ironmansoftware:main ← herosi:main
opened 07:59AM - 14 Nov 23 UTC
1. Added MaxSize to avoid missing event log records if their message sizes are too big
Although powershell-protect can record events to the Application event log on Windows, if the message size of an event is too big, the message will not be recorded, due to a limitation or a bug, while block and file actions work correctly.
I confirmed it when it detected some PowerShell Empire agents and modules such as Invoke-Empire and Invoke-Mimikatz.
To avoid this problem, I implemented maxSize for each event. Currently, I only limit the size of the Script field.
3. Changed event log IDs
In the original code, all event IDs are 0. I changed the behavior according to the event type.
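The two changes described in this PR, a size cap on the Script field before the record is written to the Application event log and an event ID chosen per action type instead of a constant 0, as an added PowerShell example. This is not code from the PR or from powershell-protect itself: the source name, the action names, the ID values and the 16,000-character cap are assumptions chosen for the demonstration.

```powershell
# Added example (not powershell-protect's own code): cap an oversized Script
# field before it reaches the Windows Application event log, and derive the
# event ID from the action type instead of always writing 0.
# Assumptions: the source name, action names and ID values are placeholders;
# New-EventLog and Write-EventLog need an elevated Windows PowerShell session.

$Source  = 'PowerShellProtect-Example'   # placeholder source name (assumption)
$MaxSize = 16000                          # assumed cap for the Script field, in characters

# Assumed mapping from action type to event ID (values are placeholders).
$EventIdByAction = @{
    'Audit' = 1001
    'Block' = 1002
    'File'  = 1003
}

function Limit-ScriptField {
    # Return the script unchanged if it fits, otherwise cut it and append a
    # marker so an analyst can see that (and how much) content was dropped.
    param([string]$Script, [int]$Max = $MaxSize)
    if ($Script.Length -le $Max) { return $Script }
    $marker = "`n... [truncated: $($Script.Length) characters, limit $Max]"
    # Reserve room for the marker so the result never exceeds $Max.
    return $Script.Substring(0, $Max - $marker.Length) + $marker
}

function Write-ProtectEvent {
    param(
        [Parameter(Mandatory)][ValidateSet('Audit','Block','File')][string]$Action,
        [Parameter(Mandatory)][string]$Rule,
        [Parameter(Mandatory)][string]$Script
    )
    $eventId   = $EventIdByAction[$Action]
    $entryType = if ($Action -eq 'Block') { 'Warning' } else { 'Information' }
    $message   = @(
        "Action: $Action"
        "Rule: $Rule"
        "Script:"
        (Limit-ScriptField -Script $Script)
    ) -join "`n"

    # Register the source once (requires elevation); reuse it afterwards.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    Write-EventLog -LogName Application -Source $Source -EventId $eventId `
        -EntryType $entryType -Message $message
    return $eventId
}

# Constructed demo input: a harmless script body far larger than $MaxSize.
$bigScript = ('Write-Host "line";' * 2000)   # roughly 36,000 characters
$id = Write-ProtectEvent -Action 'Block' -Rule 'Example-Rule' -Script $bigScript
"Logged event ID $id; Script field stored as $((Limit-ScriptField $bigScript).Length) characters"
```

Write-EventLog and New-EventLog are Windows PowerShell 5.1 cmdlets (they are not shipped in PowerShell 7), so run the block there with administrator rights. The per-string limit of the underlying ReportEvent API is documented as 31,839 characters, which is why the cap is set well below it; the truncation marker keeps the record useful for triage while the Block or File action still fires on the full script.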