
March 24, 2016 at 10:36 am

We are looking to add all PowerShell command line events to the Windows Event Logs, i.e. a bad guy tries to run PowerShell Empire etc. We found an article that talks about adding this:
Add the below lines to %windir%\system32\WindowsPowerShell\v1.0\profile.ps1; this is for all users of the computer and for all shells.
$LogCommandHealthEvent = $true
$LogCommandLifeCycleEvent = $true

from
http://angrypackets.blogspot.com/2016/01/powershell-command-line-to-elsa.html

But someone was telling me newer versions of PowerShell automatically log commands to the event logs?

March 25, 2016 at 10:58 am

Enhanced logging is available in PowerShell 5 and via a patch for PowerShell 4. There is a nice overview here: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

April 13, 2016 at 6:16 am

To access event logs, Windows PowerShell comes with the Get-EventLog cmdlet.
For adding all PowerShell command line events to the Windows Event Logs, this tutorial might help. I read this: http://eventlogxp.com/blog/exporting-event-logs-with-windows-powershell/
Thanks
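As an added example (not code from any of the posts above or from the linked articles), the script below ties the two replies together: it checks whether the PowerShell 5 policy-based logging from the FireEye overview is enabled on the machine, reports the per-session profile.ps1 preference variables from the first post, and then reads the resulting events back with Get-WinEvent. The registry paths and event IDs are the documented Windows ones; the Hours look-back parameter is an assumption of this example.

```powershell
# Added example, not from the thread. Audits PowerShell logging policy and
# pulls the events it produces. $Hours is an assumed look-back parameter.
param([int]$Hours = 24)

# Group Policy registry locations for PowerShell 5 enhanced logging.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$checks = @(
    @{ Key = 'ScriptBlockLogging'; Value = 'EnableScriptBlockLogging' },
    @{ Key = 'ModuleLogging';      Value = 'EnableModuleLogging' },
    @{ Key = 'Transcription';      Value = 'EnableTranscripting' }
)

foreach ($c in $checks) {
    $path = Join-Path $policyRoot $c.Key
    $enabled = $false
    if (Test-Path $path) {
        $prop = Get-ItemProperty -Path $path -Name $c.Value -ErrorAction SilentlyContinue
        if ($prop -and $prop.($c.Value) -eq 1) { $enabled = $true }
    }
    '{0,-20} {1}' -f $c.Key, $(if ($enabled) { 'ENABLED' } else { 'not set' })
}

# The profile.ps1 variables from the first post are per-session preferences
# (a profile sets them for every session that loads it), so report what this
# session sees.
'LogCommandLifecycleEvent (this session): {0}' -f $LogCommandLifecycleEvent
'LogCommandHealthEvent    (this session): {0}' -f $LogCommandHealthEvent

# Script block (4104) and module logging (4103) land in the Operational log;
# the legacy lifecycle variable writes Command started/stopped (500/501) to
# the classic "Windows PowerShell" log. @() keeps empty results as empty arrays.
$since  = (Get-Date).AddHours(-$Hours)
$events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104; StartTime = $since
    } -ErrorAction SilentlyContinue) +
    @(Get-WinEvent -FilterHashtable @{
        LogName = 'Windows PowerShell'; Id = 500, 501; StartTime = $since
    } -ErrorAction SilentlyContinue)

# First line of each message is enough to spot what was run and by which engine.
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Run it from an elevated prompt, since reading the Operational log and the Policies key normally requires administrator rights.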