Mark Minasi's Tech Forum


meloao

Is there a way to track who runs a script? I see that there is an option to "run as different user" when you right-click on powershell.exe. However, when I look at the PowerShell log in Event Viewer I do not see an entry that the script was run, let alone identifying who ran the script.
cj_berlin

Depends on what OS / PowerShell version you're on.

You could leverage ScriptBlock logging for this if you're on version 5 or 5.1: https://community.idera.com/database-tools/powershell/powertips/b/tips/posts/understanding-script-block-logging-part-6

Or you could look into AppLocker policies and/or WDAC policies.

Or you could enable sysmon logging and, when you're through with tuning that, find a new rewarding engagement in infosec ;-)

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
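
The script block logging approach suggested above, as an added example that is not part of any post in this thread: it enables the policy and then lists which account ran a given script file, using event ID 4104 in the PowerShell operational log. The script name `Deploy.ps1` is a hypothetical sample value, and the property positions assume the standard 4104 event layout (MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path).

```powershell
# Added example; run from an elevated session on Windows PowerShell 5 / 5.1.
# $ScriptName is a hypothetical sample value, replace it with the script to audit.
param([string]$ScriptName = 'Deploy.ps1')

# 1. Enable script block logging machine-wide. This is the registry value
#    written by the "Turn on PowerShell Script Block Logging" Group Policy.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. After the script has been run at least once, read the 4104 events.
#    Each event record carries the SID of the account that executed the block,
#    so "run as different user" shows up as that other user's SID.
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    # Properties[4] is the script path; it is empty for interactively typed code.
    Where-Object { $_.Properties[4].Value -like "*\$ScriptName" } |
    ForEach-Object {
        $sid = $_.UserId
        # Resolve the SID to DOMAIN\user; fall back to the raw SID if it
        # cannot be mapped (deleted account, unreachable domain).
        $account = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                   catch { $sid.Value }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            User        = $account
            ScriptPath  = $_.Properties[4].Value
            # Large scripts are split across several events (part n of m).
            Part        = '{0}/{1}' -f $_.Properties[0].Value, $_.Properties[1].Value
        }
    } |
    Sort-Object TimeCreated
```

The operational log is size-limited and writable by local administrators, so forward these events to a central collector if the record has to hold up as an audit trail.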