Security and Forensics: Enable PowerShell logging

Introduction:

PowerShell is a great language, but with the power and capabilities it offers also come risks. PowerShell logging is turned off by default, but there are two easy ways to enable it so that you can get some insight into which commands are being executed and collect information for security forensics.

Enable logging using GPO:

If you want to enable logging on more than one server, it is more convenient to use Group Policy (or GPEDIT.msc locally) to push out the necessary settings. In the Group Policy Management Editor, you can find the configuration settings for PowerShell under:

Computer Configuration, Policies, Administrative Templates, Windows Components, Windows PowerShell

and

User Configuration, Policies, Administrative Templates, Windows Components, Windows PowerShell

The Group Policy Object (GPO) setting you need is called Turn on Module Logging. Add the following module names to the list:

Microsoft.PowerShell.*

Microsoft.WSMan.Management

ActiveDirectory

Note: the ActiveDirectory entry is specifically for the Active Directory module. Enabling logging for the core modules gives more detail in the event log when running the Get-ADUser cmdlet, such as which AD objects the command binds to. Once you have configured the policy setting and made sure the GPO is linked to an OU, you should reboot the affected server(s).

Also enable the following two settings:

The GPO setting called Turn on PowerShell Script Block Logging

and

The GPO setting called Turn on PowerShell Transcription, for which you must specify a target directory to store the output of the PowerShell sessions, e.g. d:\PS_Logs

(don't forget to turn off PowerShell transcription afterwards, because the transcripts will fill up your disk space)


Finally, how to use the results of PowerShell logging:

a) look at the transcripts in the PS_Logs directory

b) open Event Viewer from the Tools menu in Server Manager and expand the default Windows PowerShell event log, then the Operational log located under Applications and Services Logs, Microsoft, Windows, PowerShell (select the Operational log).

Note: increase the maximum size of the default Windows PowerShell log and of the Operational log, because the defaults are quickly exceeded.
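As an added example (not part of the original post), the following script pulls the Script Block Logging events (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) written after the GPO above is applied, stitches long script blocks back together, and lists the newest transcripts in the transcription directory; the directory D:\PS_Logs and the 24-hour window are assumptions taken from the post.

```powershell
# Added example: review Script Block Logging events and transcripts on one server.
# Assumes transcription was configured to D:\PS_Logs as in the post above.
param([string]$TranscriptDir = 'D:\PS_Logs', [int]$Hours = 24)

$filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104                      # "Creating Scriptblock text"
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Long script blocks are split across several 4104 events sharing a ScriptBlockId;
# MessageNumber/MessageTotal tell us how to reassemble them in order.
$blocks = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time          = $_.TimeCreated
            MessageNumber = [int]$_.Properties[0].Value
            MessageTotal  = [int]$_.Properties[1].Value
            Text          = [string]$_.Properties[2].Value
            ScriptBlockId = [string]$_.Properties[3].Value
            Path          = [string]$_.Properties[4].Value   # empty for interactive input
        }
    } |
    Group-Object ScriptBlockId |
    ForEach-Object {
        $parts = @($_.Group | Sort-Object MessageNumber)
        [pscustomobject]@{
            Time     = $parts[0].Time
            Path     = $parts[0].Path
            Parts    = $parts.Count
            Complete = ($parts.Count -eq $parts[0].MessageTotal)  # false if the log rolled over
            Script   = -join $parts.Text
        }
    }

"{0} script block(s) logged in the last {1} hour(s)" -f @($blocks).Count, $Hours
$blocks | Sort-Object Time -Descending |
    Select-Object Time, Path, Parts, Complete,
        @{ n = 'Preview'; e = { $_.Script.Substring(0, [Math]::Min(80, $_.Script.Length)) } } |
    Format-Table -AutoSize

# Transcripts are written as PowerShell_transcript.<host>.<id>.<timestamp>.txt
# inside per-day subfolders of the configured directory.
if (Test-Path $TranscriptDir) {
    Get-ChildItem $TranscriptDir -Recurse -Filter 'PowerShell_transcript.*.txt' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 10 FullName, LastWriteTime, Length
}
```

Run it from an elevated session, since reading the Operational log and the transcript directory normally requires administrative rights; an empty Path column marks commands typed interactively rather than run from a script file.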


Published by jdalbera

IT Pro: 28 years experience for large companies - Technical manager and solution architect: Directory services and Identity Management expert, Azure AD, Office 365, Azure infrastructures, Microsoft AD Security (ADDS, ADFS, ADCS), PowerShell, Quest solutions architect. Operating systems (Win/Lin). Unix and Microsoft interoperability. Data center Operations. Company integrations. Network architectures. Virtualization and storage infrastructures. HP/Dell server deployments. Multiple certifications: Azure, MCSE, MCPs, MCITS, ITIL, VCP, CCNA, CyberArk