Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure PowerShell logging to see PowerShell anomalies in Splunk UBA

The Suspicious PowerShell Activity model produces anomalies based on suspicious activity identified in Microsoft PowerShell and Windows security event logs.

You must log PowerShell activity at a specific level and add those logs to Splunk UBA for the PowerShell Activity model to work.

By logging PowerShell activity and analyzing the commands with Splunk UBA, you can identify indicators of compromise corresponding to malicious activity by a user or malware. PowerShell provides access to Windows API calls that attackers can exploit to gain elevated access to the system, avoiding antivirus and other security controls in the process. PowerShell is also internally utilized by popular hacking tools.

PowerShell versions compatible with Splunk UBA

The PowerShell model works best with PowerShell 5.0 or the latest version of PowerShell 4.0.

PowerShell version PowerShell requirements
4.0 Powershell version 4.0 requires the following to enable enhanced logging for Windows 7/8.1/2008/2012:
  • .NET 4.5
  • Windows Management Framework (WMF) 4.0
  • The appropriate WMF 4.0 update:
    • 8.1/2012 R2 – KB3000850
    • 2012 – KB3119938
    • 7/2008 R2 SP1 – KB3109118
5.0 Powershell version 5.0 requires the following to enable enhanced logging for Windows 7/8.1/2008/2012:
  • .NET 4.5
  • Windows Management Framework (WMF) 4.0 (Windows 7/2008 only)
  • Windows Management Framework (WMF) 5.0

You must upgrade Windows 7 and 2008 R2 to Windows Management Framework (WMF) 4.0 prior to installing WMF 5.0.

Windows 10 does not require any software updates to support enhanced PowerShell logging.

PowerShell supports the following types of logging:

  • module logging
  • script block logging
  • transcription

PowerShell events are written to the PowerShell operational log Microsoft-Windows-PowerShell%4Operational.evtx.

Configure module logging for PowerShell

Complete these steps to enable module logging:

  1. In the Windows PowerShell GPO settings, select Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell, and set Turn on Module Logging to enabled.
  2. In the Options pane, click the button to show Module Name.
  3. In the Module Names window, enter * to record all modules.
  4. Click OK in the Module Names window.
  5. Click OK in the Module Logging window.

Alternately you can set the following registry values:

HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging → EnableModuleLogging = 1
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging \ModuleNames → * = *

Configure script block logging for PowerShell

To enable script block logging, go to the Windows PowerShell GPO settings and set Turn on PowerShell Script Block Logging to enabled.

Alternately, you can set the following registry value:

HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging → EnableScriptBlockLogging = 1

In addition, turn on command line process auditing. You can find instructions in the Microsoft documentation:

  1. Go to the Microsoft documentation website: https://docs.microsoft.com
  2. Search for command line process auditing.
  3. Configure command line process auditing so that the process creation audit event ID 4688 includes audit information for command line processes.

Configure transcription logging

To enable automatic transcription, or deep script block logging, enable the Turn on PowerShell Transcription feature in Group Policy through Windows Components > Administrative Templates > Windows PowerShell.

The configuration settings are stored under HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription.

You can find more information in the Microsoft documentation:

  1. Go to the Microsoft documentation website: https://docs.microsoft.com
  2. Search for script block logging.

Enable protected event logging

Splunk Enterprise does not support protected event logging. If your events are encrypted, decrypt them before ingesting to UBA. For details, see https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.2#enabling-script-block-logging

Verifying PowerShell logging

To verify that PowerShell logging is properly configured, look for the following PowerShell activity events in Splunk UBA:

  • EventCode = 4103
  • EventCode = 4104
  • EventCode = 4688 and Process_Name contains PowerShell
  • EventCode = 7045 and Process_Name contains PowerShell
Last modified on 20 December, 2023
PREVIOUS
Send notable events from Splunk Enterprise Security to Splunk UBA
  NEXT
Configure the VirusTotal script to see VirusTotal anomalies in Splunk UBA

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters