Automatically generated based on tag:

ETW - PowerShell activity: for local PowerShell activity.

Windows PowerShell version 2.0, and prior versions, provide few useful audit settings, thereby limiting the availability of evidence (such as a command history).

Starting with PowerShell v5, PowerShell logging was enhanced, with the notable addition of Script Block Logging, which records the full contents of the PowerShell code executed (both the original and the deobfuscated code). While Script Block Logging is not fully enabled by default, it still records events for code containing suspicious keywords (from a Microsoft pre-defined list).

Windows PowerShell.
Events: 400, 403, 500, 501, 600, 800.

Events: 4100, 4103, 4104, 40961, 40962, 53504.

Microsoft-Windows-AppLocker\MSI and Script.
Events: 8005, 8006.
ETW - PowerShell remoting - Destination host: destination host of a PowerShell remoting / WinRM access.

Main events:

Channel: Microsoft-Windows-Windows Remote Management/Operational.
Event ID 91: "Creating WSMan shell on server with ResourceUri: <X>".

Microsoft-Windows-Windows Remote Management/Operational.
Event: 91.

Windows PowerShell.
Events: 400, 403, 600.
With the HostName field set to "ServerRemoteHost".
