Friday, May 4, 2018

Enabling PowerShell 5 logging for Windows 7

PowerShell is a very common tool for attackers these days, so we need to monitor its use on endpoints and be able to log its activity during malware analysis. I found this blog post from FireEye that shows how to turn PowerShell logging on for Windows 7. However, it is missing a few steps: after installing the necessary updates according to the blog, I wasn't able to see the logging settings in the Group Policy editor.

Here I will document the steps needed to make the PowerShell logging settings appear in the Group Policy editor on Windows 7.

First, download the necessary administrative templates (ADMX files) here.

After installing the templates, locate the files "PowerShellExecutionPolicy.admx" and "PowerShellExecutionPolicy.adml". The installer copies them under "\Program Files (x86)\Microsoft Group Policy".

Then copy PowerShellExecutionPolicy.admx into %systemroot%\PolicyDefinitions, and PowerShellExecutionPolicy.adml into the matching language subfolder (%systemroot%\PolicyDefinitions\en-US on an English system). If the .adml is not in the language subfolder, the Group Policy editor loads the template but reports a missing resource file for it.

After the above steps, you will see the Windows PowerShell settings (Turn on Module Logging, Turn on PowerShell Script Block Logging, Turn on PowerShell Transcription) in the Group Policy editor under Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.
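The whole procedure, as an added PowerShell example that is not part of the original post: it stages the two template files, enables the three logging policies by writing the registry values the "Windows PowerShell" administrative template sets (so the result is identical to clicking through the Group Policy editor), and then checks that Script Block Logging actually produces an event. The template install root ($TemplateRoot), the transcript directory (C:\PSTranscripts) and the en-US language folder are assumptions; adjust them for your system. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Assumes the ADMX installer put the
# files somewhere under $TemplateRoot and that the system language is en-US.
$TemplateRoot = "C:\Program Files (x86)\Microsoft Group Policy"   # assumed install root
$PolicyDefs   = Join-Path $env:SystemRoot "PolicyDefinitions"

# Locate the two template files wherever the installer dropped them.
$admx = Get-ChildItem -Path $TemplateRoot -Recurse -Filter "PowerShellExecutionPolicy.admx" |
        Select-Object -First 1
$adml = Get-ChildItem -Path $TemplateRoot -Recurse -Filter "PowerShellExecutionPolicy.adml" |
        Where-Object { $_.Directory.Name -eq "en-US" } | Select-Object -First 1
if (-not $admx -or -not $adml) {
    throw "PowerShellExecutionPolicy.admx/.adml not found under $TemplateRoot"
}

# The .admx goes into PolicyDefinitions, the .adml into the language subfolder;
# without the .adml in en-US, gpedit.msc reports a missing resource file.
Copy-Item -Path $admx.FullName -Destination $PolicyDefs -Force
Copy-Item -Path $adml.FullName -Destination (Join-Path $PolicyDefs "en-US") -Force

# Registry keys the "Windows PowerShell" administrative template writes to.
$Base = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell"

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = "DWord")
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Module Logging: pipeline execution details for every module (event ID 4103).
Set-PolicyValue "$Base\ModuleLogging" "EnableModuleLogging" 1
Set-PolicyValue "$Base\ModuleLogging\ModuleNames" "*" "*" "String"

# Script Block Logging: de-obfuscated content of every script block (event ID 4104).
Set-PolicyValue "$Base\ScriptBlockLogging" "EnableScriptBlockLogging" 1

# Transcription: full session transcripts, with invocation headers, to one directory.
Set-PolicyValue "$Base\Transcription" "EnableTranscripting" 1
Set-PolicyValue "$Base\Transcription" "EnableInvocationHeader" 1
Set-PolicyValue "$Base\Transcription" "OutputDirectory" "C:\PSTranscripts" "String"   # assumed path

# Verify: run a unique command in a fresh process (the policy is read at startup),
# then look for it in the PowerShell operational log as a 4104 event.
$marker = "LoggingCheck-$(Get-Random)"
powershell.exe -NoProfile -Command "Write-Output '$marker'" | Out-Null
$hit = Get-WinEvent -FilterHashtable @{
           LogName = "Microsoft-Windows-PowerShell/Operational"; Id = 4104
       } -MaxEvents 50 -ErrorAction SilentlyContinue |
       Where-Object { $_.Message -like "*$marker*" }

if ($hit) {
    "Script Block Logging is active: event 4104 captured the test command."
} else {
    "No 4104 event found; confirm WMF 5 is installed and the registry values above exist."
}
```

Writing the registry values directly is handy on a standalone analysis VM; on a domain-joined machine set the same three policies in a GPO instead, otherwise the next policy refresh may overwrite them.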


To be clear, I pieced the above steps together from these blog posts and forum threads:
https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
https://www.blackhillsinfosec.com/powershell-logging-blue-team/
https://social.technet.microsoft.com/Forums/ie/en-US/2f3c75ed-97e6-4b62-9157-2f7ef6766e19/powershell-gpo-settings-not-available-download-admx-file?forum=winserverGP

