PowerShell Core Logging
Many security professionals know the importance of PowerShell logging. It gives us great visibility for the Incident Response and Threat-Hunting process. FireEye wrote a great article about PowerShell logging here. As Microsoft has already launched PowerShell Core, we also need to consider PowerShell Core (PowerShell 6/7) logging. As a side note, the executable name of PowerShell Core is pwsh.exe, so it usually co-exists with the original powershell.exe executable. In reality, organizations are shifting more and more workloads to the cloud, such as Azure, and both developer and operations teams tend to use more and more PowerShell to manage their cloud instances. I saw some developer and operations teams install PowerShell Core on their own. This may be risky! So, I suggest we turn on the log before they install the tools.
How to enable PowerShell Core Logging?
To enable PowerShell Core logging by using GPO, we can copy two additional administrative template files from any machine with PowerShell Core installed. The default paths of the two administrative template files are:
C:\Program Files\PowerShell\7\PowerShellCoreExecutionPolicy.admx
C:\Program Files\PowerShell\7\PowerShellCoreExecutionPolicy.adml
On the domain controller, you will need to copy the two administrative template files to the following locations:
Copy PowerShellCoreExecutionPolicy.admx to C:\Windows\PolicyDefinitions
Copy PowerShellCoreExecutionPolicy.adml to C:\Windows\PolicyDefinitions\en-US
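The copy step above as a script, run on the domain controller. This is an added example, not code from the original post or from the PowerShell project; the source and destination paths default to the ones given above, and the `-SourceRoot`, `-PolicyRoot` and `-Language` parameters are assumptions added so the same script works against a Group Policy central store. It refuses to proceed if a template is missing and compares file hashes after the copy so that a truncated or stale template is noticed before the GPO is edited.

```powershell
# Added example (not from the original post): copy the PowerShell Core
# ADMX/ADML templates into PolicyDefinitions and verify the copies.
# Parameters are assumptions; defaults match the paths given in the post.
param(
    [string]$SourceRoot = 'C:\Program Files\PowerShell\7',
    [string]$PolicyRoot = 'C:\Windows\PolicyDefinitions',
    [string]$Language   = 'en-US'
)

# The .admx goes to the PolicyDefinitions root, the .adml to the language subfolder.
$templates = @(
    @{ Name = 'PowerShellCoreExecutionPolicy.admx'; Destination = $PolicyRoot },
    @{ Name = 'PowerShellCoreExecutionPolicy.adml'; Destination = (Join-Path $PolicyRoot $Language) }
)

foreach ($t in $templates) {
    $src = Join-Path $SourceRoot $t.Name
    if (-not (Test-Path -LiteralPath $src)) {
        throw "Template not found: $src (is PowerShell Core installed on this machine?)"
    }
    if (-not (Test-Path -LiteralPath $t.Destination)) {
        New-Item -ItemType Directory -Path $t.Destination -Force | Out-Null
    }

    $dst = Join-Path $t.Destination $t.Name
    Copy-Item -LiteralPath $src -Destination $dst -Force

    # Confirm the copy is byte-identical to the source before the GPO editor loads it.
    $verified = (Get-FileHash -LiteralPath $src).Hash -eq (Get-FileHash -LiteralPath $dst).Hash

    [pscustomobject]@{
        File        = $t.Name
        Destination = $dst
        Verified    = $verified
    }
}
```

If the domain uses a central store, pass `-PolicyRoot '\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions'` (placeholder path) so the templates are available to every administrator's Group Policy Management Console rather than only to the local editor on one domain controller.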
Once completed, you will find the new GPO settings. For PowerShell Core logging, the most important settings are:
Computer Configuration -> Administrative Templates -> PowerShellCore -> module logging.
Computer Configuration -> Administrative Templates -> PowerShellCore -> Turn on PowerShell Script Block Logging
Computer Configuration -> Administrative Templates -> PowerShellCore -> transcription logging
The new logging location is PowerShellCore -> Operational. The event code and format are the same as regular PowerShell logging. The most important Event IDs for PowerShell Core are still Event ID 4103 and Event ID 4014.
Now, you can start hunting the evil using the PowerShell Core Log!
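A check to run on a member server after the GPO has applied, as an added example that is not part of the original post. It confirms that the three policy settings listed above actually landed in the registry, then pulls recent events from the PowerShellCore/Operational log: Event ID 4103 is module logging (pipeline execution details) and Event ID 4104 is script block logging, the same IDs Windows PowerShell writes to its own Operational log. The registry paths under `HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore` and the value names are those used by the PowerShellCore ADMX as I know it; treat them as an assumption and confirm against the template you deployed.

```powershell
# Added example (not from the original post): verify PowerShell Core logging
# policy and read the resulting events. Registry paths/value names are assumed
# to match the PowerShellCoreExecutionPolicy.admx template.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore'

$checks = @(
    @{ Setting = 'Module logging';       Key = "$policyRoot\ModuleLogging";      Value = 'EnableModuleLogging' },
    @{ Setting = 'Script block logging'; Key = "$policyRoot\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging' },
    @{ Setting = 'Transcription';        Key = "$policyRoot\Transcription";      Value = 'EnableTranscripting' }
)

foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $note = if ($null -eq $v) { 'policy value not present (GPO not applied yet?)' } else { '' }
    [pscustomobject]@{
        Setting = $c.Setting
        Enabled = ($v -eq 1)
        Note    = $note
    }
}

# The channel only exists once pwsh.exe has been installed on the host.
$logName = 'PowerShellCore/Operational'
if (-not (Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue)) {
    Write-Warning "Log '$logName' not found; PowerShell Core may not be installed on this host."
    return
}

# 4103 = module logging (pipeline execution details), 4104 = script block logging.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 4103, 4104 } `
                       -MaxEvents 50 -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Collapse whitespace and keep a short snippet so the table stays readable.
    $text = ($_.Message -replace '\s+', ' ')
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        User    = $_.UserId
        Snippet = $text.Substring(0, [Math]::Min(160, $text.Length))
    }
} | Format-Table -AutoSize
```

Run it once with a deliberately benign pwsh.exe command (for example `pwsh -c Get-Date`) beforehand, so that an empty result distinguishes "logging is off" from "nothing has executed yet". In a fleet, the same checks can be collected centrally and any host reporting `Enabled = False` treated as a configuration drift finding rather than waiting for an incident to reveal the gap.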
Conclusion
As a security professional, you need to consider both the old and the new software. The old software may be exploited through known vulnerabilities. On the other hand, there may be a lack of protection or detection mechanisms for the new software. We encourage you to test and confirm that the desired controls are in place.
If you are interested in cybersecurity topics, feel free to learn more: https://cybersecthreat.com/blogs/