category: ps_module
ID: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
Description
This logsource guide describes how to enable the necessary logging to make use of SIGMA rules that leverage the ps_module category.
Event Source(s)
PowerShell 5
Provider: Microsoft-Windows-PowerShell
GUID: {a0c1853b-5c40-4b15-8766-3cf1c58f985a}
Channel: Microsoft-Windows-PowerShell/Operational
EventID: 4103
PowerShell 7
Provider: PowerShellCore
GUID: {f90714a8-5509-434a-bf6d-b1624c8a19a2}
Channel: PowerShellCore/Operational
EventID: 4103
Logging Setup
Provider: Microsoft-Windows-PowerShell
- Event Volume: TBD
- EventID(s): 4103
If you're using gpedit.msc or a similar policy editor, you can enable logging for this category by following the structure below:
- Computer Configuration
- Administrative Templates
- Windows Components
- Windows PowerShell
- Turn On Module Logging
- Select List Of Modules According To Your Audit Policy (or use '*' to select all modules)
Provider: PowerShellCore
- Event Volume: TBD
- EventID(s): 4103
If you're using gpedit.msc or a similar policy editor, you can enable logging for this category by following the structure below:
- Computer Configuration
- Administrative Templates
- PowerShell Core
- Turn On Module Logging
- Select List Of Modules According To Your Audit Policy (or use '*' to select all modules)
Note
By default, the PowerShell 7 logging policy template is not available after installation. You can install it by running the PowerShell script shipped in the installation directory, InstallPSCorePolicyDefinitions.ps1.
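The Group Policy paths above write a handful of registry values under HKLM. The following is an added example, not part of this logsource guide, that sets those same values directly so module logging can be enabled on a non-domain host or from a baseline script, and then reads them back to confirm the policy is in place. The Windows PowerShell path is the one the built-in policy template writes; the PowerShellCore path is assumed from the PowerShell 7 template installed by InstallPSCorePolicyDefinitions.ps1 and should be checked against your environment. Run it from an elevated prompt.

```powershell
# Added example (not from the Sigma logsource guide): set the policy values behind
# "Turn On Module Logging" for both providers and verify them.
# The PowerShellCore key path is an assumption based on the PS7 policy template.

$targets = @(
    @{ Name = 'Microsoft-Windows-PowerShell'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' },
    @{ Name = 'PowerShellCore';               Key = 'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore\ModuleLogging' }
)

function Enable-ModuleLoggingPolicy {
    param(
        [Parameter(Mandatory)] [string] $Key,
        # '*' is the "select all modules" option from the GPO; pass named modules
        # instead if your audit policy only wants a subset logged.
        [string[]] $Modules = @('*')
    )
    New-Item -Path $Key -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'EnableModuleLogging' -PropertyType DWord -Value 1 -Force | Out-Null

    # The GPO list box stores each module as a value whose name and data are both the module name.
    $names = Join-Path $Key 'ModuleNames'
    New-Item -Path $names -Force | Out-Null
    foreach ($m in $Modules) {
        New-ItemProperty -Path $names -Name $m -PropertyType String -Value $m -Force | Out-Null
    }
}

function Test-ModuleLoggingPolicy {
    param([Parameter(Mandatory)] [string] $Key)
    $enabled = (Get-ItemProperty -Path $Key -Name 'EnableModuleLogging' -ErrorAction SilentlyContinue).EnableModuleLogging
    $mods    = Get-Item -Path (Join-Path $Key 'ModuleNames') -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key     = $Key
        Enabled = ($enabled -eq 1)
        Modules = if ($mods) { $mods.GetValueNames() } else { @() }
    }
}

foreach ($t in $targets) {
    Enable-ModuleLoggingPolicy -Key $t.Key
    Test-ModuleLoggingPolicy   -Key $t.Key
}
```

Module logging with '*' is verbose on busy hosts (the guide lists the volume as TBD); if you scope the list to specific modules, remember that ps_module rules written against an arbitrary cmdlet will only fire for modules in that list.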
Event Fields
Provider: Microsoft-Windows-PowerShell / EventID: 4103 (PowerShell 5)
- ContextInfo
- UserData
- Payload
Provider: PowerShellCore / EventID: 4103 (PowerShell 7)
- ContextInfo
- UserData
- Payload
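Both providers emit 4103 with the same three EventData fields listed above. The following is an added example, not from this guide, that extracts ContextInfo, UserData and Payload from a 4103 event and breaks the "Key = Value" lines inside ContextInfo into the command name, command type, script name and user that ps_module rules typically match on. The XML sample is constructed for offline use and is not a captured event; the Get-PsModuleEvent function runs the same parser over live events from both channels.

```powershell
# Added example (not from the Sigma logsource guide): parse the 4103 EventData fields.

function ConvertFrom-PsModuleEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] [xml] $EventXml)
    process {
        # Collect EventData/Data elements by their Name attribute (ContextInfo, UserData, Payload)
        $data = @{}
        foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # ContextInfo is a multi-line block of "Key = Value" pairs
        $ctx = @{}
        foreach ($line in ([string]$data['ContextInfo'] -split "`r?`n")) {
            if ($line -match '^\s*(?<k>[^=]+?)\s*=\s*(?<v>.*)$') { $ctx[$Matches.k] = $Matches.v.Trim() }
        }

        $eid = $EventXml.Event.System.EventID
        if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.'#text' }

        [pscustomobject]@{
            Provider    = $EventXml.Event.System.Provider.Name
            EventId     = [int]$eid
            CommandName = $ctx['Command Name']
            CommandType = $ctx['Command Type']
            ScriptName  = $ctx['Script Name']
            User        = $ctx['User']
            Payload     = $data['Payload']
            UserData    = $data['UserData']
        }
    }
}

function Get-PsModuleEvent {
    # Live query over both channels named in the guide; missing channels are skipped silently
    param([int] $MaxEvents = 50)
    foreach ($log in 'Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4103 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            ForEach-Object { [xml]$_.ToXml() } | ConvertFrom-PsModuleEvent
    }
}

# Constructed sample in the shape of a PowerShell 5 4103 event (not a real capture)
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}"/>
    <EventID>4103</EventID>
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
  </System>
  <EventData>
    <Data Name="ContextInfo">        Severity = Informational
        Host Name = ConsoleHost
        Command Name = Get-Process
        Command Type = Cmdlet
        Script Name = C:\constructed\sample.ps1
        User = CONSTRUCTED\analyst</Data>
    <Data Name="UserData"></Data>
    <Data Name="Payload">CommandInvocation(Get-Process): "Get-Process"
ParameterBinding(Get-Process): name="Name"; value="explorer"</Data>
  </EventData>
</Event>
'@

# Offline check: should show CommandName Get-Process, CommandType Cmdlet, User CONSTRUCTED\analyst
$sample | ConvertFrom-PsModuleEvent | Format-List

# On a host with module logging enabled, the same parser works on real events:
# Get-PsModuleEvent -MaxEvents 10 | Format-Table Provider, CommandName, User, ScriptName
```

Payload carries the CommandInvocation and ParameterBinding lines, so a rule that needs argument values (not just the cmdlet name) must match on Payload rather than on ContextInfo.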