Over the past few months, I’ve talked to a number of clients who were interested in bringing Windows PowerShell transcription logs into Splunk. One challenge with this log source is that it isn’t the easiest to enable, especially since transcription isn’t turned on by default in Windows. The logs also aren’t the easiest to work with–a lot of the information I ran into while working through this project ended up being inaccurate or incomplete.
My goal in this tutorial is to simplify the process of enabling PowerShell transcription logging and demonstrate how to get this data into Splunk. I can’t say this process is perfect, and I know that there will be areas of improvement, but I hope it will be helpful.
Using PowerShell to make things easier
Last year when planning the National Collegiate Penetration Testing Competition (@NationalCPTC), I posed a challenge to our research and monitoring team–we needed a scripted mechanism for enabling several types of logging, including PowerShell transcription logs. Tim Ip took on this challenge and produced several of the scripts that we used in the final environment build. He has made these tools available on GitHub.
For this example, I’m using one of the Windows 10 OVAs in my demo, which you may want to download. We’ll also be using the powershell_logging.ps1 script.
This script is a standalone method for enabling transcription logging and writing the transcript files to C:\pstrans\. If you need to write the output elsewhere, the script can be modified accordingly. If you’re not comfortable downloading random scripts from the Internet and running them on your computers and servers (and you probably shouldn’t be), feel free to deconstruct this script and modify it to your specifications and needs.
Running the script
For our audio-visual learners, I’ve created a video demo walking you through how to get everything set up in Windows to write log files. You may view the demo below.
This PowerShell script makes registry changes and must be run as an administrator. Start by searching for PowerShell, right-click the icon, and choose “Run as administrator” (feel free to use another method to accomplish this if you prefer).
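To show what those registry changes amount to, here is an added example (my own illustration, not the powershell_logging.ps1 script from the page) that enables transcription through the documented policy-backed registry values and writes transcripts to the page’s C:\pstrans\ path; the registry path and value names are the ones the “Turn on PowerShell Transcription” policy uses, and everything else is assumed for the example.

```powershell
# Added example, not the page's powershell_logging.ps1: enable PowerShell
# transcription via the same policy registry key that Group Policy would set.
# Assumptions: the policy key and value names below are the documented
# "Turn on PowerShell Transcription" settings; C:\pstrans is the page's path.
#Requires -RunAsAdministrator

$TranscriptDir = 'C:\pstrans'
$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'

# Create the output directory if it does not exist yet.
if (-not (Test-Path -Path $TranscriptDir)) {
    New-Item -Path $TranscriptDir -ItemType Directory | Out-Null
}

# Create the policy key; -Force makes this a no-op if it already exists.
New-Item -Path $PolicyKey -Force | Out-Null

# EnableTranscripting = 1 turns transcription on for every new session.
# EnableInvocationHeader = 1 adds a timestamped header before each command,
# which makes the transcript far easier to parse once it reaches Splunk.
# OutputDirectory is where the per-day transcript folders are written.
Set-ItemProperty -Path $PolicyKey -Name 'EnableTranscripting'    -Value 1 -Type DWord
Set-ItemProperty -Path $PolicyKey -Name 'EnableInvocationHeader' -Value 1 -Type DWord
Set-ItemProperty -Path $PolicyKey -Name 'OutputDirectory'        -Value $TranscriptDir -Type String

# Read the values back so a misconfiguration is caught immediately
# instead of being discovered when no transcripts show up in Splunk.
$cfg = Get-ItemProperty -Path $PolicyKey
if ($cfg.EnableTranscripting -ne 1 -or $cfg.OutputDirectory -ne $TranscriptDir) {
    throw "Transcription policy was not applied as expected; check the values under $PolicyKey."
}

# Transcripts land in a yyyyMMdd subfolder of the output directory, one file
# per session, and only sessions started after this point are captured.
Write-Host "Transcription enabled. New PowerShell sessions will write to $TranscriptDir\<yyyyMMdd>\"
```

Because transcripts record every command and its output, treat the output directory as sensitive and restrict its ACL to administrators and the account that forwards the files to Splunk.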