PowerShell Core Logging

Many security professionals know the importance of PowerShell logging: it gives us great visibility for incident response and threat hunting. FireEye wrote a great article about PowerShell logging here. Since Microsoft has already released PowerShell Core, we also need to consider PowerShell Core (PowerShell 6/7) logging. As a side note, the PowerShell Core executable is pwsh.exe, so it usually co-exists with the original powershell.exe. In practice, organizations are shifting more and more workloads to clouds such as Azure, and both development and operations teams increasingly use PowerShell to manage their cloud instances. I saw some development and operations teams install PowerShell Core on their own. This may be risky, because a pwsh.exe installed before the logging policy exists runs without any of the visibility we rely on for powershell.exe! So, I suggest we turn on the logging before they install the tools.

How to enable PowerShell Core Logging?

To enable PowerShell Core logging through GPO, copy two additional administrative template files from any machine that has PowerShell Core installed. The default paths of the two administrative template files are:

  • C:\Program Files\PowerShell\7\PowerShellCoreExecutionPolicy.admx
  • C:\Program Files\PowerShell\7\PowerShellCoreExecutionPolicy.adml

On the domain controller, copy the two administrative template files to the following locations:

  • Copy PowerShellCoreExecutionPolicy.admx to C:\Windows\PolicyDefinitions
  • Copy PowerShellCoreExecutionPolicy.adml to C:\Windows\PolicyDefinitions\en-US

Once completed, the new GPO settings will appear. For PowerShell Core logging, the most important settings are:

  • Computer Configuration -> Administrative Templates -> PowerShellCore -> Turn on Module Logging
  • Computer Configuration -> Administrative Templates -> PowerShellCore -> Turn on PowerShell Script Block Logging
  • Computer Configuration -> Administrative Templates -> PowerShellCore -> Turn on PowerShell Transcription

The new log location is PowerShellCore -> Operational. The event IDs and format are the same as for regular PowerShell logging, so the most important Event IDs for PowerShell Core are still Event ID 4103 (module logging) and Event ID 4104 (script block logging).

Now you can start hunting for evil in the PowerShell Core log!
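The whole procedure above, as an added example that is not part of the original post: stage the two template files on the domain controller, confirm that the policy actually applied, and pull the 4103/4104 events from the new channel. It assumes PowerShell 7's default install path, the local PolicyDefinitions store (use the SYSVOL central store if you have one), and that the PowerShellCore policies land under the same registry value names as Windows PowerShell; run it elevated after gpupdate.

```powershell
# Added example, not the post's own code. Assumes PowerShell 7 at its default path,
# the local PolicyDefinitions store, and Windows PowerShell-style registry value names.
#Requires -RunAsAdministrator

$templateDir = 'C:\Program Files\PowerShell\7'
$policyStore = 'C:\Windows\PolicyDefinitions'

# Step 1: copy the two administrative template files (paths from the post).
Copy-Item -Path (Join-Path $templateDir 'PowerShellCoreExecutionPolicy.admx') `
          -Destination $policyStore -Force
Copy-Item -Path (Join-Path $templateDir 'PowerShellCoreExecutionPolicy.adml') `
          -Destination (Join-Path $policyStore 'en-US') -Force

# Step 2: after the GPO has applied, confirm each logging policy really landed.
# Assumed layout: same keys/values as Windows PowerShell, under the PowerShellCore hive.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore'
$checks = @{
    'Module logging'       = "$policyRoot\ModuleLogging|EnableModuleLogging"
    'Script block logging' = "$policyRoot\ScriptBlockLogging|EnableScriptBlockLogging"
    'Transcription'        = "$policyRoot\Transcription|EnableTranscripting"
}
foreach ($name in $checks.Keys) {
    $key, $value = $checks[$name] -split '\|'
    $enabled = (Get-ItemProperty -Path $key -Name $value -ErrorAction SilentlyContinue).$value -eq 1
    '{0,-22}: {1}' -f $name, $(if ($enabled) { 'enabled' } else { 'NOT enabled' })
}

# Step 3: the channel must exist and be enabled, or no 4103/4104 will ever be written.
$log = Get-WinEvent -ListLog 'PowerShellCore/Operational' -ErrorAction Stop
'Channel enabled: {0}  (records: {1})' -f $log.IsEnabled, $log.RecordCount

# Step 4: pull the last day of module (4103) and script block (4104) events for triage.
Get-WinEvent -FilterHashtable @{
    LogName   = 'PowerShellCore/Operational'
    Id        = 4103, 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n = 'User'; e = { $_.UserId }},
                  @{n = 'Snippet'; e = { ($_.Message -split "`n")[0..2] -join ' ' }} |
    Format-Table -AutoSize
```

A policy that shows "NOT enabled" after gpupdate usually means the ADMX was not picked up by the GPO editor or the setting was configured under Windows PowerShell instead of PowerShellCore.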

Conclusion

As a security professional, you need to consider both the old and the new. Old software may be exploited through known vulnerabilities; new software, on the other hand, may lack protection or detection mechanisms. We encourage you to test and confirm that the desired controls are in place.

If you are interested in cybersecurity topics, feel free to learn more: https://cybersecthreat.com/blogs/
