How to log and monitor PowerShell activity for suspicious scripts and commands

Group policy

If you use traditional Active Directory tools, use group policy to enable PowerShell logging. Open the Group Policy Management Console. Create a new Group Policy Object (GPO) or edit an existing one. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell. Locate the setting “Turn on PowerShell Script Block Logging” and set it to Enabled.

Susan Bradley / CSO

This logging allows you to capture the content of all executed scripts, including commands and functions.

Intune

Similarly in Intune perform the following steps: Go to Microsoft Intune Admin Center and find devices. Click on Windows devices and Configuration. Click Create, select New Policy. Select Windows 10 and later, select Settings Catalog under profile type, and click Create. Enter PowerShell Configuration as name, enter a Description if needed, and click Next. Click Add settings, enter PowerShell in the Search for a setting bar, and click Search. Select Administrative Templates\Windows Components\Windows PowerShell, and click Select all these settings, or go through each one and select those you want to monitor.

What's Hot

Lovable just backed a company that’s looking to bring vibe coding to hardware

Clio’s $500M milestone arrives just as Anthropic ups the ante

Anduril raises $5B, doubles valuation to $61B

Fitbit founders launch AI platform to help families monitor their health

AI is becoming introspective – and that ‘should be monitored carefully,’ warns Anthropic

Perplexity’s new AI tool lets you search patents with natural language – and it’s free

College social app Fizz expands into grocery delivery

A Former Apple Luminary Sets Out to Create the Ultimate GPU Software

The Reason Murderbot’s Tone Feels Off

Most Popular