PowerShell logging capability > 5.0

4 June 2018

https://www.asd.gov.au/publications/protect/Securing_PowerShell.pdf

Actions Logged: Module/Pipeline Logging
Group policy: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell\Turn on Module Logging
Values: Module Names: *

Actions Logged: Script Block Tracing
Group policy: Computer Configuration\Preferences\Windows Settings\Registry
Values: HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging = 1 (DWORD)

Actions Logged: Transcripting
Group policy: Computer Configuration\Preferences\Windows Settings\Registry
Values:
    HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting = 1 (DWORD)
    HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\OutputDirectory = <transcriptfolder> (SZ)
    HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\EnableInvocationHeader = 1 (DWORD)
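
To check a host against the values listed above, the following read-only audit is an added example and is not taken from the ASD publication. The ModuleLogging registry names (EnableModuleLogging and the ModuleNames subkey) are the values the Turn on Module Logging policy writes; they are not listed on this page.

```powershell
# Added example: audit the PowerShell logging policy values listed above.
# Read-only; it reports each value and whether it matches the expected setting.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# ScriptBlockLogging and Transcription entries come from the page.
# ModuleLogging entries are what "Turn on Module Logging" (Module Names: *)
# writes to the registry; they are not listed on the page.
$expected = @(
    @{ Key = 'ModuleLogging';             Name = 'EnableModuleLogging';      Want = 1 }
    @{ Key = 'ModuleLogging\ModuleNames'; Name = '*';                        Want = '*' }
    @{ Key = 'ScriptBlockLogging';        Name = 'EnableScriptBlockLogging'; Want = 1 }
    @{ Key = 'Transcription';             Name = 'EnableTranscripting';      Want = 1 }
    @{ Key = 'Transcription';             Name = 'EnableInvocationHeader';   Want = 1 }
    @{ Key = 'Transcription';             Name = 'OutputDirectory';          Want = $null }  # any non-empty path
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Get-Item + GetValue reads the value name literally, so '*' is not
    # expanded as a wildcard the way Get-ItemProperty -Name would treat it.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name, $null)
}

$results = foreach ($e in $expected) {
    $actual = Get-PolicyValue -Path (Join-Path $base $e.Key) -Name $e.Name
    if ($null -eq $e.Want) {
        # OutputDirectory: the page gives <transcriptfolder>, so accept any non-empty string
        $ok = -not [string]::IsNullOrWhiteSpace([string]$actual)
    } else {
        $ok = ($null -ne $actual) -and ($actual -eq $e.Want)
    }
    [pscustomobject]@{
        Key       = $e.Key
        Name      = $e.Name
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        Compliant = $ok
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or compliance scan flag the host.
$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) PowerShell logging setting(s) missing or wrong"
    exit 1
}
```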