Configuring Windows PowerShell auditing

Windows PowerShell is a scripting language used to automate system tasks. The same capabilities let an attacker gather reconnaissance data, exfiltrate information, dump credentials, and more, often without writing a binary to disk. Tracking PowerShell activity is therefore imperative.

ADAudit Plus' PowerShell Auditing reports help track PowerShell processes that run in your environment along with the commands executed in them.

ADAudit Plus enables you to audit the following versions of PowerShell:

  1. PowerShell version 5.0
  2. PowerShell version 4.0

Configure PowerShell auditing in ADAudit Plus

To configure PowerShell auditing on a given target, the following components have to be configured in ADAudit Plus:

  Target               Components to configure in ADAudit Plus
  Domain controller    Domain and domain controller
  Windows server       Windows server

Configure audit policies in your domain

Audit policies must be configured so that PowerShell module and script block events are written to the Microsoft-Windows-PowerShell/Operational log whenever PowerShell activity occurs; ADAudit Plus can only report what Windows has logged.

Automatic configuration

Audit policies for PowerShell auditing can be enabled automatically from ADAudit Plus, with separate procedures for a domain controller and for a Windows server; follow the one that matches the target you are configuring.

Manual configuration

For module logging

  1. Log in to any computer that has the Group Policy Management Console (GPMC) with Domain Admin credentials.
  2. Open the GPMC and, based on your setup, right-click Default Domain Controllers Policy or ADAuditPlusMSPolicy, and select Edit.
  3. Note: Right-click Default Domain Controllers Policy to enable module logging on a domain controller, or ADAuditPlusMSPolicy to enable it on a Windows server.
  4. In the Group Policy Management Editor, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell. In the right pane, open Turn on Module Logging and select Enabled.
  5. In the Options pane, click Show. In the Module Names window, enter * to record all modules, then click OK. Module logging (event ID 4103) records pipeline execution details for every cmdlet invoked from the listed modules, so expect a substantial event volume when * is used.

For script block logging

Script block logging (event ID 4104) records the content of each script block as PowerShell executes it, including code that was obfuscated or generated at run time. It is available in PowerShell 5.0, and in 4.0 with KB3000850 installed.

  1. Log in to any computer that has the Group Policy Management Console (GPMC) with Domain Admin credentials.
  2. Open the GPMC and, based on your setup, right-click Default Domain Controllers Policy or ADAuditPlusMSPolicy, and select Edit.
  3. Note: Right-click Default Domain Controllers Policy to enable script block logging on a domain controller, or ADAuditPlusMSPolicy to enable it on a Windows server.
  4. In the Group Policy Management Editor, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell. In the right pane, open Turn on PowerShell Script Block Logging and select Enabled.
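The following script is an added example and is not part of the ADAudit Plus documentation. It checks on a target machine that the module logging and script block logging settings from the two procedures above have actually been applied, counts the resulting audit events, and proves script block logging works end to end by executing a uniquely tagged script block and finding it in the Operational log. It assumes an elevated PowerShell 5.x session on a host that has already refreshed Group Policy (gpupdate /force); the registry paths are the policy locations those GPO settings write to, and 4103 and 4104 are the event IDs Windows uses for module logging and script block logging respectively. The function names are the example's own.

```powershell
# Added example (not from the ADAudit Plus documentation): verify that the
# module logging and script block logging GPO settings took effect on this
# host, then prove script block logging works end to end.
# Assumptions: elevated PowerShell 5.x session; Group Policy already refreshed.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$LogName    = 'Microsoft-Windows-PowerShell/Operational'

function Get-PowerShellAuditState {
    # Reads the policy keys; a missing key simply yields $false for that setting.
    $module = Get-ItemProperty -Path "$PolicyRoot\ModuleLogging"             -ErrorAction SilentlyContinue
    $names  = Get-ItemProperty -Path "$PolicyRoot\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
    $script = Get-ItemProperty -Path "$PolicyRoot\ScriptBlockLogging"        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ModuleLoggingEnabled      = ($module.EnableModuleLogging -eq 1)
        # "Module Names" entries are stored as value names under ModuleNames;
        # the '*' entered in the GPO means every module is recorded.
        AllModulesLogged          = ($null -ne $names -and $names.PSObject.Properties.Name -contains '*')
        ScriptBlockLoggingEnabled = ($script.EnableScriptBlockLogging -eq 1)
    }
}

function Get-PowerShellAuditEventCount {
    param([int]$Hours = 24)
    # Counts recent 4103 (module logging) and 4104 (script block logging) events.
    # Caveat: even without the policy, Windows raises 4104 at Warning level for
    # script blocks matching its built-in suspicious patterns, so a handful of
    # 4104 events alone does not prove the policy is on.
    Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Id        = 4103, 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Group-Object Id | Select-Object Name, Count
}

function Test-ScriptBlockLogging {
    param([int]$TimeoutSeconds = 10)
    # Runs a script block carrying a unique marker, then looks for that marker
    # in a 4104 event. Event writing is asynchronous, so poll briefly.
    $marker = 'ADAP-SBL-TEST-' + [guid]::NewGuid().ToString('N')
    $block  = [scriptblock]::Create("Write-Output '$marker'")
    $null   = & $block

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $hit = Get-WinEvent -FilterHashtable @{
            LogName   = $LogName
            Id        = 4104
            StartTime = (Get-Date).AddMinutes(-5)
        } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like "*$marker*" } |
            Select-Object -First 1
        if ($hit) { return $true }
        Start-Sleep -Milliseconds 500
    } while ((Get-Date) -lt $deadline)
    return $false
}

$state = Get-PowerShellAuditState
$state | Format-List
if (-not $state.ModuleLoggingEnabled)      { Write-Warning 'Module logging policy is not applied on this host.' }
if (-not $state.ScriptBlockLoggingEnabled) { Write-Warning 'Script block logging policy is not applied on this host.' }

Get-PowerShellAuditEventCount -Hours 24 | Format-Table -AutoSize
"Script block logging verified end to end: $(Test-ScriptBlockLogging)"
```

Run it on a domain controller after linking the Default Domain Controllers Policy, and on a member server after linking ADAuditPlusMSPolicy. A $false result from Test-ScriptBlockLogging with ScriptBlockLoggingEnabled reported as $true usually means the Operational channel is disabled or full; check its state with Get-WinEvent -ListLog before revisiting the GPO.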

Configure log size

To set the maximum size of the PowerShell Operational log (Microsoft-Windows-PowerShell/Operational) to approximately 150 MB, follow the steps outlined below. The channel's default size is small, and with module and script block logging enabled it wraps quickly, losing events before ADAudit Plus can collect them.

  1. Log in to any computer that has the Group Policy Management Console (GPMC) with Domain Admin credentials.
  2. Open the GPMC and, based on your setup, right-click Default Domain Controllers Policy or ADAuditPlusMSPolicy, and select Edit.
  3. Note: Right-click Default Domain Controllers Policy to configure the log size on a domain controller, or ADAuditPlusMSPolicy to configure it on a Windows server.
  4. In the Group Policy Management Editor, go to Computer Configuration > Preferences > Windows Settings. Right-click Registry > New > Registry Item.
  5. In the New Registry Properties wizard: in the Action field, select Update from the drop-down; in the Hive field, select HKEY_LOCAL_MACHINE; in the Key Path field, enter SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell\Operational; in the Value name field, untick the Default check box and type MaxSize; in the Value type field, select REG_DWORD; in the Value data field, type 153616384 (a multiple of 64 KB, roughly 146.5 MiB); in the Base field, select Decimal; then click Apply.
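The following script is an added example and is not part of the ADAudit Plus documentation. It reads the effective configuration of the PowerShell Operational channel, confirms that the size set by the registry preference above has been applied, and shows how to apply the same size directly on a host outside the GPO's scope (a lab machine, for instance). It assumes an elevated PowerShell session; $TargetBytes is the value from step 5, which works out to 146.5 MiB (153.6 decimal MB), so "150 MB" is an approximation, and 157286400 would be exactly 150 MiB. The function names are the example's own.

```powershell
# Added example (not from the ADAudit Plus documentation): inspect and, where
# needed, set the maximum size of the PowerShell Operational channel.
# Assumptions: elevated PowerShell session; $TargetBytes matches the GPO value.

$LogName     = 'Microsoft-Windows-PowerShell/Operational'
$TargetBytes = 153616384          # 153616384 / 1MB = 146.5 MiB

function Get-PowerShellLogConfig {
    # Get-WinEvent -ListLog returns the channel's EventLogConfiguration object,
    # the same data that 'wevtutil gl' prints.
    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    [pscustomobject]@{
        LogName       = $log.LogName
        Enabled       = $log.IsEnabled
        LogMode       = $log.LogMode              # Circular: oldest events are overwritten when full
        MaxSizeBytes  = $log.MaximumSizeInBytes
        MaxSizeMiB    = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        CurrentMiB    = [math]::Round($log.FileSize / 1MB, 1)
        RecordCount   = $log.RecordCount
        MatchesPolicy = ($log.MaximumSizeInBytes -eq $TargetBytes)
    }
}

function Set-PowerShellLogMaxSize {
    param([Parameter(Mandatory)][long]$Bytes)
    # Event log sizes are managed in 64 KB units; keep the value a multiple of
    # 64 KB so that the size you set is the size you get.
    if ($Bytes % 64KB -ne 0) { throw "MaxSize must be a multiple of 64 KB; $Bytes is not." }
    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    $log.MaximumSizeInBytes = $Bytes
    $log.IsEnabled = $true            # nothing is recorded while the channel is disabled
    $log.SaveChanges()                # writes the same WINEVT\Channels\...\MaxSize value the GPO sets
}

$current = Get-PowerShellLogConfig
$current | Format-List
if (-not $current.MatchesPolicy) {
    Write-Warning "MaxSize is $($current.MaxSizeBytes) bytes, not the $TargetBytes bytes set by policy; check 'gpresult /r' on this host."
}

# Direct configuration for a host that does not receive ADAuditPlusMSPolicy:
# Set-PowerShellLogMaxSize -Bytes $TargetBytes
# (Get-PowerShellLogConfig).MaxSizeBytes    # should now equal $TargetBytes
```

On hosts that do receive the GPO, a value set with Set-PowerShellLogMaxSize is overwritten at the next policy refresh by the registry preference item, so change the GPO rather than the host when the size needs to differ permanently.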

Copyright © 2020, ZOHO Corp. All Rights Reserved.