As PowerShell becomes the go-to utility for administrators, it is important to maintain an audit record of previously executed commands. Preserving these logs is also key when it comes to security. An ever increasing number of network compromises use native programs to support an exploit, a technique referred to as “Living off the Land”, and PowerShell falls squarely into this group, so it is necessary to retain historical logs, which will be indispensable during an investigation. This post will discuss the steps to enable PowerShell logging across all your systems using Group Policy.
Group Policy Configuration
For testing, you may prefer to apply this policy to a specific Organizational Unit (OU) rather than the Default Domain.
Open Group Policy Management and navigate to your test Servers OU. Right-click and select ‘Create a GPO in this domain and Link it here’. Enter ‘Powershell Audit’ in the Name field.
Right-click the Powershell Audit policy and select Edit.
Expand Computer Configuration -> Policies -> Administrative Templates -> Windows Components, click Windows PowerShell
Double-click and Edit ‘Turn on Module Logging’. Enable it, click Show and add ‘*’ to record all modules. Module Logging records the specified Windows PowerShell modules in Event Viewer.
Click OK twice. Double-click and Edit ‘Turn on PowerShell Script Block Logging’. Enable it and tick ‘Log script block invocation start/stop events’. Script Block Logging logs script input to the Microsoft-Windows-PowerShell/Operational event log and records commands or scripts whether they are run interactively or during automation.
Click OK twice. Double-click and Edit ‘Turn on PowerShell Transcription’. Enable it, tick ‘Include invocation headers’ and set the Transcript output directory to C:\Windows\Logs\Powershell. PowerShell Transcription produces a text-based recording of command input and output in the specified Transcript directory.
Click OK twice and Close Group Policy Management.
Log in to your test server and run gpupdate to refresh Group Policy. Then run a few PowerShell commands.
Verify from Event Viewer
- Applications and Services -> Microsoft -> Windows -> PowerShell -> Operational
Navigate to the audit folder in C:\Windows\Logs\Powershell. Open the latest text file and verify that the commands were recorded.
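To confirm the policy actually landed on a test server beyond a glance at Event Viewer, here is an added PowerShell check that is not part of the original post. It reads the registry values the GPO writes, looks for the newest transcript in the directory the policy specifies, and counts recent Module Logging (event ID 4103) and Script Block Logging (event ID 4104) events; it assumes an elevated prompt on the server after gpupdate.

```powershell
# Added verification script (not from the original post). Run elevated on the
# test server after gpupdate. The GPO settings from the post are written under
# this policy key; event IDs 4103/4104 are the standard module/script block IDs.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# One entry per GPO setting the post enables: display name, key and value name.
$checks = @(
    @{ Name = 'Module Logging';               Key = "$base\ModuleLogging";      Value = 'EnableModuleLogging' },
    @{ Name = 'Script Block Logging';         Key = "$base\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging' },
    @{ Name = 'Script Block start/stop';      Key = "$base\ScriptBlockLogging"; Value = 'EnableScriptBlockInvocationLogging' },
    @{ Name = 'Transcription';                Key = "$base\Transcription";      Value = 'EnableTranscripting' },
    @{ Name = 'Transcript invocation header'; Key = "$base\Transcription";      Value = 'EnableInvocationHeader' }
)

foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $state = if ($v -eq 1) { 'ENABLED' } else { 'MISSING/DISABLED' }
    '{0,-30} {1}' -f $c.Name, $state
}

# Module Logging should carry '*' so every module is recorded, as set in the GPO.
$names = Get-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
'{0,-30} {1}' -f 'Module names', $(if ($names.'*' -eq '*') { '* (all modules)' } else { 'not set to *' })

# Transcript directory comes from the policy (the post uses C:\Windows\Logs\Powershell).
# Transcripts land in dated subfolders, hence -Recurse.
$dir = (Get-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -ErrorAction SilentlyContinue).OutputDirectory
if ($dir -and (Test-Path $dir)) {
    $latest = Get-ChildItem -Path $dir -Recurse -Filter *.txt -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    "Transcript dir: $dir (latest: $($latest.FullName) at $($latest.LastWriteTime))"
} else {
    "Transcript dir not found or not configured: $dir"
}

# Run a harmless command so fresh 4103/4104 events exist, then count the last 10 minutes.
Get-Date | Out-Null
$since = (Get-Date).AddMinutes(-10)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id | ForEach-Object { 'Event ID {0}: {1} event(s) in last 10 min' -f $_.Name, $_.Count }
```

A setting that shows MISSING/DISABLED after gpupdate usually means the GPO link or OU scope is wrong, which is worth checking before rolling the policy out domain-wide.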
Completing these steps will give you greater visibility into what is happening on your machines when it comes to PowerShell, as well as insight and guidance during an audit review. Remember the importance of centralizing your Transcript logs and limiting who has access to these files. Ideally, your Event Viewer logs are also being forwarded to a SIEM or Syslog solution. Please reach out for more information if you need additional clarification on this post.
The Network Logician