18.10.86.2 (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'

Information

This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.

The recommended state for this setting is: Enabled

PowerShell transcript input can be very valuable when performing forensic investigations of PowerShell attack incidents to determine what occurred.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled :

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell\Turn on PowerShell Transcription

Note: This Group Policy path is provided by the Group Policy template PowerShellExecutionPolicy.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

Impact:

PowerShell transcript input will be logged to PowerShell_transcript output files, which are saved to the My Documents folder (within a separate subfolder for each day) of each users' profile by default. Optionally, a specific output directory name can be specified, which will contain all PowerShell transcript logs in a subfolder of My Documents. If specifying a full path outside the users My Documents folder, other users on the system could have access to view these logs, which may contain sensitive information such as passwords.

Warning: There are potential risks of capturing credentials and sensitive information in PowerShell_transcript output files, which could be exposed to users who have read access to the files.

Warning #2: PowerShell Transcription is not compatible with the natively installed PowerShell v4 on Microsoft Windows 10 Release 1511 and Server 2012 R2 and below. If this recommendation is set as prescribed, PowerShell will need to be updated to at least v5.1 or newer. For more information on updating PowerShell, please see

Windows PowerShell System Requirements - PowerShell | Microsoft Learn

.

See Also

https://workbench.cisecurity.org/benchmarks/17610

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, CSCv7|8.8

Plugin: Windows

Control ID: efc30b800ae3ff36c4caf51a033b6bd42f47ae29b1dad9dcb65a4780a5b12f53