How to centralize PowerShell transcript logs

One of the logs that can trace an attacker’s activity is a transcript log. Transcript logs are basically an “over-the-shoulder” method of seeing what’s occurring in any given PowerShell session. It shows which commands the user is running and any output printed to the console. In this article, I will show how to centralize these logs for machines in Active Directory (AD) for further investigation if needed.

PowerShell has proven to be an efficient tool attackers can use for compromising machines. While legitimate system admins use PowerShell, it provides many benefits to attackers as well due to its ease of use. Thus, it is important keep an eye on all transcript logs in your network.

The problem

Using Group Policy, it is very simple to turn on transcript logs for any machine. You simply enable it and provide the path you want to send the logs to.

Group Policy for PowerShell transcripts

Group Policy for PowerShell transcripts

My initial thought was just to use a network share as the directory to centralize the logs easily. The issue with this setup is that PowerShell remoting sessions will not work by default due to the double-hop issue. (By default in PowerShell remoting, you cannot delegate credentials to access a network share.) This is something solvable with a workaround, but I didn’t feel it would be worthwhile just for capturing logs.

In addition, local user accounts would not have access to the share without providing permissions I did not feel comfortable applying. Moreover, any network disruption would cause a problem sending logs to a share.

What I ended up doing was creating a local folder on each machine and setting strict permissions so that any user (local or domain) only has write access and cannot read the contents. More importantly, an attacker would not have access to remove them. Then I copy the logs daily to a central folder only an admin can access.

Group Policy configuration

Outside of the PowerShell transcript setting I mentioned earlier, I configured a file system setting for sending local transcripts in Computer Configuration > Windows Settings > Security Settings > File System. I chose the folder C:\Windows\PSLogging and set the “Users” group to have just write permissions. I then added a domain security group—in my case “Security Admin”—to have read access for copying the transcripts.


Comments are closed.