Dan :dumpster_fire:<p>Got <a href="https://infosec.exchange/tags/PowerShell" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PowerShell</span></a> 7 and not seeing event logs in your triage? N.B. for PowerShell 7: Windows PowerShell logs events to "Microsoft-Windows-PowerShell/Operational", but PowerShell 7 now logs events to "PowerShellCore/Operational." Detailed (e.g., Script Block) logging is NOT enabled by default.</p><p>PowerShell 7 includes Group Policy templates and an installation script in $PSHOME. Specifically, you can use the "RegisterManifest.ps1" and "InstallPSCorePolicyDefinitions.ps1" scripts in the PS7 installation directory to enable logging.</p><p>Also, ISE doesn't support PS7 :( --> but there is an official Visual Studio Code extension that does, and it even has an "ISE Mode."</p><p>H/T Nasreddine Bencherchali ( @nas_bench@twitter.com ): <a href="https://twitter.com/nas_bench/status/1616211194934882304" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">twitter.com/nas_bench/status/1</span><span class="invisible">616211194934882304</span></a></p><p>I also consulted <a href="https://learn.microsoft.com/en-us/powershell/scripting/whats-new/migrating-from-windows-powershell-51-to-powershell-7?view=powershell-7.3" rel="nofollow noopener noreferrer" target="_blank"><span class="invisible">https://</span><span class="ellipsis">learn.microsoft.com/en-us/powe</span><span class="invisible">rshell/scripting/whats-new/migrating-from-windows-powershell-51-to-powershell-7?view=powershell-7.3</span></a></p><p><a href="https://infosec.exchange/tags/PowerShell7" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PowerShell7</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/eventlogs"
class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eventlogs</span></a> <a href="https://infosec.exchange/tags/logging" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>logging</span></a> <a href="https://infosec.exchange/tags/artifacts" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>artifacts</span></a></p>
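<p>Added example, not part of the original post: a PowerShell triage check that reports, for each engine, whether its Operational channel exists on the host and whether Script Block Logging is switched on by policy. The policy registry paths and event ID 4104 do not appear in the post; they are assumed here from Microsoft's documented logging settings, and only machine-wide (HKLM) policy is inspected.</p>

```powershell
# Run from an elevated prompt on the host being triaged.
# Assumption: the policy keys and event ID 4104 below come from Microsoft's
# logging documentation, not from the post above.
$engines = @(
    @{ Name = 'Windows PowerShell 5.1'
       Log  = 'Microsoft-Windows-PowerShell/Operational'
       Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' },
    @{ Name = 'PowerShell 7'
       Log  = 'PowerShellCore/Operational'
       Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore\ScriptBlockLogging' }
)

$report = foreach ($e in $engines) {
    # The channel is missing until the provider manifest is registered
    # (for PowerShell 7: RegisterManifest.ps1 in $PSHOME).
    $log = Get-WinEvent -ListLog $e.Log -ErrorAction SilentlyContinue

    # 1 = Script Block Logging enabled by machine policy; empty = not configured.
    $policy = (Get-ItemProperty -Path $e.Key -ErrorAction SilentlyContinue).EnableScriptBlockLogging

    # Newest script block event, if any were ever written to this channel.
    $last = $null
    if ($log) {
        $last = Get-WinEvent -FilterHashtable @{ LogName = $e.Log; Id = 4104 } `
                    -MaxEvents 1 -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        Engine             = $e.Name
        Channel            = $e.Log
        ChannelRegistered  = [bool]$log
        ChannelEnabled     = [bool]($log -and $log.IsEnabled)
        RecordCount        = if ($log) { $log.RecordCount } else { 0 }
        ScriptBlockPolicy  = ($policy -eq 1)
        LastScriptBlockLog = if ($last) { $last.TimeCreated } else { $null }
    }
}

$report | Format-Table -AutoSize

# Flag the gap described in the post: PowerShell 7 is installed but its
# activity would not show up in the channel most triage tooling collects.
if ((Get-Command pwsh -ErrorAction SilentlyContinue) -and
    -not ($report | Where-Object { $_.Channel -eq 'PowerShellCore/Operational' }).ScriptBlockPolicy) {
    Write-Warning 'pwsh is present but Script Block Logging is not enabled for PowerShell 7.'
}
```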