3.11.54.2 (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'

Information

This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.

The recommended state for this setting is: Enabled.

PowerShell transcript input can be very valuable when performing forensic investigations of PowerShell attack incidents to determine what occurred.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled:

Administrative Templates\Windows Components\Windows PowerShell\Turn on PowerShell Transcription

Impact:

PowerShell transcript input will be logged to the PowerShell_transcript output file, which is saved to the My Documents folder of each user's profile by default.

Warning: There are potential risks of capturing credentials and sensitive information in the PowerShell_transcript output file, which could be exposed to users who have read-access to the file.

Warning #2: PowerShell Transcription is not compatible with the natively installed PowerShell v4 on Microsoft Windows 10 Release 1511 and Server 2012 R2 and below. If this recommendation is set as prescribed, PowerShell will need to be updated to at least v5.1. For more information on updating PowerShell, please see Windows PowerShell System Requirements - PowerShell | Microsoft Learn.
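The first warning above concerns who can read the transcript files. The following check is an added example, not part of the benchmark: it lists accounts outside an expected set that hold read access to transcript files. It assumes the default location named above (the user's Documents folder) and file names beginning with PowerShell_transcript; the function name and the expected-identity baseline are hypothetical and should be adjusted locally.

```powershell
# Added example: report unexpected read access to PowerShell transcript files.
# Assumptions: default transcript location (the user's Documents folder) and
# file names that start with "PowerShell_transcript".
function Get-TranscriptReadExposure {
    [CmdletBinding()]
    param(
        # Folder to search; defaults to the current user's Documents folder.
        [string]$Path = [Environment]::GetFolderPath('MyDocuments'),

        # Identities expected to have access (assumed baseline, adjust locally).
        [string[]]$Expected = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        )
    )

    # Bit that allows reading file contents. ACEs expressed only as generic
    # rights are not decoded by this check.
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    Get-ChildItem -LiteralPath $Path -Filter 'PowerShell_transcript*' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName

            foreach ($ace in $acl.Access) {
                $isAllow    = $ace.AccessControlType -eq 'Allow'
                $grantsRead = (([int]$ace.FileSystemRights) -band $readData) -ne 0
                $identity   = $ace.IdentityReference.Value

                # Emit one row per Allow entry that grants read to an
                # identity outside the expected set.
                if ($isAllow -and $grantsRead -and ($Expected -notcontains $identity)) {
                    [pscustomobject]@{
                        File      = $file.FullName
                        Identity  = $identity
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# No output means every transcript found is readable only by expected identities.
Get-TranscriptReadExposure | Format-Table -AutoSize
```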

See Also

https://workbench.cisecurity.org/benchmarks/16852

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, CSCv7|8.8

Plugin: Windows

Control ID: 66d2ee7893a6553103a7b23678536736efc2ef41e90a63dce1856d8dc723f69a