Attackers live in PowerShell. Your incident response team will be blind without proper logging. This is how you catch them before they pivot from initial access to full compromise.
Every major attack I’ve investigated involved PowerShell. Empire, Cobalt Strike, PowerSploit – these tools abuse PowerShell for execution, data exfiltration, and lateral movement. Without script block logging, all you get is a process-creation event showing powershell.exe with a base64 blob on the command line, and the actual code is gone.
The critical piece here is capturing the decoded content. Obfuscation and encoding are standard attacker tactics, but they have to be undone before PowerShell can run the code. Script Block Logging records each script block as the engine compiles it, so Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log holds the commands that actually executed, not the encoded launcher. It’s a basic control, yet shockingly, many organizations still miss it.
Here’s how to enable it:
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
If you’re not doing this, you’re giving attackers a free pass. Implement this today. Two caveats: the setting covers Windows PowerShell 5.x only, so remove the PowerShell 2.0 engine (an attacker who can run powershell.exe -Version 2 on a host that still has it bypasses this logging entirely), and PowerShell 7 reads its own policy key under HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore.
The fix
# GPO: Computer Configuration → Administrative Templates →
# Windows Components → Windows PowerShell
# → "Turn on PowerShell Script Block Logging" = Enabled
# Registry:
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
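The following is an added example, not code from the original post: it applies the policy for both Windows PowerShell 5.x and PowerShell 7, then verifies the control end to end by launching an encoded command (the way most PowerShell launchers look on the command line) and reading the decoded text back out of Event ID 4104. The SBL-TEST marker payload is constructed for this test and is harmless. Run it from an elevated prompt.

```powershell
# Added example: enable Script Block Logging and prove that 4104 captures
# the decoded content of an encoded command. Not part of the original post.
# Requires Windows PowerShell 5.0+ (or PowerShell 7) and an elevated session.

$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging',  # Windows PowerShell 5.x
    'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore\ScriptBlockLogging'       # PowerShell 7 (pwsh)
)

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
    # Leave invocation logging (4105/4106 start/stop events) off: very noisy, little detection value.
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockInvocationLogging' -Value 0 -Type DWord
}

# Verify the policy landed before testing.
foreach ($key in $policyKeys) {
    $v = (Get-ItemProperty -Path $key).EnableScriptBlockLogging
    '{0,-75} EnableScriptBlockLogging={1}' -f $key, $v
}

# Constructed test payload: a random marker inside an -EncodedCommand launcher.
# Process-creation events (4688 / Sysmon 1) only ever see the base64 string.
$marker = "SBL-TEST-$(Get-Random)"
$plain  = "Write-Output '$marker'"
$enc    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($plain))
Start-Process -FilePath 'powershell.exe' -ArgumentList '-NoProfile', '-EncodedCommand', $enc -Wait -WindowStyle Hidden

# Pull the decoded ScriptBlockText back out of recent 4104 events and look for the marker.
Start-Sleep -Seconds 2
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $text = ($xml.Event.EventData.Data | Where-Object Name -eq 'ScriptBlockText').'#text'
    if ($text -like "*$marker*") {
        [pscustomobject]@{
            TimeCreated     = $e.TimeCreated
            # Verbose when logged because of the policy; Warning when PowerShell
            # auto-flagged the block as suspicious (that happens even with logging off).
            Level           = $e.LevelDisplayName
            ScriptBlockText = $text
        }
    }
}

if ($hits) {
    'Script Block Logging is working; decoded content captured:'
    $hits | Format-List
} else {
    Write-Warning 'No 4104 event contained the marker. Check that the Operational log is enabled and PowerShell 5.0+ is in use.'
}
```

The decoded Write-Output line, not the base64 blob, is what lands in ScriptBlockText; that is the whole value of the control. To close the downgrade hole mentioned above, remove the 2.0 engine on workstations with Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root (Uninstall-WindowsFeature PowerShell-V2 on servers), and alert on Windows PowerShell log Event ID 400 with EngineVersion=2.0 until it is gone everywhere.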
Reference: CIS Windows Server Benchmark 18.9.100