
Change Auditor does not register events when running PowerShell scripts on servers

When executing PowerShell or Invoke-Command scripts, the Change Auditor does not record anything.
  • Today it is very easy to write PowerShell scripts that can make unauthorized changes, and tools exist that are developed to exploit vulnerabilities and execute them when a computer is exposed.
    I consider it very important that the Change Auditor agent can capture any event that can help to prevent any attack.

  • I would look at it this way. The story is complex and we need to consider the whole picture with the following points of control:

    #1. Right to execute the script/ACL/permissions layer: Local Admin, OS rights (Logon as Batch Job, As Service) - controlled by GPO

    #2. Log the execution actions on Server: Events (Logon as Batch Job, As Service), TS Logon, Interactive Logon. 

    #2.1 Log access on Resources: File Access on Share by the script, other servers$ shares etc...
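
As an added illustration of points #2 and #2.1 in the reply above (not code from the thread or from Change Auditor), this sketch ties file-access events back to the logon session that produced them by matching the logon ID per host. It assumes the Windows Security log is exported as XML with logon auditing (event 4624) and object-access auditing (event 4663) enabled; host names, accounts and paths are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Event 4624 LogonType values for the logon kinds listed in the reply.
LOGON_TYPES = {"2": "Interactive", "4": "Batch", "5": "Service", "10": "RemoteInteractive"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def ev(eid, host, **data):
    """Build one constructed event in the Security-log XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<Computer>{host}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample events in time order; hosts, accounts and paths are made up.
SAMPLE = [
    ev(4624, "SRV01", TargetUserName="svc_backup", TargetLogonId="0x3e7a1", LogonType="4"),
    # Network logon (type 3) is not in the reply's list, so it is not tracked here.
    ev(4624, "SRV01", TargetUserName="alice", TargetLogonId="0x51b20", LogonType="3"),
    ev(4663, "SRV01", SubjectLogonId="0x3e7a1", ObjectName=r"D:\Finance\payroll.xlsx", ProcessName=PS),
    ev(4663, "SRV01", SubjectLogonId="0x51b20", ObjectName=r"D:\Public\readme.txt", ProcessName=PS),
    # Same logon ID on another host must not match: IDs are only unique per machine.
    ev(4663, "SRV02", SubjectLogonId="0x3e7a1", ObjectName=r"E:\HR\reviews.docx", ProcessName=PS),
]

def parse(xml_text):
    """Flatten one event into a dict of its EventData fields plus EventID/Computer."""
    root = ET.fromstring(xml_text)
    rec = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    rec["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    rec["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return rec

def correlate(events):
    """Attribute each file access (4663) to the tracked logon session (4624) behind it."""
    sessions, hits = {}, []
    for rec in map(parse, events):
        key = (rec["Computer"], rec.get("TargetLogonId") or rec.get("SubjectLogonId"))
        if rec["EventID"] == "4624" and rec.get("LogonType") in LOGON_TYPES:
            sessions[key] = rec
        elif rec["EventID"] == "4663" and key in sessions:
            s = sessions[key]
            hits.append((rec["Computer"], s["TargetUserName"], LOGON_TYPES[s["LogonType"]],
                         rec["ObjectName"], rec["ProcessName"].rsplit("\\", 1)[-1]))
    return hits

if __name__ == "__main__":
    for hit in correlate(SAMPLE):
        print(hit)
```

Events must be fed in time order so that each 4624 is seen before the accesses made in its session.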

  • Is this still a valid issue? I'm trying to investigate changes to a group which doesn't seem to have create events in CA.