I'm looking for advice on how to monitor and log PowerShell scripts across all endpoints in my environment. I've already enabled module logging and script block logging, but I want to capture more detailed information like who ran the script and when. How do others manage their PowerShell logging effectively?
5 Answers
Your EDR platform can likely help with this issue. If you're not using one already, that should be your primary focus! There are numerous options available nowadays; we use CrowdStrike, and if you're in the Microsoft 365 ecosystem, Defender is a solid choice too. Huntress can also integrate with Defender and might cover what you need.
We’ve put a strict policy in place by not allowing non-admin users to execute PowerShell scripts, which is a solid start to minimize risks.
Can you explain how you enforce that policy?
We utilize ThreatLocker for our monitoring needs, which seems effective.
To enhance your logging setup, consider enabling Transcription, which captures the full console session, including timestamps and usernames. You can also integrate event and security logs. Using Group Policy, you can configure these settings to send all relevant information to a central location for easier browsing and auditing.
Just so you know, Transcription doesn’t log the PowerShell commands run through the terminal itself.
What are the best practices for ensuring that sensitive information like passwords doesn't end up in those logs? Just avoiding them isn't enough for junior admins!
Xcitium is pretty good for monitoring and logging purposes. I personally self-sign certificates, disallow remotely signed scripts, and only run scripts from a trusted network folder. Xcitium allows executing Python scripts through its EDR as well.
That sounds like security theater to me. What’s the reasoning behind it?