PowerShell Script Block & Module Logging
PowerShell is increasingly used by malicious actors. Microsoft Windows offers enhanced logging capabilities in PowerShell 5.0 and above. PowerShell 5.0 is the current release for Windows 7/2008 R2 and above. Though many of the enhanced logging features of PowerShell 5.0 were backported to version 4.0, Optiv recommends installing PowerShell 5.0 on all Windows platforms, because 5.0 includes features not available in 4.0, such as suspicious script block logging.
You can determine which version of PowerShell is installed on a particular host by entering $PSVersionTable in the PowerShell window.
Installation: Windows 10 does not require any software updates to support enhanced PowerShell logging. For Windows 7/8.1/2008/2012, upgrading PowerShell to enable enhanced logging in PowerShell 5.0 (recommended) requires:
- .NET 4.5
- Windows Management Framework (WMF) 4.0 (Windows 7/2008 only)
- Windows Management Framework (WMF) 5.0
- Windows 7 and 2008 R2 must be upgraded to Windows Management Framework (WMF) 4.0 prior to installing WMF 5.0.
Enabling enhanced logging in PowerShell 4.0 for Windows 7/8.1/2008/2012 requires:
- .NET 4.5
- Windows Management Framework (WMF) 4.0
- The appropriate WMF 4.0 update for the platform:
  - 8.1/2012 R2 – KB3000850
  - 2012 – KB3119938
  - 7/2008 R2 SP1 – KB3109118
To turn on enhanced logging, open the Group Policy Editor and go to:
PowerShell Transcription
Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Transcription
PowerShell Script Block Logging
Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging
PowerShell Module Logging
Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Module Logging
These settings will enhance PowerShell usage logging.
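The following is an added example, not part of the original Optiv guidance: it writes the local-policy registry equivalents of the three Group Policy settings above and then checks that script block and module events are being recorded. It assumes an elevated PowerShell 5.0+ session, a host that is not domain-managed (domain GPO overwrites these keys), and a transcript directory of C:\PSTranscripts chosen for illustration.

```powershell
# Added example (not from the original article). Local-policy registry equivalents of the
# three GPO settings; a domain GPO will overwrite these keys on managed hosts.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    # Create the key if needed and write one value, overwriting any existing one.
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Turn on PowerShell Script Block Logging: the content of each script block is written
# to Microsoft-Windows-PowerShell/Operational as Event ID 4104.
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# Turn on Module Logging for all modules ('*'): pipeline execution details, Event ID 4103.
Set-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'

# Turn on PowerShell Transcription with invocation headers (timestamps per command).
# C:\PSTranscripts is an assumed path; point it at a location users cannot modify.
Set-PolicyValue "$base\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$base\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$base\Transcription" 'OutputDirectory' 'C:\PSTranscripts' 'String'

# Verification: start a fresh PowerShell process so it picks up the new policy, run a
# harmless command, then read back the resulting 4103/4104 events.
Start-Process powershell.exe -ArgumentList '-NoProfile', '-Command', 'Get-Date' -Wait -WindowStyle Hidden
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104 } -MaxEvents 20 |
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } } |
    Format-Table -AutoSize
```

If no 4104 events appear after the test run, confirm the process was started after the keys were written; the policy is read when a new engine instance starts, not by sessions already open.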