- ID: DT055
- Created: 09th June 2024
- Updated: 10th February 2025
- Platform: Windows
- Contributors: The ITM Team, James Weston
PowerShell Logging
Detailed PowerShell logging is not enabled by default and must be configured.
PowerShell is able to record the processing of commands, script blocks, functions, and scripts, whether invoked interactively or through automation.
PowerShell logging can be enabled through Group Policy under: Administrative Templates → Windows Components → Windows PowerShell
There are three available logging types: Module Logging, Script Block Logging and Transcription.
Module Logging: Records pipeline execution details, such as variable initialisation and command invocations, capturing portions of scripts and some de-obfuscated code. This logging is available since PowerShell 3.0 and generates a large volume of events, providing valuable output not captured elsewhere. Events are written to Event ID 4103.
Module logging can be enabled by setting the following registry values:
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging
→ EnableModuleLogging = 1
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames
→ * = *
Script Block Logging: Captures blocks of code as they are executed, including de-obfuscated code, allowing visibility into the full contents of executed scripts and commands. This feature is available in PowerShell 5.0 and records events under Event ID 4104.
Script block logging can be enabled by setting the following registry values:
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
→ EnableScriptBlockLogging = 1
Transcription: Records the input and output of entire PowerShell sessions, providing a comprehensive record of all commands executed and their results.
Transcription logging can be enabled by setting the following registry values:
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription
→ EnableTranscripting = 1
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription
→ EnableInvocationHeader = 1
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription
→ OutputDirectory = ""
(Enter a path. Empty = default location)
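The registry values listed above can be applied and verified from an elevated PowerShell session. The following script is an added example and is not part of the ITM page: it writes the three sets of values, reads them back so configuration drift is visible, and pulls recent Event ID 4104 records from the Microsoft-Windows-PowerShell/Operational log so the resulting script block text can be reviewed. It assumes administrative rights to HKLM. Besides the Wow6432Node path documented on this page it also writes the same subkeys under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell, which is the path the Group Policy administrative template writes and that 64-bit Windows PowerShell reads; on domain-joined hosts, Group Policy remains the preferred way to set these so local changes are not overwritten.

```powershell
# Added example (not from the ITM page). Run as Administrator.
# The page documents the Wow6432Node path; the Group Policy ADMX writes the same
# subkeys under HKLM\SOFTWARE\Policies\... (no Wow6432Node). Both are written here.
$PolicyBases = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell',
    'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell'
)

function Set-RegValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PSLogging {
    # $TranscriptDir: leave empty to keep PowerShell's default transcript location
    param([string]$TranscriptDir = '')
    foreach ($base in $PolicyBases) {
        # Module logging (Event ID 4103) for all modules
        Set-RegValue "$base\ModuleLogging" 'EnableModuleLogging' 1 'DWord'
        Set-RegValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'
        # Script block logging (Event ID 4104)
        Set-RegValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1 'DWord'
        # Transcription of whole sessions, with an invocation header per command
        Set-RegValue "$base\Transcription" 'EnableTranscripting' 1 'DWord'
        Set-RegValue "$base\Transcription" 'EnableInvocationHeader' 1 'DWord'
        if ($TranscriptDir) {
            Set-RegValue "$base\Transcription" 'OutputDirectory' $TranscriptDir 'String'
        }
    }
}

function Test-PSLoggingConfig {
    # One row per expected value under each policy base; Ok = $false flags drift
    $checks = @(
        @{ Sub = 'ModuleLogging';      Name = 'EnableModuleLogging';      Expect = 1 },
        @{ Sub = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging'; Expect = 1 },
        @{ Sub = 'Transcription';      Name = 'EnableTranscripting';      Expect = 1 },
        @{ Sub = 'Transcription';      Name = 'EnableInvocationHeader';   Expect = 1 }
    )
    foreach ($base in $PolicyBases) {
        foreach ($c in $checks) {
            $path   = "$base\$($c.Sub)"
            $actual = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
            [pscustomobject]@{
                Path     = $path
                Name     = $c.Name
                Expected = $c.Expect
                Actual   = $actual
                Ok       = ($actual -eq $c.Expect)
            }
        }
    }
}

function Get-RecentScriptBlocks {
    param([int]$MaxEvents = 20)
    # Event 4104 carries the executed (de-obfuscated) code in the ScriptBlockText field
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = $_.UserId
                Path   = $data['Path']            # empty for interactive or in-memory blocks
                Script = $data['ScriptBlockText']
            }
        }
}

Enable-PSLogging
Test-PSLoggingConfig | Format-Table -AutoSize
Get-RecentScriptBlocks -MaxEvents 5 | Format-List
```

Because PowerShell reads these policy values at session start, open a new session after running Enable-PSLogging before expecting 4103/4104 events; Test-PSLoggingConfig can be scheduled on its own to confirm the settings have not been removed.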
Sections
| ID | Name | Description |
|---|---|---|
| AF002 | Clear Operating System Logs | A subject clears operating system logs to hide evidence of their activities. |
| AF001.001 | Clear PowerShell History | A subject clears PowerShell command history to prevent executed commands from being reviewed, disclosing information about the subject's activities. PowerShell stores command history in the context of a user account. This file is located at A subject can delete their own A subject may attempt to use the |
| AF002.001 | Clear Windows Event Logs | A subject clears Windows Event logs to conceal evidence of their activities. Windows Event Logs store various types of information, such as system errors, application events, security auditing messages, and other operational events. The logs are stored in Windows Event Logs can be cleared using the Event Viewer utility, provided the user account has administrative privileges. |
| AF018.001 | Endpoint Tripwires | A subject installs custom software or malware on an endpoint, potentially disguising it as a legitimate process. This software includes tripwire logic to monitor the system for signs of security activity. The tripwire software monitors various aspects of the endpoint to detect potential investigations: Upon detecting security activity, the tripwire can initiate various evasive responses: |