FACTS & FINDINGS #007: PowerShell Logging Not Enabled

PowerShell continues to be a great tool utilized by systems administrators and attackers alike. Many times on an engagement we can accomplish privilege escalation and/or lateral movement by living off the land, without any external tooling, all thanks to PowerShell.

Why this matters.

Comprehensive logging is a critical component of the incident response process. In the event of a breach, the ability to reconstruct actions taken by an attacker is critical to understanding the extent of attacker activities and the scope of affected systems. Modern attackers are incorporating PowerShell into all aspects of their attacks. Enabling PowerShell event logging allows incident responders to identify the actions taken by attackers and allows responders to quickly identify the results of those actions.

What you should do.

Red Siege recommends that all organizations configure Windows systems to capture PowerShell events. Specifically, enable PowerShell Module Logging, Script Block Logging, and Transcription Logging. PowerShell logging configuration changes can be made using the Group Policy Editor management console as described by FireEye. In the Group Policy Editor, navigate to Administrative Templates > Windows Components > Windows PowerShell.

Test Yourself.

You can verify PowerShell is properly logging by reviewing the Windows PowerShell event logging configuration in the Group Policy Management console. PowerShell events should be visible in the event log.
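An added check, not part of the original post and not Red Siege's own tooling: a PowerShell script that reads the machine-policy registry values Group Policy writes for the three settings above and then looks for the events they should produce. It assumes an elevated session on the host under review and checks only HKLM (machine policy), not per-user policy.

```powershell
# Added verification script; not from the original post. Run elevated on the
# host being checked. Reads the machine policy values Group Policy writes for
# the three logging settings, then confirms matching events are being recorded.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

$checks = @(
    @{ Name = 'Module Logging';       Key = "$base\ModuleLogging";      Value = 'EnableModuleLogging' }
    @{ Name = 'Script Block Logging'; Key = "$base\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging' }
    @{ Name = 'Transcription';        Key = "$base\Transcription";      Value = 'EnableTranscripting' }
)

foreach ($c in $checks) {
    $item    = Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue
    $enabled = ($null -ne $item) -and ($item.($c.Value) -eq 1)
    Write-Output ('{0,-22} {1}' -f $c.Name, $(if ($enabled) { 'ENABLED' } else { 'NOT ENABLED' }))
}

# Module logging records only the modules listed under ModuleNames ('*' = all).
# An empty list means nothing is logged even when EnableModuleLogging is 1.
$modNames = Get-Item -Path "$base\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
if ($modNames -and $modNames.Property.Count -gt 0) {
    Write-Output ('Module names logged: ' + ($modNames.Property -join ', '))
} else {
    Write-Output 'Module names logged: (none configured)'
}

# Transcripts are plain text files; a central, access-controlled directory is
# preferable to the default of each user's own Documents folder.
$transcript = Get-ItemProperty -Path "$base\Transcription" -ErrorAction SilentlyContinue
if ($transcript.OutputDirectory) {
    Write-Output ('Transcript directory: ' + $transcript.OutputDirectory)
} else {
    Write-Output 'Transcript directory: not set (defaults to each user''s Documents folder)'
}

# Script block logging writes event ID 4104 and module logging writes 4103 to
# Microsoft-Windows-PowerShell/Operational; running this script yields a 4104 itself.
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue
if ($events) {
    foreach ($g in ($events | Group-Object Id)) {
        $newest = ($g.Group | Select-Object -First 1).TimeCreated
        Write-Output ('Event ID {0}: {1} recent event(s), newest at {2}' -f $g.Name, $g.Count, $newest)
    }
} else {
    Write-Output 'No 4103/4104 events found: logging is not working or the log was cleared.'
}
```

A setting can show ENABLED while the Operational log stays empty when the log has been cleared or its size limit is too small, so the event check matters as much as the registry check.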


Need Penetration Testing and Red Team services or Offensive Training?

Contact Red Siege Today: [email protected]

If you would like to learn more about the services we offer, please visit our website: https://redsiege.com

Red Siege is one of the most trusted information security consulting firms in the industry that concentrates on the latest threats to organizations today. We perform in-depth analysis, determine organization/business risk, and find the vulnerabilities before the bad guys do. The Red Siege team of trained, qualified and experienced information security experts is led by one of the most recognized names in the industry, our CEO Tim Medin.
