially for poorly written samples.
+ """
+ },
+ {
+ "title": "AppCompatCache Tracking",
+ "content": """
+- Tracks full path and last modification time of executables on Windows 10+ systems.
+ """
+ },
+ {
+ "title": "Amcache Analysis",
+ "content": """
+- Logs executable name/path, first execution time, and SHA1 hash (remove leading zeros for VirusTotal lookup).
+- Important Note: Entries do not always indicate execution.
+ """
+ }
+ ]
diff --git a/Modules/Knowledge/Powershell/ps1_analysis.py b/Modules/Knowledge/Powershell/ps1_analysis.py
new file mode 100644
index 0000000..6615fde
--- /dev/null
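Review bot: The `ShimCache` bullet under "Registry Artifacts" and the separate "AppCompatCache Tracking" entry describe the same artifact, and they pull in different directions: the first says it `shows whether an application has executed`, while on Windows 10 and later the cache no longer carries an execution flag, so an entry shows that a file was present at that path, not that it ran. I would fold the two into one entry and word it the way the Amcache entry already hedges, e.g. `- ShimCache/AppCompatCache: Backward compatibility cache of executable path and last modification time; on Windows 10+ it does not indicate execution.` Separately, `get_content` is untyped although the returned shape is fixed and shared with the sibling module, so `def get_content() -> list[dict[str, str]]:` would document the contract; the same applies to the get_content in the ps1_analysis.py hunk.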
+++ b/Modules/Knowledge/Powershell/ps1_analysis.py
@@ -0,0 +1,27 @@
+def get_content():
+ """
+ Returns structured content for analyzing PowerShell activity.
+ """
+ return [
+ {
+ "title": "PowerShell Logging",
+ "content": """
+- Command logs: ConsoleHost_history.txt (last 4096 commands).
+- Operational logs: Script block logging (4104).
+ """
+ },
+ {
+ "title": "Remote Execution",
+ "content": """
+- Enter-PSSession: Interactive remote shell.
+- Invoke-Command: Executes parallel tasks remotely.
+ """
+ },
+ {
+ "title": "Key Features of PowerShell",
+ "content": """
+- Automation of complex tasks.
+- Logs suspicious script activities automatically (v5 and later).
+ """
+ }
+ ]
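Review bot: The `Command logs` bullet under "PowerShell Logging" presents ConsoleHost_history.txt as a command log, but that file is written by the PSReadLine module (default history size 4096), so it covers only interactive console sessions where PSReadLine is loaded; commands run from scripts, via `-Command`, or from hosts without PSReadLine never reach it, and it is a plain per-user text file with no tamper evidence. The 4104 bullet has a comparable gap: unless the Script Block Logging policy is enabled, PowerShell 5 and later records only the blocks it itself classifies as suspicious (at Warning level), so 4104 coverage is partial by default. I would make both caveats explicit: `- Command logs: ConsoleHost_history.txt (PSReadLine, last 4096 commands; interactive console sessions only).` and `- Operational logs: Script block logging (4104; full coverage needs the Script Block Logging policy, otherwise only auto-flagged suspicious blocks are recorded).` The last bullet of "Key Features of PowerShell" restates the v5 auto-logging fact already carried by powershell_registry_artifacts.py, so the two modules could share one wording.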