How can you use LEM (nDepth?) to locate servers or desktops that have initiated a powershell instance/script?
We found a couple of ways to do this:
Using Sysmon events and setting a rule to look for powershell
Or enabling powershell script block logging and forwarding those events. With powershell you can look for the ToolAlias and those are all your PS events.
Hi mikosmall ! Sorry to be digging up an old thread, but I'm wondering if you are able to share a little bit more detail about how you're capturing this info.
Appreciate it!
Hey scott.driver, you can use GPO to set up a policy to log PowerShell events (see Configure PowerShell logging to see PowerShell anomalies in Splunk UBA - Splunk Documentation). And install sysmon on the hosts (Sysmon - Windows Sysinternals | Microsoft Docs). For the sysmon install you could use GPO or PowerShell. I did it manually because I didn't have that many hosts. After those are running, install the LEM agent on each host and add a new connector in LEM. You should have everything working at that point. Did that answer your question Scott?
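The two data sources the thread relies on (Sysmon process creation and PowerShell script block logging) can be checked and queried directly on a host before the LEM agent and connector are in place. The following PowerShell script is an added example written for this page, not code from the thread or from SolarWinds; it assumes Sysmon is already installed with a configuration that records ProcessCreate (Event ID 1), that the script block logging GPO has been applied, and that it runs from an elevated prompt. The helper names (`Test-ScriptBlockLogging`, `Get-SysmonPowerShellLaunches`, `Get-ScriptBlockEvents`, `Install-Sysmon`) and the 24-hour window are choices made for the example.

```powershell
# Added example (not from the thread): verify script block logging is enabled,
# then pull PowerShell launches from Sysmon (Event ID 1) and logged script
# blocks (Event ID 4104) so you can confirm the events exist before forwarding
# them to LEM. Run elevated; assumes Sysmon is installed with ProcessCreate logging.

function Install-Sysmon {
    # Optional helper: install Sysmon from a share with a chosen config file.
    # Paths are placeholders; adjust for your environment.
    param(
        [string]$SysmonExe  = '\\fileserver\tools\Sysmon64.exe',
        [string]$ConfigFile = '\\fileserver\tools\sysmonconfig.xml'
    )
    & $SysmonExe -accepteula -i $ConfigFile
}

function Test-ScriptBlockLogging {
    # The GPO "Turn on PowerShell Script Block Logging" writes this registry value.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $val = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.EnableScriptBlockLogging -eq 1)
}

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> elements of an event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-SysmonPowerShellLaunches {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1                                   # Sysmon ProcessCreate
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData -Event $_
        # Match both Windows PowerShell and PowerShell 7 hosts.
        if ($d.Image -match '\\(powershell|pwsh)\.exe$') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Computer    = $_.MachineName
                User        = $d.User
                Image       = $d.Image
                ParentImage = $d.ParentImage             # useful for spotting unusual launchers
                CommandLine = $d.CommandLine
            }
        }
    }
}

function Get-ScriptBlockEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104                                # script block logging
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData -Event $_
        $text = ([string]$d.ScriptBlockText) -replace '\s+', ' '
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Computer = $_.MachineName
            Path     = $d.Path                           # empty for interactive or encoded input
            Snippet  = $text.Substring(0, [Math]::Min(120, $text.Length))
        }
    }
}

# Usage: check the policy, then list what a LEM connector would receive from this host.
if (-not (Test-ScriptBlockLogging)) {
    Write-Warning 'Script block logging is not enabled on this host; 4104 events will be missing.'
}
Get-SysmonPowerShellLaunches -Hours 24 | Format-Table -AutoSize
Get-ScriptBlockEvents -Hours 24 | Format-Table -AutoSize
```

Once both queries return rows on a host, point the LEM agent at the `Microsoft-Windows-Sysmon/Operational` and `Microsoft-Windows-PowerShell/Operational` channels and the same events will arrive through the connector; the `ParentImage` column from Sysmon is the field worth keying a rule on, since PowerShell started by an office application or a service is far more interesting than PowerShell started from an administrator's console.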
Awesome sauce! I am familiar with some of the other sysinternals, but haven't worked with sysmon.
Thanks mikosmall!!!