{"id":135,"date":"2020-07-08T10:56:25","date_gmt":"2020-07-08T10:56:25","guid":{"rendered":"https:\/\/cybersecthreat.com\/?p=135"},"modified":"2024-04-01T13:51:40","modified_gmt":"2024-04-01T05:51:40","slug":"powershell-core-logging","status":"publish","type":"post","link":"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/powershell-core-logging\/","title":{"rendered":"PowerShell Core Logging"},"content":{"rendered":"<p>Many security professionals know the importance of PowerShell logging. It gives us great visibility for the Incident Response and Threat-Hunting process. FireEye wrote a great article about PowerShell logging&nbsp;<a href=\"https:\/\/www.mandiant.com\/resources\/blog\/greater-visibility\">\u7db2\u5740<\/a>. As Microsoft already launched Power Shell Core, we also need to consider PowerShell Core (PowerShell 6\/7) logging. As a side note, the executable name of PowerShell Core is <strong>pwsh.exe<\/strong> and therefore usually co-exists with the original powershell.exe executable. In reality, organizations are shifting more and more workloads to the cloud such as Azure. Both the developer and operation team tend to use more and more PowerShell to manage their cloud instance. I saw some developer and operation teams install PowerShell Core on their own. This may be risky! So, I suggest we turn on the log before they install the tools. <\/p>\n\n\n<style>.kadence-column135_2addaf-39 > .kt-inside-inner-col{display:flex;}.kadence-column135_2addaf-39 > .kt-inside-inner-col,.kadence-column135_2addaf-39 > .kt-inside-inner-col:before{border-top-left-radius:0px;border-top-right-radius:0px;border-bottom-right-radius:0px;border-bottom-left-radius:0px;}.kadence-column135_2addaf-39 > .kt-inside-inner-col{column-gap:var(--global-kb-gap-sm, 1rem);}.kadence-column135_2addaf-39 > .kt-inside-inner-col{flex-direction:column;align-items:center;}.kadence-column135_2addaf-39 > .kt-inside-inner-col > .kb-image-is-ratio-size{align-self:stretch;}.kadence-column135_2addaf-39 > .kt-inside-inner-col > .wp-block-kadence-advancedgallery{align-self:stretch;}.kadence-column135_2addaf-39 > .kt-inside-inner-col > .aligncenter{width:100%;}.kadence-column135_2addaf-39 > .kt-inside-inner-col:before{opacity:0.3;}.kadence-column135_2addaf-39{position:relative;}@media all and (max-width: 1024px){.kadence-column135_2addaf-39 > .kt-inside-inner-col{flex-direction:column;justify-content:center;align-items:center;}}@media all and (max-width: 767px){.kadence-column135_2addaf-39 > .kt-inside-inner-col{flex-direction:column;justify-content:center;align-items:center;}}<\/style>\n<div class=\"wp-block-kadence-column kadence-column135_2addaf-39\"><div class=\"kt-inside-inner-col\"><style>.kb-table-of-content-nav.kb-table-of-content-id135_de11b6-51 .kb-table-of-content-wrap{padding-top:var(--global-kb-spacing-sm, 1.5rem);padding-right:var(--global-kb-spacing-sm, 1.5rem);padding-bottom:var(--global-kb-spacing-sm, 1.5rem);padding-left:0px;background-color:rgba(255,255,255,0.99);border-top:3px solid #313131;border-right:3px solid #313131;border-bottom:3px solid #313131;border-left:3px solid #313131;box-shadow:0px 0px 14px 0px #abb8c3;}.kb-table-of-content-nav.kb-table-of-content-id135_de11b6-51 .kb-table-of-contents-title-wrap{padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.kb-table-of-content-nav.kb-table-of-content-id135_de11b6-51 .kb-table-of-contents-title{font-size:var(--global-kb-font-size-lg, 2rem);font-weight:bold;font-style:normal;}.kb-table-of-content-nav.kb-table-of-content-id135_de11b6-51 .kb-table-of-content-wrap .kb-table-of-content-list{color:#d65a02;font-size:var(--global-kb-font-size-md, 1.25rem);font-weight:regular;font-style:normal;margin-top:var(--global-kb-spacing-sm, 1.5rem);margin-right:0px;margin-bottom:0px;margin-left:0px;}.kb-table-of-content-nav.kb-table-of-content-id135_de11b6-51 .kb-toggle-icon-style-basiccircle .kb-table-of-contents-icon-trigger:after, .kb-table-of-content-nav.kb-table-of-content-id135_de11b6-51 .kb-toggle-icon-style-basiccircle .kb-table-of-contents-icon-trigger:before, .kb-table-of-content-nav.kb-table-of-content-id135_de11b6-51 .kb-toggle-icon-style-arrowcircle .kb-table-of-contents-icon-trigger:after, .kb-table-of-content-nav.kb-table-of-content-id135_de11b6-51 .kb-toggle-icon-style-arrowcircle .kb-table-of-contents-icon-trigger:before, .kb-table-of-content-nav.kb-table-of-content-id135_de11b6-51 .kb-toggle-icon-style-xclosecircle .kb-table-of-contents-icon-trigger:after, .kb-table-of-content-nav.kb-table-of-content-id135_de11b6-51 .kb-toggle-icon-style-xclosecircle .kb-table-of-contents-icon-trigger:before{background-color:rgba(255,255,255,0.99);}@media all and (max-width: 1024px){.kb-table-of-content-nav.kb-table-of-content-id135_de11b6-51 .kb-table-of-content-wrap{margin-left:var(--global-kb-spacing-auto, auto);border-top:3px solid #313131;border-right:3px solid #313131;border-bottom:3px solid #313131;border-left:3px solid #313131;}}@media all and (max-width: 767px){.kb-table-of-content-nav.kb-table-of-content-id135_de11b6-51 .kb-table-of-content-wrap{margin-left:var(--global-kb-spacing-auto, auto);border-top:3px solid #313131;border-right:3px solid #313131;border-bottom:3px solid #313131;border-left:3px solid #313131;}}<\/style><\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-to-enable-powershell-core-logging\">How to enable PowerShell Core Logging?<\/h2>\n\n\n\n<p>To enable PowerShell Core logging by using GPO, we can copy two additional files from any machine with PowerShell Core installed.&nbsp;The default path of two administrative template files are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>C:\\Program Files\\PowerShell\\7\\PowerShellCoreExecutionPolicy.admx<\/code><\/li>\n\n\n\n<li><code>C:\\Program Files\\PowerShell\\7\\PowerShellCoreExecutionPolicy.adml<\/code><\/li>\n<\/ul>\n\n\n\n<p>On the domain controller, you will need to copy two administrative template files to the following locations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>Copy PowerShellCoreExecutionPolicy.admx to C:\\Windows\\PolicyDefinitions<\/code><\/li>\n\n\n\n<li><code>Copy PowerShellCoreExecutionPolicy.adml to C:\\Windows\\PolicyDefinitions\\en-US<\/code><\/li>\n<\/ul>\n\n\n\n<p>Once completed, you will find the new GPO settings. For PowerShell Core logging, the most important settings are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>Computer Configuration -&gt; Administrative Templates -&gt; PowerShellCore -&gt; module logging.<\/code><\/li>\n\n\n\n<li><code>Computer Configuration -&gt; Administrative Templates -&gt; PowerShellCore -&gt; Turn on PowerShell Script Block Logging&nbsp;<\/code><\/li>\n\n\n\n<li><code>Computer Configuration -&gt; Administrative Templates -&gt; PowerShellCore -&gt; transcription logging<\/code><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"384\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/PowerShellCore_GPO_administrative_template.png\" alt=\"PowerShell Core GPO screen\" class=\"wp-image-216\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/PowerShellCore_GPO_administrative_template.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/PowerShellCore_GPO_administrative_template-300x113.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/PowerShellCore_GPO_administrative_template-768x288.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/PowerShellCore_GPO_administrative_template-600x225.png 600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The new logging location is <code>PowerShellCore -&gt; Operational<\/code>. The event code and format are the same as regular PowerShell logging. The most important Event IDs for PowerShell Core are still <strong>Event ID 4103<\/strong> \u53ca <strong>Event ID 4014<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"492\" src=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/PowerShellCore-EventLog-Screen.png\" alt=\"PowerShellCore EventLog screen\" class=\"wp-image-217\" srcset=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/PowerShellCore-EventLog-Screen.png 1024w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/PowerShellCore-EventLog-Screen-300x144.png 300w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/PowerShellCore-EventLog-Screen-768x369.png 768w, https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/PowerShellCore-EventLog-Screen-600x288.png 600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Now, you can start hunting the evil using the PowerShell Core Log!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-conclusion\">\u7d50\u8ad6<\/h2>\n\n\n\n<p>As a security professional, you need to consider both the old and new stuff.  The old software may be exploited by known vulnerabilities. On the other hand,  there may be a lack of protection or detection mechanism for the new software. We encourage you to test and confirm the desired controls are in place.<\/p>\n\n\n\n<p>If you are interested in cybersecurity topics, feel free to learn more: <a href=\"https:\/\/cybersecthreat.com\/zh\/blogs\/\">https:\/\/cybersecthreat.com\/blogs\/<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>Many security professionals know the importance of PowerShell logging. It give us great visibility for Incident Response and Threat Hunting process. FireEye wrote a great article about PowerShell logging here. As Microsoft already launch Power Shell Core, we also need to consider PowerShell Core (PowerShell 6\/7) logging. As a side note, the executable name of PowerShell Core is pwsh.exe and therefore usually co-exists with the original powershell.exe executable. In reality, organizations are shifting more and more workload to cloud such as Azure. Both the developer and operation team trends to use more and more PowerShell to manage their cloud instance. I saw some developer and operation team install PowerShell Core on their own. This may be risky! So, I suggest we turn on the log before they install the tools. <\/p>","protected":false},"author":2,"featured_media":368,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_uf_show_specific_survey":0,"_uf_disable_surveys":false,"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[42,43,28,45],"tags":[21,19,29,30],"class_list":["post-135","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blue-team","category-incident-response","category-powershell","category-threat-hunting","tag-blue-team","tag-incident-response","tag-powershell","tag-threat-hunting"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>PowerShell Core Logging - CyberSecThreat<\/title>\n<meta name=\"description\" content=\"As Microsoft already launched Power Shell Core, we also need to consider PowerShell Core (PowerShell Core 6\/7) logging.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/powershell-core-logging\/\" \/>\n<meta property=\"og:locale\" content=\"zh_TW\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"PowerShell Core Logging\" \/>\n<meta property=\"og:description\" content=\"Many security professionals know the importance of PowerShell logging. It give us great visibility for Incident Response and Threat Hunting process. FireEye wrote a great article about PowerShell logging here. As Microsoft already launch Power Shell Core, we also need to consider PowerShell Core (PowerShell 6\/7) logging. As a side note, the executable name of PowerShell Core is pwsh.exe and therefore usually co-exists with the original powershell.exe executable. In reality, organizations are shifting more and more workload to cloud such as Azure. Both the developer and operation team trends to use more and more PowerShell to manage their cloud instance. I saw some developer and operation team install PowerShell Core on their own. This may be risky! So, I suggest we turn on the log before they install the tools.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/powershell-core-logging\/\" \/>\n<meta property=\"og:site_name\" content=\"CyberSecThreat\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cybersecthreat\" \/>\n<meta property=\"article:published_time\" content=\"2020-07-08T10:56:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-01T05:51:40+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/pwsh_encode.png\" \/>\n\t<meta property=\"og:image:width\" content=\"979\" \/>\n\t<meta property=\"og:image:height\" content=\"512\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kelvin Yip\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@cybersecthreat\" \/>\n<meta name=\"twitter:site\" content=\"@cybersecthreat\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005:\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kelvin Yip\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9810\u4f30\u95b1\u8b80\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 \u5206\u9418\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/\"},\"author\":{\"name\":\"Kelvin Yip\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#\\\/schema\\\/person\\\/4787dde06da74fa66cb5e92e481b0f98\"},\"headline\":\"PowerShell Core Logging\",\"datePublished\":\"2020-07-08T10:56:25+00:00\",\"dateModified\":\"2024-04-01T05:51:40+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/\"},\"wordCount\":323,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/pwsh_encode.png\",\"keywords\":[\"Blue Team\",\"Incident Response\",\"PowerShell\",\"Threat Hunting\"],\"articleSection\":[\"Blue Team\",\"Incident Response\",\"PowerShell\",\"Threat Hunting\"],\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/\",\"name\":\"PowerShell Core Logging - CyberSecThreat\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/pwsh_encode.png\",\"datePublished\":\"2020-07-08T10:56:25+00:00\",\"dateModified\":\"2024-04-01T05:51:40+00:00\",\"description\":\"As Microsoft already launched Power Shell Core, we also need to consider PowerShell Core (PowerShell Core 6\\\/7) logging.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/#breadcrumb\"},\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/pwsh_encode.png\",\"contentUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/pwsh_encode.png\",\"width\":979,\"height\":512,\"caption\":\"PowerShell Core pwsh encoded command\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"PowerShell\",\"item\":\"https:\\\/\\\/cybersecthreat.com\\\/category\\\/powershell\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"PowerShell Core Logging\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#website\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/\",\"name\":\"CyberSecThreat\",\"description\":\"CyberSecurity Solutions\",\"publisher\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cybersecthreat.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-TW\"},{\"@type\":[\"Organization\",\"Place\"],\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#organization\",\"name\":\"CyberSecThreat Corporation Limited.\",\"alternateName\":\"CyberSecThreat\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/\",\"logo\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/#local-main-organization-logo\"},\"image\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/#local-main-organization-logo\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/cybersecthreat\",\"https:\\\/\\\/x.com\\\/cybersecthreat\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/cybersecthreat-corporation-limited\"],\"description\":\"CyberSecThreat, headquartered in Taiwan, is a Cybersecurity solutions provider that offers cutting-edge Cybersecurity solutions including Cyber Threat Intelligence (CTI), Security Orchestration, Automation, and Response (SOAR), UBA\\\/UEBA, DFIR, and CyberSecurity consulting. CyberSecThreat was awarded as Top 10 Cyber Security Companies of 2022 in APAC CIO Outlook\u2019s Cyber Security Edition. We position ourselves as one of the most comprehensive players in the most advanced high-end marketplace with our highly customizable cybersecurity solutions. CyberSecThreat has been committed to contributing to the CyberSecurity industry and assisting our global clients to improve their CyberSecurity posture. With our global partners and experts, we can deliver a wide range of world-class services to our global clients including vCISO, SOC consulting, Splunk consulting, red team, blue team, and AppSec consulting. CyberSecThreat Research Lab, which is led by our founder Kelvin Yip, is a subdivision that focuses on researching Cyber Warfare, Cyber Influence Operation\\\/Cognitive Domain Warfare (including Disinformation, Propaganda, and psychological manipulation), the latest Cybersecurity trends, and threats that organizations face today as well as technology innovation. With decades of Cybersecurity and technology experience, our teams of experts carry out research and experiment, bringing it to the real world. When things come to the real world and production environment, it is more complicated than our imagination. Let us worry about it because this is our mission! Our vision: NextGen safe digital life, and our mission is to Transform Security Into Real World.\",\"legalName\":\"CyberSecThreat Corporation Limited.\",\"foundingDate\":\"2021-01-23\",\"address\":{\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/#local-main-place-address\"},\"geo\":{\"@type\":\"GeoCoordinates\",\"latitude\":\"25.0600452\",\"longitude\":\"121.4594381\"},\"telephone\":[\"(+886) 02 - 77527628\"],\"openingHoursSpecification\":[{\"@type\":\"OpeningHoursSpecification\",\"dayOfWeek\":[\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\",\"Saturday\",\"Sunday\"],\"opens\":\"09:00\",\"closes\":\"18:00\"}],\"email\":\"info@cybersecthreat.com\",\"areaServed\":\"Taiwan\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/#\\\/schema\\\/person\\\/4787dde06da74fa66cb5e92e481b0f98\",\"name\":\"Kelvin Yip\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g\",\"caption\":\"Kelvin Yip\"},\"sameAs\":[\"https:\\\/\\\/cybersecthreat.com\"],\"knowsAbout\":[\"CyberSecurity\"],\"knowsLanguage\":[\"English\",\"Chinese\"],\"jobTitle\":\"Founder, CEO\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/zh\\\/author\\\/kelvinyip-m\\\/\"},{\"@type\":\"PostalAddress\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/#local-main-place-address\",\"streetAddress\":\"9 F.-A6, No. 601, Siyuan Rd., Xinzhuang Dist., New Taipei City 242032, Taiwan (R.O.C.)\",\"addressLocality\":\"New Taipei City\",\"postalCode\":\"242032\",\"addressRegion\":\"Taiwan\",\"addressCountry\":\"TW\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/cybersecthreat.com\\\/2020\\\/07\\\/08\\\/powershell-core-logging\\\/#local-main-organization-logo\",\"url\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/CyberSecThreat_website-site-logo-_164x164-min.png\",\"contentUrl\":\"https:\\\/\\\/cybersecthreat.com\\\/wp-content\\\/uploads\\\/2023\\\/12\\\/CyberSecThreat_website-site-logo-_164x164-min.png\",\"width\":164,\"height\":164,\"caption\":\"CyberSecThreat Corporation Limited.\"}]}<\/script>\n<meta name=\"geo.placename\" content=\"New Taipei City\" \/>\n<meta name=\"geo.position\" content=\"25.0600452;121.4594381\" \/>\n<meta name=\"geo.region\" content=\"Taiwan\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"PowerShell Core Logging - CyberSecThreat","description":"As Microsoft already launched Power Shell Core, we also need to consider PowerShell Core (PowerShell Core 6\/7) logging.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/powershell-core-logging\/","og_locale":"zh_TW","og_type":"article","og_title":"PowerShell Core Logging","og_description":"Many security professionals know the importance of PowerShell logging. It give us great visibility for Incident Response and Threat Hunting process. FireEye wrote a great article about PowerShell logging here. As Microsoft already launch Power Shell Core, we also need to consider PowerShell Core (PowerShell 6\/7) logging. As a side note, the executable name of PowerShell Core is pwsh.exe and therefore usually co-exists with the original powershell.exe executable. In reality, organizations are shifting more and more workload to cloud such as Azure. Both the developer and operation team trends to use more and more PowerShell to manage their cloud instance. I saw some developer and operation team install PowerShell Core on their own. This may be risky! So, I suggest we turn on the log before they install the tools.","og_url":"https:\/\/cybersecthreat.com\/zh\/2020\/07\/08\/powershell-core-logging\/","og_site_name":"CyberSecThreat","article_publisher":"https:\/\/www.facebook.com\/cybersecthreat","article_published_time":"2020-07-08T10:56:25+00:00","article_modified_time":"2024-04-01T05:51:40+00:00","og_image":[{"width":979,"height":512,"url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/pwsh_encode.png","type":"image\/png"}],"author":"Kelvin Yip","twitter_card":"summary_large_image","twitter_creator":"@cybersecthreat","twitter_site":"@cybersecthreat","twitter_misc":{"\u4f5c\u8005:":"Kelvin Yip","\u9810\u4f30\u95b1\u8b80\u6642\u9593":"2 \u5206\u9418"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/#article","isPartOf":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/"},"author":{"name":"Kelvin Yip","@id":"https:\/\/cybersecthreat.com\/#\/schema\/person\/4787dde06da74fa66cb5e92e481b0f98"},"headline":"PowerShell Core Logging","datePublished":"2020-07-08T10:56:25+00:00","dateModified":"2024-04-01T05:51:40+00:00","mainEntityOfPage":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/"},"wordCount":323,"commentCount":0,"publisher":{"@id":"https:\/\/cybersecthreat.com\/#organization"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/#primaryimage"},"thumbnailUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/pwsh_encode.png","keywords":["Blue Team","Incident Response","PowerShell","Threat Hunting"],"articleSection":["Blue Team","Incident Response","PowerShell","Threat Hunting"],"inLanguage":"zh-TW","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/","url":"https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/","name":"PowerShell Core Logging - CyberSecThreat","isPartOf":{"@id":"https:\/\/cybersecthreat.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/#primaryimage"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/#primaryimage"},"thumbnailUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/pwsh_encode.png","datePublished":"2020-07-08T10:56:25+00:00","dateModified":"2024-04-01T05:51:40+00:00","description":"As Microsoft already launched Power Shell Core, we also need to consider PowerShell Core (PowerShell Core 6\/7) logging.","breadcrumb":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/#breadcrumb"},"inLanguage":"zh-TW","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/"]}]},{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/#primaryimage","url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/pwsh_encode.png","contentUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/pwsh_encode.png","width":979,"height":512,"caption":"PowerShell Core pwsh encoded command"},{"@type":"BreadcrumbList","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"PowerShell","item":"https:\/\/cybersecthreat.com\/category\/powershell\/"},{"@type":"ListItem","position":2,"name":"PowerShell Core Logging"}]},{"@type":"WebSite","@id":"https:\/\/cybersecthreat.com\/#website","url":"https:\/\/cybersecthreat.com\/","name":"\u5947\u8cc7\u5b89","description":"\u7db2\u8def\u5b89\u5168\u65b9\u6848","publisher":{"@id":"https:\/\/cybersecthreat.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cybersecthreat.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-TW"},{"@type":["Organization","Place"],"@id":"https:\/\/cybersecthreat.com\/#organization","name":"\u5947\u8cc7\u8a0a\u4fdd\u5b89\u53ca\u7db2\u7d61\u6709\u9650\u516c\u53f8","alternateName":"CyberSecThreat","url":"https:\/\/cybersecthreat.com\/","logo":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/#local-main-organization-logo"},"image":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/#local-main-organization-logo"},"sameAs":["https:\/\/www.facebook.com\/cybersecthreat","https:\/\/x.com\/cybersecthreat","https:\/\/www.linkedin.com\/company\/cybersecthreat-corporation-limited"],"description":"CyberSecThreat, headquartered in Taiwan, is a Cybersecurity solutions provider that offers cutting-edge Cybersecurity solutions including Cyber Threat Intelligence (CTI), Security Orchestration, Automation, and Response (SOAR), UBA\/UEBA, DFIR, and CyberSecurity consulting. CyberSecThreat was awarded as Top 10 Cyber Security Companies of 2022 in APAC CIO Outlook\u2019s Cyber Security Edition. We position ourselves as one of the most comprehensive players in the most advanced high-end marketplace with our highly customizable cybersecurity solutions. CyberSecThreat has been committed to contributing to the CyberSecurity industry and assisting our global clients to improve their CyberSecurity posture. With our global partners and experts, we can deliver a wide range of world-class services to our global clients including vCISO, SOC consulting, Splunk consulting, red team, blue team, and AppSec consulting. CyberSecThreat Research Lab, which is led by our founder Kelvin Yip, is a subdivision that focuses on researching Cyber Warfare, Cyber Influence Operation\/Cognitive Domain Warfare (including Disinformation, Propaganda, and psychological manipulation), the latest Cybersecurity trends, and threats that organizations face today as well as technology innovation. With decades of Cybersecurity and technology experience, our teams of experts carry out research and experiment, bringing it to the real world. When things come to the real world and production environment, it is more complicated than our imagination. Let us worry about it because this is our mission! Our vision: NextGen safe digital life, and our mission is to Transform Security Into Real World.","legalName":"CyberSecThreat Corporation Limited.","foundingDate":"2021-01-23","address":{"@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/#local-main-place-address"},"geo":{"@type":"GeoCoordinates","latitude":"25.0600452","longitude":"121.4594381"},"telephone":["(+886) 02 - 77527628"],"openingHoursSpecification":[{"@type":"OpeningHoursSpecification","dayOfWeek":["Monday","Tuesday","Wednesday","Thursday","Friday","Saturday","Sunday"],"opens":"09:00","closes":"18:00"}],"email":"info@cybersecthreat.com","areaServed":"Taiwan"},{"@type":"Person","@id":"https:\/\/cybersecthreat.com\/#\/schema\/person\/4787dde06da74fa66cb5e92e481b0f98","name":"Kelvin Yip","image":{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/91aef1abe820d485df4dc03c80c4bab5b129b723fea7002f20904634c1042d21?s=96&d=mm&r=g","caption":"Kelvin Yip"},"sameAs":["https:\/\/cybersecthreat.com"],"knowsAbout":["CyberSecurity"],"knowsLanguage":["English","Chinese"],"jobTitle":"Founder, CEO","url":"https:\/\/cybersecthreat.com\/zh\/author\/kelvinyip-m\/"},{"@type":"PostalAddress","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/#local-main-place-address","streetAddress":"9 F.-A6, No. 601, Siyuan Rd., Xinzhuang Dist., New Taipei City 242032, Taiwan (R.O.C.)","addressLocality":"New Taipei City","postalCode":"242032","addressRegion":"Taiwan","addressCountry":"TW"},{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/cybersecthreat.com\/2020\/07\/08\/powershell-core-logging\/#local-main-organization-logo","url":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2023\/12\/CyberSecThreat_website-site-logo-_164x164-min.png","contentUrl":"https:\/\/cybersecthreat.com\/wp-content\/uploads\/2023\/12\/CyberSecThreat_website-site-logo-_164x164-min.png","width":164,"height":164,"caption":"CyberSecThreat Corporation Limited."}]},"geo.placename":"New Taipei City","geo.position":{"lat":"25.0600452","long":"121.4594381"},"geo.region":"Taiwan"},"taxonomy_info":{"category":[{"value":42,"label":"Blue Team"},{"value":43,"label":"Incident Response"},{"value":28,"label":"PowerShell"},{"value":45,"label":"Threat Hunting"}],"post_tag":[{"value":21,"label":"Blue Team"},{"value":19,"label":"Incident Response"},{"value":29,"label":"PowerShell"},{"value":30,"label":"Threat Hunting"}]},"featured_image_src_large":["https:\/\/cybersecthreat.com\/wp-content\/uploads\/2020\/07\/pwsh_encode.png",979,512,false],"author_info":{"display_name":"Kelvin Yip","author_link":"https:\/\/cybersecthreat.com\/zh\/author\/kelvinyip-m\/"},"comment_info":0,"category_info":[{"term_id":42,"name":"Blue Team","slug":"blue-team","term_group":0,"term_taxonomy_id":42,"taxonomy":"category","description":"","parent":0,"count":14,"filter":"raw","cat_ID":42,"category_count":14,"category_description":"","cat_name":"Blue Team","category_nicename":"blue-team","category_parent":0},{"term_id":43,"name":"Incident Response","slug":"incident-response","term_group":0,"term_taxonomy_id":43,"taxonomy":"category","description":"","parent":0,"count":5,"filter":"raw","cat_ID":43,"category_count":5,"category_description":"","cat_name":"Incident Response","category_nicename":"incident-response","category_parent":0},{"term_id":28,"name":"PowerShell","slug":"powershell","term_group":0,"term_taxonomy_id":28,"taxonomy":"category","description":"","parent":0,"count":3,"filter":"raw","cat_ID":28,"category_count":3,"category_description":"","cat_name":"PowerShell","category_nicename":"powershell","category_parent":0},{"term_id":45,"name":"Threat Hunting","slug":"threat-hunting","term_group":0,"term_taxonomy_id":45,"taxonomy":"category","description":"","parent":0,"count":3,"filter":"raw","cat_ID":45,"category_count":3,"category_description":"","cat_name":"Threat Hunting","category_nicename":"threat-hunting","category_parent":0}],"tag_info":[{"term_id":21,"name":"Blue Team","slug":"blue-team","term_group":0,"term_taxonomy_id":21,"taxonomy":"post_tag","description":"","parent":0,"count":13,"filter":"raw"},{"term_id":19,"name":"Incident Response","slug":"incident-response","term_group":0,"term_taxonomy_id":19,"taxonomy":"post_tag","description":"","parent":0,"count":6,"filter":"raw"},{"term_id":29,"name":"PowerShell","slug":"powershell","term_group":0,"term_taxonomy_id":29,"taxonomy":"post_tag","description":"","parent":0,"count":3,"filter":"raw"},{"term_id":30,"name":"Threat Hunting","slug":"threat-hunting","term_group":0,"term_taxonomy_id":30,"taxonomy":"post_tag","description":"","parent":0,"count":3,"filter":"raw"}],"_links":{"self":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts\/135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/comments?post=135"}],"version-history":[{"count":0,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/posts\/135\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/media\/368"}],"wp:attachment":[{"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/media?parent=135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/categories?post=135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecthreat.com\/zh\/wp-json\/wp\/v2\/tags?post=135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}