Why should you monitor PowerShell? PowerShell is a powerful automation tool that can automate tasks and manage systems; however, that same flexibility makes it a prime target for abuse by attackers. Implementing a robust, automated PowerShell monitoring solution is now essential to detect and prevent exploitation before it compromises your systems.

Monitoring PowerShell Executions – An Overview

  • PowerShell is often exploited to execute malicious scripts. Hence, visibility into which PowerShell scripts are run, and when they are run, is an important part of a Digital Operational Resilience Strategy (in the EU this could include meeting regulatory standards such as DORA).
  • PowerShell execution policies are a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts.
  • The ability to monitor PowerShell execution policy settings is important because it helps ensure that only authorized scripts are run.
  • The execution policy in effect when a PowerShell script runs can be: AllSigned, Bypass, RemoteSigned, Restricted, Unrestricted.

I covered the basics of PowerShell Exploitation recently in another article, see: Detecting PowerShell Exploitation | eG Innovations. This article covers specific advanced, proactive monitoring capabilities for enterprise use cases. The earlier article covers a broader range of techniques you can use to safeguard your organization from PowerShell vulnerabilities.

An Explanation of PowerShell Execution Policies

  • Restricted: No scripts are allowed to run (default in most Windows systems).
  • AllSigned: Only scripts signed by a trusted publisher can be run.
  • RemoteSigned: Scripts downloaded from the internet must be signed by a trusted publisher, but locally created scripts can run without a signature.
  • Unrestricted: All scripts can run, but a warning is given for downloaded scripts.
  • Bypass: No restrictions; all scripts run without warnings.
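The script below is an added example (not code from this article or from eG Enterprise) that turns the table above into a local audit: it lists the execution policy at every scope, reports which one is actually in effect, and rates it using the descriptions above. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the risk labels, the function names and the `Undefined` handling (a real value that Get-ExecutionPolicy returns for a scope with no policy set) are my own choices, not the article's.

```powershell
# Added example: audit the PowerShell execution policy at every scope and flag
# the weak settings described in the table above. Assumed: Windows PowerShell 5.1
# or PowerShell 7 on Windows. Run elevated only if you intend to change LocalMachine.

# Risk rating per policy, following the article's descriptions (labels are assumed).
$policyRisk = @{
    'Restricted'   = 'Low'
    'AllSigned'    = 'Low'
    'RemoteSigned' = 'Medium'
    'Unrestricted' = 'High'
    'Bypass'       = 'High'
    'Undefined'    = 'Info'   # no policy configured at this scope
}

function Get-ExecutionPolicyAudit {
    # Get-ExecutionPolicy -List returns one entry per scope in precedence order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    foreach ($entry in (Get-ExecutionPolicy -List)) {
        $policy = [string]$entry.ExecutionPolicy
        [pscustomobject]@{
            Scope  = $entry.Scope
            Policy = $policy
            Risk   = $policyRisk[$policy]
        }
    }
}

function Get-EffectivePolicyFinding {
    # The effective policy is the first scope in precedence order that is not
    # Undefined, which is what Get-ExecutionPolicy with no arguments reports.
    $effective = [string](Get-ExecutionPolicy)
    $finding = switch ($effective) {
        'Bypass'       { 'All scripts run with no checks or warnings; review who set this and why.' }
        'Unrestricted' { 'Downloaded scripts only produce a warning; prefer RemoteSigned or AllSigned.' }
        default        { 'No finding.' }
    }
    [pscustomobject]@{
        EffectivePolicy = $effective
        Risk            = $policyRisk[$effective]
        Finding         = $finding
    }
}

# Weak machine-wide setting beside its corrected form (commented out; both are
# real Set-ExecutionPolicy invocations and require an elevated session):
# Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Bypass         # weak: everything runs silently
# Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy RemoteSigned   # corrected: downloaded scripts must be signed

Get-ExecutionPolicyAudit     | Format-Table -AutoSize
Get-EffectivePolicyFinding   | Format-List
```

One caveat worth keeping in mind when reading the audit: Microsoft documents the execution policy as a safety feature that prevents accidental script execution, not as a security boundary, and it can be overridden per process or per scope. That is precisely why the article's approach of monitoring which policy each execution actually ran under, rather than only checking the configured value, is the more useful control.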

Analyzing PowerShell executions can highlight potential vulnerabilities with applications executing on a system.

How eG Enterprise Monitors and Alerts on PowerShell Vulnerabilities

eG Enterprise will track:

  • The system's PowerShell execution policy, e.g. RemoteSigned
  • How many PowerShell scripts were executed during the last measurement period that were unsigned (detailed diagnostics are collected that will report what these scripts are)
  • Whether any PowerShell scripts were executed with an unrestricted execution policy and detailed diagnostics of which ones these were (if any)
  • Whether any PowerShell scripts were executed with a bypass execution policy and detailed diagnostics of which these were
  • Whether any PowerShell scripts were executed with a remote signed execution policy and detailed diagnostics identifying them
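As an added example of what the checks listed above look like when built from data Windows already records (this is my own script, not eG Enterprise's implementation), the block below reads two event logs for the last measurement period: the classic "Windows PowerShell" log, whose Event ID 400 (engine start) records the host command line and therefore any explicit `-ExecutionPolicy` argument, and Microsoft-Windows-PowerShell/Operational Event ID 4104 (script block logging), whose fifth property carries the script path when the block came from a file. It assumes Script Block Logging is enabled, assumes the 4104 property layout just described, and uses an assumed default measurement period of 60 minutes; the function names are mine.

```powershell
# Added example (not from the article or eG Enterprise): count and list PowerShell
# executions that ran under Bypass, Unrestricted or RemoteSigned, and scripts that
# ran without a valid Authenticode signature, over the last measurement period.
# Assumes Script Block Logging (Event 4104) is enabled and an elevated session that
# can read the Operational log. $LookbackMinutes is an assumed measurement period.
param([int]$LookbackMinutes = 60)

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

function Get-PolicyOverrideEvents {
    # Event 400 ("Engine state is changed from None to Available") includes a
    # HostApplication= line holding the full host command line.
    param([datetime]$StartTime)
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $StartTime }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        if ($e.Message -match 'HostApplication=(?<cmd>[^\r\n]+)') {
            $cmd = $Matches['cmd']
            # -ep and -ex are accepted unambiguous prefixes of -ExecutionPolicy.
            if ($cmd -match '-(?:ExecutionPolicy|ep|ex)\s+(?<policy>Bypass|Unrestricted|RemoteSigned)\b') {
                [pscustomobject]@{
                    Time        = $e.TimeCreated
                    Policy      = $Matches['policy']
                    CommandLine = $cmd
                }
            }
        }
    }
}

function Get-UnsignedScriptExecutions {
    # Event 4104 Properties: MessageNumber, MessageTotal, ScriptBlockText,
    # ScriptBlockId, Path. Only blocks loaded from a file have a Path (assumed layout).
    param([datetime]$StartTime)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $StartTime }
    $paths = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Properties[4].Value } |
        Where-Object { $_ -and $_ -like '*.ps1' } |
        Sort-Object -Unique
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            # The script was removed after it ran; report it rather than drop it.
            [pscustomobject]@{ Path = $p; SignatureStatus = 'FileMissing'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $p
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Path            = $p
                SignatureStatus = $sig.Status   # NotSigned, HashMismatch, UnknownError, ...
                Signer          = $sig.SignerCertificate.Subject
            }
        }
    }
}

$overrides = @(Get-PolicyOverrideEvents -StartTime $since)
$unsigned  = @(Get-UnsignedScriptExecutions -StartTime $since)

# Summary metrics, mirroring the list of items tracked above.
[pscustomobject]@{
    MeasurementPeriodStart = $since
    ConfiguredPolicy       = [string](Get-ExecutionPolicy)
    BypassExecutions       = @($overrides | Where-Object Policy -eq 'Bypass').Count
    UnrestrictedExecutions = @($overrides | Where-Object Policy -eq 'Unrestricted').Count
    RemoteSignedExecutions = @($overrides | Where-Object Policy -eq 'RemoteSigned').Count
    UnsignedScripts        = $unsigned.Count
} | Format-List

# Detailed diagnostics: the command lines and script paths behind the counts.
$overrides | Format-Table Time, Policy, CommandLine -AutoSize
$unsigned  | Format-Table Path, SignatureStatus, Signer -AutoSize
```

Two design points: the summary is computed first so it can feed an alert threshold (any non-zero Bypass count is a reasonable default), and the detail tables are kept separate so an operator can drill from a count to the specific script, the same split the article describes between metrics and detailed diagnostics. A script that is executed and then deleted is reported as FileMissing instead of being silently skipped, because that pattern is itself worth a look.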

[Screenshot: PowerShell scripts that are executed are listed within the Security Checks test, allowing admins to proactively monitor for potential PowerShell exploitation vulnerabilities]

Figure 1: Note how the magnifying glass icon (detailed diagnostics) appears when diagnostic drill down information is available – clicking on this icon will access the information needed to monitor PowerShell proactively

[Screenshot: Detailed diagnostics shown in the eG Enterprise console; these allow admins to monitor PowerShell with the granularity needed to identify vulnerabilities that could be exploited]

Figure 2: Detailed diagnostics contain filter and search criteria to help operators understand the usage of the PowerShell scripts

Security and Compliance Reports on PowerShell Vulnerabilities

eG Enterprise includes out-of-the-box reports on PowerShell executions, no query languages required. As with all eG Enterprise reports these can be scheduled and automatically archived or distributed to those with the appropriate permissions for audit and stakeholder visibility purposes.

Reports can be generated on both live and historical data as needed too.

[Screenshot: eG Enterprise console, Reporter tab, showing the list of reports by function; these include out-of-the-box compliance reports on PowerShell executions]

Figure 3: The pre-built PowerShell Report is found under “Security and Compliance” family under the eG Enterprise Reporter tab.

PowerShell Execution reports can be combined with other reports via the “booklet” functionality to provide comprehensive regular reports covering multiple domains and functional areas. This avoids stakeholders receiving multiple disparate documents or reports.

[Screenshot: Details of the PowerShell reports, with graphs and metrics regarding PowerShell scripts executed, as shown within eG Enterprise]

Figure 4: Ready-to-go-reports can provide the whole organization with a clear overview and understanding of their PowerShell usage and can be used to audit PowerShell execution policies

A Comprehensive PowerShell Security Strategy

Of course, monitoring and auditing PowerShell execution and execution policies is only one part of a robust PowerShell risk management strategy. I’ve written before about other steps you can take to ensure you are protected from vulnerabilities associated with PowerShell. Please see: Detecting PowerShell Exploitation | eG Innovations for more detailed information.


About the Author

Babu is Head of Product Engineering at eG Innovations. Having joined the company back in 2001 as one of our first software developers, following undergraduate and master's degrees in Computer Science, he knows the product inside and out. Based within our Singapore R&D Management team, Babu has undertaken various roles in engineering and product management, becoming a certified PMP along the way.