Nowadays, PowerShell is very popular among security oriented folks. In red teams, and blue teams too.Indeed, the Win32 API, WMI, registry, C# support is appreciated by red teams, especially since common anti-virus software suck at PowerShell.
As a blue team member, you have some security features built in PowerShell in recent releases, manageable with GPO in : Computer Configuration, Policy, Administrative Templates, Windows Components, Windows PowerShell.
In PowerShell 2 and older, you can only manage PowerShell Execution Policy:
This isn’t really a security measure.
In PowerShell 3, or with KB2819745, you have a few more options :
Now, you can log module, and specify a path for Update-Help if you have systems not connected to Internet.
In PowerShell 4 with KB3000850, you have even more options :
To check if this KB is present on your system :
Get-HotFix -Id KB3000850
Thanks to that KB, you can now enable PowerShell logging (transcript) computer-wide, and log in the EventLog every cmdlet that run on your systems.
Note : This can be pretty verbose :
(Get-WinEvent -FilterXPath "*[System[EventID=800 and TimeCreated[timediff(@SystemTime) <= 3600000]]]" -LogName 'WindowsPowerShell').count
And transcript (logging all PowerShell sessions) :
You may want to centralized events and transcripts on a secured computer for forensics analysis in case of a breach.