Ingest PowerShell logs
in progress
Travis
Neil Philbrook
For the Essential 8 Maturity Level 2, it appears we are required to centrally log the transcripts of PowerShell executions.
The language used in the Essential 8 Maturity Model is:
"PowerShell module logging, script block logging and transcription events are centrally logged."
And in the Process Guide it's more specifically called out:
"Within the RSoP report, look for the ‘Turn on Module Logging’, ‘Turn on PowerShell Script Block Logging’ and ‘Turn on PowerShell Transcription’ settings at ‘Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell’. They should all be enabled. In addition, module logging should ideally be configured to log all modules (i.e. ‘*’), although an organisation may tailor this setting.
Finally, determine if these event logs are being centrally stored."
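As an added example (not part of the original post or any vendor's product), the check described above can be done locally before looking at central storage: the three GPO settings surface as registry values under the Policies hive, and the resulting events land in the Microsoft-Windows-PowerShell/Operational log. The script below reports the state of each setting (including whether module logging covers all modules via '*'), then reads the script block events (ID 4104) and reassembles blocks that were split across several events so the full text can be searched or shipped to a SIEM. The suspicious-pattern regex at the end is a constructed illustration, not a vetted detection rule.

```powershell
# Added example: audit PowerShell logging policy and collect script block events.
# Registry locations below are where the GPO settings are written; the policy hive
# is only populated when the setting is applied by Group Policy or equivalent.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PSLoggingPolicy {
    # Map each GPO setting name (as quoted in the Process Guide) to its registry value.
    $checks = @(
        @{ Name = 'Turn on Module Logging';                  Key = "$policyRoot\ModuleLogging";      Value = 'EnableModuleLogging' }
        @{ Name = 'Turn on PowerShell Script Block Logging'; Key = "$policyRoot\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging' }
        @{ Name = 'Turn on PowerShell Transcription';        Key = "$policyRoot\Transcription";      Value = 'EnableTranscripting' }
    )
    foreach ($c in $checks) {
        $enabled = $false
        if (Test-Path $c.Key) {
            $v = Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue
            $enabled = ($null -ne $v -and $v.($c.Value) -eq 1)
        }
        [pscustomobject]@{ Setting = $c.Name; Enabled = $enabled }
    }

    # Module logging is only useful for compliance if it covers all modules ('*').
    $moduleNamesKey = "$policyRoot\ModuleLogging\ModuleNames"
    $logsAllModules = $false
    if (Test-Path $moduleNamesKey) {
        $logsAllModules = (Get-Item $moduleNamesKey).GetValueNames() -contains '*'
    }
    [pscustomobject]@{ Setting = 'Module logging covers all modules (*)'; Enabled = $logsAllModules }
}

function Get-PSScriptBlocks {
    param([int]$MaxEvents = 500)
    # 4104 = script block logging. 4103 (module logging) lives in the same log.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    # Property order for 4104: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
    # Large blocks are split across several events sharing one ScriptBlockId;
    # reassemble them in MessageNumber order so the whole script is visible.
    $events | Group-Object -Property { $_.Properties[3].Value } | ForEach-Object {
        $parts = $_.Group | Sort-Object { [int]$_.Properties[0].Value }
        $first = $parts | Select-Object -First 1
        [pscustomobject]@{
            ScriptBlockId   = $_.Name
            TimeCreated     = $first.TimeCreated
            Path            = $first.Properties[4].Value
            Fragments       = $parts.Count
            ScriptBlockText = ($parts | ForEach-Object { $_.Properties[2].Value }) -join ''
        }
    }
}

# Usage: report policy state, then show reassembled blocks that match a
# constructed example pattern (not a tuned detection rule).
Get-PSLoggingPolicy | Format-Table -AutoSize

$suspicious = 'FromBase64String|Invoke-Expression|DownloadString|-EncodedCommand'
Get-PSScriptBlocks |
    Where-Object { $_.ScriptBlockText -match $suspicious } |
    Select-Object TimeCreated, Path, Fragments, ScriptBlockId |
    Format-Table -AutoSize
```

Run this in an elevated session on a host that has received the policy; a `False` in the first table means the setting is not applied locally, regardless of what the GPO says. For central storage, the same reassembled objects can be piped to `ConvertTo-Json` for an agent to ship, or the log itself can be forwarded with Windows Event Forwarding; the Essential 8 check is that the events exist somewhere off the endpoint, not just in the local log.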
Chris Bisnett marked this post as in progress
We're working to support ingest and parsing of PowerShell logs for module loading and script block logging. This should satisfy the Essential 8 and other compliance frameworks and will give us more telemetry to identify malicious activity.
Chris Bisnett merged in a post: Macro Executions
Anthony Rankine
Australian ACSC Essential 8 wants us to centrally log macro executions and PowerShell script executions. We are looking to replace Defender for Endpoint P2, which gives us the DeviceEvents table in the Advanced threat hunting schema. If we replace that P2 with Defender for Business and/or Huntress we will lose that data to query.
Anything we can do here to add this to SIEM or EDR?
Thanks.
Darren Djernes
Would be huge to be able to detect these and audit them.