I’ve seen in this interview that group policy templates (ADMX files) should be shipped soon, allowing corporate admins to control PowerShell Core ScriptBlockLogging, transcripts, and all the other security settings the blue team ❤.
Procmon reveals which registry path pwsh.exe looks for:
It appears that the policy path for PowerShell Core 6.0 differs from Windows PowerShell 5.x:
Microsoft\Windows\PowerShell is replaced by Microsoft\PowerShellCore (under the usual HKLM\SOFTWARE\Policies hive, so HKLM\SOFTWARE\Policies\Microsoft\PowerShellCore).
Using some Google-fu, I came across this pull request, which has an interesting discussion and a sample powershell.config.json file. We also learn that:
On Windows, we first query GPO from registry; if the required policy is not defined, then we query policies from the configuration file.
Another very useful link is the help file about_Logging.md, where you can read that:
Windows requires the event provider to be registered before logged events can appear in the event log. For PowerShell, this is accomplished by running the RegisterManifest.ps1 from an elevated PowerShell prompt.
Once ScriptBlockLogging is enabled by GPO and the ETW provider is registered, the related events show up in this location:
Get-WinEvent -ListProvider "PowerShellCore"
Get-WinEvent -LogName 'PowerShellCore/Operational' -MaxEvents 1
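To make the lookup order concrete (registry policy key first, powershell.config.json as fallback, then the ETW provider and the log), here is an added example. It is my code, not the original post's and not the PowerShell project's. It assumes that the value names under the PowerShellCore policy key (EnableScriptBlockLogging, EnableScriptBlockInvocationLogging) match the Windows PowerShell 5.x ones, that the config file nests them as "PowerShellPolicies" -> "ScriptBlockLogging", and that script block text is logged as event ID 4104 with the same property layout as Windows PowerShell; the post does not confirm any of those, so treat them as assumptions to verify on your own box.

```powershell
# Added example (not from the original post or the PowerShell project).
# Audits where pwsh.exe picks up its ScriptBlockLogging policy, then checks
# whether the resulting events can actually be seen in the event log.

function Get-PwshScriptBlockLoggingPolicy {
    [CmdletBinding()]
    param(
        # Policy key pwsh.exe queries (path observed with Procmon in the post).
        # Point this at ...\Microsoft\Windows\PowerShell\ScriptBlockLogging to compare with 5.x.
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore\ScriptBlockLogging',
        # Fallback config file; $PSHOME is the pwsh install directory when run from pwsh.
        [string]$ConfigFile = (Join-Path $PSHOME 'powershell.config.json')
    )

    $result = [ordered]@{
        Source                             = 'None'
        EnableScriptBlockLogging           = $null
        EnableScriptBlockInvocationLogging = $null
    }

    # 1. GPO from the registry wins if the value is defined.
    #    Value names are ASSUMED to match Windows PowerShell 5.x.
    $gpo = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($gpo -and $null -ne $gpo.EnableScriptBlockLogging) {
        $result.Source                             = "Registry ($PolicyKey)"
        $result.EnableScriptBlockLogging           = [bool]$gpo.EnableScriptBlockLogging
        $result.EnableScriptBlockInvocationLogging = [bool]$gpo.EnableScriptBlockInvocationLogging
        return [pscustomobject]$result
    }

    # 2. Otherwise fall back to powershell.config.json.
    #    Key layout "PowerShellPolicies" -> "ScriptBlockLogging" is an ASSUMPTION.
    if (Test-Path -LiteralPath $ConfigFile) {
        $cfg = Get-Content -LiteralPath $ConfigFile -Raw | ConvertFrom-Json
        $sbl = $cfg.PowerShellPolicies.ScriptBlockLogging
        if ($sbl -and $null -ne $sbl.EnableScriptBlockLogging) {
            $result.Source                             = "ConfigFile ($ConfigFile)"
            $result.EnableScriptBlockLogging           = [bool]$sbl.EnableScriptBlockLogging
            $result.EnableScriptBlockInvocationLogging = [bool]$sbl.EnableScriptBlockInvocationLogging
        }
    }
    [pscustomobject]$result
}

function Test-PwshScriptBlockEvents {
    [CmdletBinding()]
    param([int]$MaxEvents = 5)

    # Without the manifest registered, nothing lands in the log even with the policy on.
    $provider = Get-WinEvent -ListProvider 'PowerShellCore' -ErrorAction SilentlyContinue
    if (-not $provider) {
        Write-Warning "ETW provider 'PowerShellCore' is not registered; run $PSHOME\RegisterManifest.ps1 from an elevated pwsh."
        return
    }

    # 4104 = "Creating Scriptblock text"; the ID and Properties[2] (script block text)
    # are ASSUMED to match the Windows PowerShell 5.x event layout.
    Get-WinEvent -FilterHashtable @{ LogName = 'PowerShellCore/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

# Usage (from pwsh): report the effective policy, emit a marker script block, then look for it.
Get-PwshScriptBlockLoggingPolicy | Format-List
& { 'sbl-probe-' + (Get-Date -Format o) } | Out-Null
Test-PwshScriptBlockEvents -MaxEvents 3
```

Run it once with the default key and once with -PolicyKey pointed at the Windows PowerShell 5.x location: a host that only has the 5.x GPO applied will report "None" for pwsh, which is exactly the gap the path change creates.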
Last thing: let’s look at how the transcript header differs:
PowerShell Core has its own learning curve 🙂