PowerShell Logs

Overview

  • Evidence: Powershell

  • Description: Collect Powershell Logs

  • Category: Other Evidence

  • Platform: Windows

  • Short Name: pwrs

  • Is Parsed: No - Raw transcript text files

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

PowerShell transcription creates detailed logs of PowerShell sessions including all commands executed and their output. Transcription must be enabled via Group Policy or registry settings.

When enabled, transcripts are saved as text files and contain complete records of PowerShell activity, making them extremely valuable for detecting malicious PowerShell usage.

Data Collected

| Field | Description | Example |
| --- | --- | --- |
| Name | Artifact name | Powershell Log |
| Type | File or Folder | Folder |
| SourcePath | Original path | C:\Transcripts\PowerShell_transcript.DESKTOP.abc123.20231015143000.txt |
| Path | Relative path in evidence | Other/PowerShell_transcript... |

Collection Method

This collector:

  • Reads the transcript output directory from the registry:

    • HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription - OutputDirectory value

    • HKCU\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription - OutputDirectory value

  • Collects all files from the configured transcript directories (both the machine-wide and the per-user setting, when present)
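The same lookup, as an added PowerShell example that is not the collector's own code: it reads OutputDirectory from both policy keys listed above, enumerates the transcripts beneath those directories (PowerShell writes them into a per-day subfolder, hence the recursion), and prints the session metadata each transcript header carries. The EnableTranscripting value and the header field names are standard PowerShell transcription behaviour and are assumed here, not taken from this page.

```powershell
# Added example (not the collector's code): find transcript directories from the
# same policy keys the collector reads, then triage the transcripts found there.
$keys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
)

$settings = foreach ($key in $keys) {
    # The key is absent on systems where transcription was never configured.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $props) {
        [pscustomobject]@{
            Key       = $key
            Enabled   = ($props.EnableTranscripting -eq 1)
            # An empty OutputDirectory means transcripts go to each user's
            # Documents folder; that case is reported but not enumerated here.
            Directory = $props.OutputDirectory
        }
    }
}
$settings | Format-Table -AutoSize

function Get-TranscriptHeader {
    param([string]$Path)
    # The header is a block of "Key: Value" lines between the first two rows of
    # asterisks, so only the top of the (possibly very large) file is read.
    $lines = Get-Content -Path $Path -TotalCount 40
    $meta  = [ordered]@{ File = $Path }
    foreach ($line in $lines) {
        if ($line -match '^(Start time|Username|RunAs User|Machine|Host Application|Process ID):\s*(.*)$') {
            $meta[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]$meta
}

$settings |
    Where-Object { $_.Directory } |
    ForEach-Object {
        Get-ChildItem -Path $_.Directory -Filter 'PowerShell_transcript*.txt' `
            -Recurse -File -ErrorAction SilentlyContinue
    } |
    ForEach-Object { Get-TranscriptHeader -Path $_.FullName } |
    Sort-Object 'Start time' |
    Format-Table -AutoSize
```

A gap between the newest transcript's Start time and the current time on a host where Enabled is true is worth checking against the limitation noted below that attackers can delete or disable transcripts.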

Usage

PowerShell transcripts provide complete visibility into PowerShell command execution. Investigators use this data to identify malicious PowerShell commands, track attacker reconnaissance activities, detect PowerShell-based lateral movement, analyze encoded or obfuscated commands, and establish complete PowerShell activity timelines.

Known Limitations

  • Only available if transcription is enabled

  • Many systems don't have transcription configured

  • Transcripts can be disabled or deleted by attackers

  • Output directory location varies

Notes

PowerShell transcription is a Group Policy setting. If transcription is not enabled, no logs will be present. This is one of the most valuable sources for detecting PowerShell-based attacks when available.
