Logging PowerShell KB ID 0001903
Problem
Monitoring PowerShell execution (especially on critical servers such as domain controllers) is essential for detecting malicious activity, because PowerShell is one of the most common living-off-the-land tools an attacker reaches for once inside. PowerShell activity generates specific Event IDs in the Windows Event Log, but most of the useful ones are NOT on by default: they only appear once the policies below are enabled.
Solution: Logging PowerShell
The following Event IDs are logged in connection with PowerShell execution. Note which log each one lands in, and that several only exist once the matching policy (covered below) is enabled.
Event ID 1: Process Create (Microsoft-Windows-Sysmon/Operational log) (only if Sysmon is installed and configured):
- Logs every new process with its full command line, parent process and image hashes, including powershell.exe and pwsh.exe launches (for example a suspicious -EncodedCommand argument).
Event ID 800: Pipeline Execution Details (Windows PowerShell log, i.e. the classic log, not the Operational one):
- Written when Module Logging is enabled; records the commands and parameter values in each pipeline. Windows PowerShell 5.1 writes 800 here and 4103 to the Operational log for the same activity.
PowerShell Transcription:
- Does not produce an Event ID. Transcripts are plain-text files written to the configured output directory (by default the user's Documents folder). They contain both the input and the resulting output, which is something none of the event-log sources capture.
Event ID 4103: Module Logging / Pipeline Execution (Microsoft-Windows-PowerShell/Operational log):
- Written when Module Logging is enabled for the module in use; records the command executed, its parameters and the values actually bound to them.
- Useful for seeing what arguments a command was really called with, which 4104 only shows as source text.
Event ID 4104: Script Block Logging (Microsoft-Windows-PowerShell/Operational log):
- Logs the text of each script block as it is compiled, i.e. after any -EncodedCommand, string concatenation or other obfuscation has been resolved, so the de-obfuscated code is what lands in the log.
- Long scripts are split across several 4104 events that share the same ScriptBlockId.
- Often used to detect obfuscated or suspicious commands. Even with the policy off, PowerShell 5+ logs script blocks it considers suspicious as 4104 events at Warning level.
Event ID 4105: Script block invocation started (Microsoft-Windows-PowerShell/Operational log):
- Only logged when "Log script block invocation start / stop events" is ticked; marks the start of a script block's execution.
Event ID 4106: Script block invocation completed (Microsoft-Windows-PowerShell/Operational log):
- The matching end-of-execution event. 4105/4106 are very high volume and mainly useful for timing, so most environments leave them off.
Event ID 4688: A new process has been created (Security log):
- Logs when a new process is created, including PowerShell, once Audit Process Creation is enabled.
- Look for processes with powershell.exe or pwsh.exe. The command line is only present if "Include command line in process creation events" is also enabled (see below); without it you get the image name and nothing else.
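The following is an added example, written for this article rather than taken from the original page or from Microsoft, showing how to pull 4104 events out of the Operational log and triage them against a short indicator list. The indicators and the scoring are my own choices and should be tuned per environment; the computer name DC01 is a placeholder.

```powershell
# Added example (not from the KB article): query Script Block Logging events (4104)
# and flag the ones that look like encoded, obfuscated or offensive-tooling commands.
# The indicator list and one-point-per-hit scoring are assumptions, not a Microsoft standard.

function Get-SuspiciousScriptBlock {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # remote query needs RPC/event log access
        [int]$Hours = 24,
        [int]$MaxEvents = 5000
    )

    # Cheap indicators that frequently appear in malicious or obfuscated script blocks.
    $indicators = @(
        '-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}',   # child powershell with a base64 blob
        'FromBase64String',
        'IEX\b|Invoke-Expression',
        'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest',
        '\[char\]\d+\s*\+|-join\s*\(',                   # char-code / join obfuscation
        'Reflection\.Assembly|Add-Type\b.*kernel32',
        'System\.Management\.Automation\.AmsiUtils',     # AMSI tampering
        'Invoke-Mimikatz|Invoke-Kerberoast|mimikatz'
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData of a 4104 event: [0] MessageNumber, [1] MessageTotal,
            # [2] ScriptBlockText, [3] ScriptBlockId, [4] Path.
            $text = $_.Properties[2].Value

            # This function's own definition is itself logged as a 4104 event and would
            # match its own indicators, so skip it.
            if ($text -match 'Get-SuspiciousScriptBlock') { return }

            $hits = @($indicators | Where-Object { $text -match $_ })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    TimeCreated   = $_.TimeCreated
                    Computer      = $_.MachineName
                    Level         = $_.LevelDisplayName   # 'Warning' = PowerShell's own suspicion heuristic fired
                    ScriptBlockId = $_.Properties[3].Value # same Id across chunks of one long script
                    Chunk         = "$($_.Properties[0].Value)/$($_.Properties[1].Value)"
                    Score         = $hits.Count
                    Indicators    = ($hits -join '; ')
                    Preview       = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        } | Sort-Object Score -Descending
}

# Usage: local machine for the last 24 hours, then a domain controller (DC01 is a placeholder).
Get-SuspiciousScriptBlock | Format-Table TimeCreated, Level, Score, Indicators, Preview -AutoSize
Get-SuspiciousScriptBlock -ComputerName 'DC01' -Hours 48 | Export-Csv .\suspicious-4104.csv -NoTypeInformation
```

Because 4104 records the script block after de-obfuscation, a block that still carries FromBase64String or Invoke-Expression at that stage is a second layer the attacker added on purpose, which is why these simple string matches catch more than they would on raw command lines. Group the results by ScriptBlockId to reassemble chunked scripts before reading them.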
Logging PowerShell With Group Policy
Enable Script Block Logging:
For LOCAL POLICY: Open gpedit.msc > Navigate to: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging > Set it to Enabled. Optionally tick "Log script block invocation start / stop events" to also log Event 4105 (start of a script block execution) and 4106 (end of a script block execution); these are very high volume, so only enable them if you actually need execution timing.
For DOMAIN GROUP POLICY: On a domain controller, or a machine with the Group Policy Management Console (RSAT) installed > Administrative Tools > Group Policy Management, then either edit an existing GPO or create a new one linked to the domain/OU that contains the COMPUTER objects you want to apply the policy to, then navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging > Set it to Enabled. Optionally tick "Log script block invocation start / stop events" for Event 4105 and 4106, with the same volume caveat as above.
Logging PowerShell (Other Options)
You may also want to enable the following policies (at either LOCAL or DOMAIN level). Note that these settings only govern Windows PowerShell (powershell.exe); if PowerShell 7 (pwsh.exe) is deployed it has its own "PowerShell Core" ADMX templates, shipped in its install folder, which must either be configured separately or set to "Use Windows PowerShell Policy setting", otherwise pwsh is not logged.
Enable Module Logging
Location: Computer Configuration > (Policies >) Administrative Templates > Windows Components > Windows PowerShell > Turn on Module Logging.
Lets you log the usage of particular PowerShell modules (Event 4103 in the Operational log, 800 in the Windows PowerShell log). Click Show... under Module Names and enter * to log every module, or list specific module names.
Enable PowerShell Transcription
Location: Computer Configuration > (Policies >) Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Transcription.
This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. Set "Transcript output directory" to a location users can write to but not read back or delete (a central share with write-only permissions is the usual choice); if you leave it blank, transcripts land in each user's Documents folder where the user can simply remove them. Tick "Include invocation headers" so every command is timestamped. Transcripts record everything typed, including any passwords passed on the command line, so protect that directory accordingly.
Audit Process Creation
Location: Computer Configuration > (Policies >) Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking > Audit Process Creation > Enable for success and failure.
This enables the logging of process creation events (Event 4688) in the Windows Security log. It provides valuable information about which processes are starting on a system, including the process name, the parent process and the user who initiated it. To get the command-line arguments as well you must additionally enable Computer Configuration > (Policies >) Administrative Templates > System > Audit Process Creation > Include command line in process creation events; without it 4688 carries no command line, which makes it near useless for spotting PowerShell abuse. As with transcripts, the command line can contain secrets, so restrict who can read the Security log.
Don't forget to either wait, or force a group policy update (gpupdate /force on the target machine). Also raise the size of the Microsoft-Windows-PowerShell/Operational log: its default maximum is only 15 MB, which script block logging on a busy server can roll over in minutes, losing exactly the events you were after.
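As an added example (not part of the original article), the same set of settings applied directly to the local policy registry keys, followed by a check that a marker script block actually shows up as a 4104 event and that 4688 carries the command line. The transcript directory C:\PSTranscripts, the marker string and the 512 MB log size are assumptions for the example. On a domain-joined machine Group Policy overwrites these keys at the next refresh, so use this on standalone or lab hosts, or as a way to confirm what the GPO should have set.

```powershell
# Added example (not from the KB article). Run from an elevated PowerShell.
# Writes the policy registry values behind the GPO settings described above, then verifies them.
#Requires -RunAsAdministrator

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Script Block Logging (Event 4104). Invocation start/stop (4105/4106) is enabled here to
#    match the article's steps; set it to 0 if the volume becomes a problem.
Set-PolicyValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
Set-PolicyValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockInvocationLogging' 1

# 2. Module Logging (Event 4103 / 800); a value named '*' with data '*' means every module.
Set-PolicyValue "$psPolicy\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$psPolicy\ModuleLogging\ModuleNames" '*' '*' 'String'

# 3. Transcription with invocation headers, to a fixed folder (assumed path) rather than Documents.
$transcriptDir = 'C:\PSTranscripts'
New-Item -ItemType Directory -Path $transcriptDir -Force | Out-Null
Set-PolicyValue "$psPolicy\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$psPolicy\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$psPolicy\Transcription" 'OutputDirectory' $transcriptDir 'String'

# 4. Process creation auditing (Event 4688) with the command line included.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    'ProcessCreationIncludeCmdLine_Enabled' 1

# 5. Grow the Operational log (default 15 MB) so 4104 events survive long enough to be collected.
wevtutil.exe sl Microsoft-Windows-PowerShell/Operational /ms:536870912

# 6. Verify: a fresh powershell.exe picks up the policy; run a unique marker and look for it.
$marker = "PSLOGTEST-$(Get-Random)"
Start-Process powershell.exe -ArgumentList "-NoProfile -Command `"Write-Output '$marker'`"" -Wait -WindowStyle Hidden
Start-Sleep -Seconds 2

$sbl = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -like "*$marker*" } | Select-Object -First 1
if ($sbl) { "OK: 4104 logged at $($sbl.TimeCreated), ScriptBlockId $($sbl.Properties[3].Value)" }
else      { Write-Warning "No 4104 event found for $marker - check the ScriptBlockLogging key and that the log is not full" }

$proc = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'powershell\.exe' -and $_.Message -match [regex]::Escape($marker) } | Select-Object -First 1
if ($proc) { "OK: 4688 with command line logged at $($proc.TimeCreated)" }
else       { Write-Warning "No 4688 event carrying the marker - check Audit Process Creation and 'Include command line in process creation events'" }

# A transcript for the marker run should also have appeared under $transcriptDir.
Get-ChildItem $transcriptDir -Recurse -Filter 'PowerShell_transcript*' | Select-Object -Last 1 -ExpandProperty FullName
```

The verification step is the part worth keeping even if you deploy via GPO: a marker that does not show up in 4104 and 4688 after gpupdate tells you immediately whether the policy landed, rather than finding out during an incident.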
Related Articles, References, Credits, or External Links
NA