What gets audited for remote PowerShell commands and scripts

For cases where someone runs individual PowerShell cmdlets, the audit trail event captures the following details:

  • Specific cmdlets that were run

  • Arguments

  • Return codes

  • User who ran the cmdlets

  • The timestamp when the user ran the cmdlets

For cases where someone runs a PowerShell script, the audit trail event also captures the name of the script, and if the script was run remotely it captures the contents of the script as well. If the script is very long, the audit trail truncates it and adds an ellipsis (...).

Note: If the user runs a PowerShell script on the target system from that same system, the audit trail event does NOT capture the contents of the script. This is due to a limitation in Windows Remote Management. The rule to remember is: if you send script text to a remote system, the audit trail captures the script text; if you send only a script filename, the filename is what the audit trail captures.

Examples of remote PowerShell commands

For example, if a user runs individual PowerShell commands on a remote system, they would start the session with a command similar to the following:

Enter-PSSession -ComputerName targetcomputername

The audit trail event captures details about any commands that the user enters during the above PowerShell session.

As another example, if a user runs a script against a remote target system from another system without first creating the remote session, the user might run a command similar to the following:

Invoke-Command -ComputerName targetcomputername -FilePath c:\script.ps1

In this second example, you can tell that the user ran a script because the audit trail entry contains an isscript=true parameter.

As a final example, if a user runs a script that resides on the target system, again without first creating the remote session, the user might run a command similar to the following:

Invoke-Command -ComputerName targetcomputername -Command {c:\script.ps1}

Hiding the remote PowerShell script text

There may be situations where your users have scripts to run on remote systems but you don't want or need the script text to appear in the audit log. To hide the script text from the audit log, change the following registry value to 1 (the default is 0):

SOFTWARE\Policies\Centrify\DirectAuthorize\Agent\HideRemotePsScript (REG_DWORD)

You can set the HideRemotePsScript option by group policy.
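The following is an added example (not part of the Centrify documentation) for checking, and if needed changing, the HideRemotePsScript value so you can confirm whether remote script text is still being written to the audit trail. It assumes the policy key lives under the HKLM hive and that a missing key or value behaves as the documented default of 0.

```powershell
# Added example: inspect or set the Centrify HideRemotePsScript policy value.
# Assumptions (not stated on the page): the key is under HKLM, and a missing
# key or value is treated as the documented default of 0 (script text audited).
$script:AgentPolicyKey = 'HKLM:\SOFTWARE\Policies\Centrify\DirectAuthorize\Agent'

function Get-HideRemotePsScript {
    # Returns the effective value (0 or 1) and what it means for the audit trail.
    $value = 0
    $prop = Get-ItemProperty -Path $script:AgentPolicyKey -Name HideRemotePsScript `
        -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $value = [int]$prop.HideRemotePsScript }
    [pscustomobject]@{
        Key                     = $script:AgentPolicyKey
        HideRemotePsScript      = $value
        RemoteScriptTextAudited = ($value -eq 0)
    }
}

function Set-HideRemotePsScript {
    # Writes the REG_DWORD; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if ($PSCmdlet.ShouldProcess($script:AgentPolicyKey, "Set HideRemotePsScript = $Value")) {
        # Create the policy key if group policy has not created it yet.
        if (-not (Test-Path $script:AgentPolicyKey)) {
            New-Item -Path $script:AgentPolicyKey -Force | Out-Null
        }
        Set-ItemProperty -Path $script:AgentPolicyKey -Name HideRemotePsScript `
            -Value $Value -Type DWord
    }
}

# Report the current setting on this agent.
Get-HideRemotePsScript
```

Run Set-HideRemotePsScript -Value 1 -WhatIf to preview the change; a value set by group policy will be reapplied at the next policy refresh, so make the change in the GPO rather than only in the local registry.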