Under Computer Configuration > Policies > Administrative Settings > Windows Components > Windows PowerShell you will find the settings for enabling logging, as seen in Figure 2. Figure 1: Create new GPO within Active Directory, Name it as require and Open to Edit This will open the Group Policy Management Editor, allowing us to modify the settings. Open the Group Policy Management from Administrative Tools (this would either be on your Domain Controller, or on a system that you have installed the Remote Administration Tools (RAT) Feature within Windows) and choose the Organizational Unit (OU) to apply it to, right click and “Create a GPO in this domain, and Link it here…”, provide with a suitable name to match your internal naming conventions, then right click and Edit the policy. Step 1: Create the Group Policy Configurationįor the purposes of this guide, we will look at creating a new GPO, however, these settings can also be added to existing GPOs that you may have in your environment. This guide provides guidance on deploying logging via the via the Group Policy Objects (GPO), so it can be pushed out via your Active Directory. The first stage of getting PowerShell logs into your security information and event management (SIEM), is to ensure that they are generated first! By default, PowerShell does not log anything, and it must be enabled. Unfortunately, because PowerShell is available on most virtual machines, it is attackers go-to choice for distributing malware code and other malware activities.
A lot of system administrators use the highly versatile scripting language to automate and improve manual processes across their whole environment. PowerShell has been included by default since Windows 7 and Windows Server 2008 R2 and is now used widely the world. That’s why it’s important to assess PowerShell logging to understand what is happening once the shell launches. Windows Security logs can tell you that PowerShell.exe has been created, but most of the time will show you little else of what runs within it. With exploits, attacks, and hackers using PowerShell more and more, it’s critical to know when powershell.exe is running on a system and what commands run from within it.
0 kommentar(er)
