PowerShell Logging Features

Hello,

Nowadays, PowerShell is very popular among security oriented folks. In red teams, and blue teams too.Indeed, the Win32 API, WMI, registry, C# support is appreciated by red teams, especially since common anti-virus software suck at PowerShell.

As a blue team member, you have some security features built in PowerShell in recent releases, manageable with GPO in : Computer Configuration, Policy, Administrative Templates, Windows Components, Windows PowerShell.

In PowerShell 2 and older, you can only manage PowerShell Execution Policy:

PowerShell-Loggin-In-PS2

This isn’t really a security measure.

In PowerShell 3, or with KB2819745, you have a few more options :

PowerShell-Loggin-In-PS3

Now, you can log module, and specify a path for Update-Help if you have systems not connected to Internet.

In PowerShell 4 with KB3000850, you have even more options :

PowerShell-Loggin-In-PS4

To check if this KB is present on your system :

Get-HotFix -Id KB3000850

Thanks to that KB, you can now enable PowerShell logging (transcript) computer-wide, and log in the EventLog every cmdlet that run on your systems.

Note : This can be pretty verbose :

PowerShell-Loggin-In-PS4-EventLog

(Get-WinEvent -FilterXPath "*[System[EventID=800 and TimeCreated[timediff(@SystemTime) <= 3600000]]]" -LogName 'WindowsPowerShell').count

PowerShell-Loggin-In-PS4-Verbose2

And transcript (logging all PowerShell sessions) :

PowerShell-Loggin-In-PS4-Transcript

You may want to centralized events and transcripts on a secured computer for forensics analysis in case of a breach.

Leave a Reply