One of the logs that can trace an attacker's activity is a transcript log. Transcript logs are basically an "over-the-shoulder" method of seeing what's occurring in any given PowerShell session. It shows which commands the user is running and any output printed to the console. In this article, I will show how to centralize these logs for machines in Active Directory (AD) for further investigation if needed.

Dan Franciscus

Dan Franciscus is a systems engineer and VMware Certified Professional (VCP) specializing in VMware, PowerShell, and other Microsoft-based technologies. You can reach Dan at his blog or his Twitter at @dan_franciscus.

PowerShell has proven to be an efficient tool attackers can use for compromising machines. While legitimate system admins use PowerShell, it provides many benefits to attackers as well due to its ease of use. Thus, it is important keep an eye on all transcript logs in your network.

The problem ^

Using Group Policy, it is very simple to turn on transcript logs for any machine. You simply enable it and provide the path you want to send the logs to.

Group Policy for PowerShell transcripts

Group Policy for PowerShell transcripts

My initial thought was just to use a network share as the directory to centralize the logs easily. The issue with this setup is that PowerShell remoting sessions will not work by default due to the double-hop issue. (By default in PowerShell remoting, you cannot delegate credentials to access a network share.) This is something solvable with a workaround, but I didn't feel it would be worthwhile just for capturing logs.

In addition, local user accounts would not have access to the share without providing permissions I did not feel comfortable applying. Moreover, any network disruption would cause a problem sending logs to a share.

What I ended up doing was creating a local folder on each machine and setting strict permissions so that any user (local or domain) only has write access and cannot read the contents. More importantly, an attacker would not have access to remove them. Then I copy the logs daily to a central folder only an admin can access.

Group Policy configuration ^

Outside of the PowerShell transcript setting I mentioned earlier, I configured a file system setting for sending local transcripts in Computer Configuration > Windows Settings > Security Settings > File System. I chose the folder C:\Windows\PSLogging and set the "Users" group to have just write permissions. I then added a domain security group—in my case "Security Admin"—to have read access for copying the transcripts.

Group Policy for local permissions

Group Policy for local permissions

 

At this point, any machine with this policy will have any user in the Users group log their PowerShell transcripts to the local C:\Windows\PSLogging folder.

Script to centralize transcript logs ^

One great feature that logging transcripts does by default is create a new folder daily such as "20180710" and a log for each session inside this folder. Each transcript log includes the hostname of the local machine, which makes copying much simpler since no renaming of files is necessary.

At this point we can run a PowerShell script daily to collect these local transcript logs and copy them to a central folder. This depends on enabling Server Message Block (SMB) by default and running the script with an account that has permissions to the C:\Windows\PSLogging folder on each machine.

The general flow of the script is as follows:

  1. Set the server share path for centralized logs to $ServerPath.
  2. Set yesterday's log folder name to $LogPath.
  3. Try to create a new folder for the centralized log location. If this already exists, exit the script.
  4. Get all AD computer names in a collection.
  5. Go through each machine in a foreach loop to copy the contents of yesterday's transcript folder if it exists and then remove it from the remote machine.

Here is an example of the script running:

Join the 4sysops PowerShell group!

2+
Share
4 Comments
  1. David 10 months ago

    Hi Dan,

    How did you accomplish this: "creating a local folder on each machine and setting strict permissions so that any user (local or domain) only has write access and cannot read the contents".

    Thanks,

    David

    1+

  2. Sanket Gupta 7 months ago

    During PowerShell Remoting transcript logging does not work, as it does not capture the logs during remote session.

    I suspect that it may be a limitation/bug in transcript logging. It is intended to capture console output, but in a non-interactive session there is no console, so the output gets discarded, and consequently there's nothing to capture.

    0

  3. Luc Fullenwarth 7 months ago

    @Sanket

    It just came to my mind: maybe you have forgotten to activate the preference variables in the script you want to transcribe...

    By default, these variables are set to SilentlyContinue, which means they don't write anything.

    Alternatively to the transcribing, you can also use an output file and redirect all streams to this file.

    For example:

    0

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2019

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account