sigma-rules/docs/audit_policies/windows/audit_powershell_scriptblock.md
Jonhnathan a2bf7f088d [Security Content] Windows Setup Guides - WinEventLog & Sysmon (#5162)
* [Security Content] Windows Setup Guides

* Move it to the right folder

* Fix link

* test

* ++

* ++

* ++

* ++

* ++

* ++

* ++

* ++

* Fix links

* ++

* ++

* Update pyproject.toml

* Update docs/audit_policies/windows/sysmon_eventid1_process_creation.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update docs/audit_policies/windows/audit_powershell_scriptblock.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update pyproject.toml

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-11-14 09:22:31 -08:00


Audit PowerShell Script Block

Setup

Some detection rules require PowerShell Script Block Logging to be enabled so that the content of each processed script block is recorded in the Windows Event Log.

To collect these logs with the Windows integration, select the PowerShell Operational channel on the integration setup page.

Enable Audit Policy via Group Policy

To enable PowerShell Script Block Logging across a group of servers using Active Directory Group Policy, enable the Turn on PowerShell Script Block Logging policy at the following path in the Group Policy editor:

Computer Configuration >
Administrative Templates >
Windows PowerShell >
Turn on PowerShell Script Block Logging (Enable)

Enable Audit Policy via Registry

On servers that are not domain joined, set the EnableScriptBlockLogging registry value (REG_DWORD) to 1 under the ScriptBlockLogging policy key. Example command:

reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
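The same change done from PowerShell, with a read-back check that confirms the value actually took effect. This is an added example, not part of the original guide; it writes the same policy key and value as the reg add command above and assumes an elevated session on a non-domain-joined host (on a domain-joined host the GPO path above wins over a locally written value).

```powershell
# Added example (not the guide's own code): set and verify the
# EnableScriptBlockLogging value written by the reg add command above.
# Assumes an elevated PowerShell session on a non-domain-joined host.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Enable-ScriptBlockLogging {
    # Create the policy key if it does not exist yet; -Force also creates
    # any missing parent keys.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # A REG_DWORD value of 1 turns Script Block Logging on (event 4104).
    New-ItemProperty -Path $KeyPath -Name 'EnableScriptBlockLogging' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-ScriptBlockLogging {
    # Returns $true only when the key exists and the value is exactly 1.
    if (-not (Test-Path -Path $KeyPath)) { return $false }
    $value = (Get-ItemProperty -Path $KeyPath -Name 'EnableScriptBlockLogging' `
        -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    return ($value -eq 1)
}

Enable-ScriptBlockLogging
if (Test-ScriptBlockLogging) {
    Write-Output "Script Block Logging is enabled at $KeyPath"
} else {
    Write-Warning "Script Block Logging is NOT enabled; check permissions and rerun elevated"
}
```

Test-ScriptBlockLogging is also useful on its own as a fleet-wide compliance check: a host where it returns $false will not produce the 4104 events the detection rules depend on, however the collector is configured.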

Event IDs

When this audit policy is enabled, the following event IDs may be generated in the Microsoft-Windows-PowerShell/Operational log:

  • 4104: Script block execution.
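To see what the collector will actually receive, the following added example (not code from the original guide) reads recent 4104 events from the Microsoft-Windows-PowerShell/Operational log and reassembles script blocks that Windows split across several events. The EventData field names (ScriptBlockText, ScriptBlockId, MessageNumber, MessageTotal, Path) are those of the real 4104 event; the -MaxEvents value and the sample keyword filter at the end are illustrative choices.

```powershell
# Added example (not the guide's own code): collect 4104 events and rebuild
# multi-part script blocks. Long scripts are logged as MessageTotal fragments
# that share one ScriptBlockId; a detection that looks at single fragments
# can miss content that only appears once the parts are joined.

function Get-ScriptBlockEvents {
    param([int]$MaxEvents = 200)   # example cap; raise as needed

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # Read named EventData fields from the XML instead of parsing the
        # rendered message text, which is locale dependent.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated     = $evt.TimeCreated
            ScriptBlockId   = $data['ScriptBlockId']
            MessageNumber   = [int]$data['MessageNumber']
            MessageTotal    = [int]$data['MessageTotal']
            Path            = $data['Path']            # empty for interactive input
            ScriptBlockText = $data['ScriptBlockText']
        }
    }
}

function Join-ScriptBlocks {
    # Group fragments by ScriptBlockId and concatenate them in MessageNumber
    # order. Complete is $false when some fragments fell outside the window.
    param([object[]]$Events)

    $Events | Group-Object -Property ScriptBlockId | ForEach-Object {
        $parts = @($_.Group | Sort-Object -Property MessageNumber)
        [pscustomobject]@{
            ScriptBlockId = $_.Name
            TimeCreated   = $parts[0].TimeCreated
            Path          = $parts[0].Path
            Fragments     = $parts.Count
            Complete      = ($parts.Count -eq $parts[0].MessageTotal)
            Text          = ($parts.ScriptBlockText -join '')
        }
    }
}

# Example usage: list reassembled blocks whose text contains a sample keyword
# (the pattern is a placeholder; a real rule would carry its own logic).
$blocks = Join-ScriptBlocks -Events (Get-ScriptBlockEvents -MaxEvents 500)
$blocks |
    Where-Object { $_.Text -match 'Invoke-Expression' } |
    Select-Object TimeCreated, Path, Fragments, Complete,
        @{ n = 'Preview'; e = { $_.Text.Substring(0, [Math]::Min(120, $_.Text.Length)) } } |
    Format-Table -AutoSize
```

If Get-ScriptBlockEvents returns nothing on a host where logging was just enabled, open a new PowerShell session first: the policy is read when the engine starts, so the session that set the registry value does not log its own script blocks.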

Use the following GitHub search to identify rules that use the events listed:

Elastic Detection Rules GitHub Repo Search