Log PowerShell Commands

As PowerShell becomes the go-to utility for administrators, it is important to maintain an audit record of previously executed commands. Preserving these logs is also key when it comes to security. An ever increasing number of network compromises rely on native programs to support an exploit, a technique referred to as “Living off the Land”, and PowerShell falls squarely into this group. Retaining historical logs is therefore necessary, and they will be indispensable during an investigation. This post will discuss the steps to enable PowerShell logging across all your systems using Group Policy.

Group Policy Configuration

For testing, you may prefer to apply this policy to a specific Organizational Unit (OU) rather than the Default Domain Policy.

Open Group Policy Management and navigate to your test Servers OU. Right-click and select ‘Create a GPO in this domain, and Link it here‘. In the Name field, enter ‘Powershell Audit‘.

Right-click the Powershell Audit policy and select Edit.

Expand Computer Configuration -> Policies -> Administrative Templates -> Windows Components, then click Windows PowerShell.

Double-click ‘Turn on Module Logging‘ to edit it. Select Enabled, click Show, and add ‘*’ to cover all modules. Module Logging records pipeline execution details for the specified Windows PowerShell modules in Event Viewer.

Click OK twice. Double-click ‘Turn on PowerShell Script Block Logging‘ to edit it. Select Enabled and tick Log script block invocation start/stop events. Script Block Logging writes the script input to the Microsoft-Windows-PowerShell/Operational event log and records commands or scripts whether they are run interactively or during automation.

Click OK twice. Double-click ‘Turn on PowerShell Transcription‘ to edit it. Select Enabled, tick Include invocation headers, and set the Transcript output directory to C:\Windows\Logs\Powershell. PowerShell Transcription produces a text-based recording of each session’s command input and output in the specified Transcript directory.

Click OK twice and Close Group Policy Management.

Log in to your test Server and run gpupdate to refresh Group Policy. Test by running a few PowerShell commands.

Verify from Event Viewer:

  • Applications and Services -> Microsoft -> Windows -> PowerShell -> Operational

Navigate to the audit folder in C:\Windows\Logs\Powershell. Open the latest text file and verify that the commands were recorded.
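As an added example (not part of the original post), the following script checks on a test server whether the three policy settings above have actually applied, by reading the registry keys that Group Policy writes under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell, and then samples the resulting events and the newest transcript file. The registry value names and event IDs are the standard Windows ones; the transcript path is read from the policy, which in this post is C:\Windows\Logs\Powershell.

```powershell
# Added verification script (not from the original post): confirms that the
# Module Logging, Script Block Logging and Transcription policies have reached
# this host, then samples the resulting events and the newest transcript.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied yet)
    $key = Join-Path $base $SubKey
    if (Test-Path $key) { (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$Name }
}

$checks = [ordered]@{
    'Module logging enabled'             = Get-PolicyValue 'ModuleLogging'      'EnableModuleLogging'
    'Script block logging enabled'       = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'
    'Script block invocation start/stop' = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockInvocationLogging'
    'Transcription enabled'              = Get-PolicyValue 'Transcription'      'EnableTranscripting'
    'Transcript invocation headers'      = Get-PolicyValue 'Transcription'      'EnableInvocationHeader'
}
foreach ($c in $checks.GetEnumerator()) {
    $state = if ($c.Value -eq 1) { 'OK' } else { 'MISSING' }
    '{0,-38} {1}' -f $c.Key, $state
}

# Module name list: a single '*' entry (as set in the GPO) means every module is recorded
$modules = Get-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
'Logged modules: ' + (($modules.PSObject.Properties | Where-Object Name -notlike 'PS*').Name -join ', ')

# Transcripts land in date-named subfolders below the configured output directory
$dir = Get-PolicyValue 'Transcription' 'OutputDirectory'
if ($dir -and (Test-Path $dir)) {
    $latest = Get-ChildItem -Path $dir -Filter *.txt -Recurse | Sort-Object LastWriteTime | Select-Object -Last 1
    "Newest transcript: $($latest.FullName)"
}

# Event IDs in Microsoft-Windows-PowerShell/Operational:
# 4103 = module/pipeline logging, 4104 = script block text, 4105/4106 = invocation start/stop
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104, 4105, 4106 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it in an elevated session after gpupdate; a MISSING line points at the policy that did not apply, and an empty event table means nothing has been executed since logging was enabled.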

Conclusion

Completing these steps will give you greater visibility into what is happening on your machines when it comes to PowerShell, as well as insight and guidance during an audit review. Keep in mind the importance of centralizing your Transcript logs and limiting who has access to these files. Ideally, your Event Viewer logs are also being forwarded to a SIEM or Syslog solution. Please reach out for more information if you need additional clarification on this post.

The Network Logician
