In some cases it is important to monitor every PowerShell command executed on a Windows server, because those logs can help us alert on possible attacks and lateral movement. For that reason, this post shows how to enable logging of PowerShell commands in the Windows Event Viewer and then use an agent to ship those logs for visualization.
Enabling PowerShell command logging in Event Viewer
We can enable these settings through an Active Directory environment or locally on the server. In this example it is done through AD using the GPO editor, under Administrative Templates → Windows Components → Windows PowerShell:
- Turn on Module Logging
- Turn on PowerShell Script Block Logging
Installing an agent to monitor Windows events with Elastic Stack
In this case, Elastic Agent was installed on the Windows server. For installation details, click here. Then, in Kibana, you have to create a policy that monitors these Windows channels: the Microsoft-Windows-PowerShell/Operational channel and the Windows PowerShell channel.
Testing that PowerShell commands are sent to Elastic Stack
Use this filter to see PowerShell commands in Kibana:
- event.provider: PowerShell
- powershell.command.value: exists
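Before relying on the Kibana filter, it is useful to confirm on the server itself that the two GPO settings have applied and that events are being written. The script below is an added example, not part of the original post: it reads the policy registry values that the two GPO settings write (assumed to be EnableModuleLogging and EnableScriptBlockLogging under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell) and then pulls recent script block events (event ID 4104) from the Operational channel mentioned above.

```powershell
# Added verification script (not from the original post). Assumes it runs
# locally on the monitored server after the GPO has been applied.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $key = Join-Path $policyRoot $SubKey
    if (Test-Path $key) {
        return (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    return $null
}

# "Turn on Module Logging" writes EnableModuleLogging = 1 (plus a ModuleNames subkey)
$moduleLogging = Get-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging'
# "Turn on PowerShell Script Block Logging" writes EnableScriptBlockLogging = 1
$scriptBlock   = Get-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging'

[PSCustomObject]@{
    ModuleLoggingEnabled      = ($moduleLogging -eq 1)
    ScriptBlockLoggingEnabled = ($scriptBlock -eq 1)
} | Format-List

# Script block logging records each executed block as event ID 4104 in the
# Operational channel (module logging uses 4103). Running this script itself
# produces a 4104 event, which can then be searched for in Kibana.
$recent = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddMinutes(-15)
} -MaxEvents 10 -ErrorAction SilentlyContinue

if ($recent) {
    # Property index 2 of a 4104 event holds the logged script block text
    $recent |
        Select-Object TimeCreated, Id, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } } |
        Format-Table -Wrap
} else {
    Write-Warning 'No 4104 events in the last 15 minutes; run gpupdate /force and execute a command, then retry.'
}
```

If the registry checks report false, the GPO has not reached this server yet and nothing will appear in Kibana regardless of the agent policy.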
Furthermore, we can use the dashboard created by Elastic called [Windows powershell] Overview, which presents this information in a useful summary.