Powershell

Overview

Evidence: Powershell Logs Description: Collect Powershell Logs Category: System Platform: windows Short Name: pwrs Is Parsed: No Sent to Investigation Hub: Yes Collect File(s): Yes

Background

PowerShell transcription creates detailed logs of PowerShell sessions including all commands executed and their output. Transcription must be enabled via Group Policy or registry settings.

When enabled, transcripts are saved as text files and contain complete records of PowerShell activity, making them extremely valuable for detecting malicious PowerShell usage.

Data Collected

This collector gathers structured data about powershell logs.

Powershell Logs Data

Field

Description

Example

Name

Artifact name

Powershell Log

Type

File or Folder

Folder

SourcePath

Original path

C:\Transcripts\PowerShell_transcript.DESKTOP.abc123.20231015143000.txt

Path

Relative path in evidence

Other/PowerShell_transcript...

Collection Method

This collector:

Reads the transcript output directory from registry:
- HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription - OutputDirectory value
- HKCU\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription - OutputDirectory value
Collects all files from the configured transcript directories

Forensic Value

PowerShell transcripts provide complete visibility into PowerShell command execution. Investigators use this data to identify malicious PowerShell commands, track attacker reconnaissance activities, detect PowerShell-based lateral movement, analyze encoded or obfuscated commands, and establish complete PowerShell activity timelines.

PreviousPDB Information NextPowershell ConsoleHost History

Last updated 3 days ago

Was this helpful?