
I want to track PowerShell commands which are executed by users in the intranet. How can I do this?

I need the user's information and their executed commands. Is it possible?

Edit 1: I guess I can use:

Set-PSDebug -Trace 1

How can I build a script which I can then deploy over the whole intranet? I also use an orchestrator.

Edit 2: I tried:

$created = Get-WinEvent -FilterHashtable @{ ProviderName="Microsoft-Windows-PowerShell"; Id = 4104 } #| Where-Object { $_.<...> }
$sortedScripts = $created | sort { $_.Properties[0].Value }
$mergedScript = -join ($sortedScripts | % { $_.Properties[2].Value })

And got this output:

DEBUG:    1+  >>>> $created = Get-WinEvent -FilterHashtable @{ ProviderName="Microsoft-Windows-PowerShell"; Id = 4104 }# | Where-Object { $_.<...> }
DEBUG:    2+  >>>> $sortedScripts = $created | sort { $_.Properties[0].Value }
DEBUG:    2+ $sortedScripts = $created | sort  >>>> { $_.Properties[0].Value }
DEBUG:    2+ $sortedScripts = $created | sort {  >>>> $_.Properties[0].Value }
DEBUG:    2+ $sortedScripts = $created | sort { $_.Properties[0].Value  >>>> }
DEBUG:    2+ $sortedScripts = $created | sort  >>>> { $_.Properties[0].Value }
DEBUG:    2+ $sortedScripts = $created | sort {  >>>> $_.Properties[0].Value }
DEBUG:    2+ $sortedScripts = $created | sort { $_.Properties[0].Value  >>>> }
DEBUG:    2+ $sortedScripts = $created | sort  >>>> { $_.Properties[0].Value }
DEBUG:    2+ $sortedScripts = $created | sort {  >>>> $_.Properties[0].Value }
DEBUG:    2+ $sortedScripts = $created | sort { $_.Properties[0].Value  >>>> }
DEBUG:    2+ $sortedScripts = $created | sort  >>>> { $_.Properties[0].Value }
DEBUG:    2+ $sortedScripts = $created | sort {  >>>> $_.Properties[0].Value }...

I commented out the pipeline code because I couldn't work out the "$_.<...>" parameter.

Edit 3: This works perfectly. First I wrote Microsoft's script block logging enable code block:

function Enable-PSScriptBlockLogging {
    [CmdletBinding()]
    param ()
    # Policy key that PowerShell 5+ reads to decide whether to write 4104 script block events
    $BasePath = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"

    if (-not (Test-Path $BasePath)) {
        Write-Verbose "ScriptBlockLogging registry key doesn't exist. Creating now."
        $null = New-Item $BasePath -Force

        Write-Verbose "Setting registry key value to 1 of type DWORD."
        $null = New-ItemProperty $BasePath -Name EnableScriptBlockLogging -Value "1" -PropertyType DWORD
    } else {
        # Read the current value (may be missing) and keep it only if it is already a DWORD (Int32)
        $current = (Get-ItemProperty -Path $BasePath -ErrorAction SilentlyContinue).EnableScriptBlockLogging
        if ($current -is [int]) {
            Write-Verbose "Key exists, updating value to 1."
            Set-ItemProperty $BasePath -Name EnableScriptBlockLogging -Value "1"
        } else {
            Write-Verbose "Key exists of wrong data type (or is missing), removing existing entry."
            Remove-ItemProperty $BasePath -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue

            Write-Verbose "Setting new registry key value to 1 of type DWORD."
            $null = New-ItemProperty $BasePath -Name EnableScriptBlockLogging -Value "1" -PropertyType DWORD
        }
    }
}

Then, when I open Event Viewer: gotcha! The logs show up perfectly. Now I need to manage these logs with PowerShell.

Umut Gür
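One way to pull the user and the reassembled script blocks out of the 4104 events with PowerShell, as an added example that is not part of the original question or any answer. It assumes script block logging is already enabled (as in Edit 3) and that the caller can read the Microsoft-Windows-PowerShell/Operational log on the local machine; the function name and its parameter are my own.

```powershell
# Added example, not code from the question or answers. Assumes script block
# logging is enabled (as in Edit 3) and the caller can read the
# Microsoft-Windows-PowerShell/Operational log on the local machine.
function Get-LoggedScriptBlock {
    [CmdletBinding()]
    param (
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Property layout of a 4104 event: [0] MessageNumber, [1] MessageTotal,
    # [2] ScriptBlockText, [3] ScriptBlockId, [4] Path. Long script blocks are
    # split over several events that share one ScriptBlockId, so group on it
    # and reassemble the parts in order.
    $events | Group-Object { $_.Properties[3].Value } | ForEach-Object {
        $parts = @($_.Group | Sort-Object { [int]$_.Properties[0].Value })
        $first = $parts[0]

        # UserId is the SID of the account that ran the code; translate it to
        # DOMAIN\user when the SID can be resolved, otherwise keep the SID.
        $user = "$($first.UserId)"
        if ($first.UserId) {
            try { $user = $first.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        }

        [pscustomobject]@{
            Time          = $first.TimeCreated
            Computer      = $first.MachineName
            User          = $user
            ScriptBlockId = $_.Name
            Path          = $first.Properties[4].Value
            Parts         = $parts.Count
            ScriptBlock   = -join ($parts | ForEach-Object { $_.Properties[2].Value })
        }
    }
}

# Usage: who ran Get-Credential or Out-File in the last day (the command
# names mentioned in the comments on this page).
Get-LoggedScriptBlock |
    Where-Object { $_.ScriptBlock -match 'Get-Credential|Out-File' } |
    Select-Object Time, User, Path, ScriptBlock |
    Format-Table -Wrap
```

Run it under the orchestrator on each host, or point Get-WinEvent at a forwarded-events collector, to cover the whole intranet.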

3 Answers


PowerShell Script Block Logging might be useful.

I haven't tried it yet, so I don't know how you can track user information, but it surely tracks the executed commands.

Here's a link to Microsoft Docs about how to enable it: Script Tracing and Logging. And here is another with broader information about auditing and logging: Practical PowerShell Security: Enable Auditing and Logging with DSC.

You can also just search the Internet for Script Block Logging.

рüффп
PatrikN
  • Thanks for your reply, I am reading that but I didn't get "<...>" in "| Where-Object { $_.<...> }" pipeline. – Umut Gür Feb 20 '18 at 13:01
  • Those three lines are a way to combine long scripts, if they can't fit in a single line. `<...>` is where you can put an expression, if you want to filter your output if you don't want to see all log entries, like entries containing specific words. Just a "normal" Where-Object expression/filter :-) Have you tried looking in **Event Viewer** (GUI) under **Microsoft-Windows-PowerShell/Operational**, if you can see the events there? – PatrikN Feb 20 '18 at 15:15
  • I tried using **Event Viewer** and I saw its logs don't have **Command Names** – Umut Gür Feb 21 '18 at 07:04
  • What do you mean with **Command Names**? Can you give an example of what (text) you can see? – PatrikN Feb 21 '18 at 15:15
  • For Example "Out-File" or "Get-Credential" – Umut Gür Feb 22 '18 at 06:21
  • So you see the output of these commands, but not the commands? Sorry if I'm confused. – PatrikN Feb 22 '18 at 13:32

PowerShell transcript logging records every single thing from each PowerShell session. This feature is available in PS version 5 and above. Please refer: here

Now, you can also use the Sysmon utility from Sysinternals. Please refer: here

schroeder
010 M

You can look for Windows Security EventID 4688: Process Created: https://www.siemaid.com/view-event.php?src=windows&eventid=4688

Combine this with "Include command line in process creation events" in the following group policy: Administrative Templates\System\Audit Process Creation

For more detail: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing

Lastly, you can look at using Sysmon, specifically EventID 1: Process creation. This event will also track subprocesses created by other programs.

mihiriath
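As an added example that is not part of this answer, a PowerShell query over the Security 4688 events described above, showing who started each PowerShell process and with which command line. It assumes the "Include command line in process creation events" policy is enabled and that the script runs elevated so it can read the Security log; the function name and parameter are my own.

```powershell
# Added example, not code from the answer. Assumes command-line process
# auditing is enabled (otherwise the CommandLine field is empty) and that the
# caller can read the Security log (run elevated).
function Get-PowerShellProcessStart {
    [CmdletBinding()]
    param (
        [datetime]$Since = (Get-Date).AddHours(-24)
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The named fields live in the event's XML <EventData>, so parse that
        # rather than relying on positional Properties indexes, which differ
        # between Windows versions.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Keep only PowerShell hosts (Windows PowerShell, PowerShell 7, ISE)
        if ($data['NewProcessName'] -match '\\(powershell|pwsh|powershell_ise)\.exe$') {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Computer      = $_.MachineName
                User          = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process       = $data['NewProcessName']
                ParentProcess = $data['ParentProcessName']   # present on Windows 10 / Server 2016 and later
                CommandLine   = $data['CommandLine']         # empty until the policy is enabled
            }
        }
    }
}

# Usage: surface launches that pass an encoded command or bypass the
# execution policy, which are worth a closer look in most environments.
Get-PowerShellProcessStart |
    Where-Object { $_.CommandLine -match '-enc|-ExecutionPolicy Bypass' } |
    Format-Table Time, User, ParentProcess, CommandLine -Wrap
```

Unlike the 4104 script block events, 4688 shows only the command line of the process, not the content of scripts it later loads, so the two sources complement each other.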