What are some reasons why you’d want to monitor PowerShell activity in an environment?

Following up on the discussion of SIEM and event logs in section 12, I want to introduce you to a free utility that has become a central component in the security program at my organization — Sysmon. For those of you who have never had the opportunity to use Sysmon, take a look at the official product page (with documentation) at https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon. Among its many amazing capabilities, Sysmon provides the capability to capture and log PowerShell activities on a monitored system (a great resource about this capability is the writeup at https://adamtheautomator.com/powershell-logging-2/). Using Winlogbeat as discussed on TestOut, you could log this activity to an Elastic-based SIEM product very easily. (If you were able to implement the Elastic Cloud we created in the supplemental materials last week, you can practice ingesting Sysmon data into your tenant. I’ll post some instructions a bit later this week with notes on how to set this up for anyone who would like to follow along.)
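To make the "why monitor it" question concrete, here is an added example (my own illustration, not code from Sysmon, Winlogbeat or the post) that parses Sysmon Event ID 1 process-creation records and flags the PowerShell launch patterns a SIEM detection rule would typically alert on. The events are constructed samples in Sysmon's XML layout, and the rule names and the base64 placeholder are invented for the example.

```python
"""Flag risky PowerShell launches in Sysmon Event ID 1 (process creation) records.

Hypothetical example: the events below are constructed samples, not real telemetry.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
POWERSHELL = ("powershell.exe", "pwsh.exe")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe")
# Rule name -> case-insensitive pattern over the CommandLine field. The -e/-enc
# forms are the abbreviations PowerShell accepts for -EncodedCommand.
RULES = [
    ("encoded_command", re.compile(r"(?i)\s-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}")),
    ("hidden_window", re.compile(r"(?i)\s-w(indowstyle)?\s+hidden")),
    ("policy_bypass", re.compile(r"(?i)\s-ex(ecutionpolicy)?\s+bypass")),
    ("download_cradle", re.compile(r"(?i)(downloadstring|downloadfile|\biex\b|invoke-expression)")),
]

def parse_event(xml_text):
    """Return {"EventID": int, <Data Name>: value, ...} for one Sysmon event."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for d in root.iterfind("e:EventData/e:Data", NS):
        fields[d.get("Name")] = d.text or ""
    return fields

def findings(fields):
    """Rule names that fire for one event; empty list if nothing looks suspicious."""
    if fields.get("EventID") != 1 or not fields.get("Image", "").lower().endswith(POWERSHELL):
        return []
    hits = [name for name, rx in RULES if rx.search(fields.get("CommandLine", ""))]
    if fields.get("ParentImage", "").lower().endswith(OFFICE_PARENTS):
        hits.append("office_parent")  # Office spawning a shell is a classic macro pattern
    return hits

def scan(xml_events):
    """Map event index -> fired rules, keeping only events with at least one finding."""
    return {i: findings(parse_event(ev)) for i, ev in enumerate(xml_events) if findings(parse_event(ev))}

def _sysmon_event(event_id, **data):
    """Build a constructed Sysmon-style event string (sample data for this example)."""
    body = "".join(f'<Data Name="{k}">{escape(str(v))}</Data>' for k, v in data.items())
    return f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System><EventData>{body}</EventData></Event>'

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed: hidden, encoded launch from Word; a benign scheduled script; a network event
    _sysmon_event(1, Image=PS_IMAGE, CommandLine="powershell.exe -NoP -W Hidden -Enc " + "QUFB" * 6,
                  ParentImage=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    _sysmon_event(1, Image=PS_IMAGE, CommandLine=r"powershell.exe -File C:\Scripts\nightly-backup.ps1",
                  ParentImage=r"C:\Windows\System32\svchost.exe"),
    _sysmon_event(3, Image=PS_IMAGE, DestinationIp="203.0.113.10"),
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # → {0: ['encoded_command', 'hidden_window', 'office_parent']}
```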