This year's user conference was another great one, and we got a ton of questions from you during the conference. Some of them I couldn’t answer at the time – I’m making up for that in between blog posts about new features. The first one was “Is there any way I can splunk what PowerShell commands are being executed on a server?”
There are two pieces of this puzzle: firstly – can I turn on an audit log that includes all the PowerShell commands that are executed within the system? We do that normally through group policy. Open up the group policy management console and take yourself to:
Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell
In this group policy container there is a setting called “Turn On Module Logging”. It’s either enabled or disabled – enable it to turn on logging. You also need to set the list of modules that are logged. Wildcards are allowed, so feel free to set this to *. Apply your group policy change to the list of servers that you want to log and wait for the change to propagate (or run GPUPDATE /FORCE on the target systems).
Now that you have module logging turned on, the PowerShell commands appear in a Windows Event Log called “Microsoft-Windows-PowerShell/Operational” – you will most certainly want to install a Splunk 6 Universal Forwarder on each server that you are targeting to read this event log. You can do this by utilizing the following inputs.conf stanza:
[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = false
Push that out to your target servers and you will start getting events like the following back:
10/23/2013 10:20:43 AM
LogName=Microsoft-Windows-PowerShell/Operational
SourceName=Microsoft-Windows-PowerShell
EventCode=4103
EventType=4
Type=Information
ComputerName=EX-BES10.bd.splunk.com
User=a-ahall
Sid=S-1-5-21-2882450500-3417635276-1240590811-1179
SidType=1
TaskCategory=Executing Pipeline
OpCode=To be used when operation is just executing a method
RecordNumber=133
Keywords=None
Message=ParameterBinding(Get-Service): name="Name"; value="SplunkForwarder"
Context:
Severity = Informational
Host Name = ConsoleHost
Host Version = 3.0
Host ID = e6323c96-aa4d-48c3-87a1-b97e01c63afa
Engine Version = 3.0
Runspace ID = b2be7033-a9e5-43c1-b356-fedb9ccd34cf
Pipeline ID = 20
Command Name = Get-Service
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 42
User = BD\a-ahall
Shell ID = Microsoft.PowerShell
From this, you can see all the information that you need to determine what was run, who ran it, what machine it was run from and when it was run. You will need to do the normal extractions to get this information – remember that this is a multi-line event, so ensure you use the ?gms version of the extractions in props.conf to handle multi-line regular expressions.
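The extraction patterns can be prototyped against the sample event before they go into props.conf. The Python sketch below is an added example, not code from the original post: it parses an abridged copy of the event above, and the output field names are assumptions chosen here. It also handles two details the raw event hides: the header and the Context block both carry a User key, and a single event can list more than one ParameterBinding line.

```python
import re

# Sample event from the post (abridged), restored to its multi-line form.
# Raw string so the backslash in BD\a-ahall stays literal.
SAMPLE_EVENT = r"""10/23/2013 10:20:43 AM
LogName=Microsoft-Windows-PowerShell/Operational
EventCode=4103
ComputerName=EX-BES10.bd.splunk.com
User=a-ahall
Message=ParameterBinding(Get-Service): name="Name"; value="SplunkForwarder"
Context:
Severity = Informational
Command Name = Get-Service
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 42
User = BD\a-ahall
Shell ID = Microsoft.PowerShell
"""

HEADER_RE = re.compile(r"^(\w+)=(.*)$", re.M)                    # Key=Value
CONTEXT_RE = re.compile(r"^[ \t]*([A-Za-z ]+?) = ?(.*)$", re.M)  # Key = Value
BINDING_RE = re.compile(r'ParameterBinding\(([^)]+)\): name="([^"]*)"; value="([^"]*)"')

def parse_event(raw):
    """Return the who/what/where fields of one 4103 event (assumed field names)."""
    # Split on the line that holds only "Context:"; the two halves use
    # different separators and both contain a "User" key.
    parts = re.split(r"^[ \t]*Context:[ \t]*$", raw, maxsplit=1, flags=re.M)
    head, context = parts[0], parts[1] if len(parts) > 1 else ""
    fields = {k: v.strip() for k, v in HEADER_RE.findall(head)}
    ctx = {k.strip(): v.strip() for k, v in CONTEXT_RE.findall(context)}
    return {
        "host": fields.get("ComputerName"),
        "event_code": fields.get("EventCode"),
        "user": ctx.get("User") or fields.get("User"),  # prefer DOMAIN\user
        "command": ctx.get("Command Name"),
        "command_type": ctx.get("Command Type"),
        "script": ctx.get("Script Name") or None,       # empty in the sample
        # Scan the whole header block, not just the single-line Message
        # value, so every ParameterBinding line is captured.
        "bindings": BINDING_RE.findall(head),
    }

if __name__ == "__main__":
    print(parse_event(SAMPLE_EVENT))
```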
As for the cmd prompt – sorry, there is no equivalent log for that.