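id: powershell-script-block-logging-disabled

info:
  name: PowerShell Script Block Logging Disabled
  author: JeonSungHyun[nukunga]
  severity: medium
  description: |
    Checks if PowerShell script block logging is disabled.
    Without logging, detecting malicious PowerShell usage is difficult.
  impact: |
    Potential stealthy PowerShell attacks without detection in event logs.
  remediation: |
    Enable PowerShell script block logging in Group Policy or Registry.
  tags: windows,powershell,logging,audit

# Runs locally on the scanning host (no target URL); the finding describes
# the machine nuclei itself is executing on.
self-contained: true

code:
  # JavaScript pre-condition: the script is only executed on Windows hosts.
  - pre-condition: |
      IsWindows();

    engine:
      - powershell
      - powershell.exe
    # Bypass applies to this child process only; it lets the generated
    # *.ps1 run even when the host execution policy would otherwise block
    # unsigned scripts. It does not change the host's persistent policy.
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      # Machine-scope Group Policy key read by Windows PowerShell; the value
      # is a DWORD where 1 means script block logging is turned on.
      # NOTE(review): the user-scope policy key
      # (HKCU:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging)
      # and the PowerShell 7 key
      # (HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore\ScriptBlockLogging)
      # are not consulted, so a host configured only there is still reported
      # as disabled -- confirm the intended scope before treating the finding
      # as final.
      $regPath = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
      # -ErrorAction SilentlyContinue turns a missing key or missing value into
      # $null instead of a terminating error; because $null -ne 1 is $true,
      # "not configured" and an explicit 0 both take the "disabled" branch.
      $logValue = (Get-ItemProperty -Path $regPath -Name "EnableScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging

      if ($logValue -ne 1) {
        Write-Output "PowerShell Script Block Logging is disabled!"
        # Surface the raw value so triage can tell "not configured" (empty)
        # from an explicit 0 without re-querying the host. The word matcher
        # below still matches on the line above.
        Write-Output "Observed EnableScriptBlockLogging value: '$logValue'"
      }

    matchers:
      - type: word
        words:
          - "PowerShell Script Block Logging is disabled!"
# NOTE(review): the digest below was computed for the original template text;
# after editing this file re-sign it (nuclei -sign) so the digest matches again.
# digest: 4a0a00473045022055382ca7afff9e722580973437588aad012d5f7da9cf97cd496391f5041ad5fb022100e95a52d0c7a66fa06363ce40d04423f371078fb03158c7f659c2ca12d7123a34:6107285756468496532c649643fc40fb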