Overview

The PowerShell command enumerates PowerShell installation details and security configuration. This includes installed PowerShell versions, execution policies, transcription settings, script block logging, and module logging, which together determine how much visibility a defender has into PowerShell activity on the host.

Syntax

Seatbelt.exe PowerShell

Remote Execution

Seatbelt.exe PowerShell -computername=TARGET.domain.com [-username=DOMAIN\user -password=pass]

Output

Returns PowerShell configuration:
  • PowerShell versions (v2.0, v5.x, v7.x)
  • Execution policy settings
  • Transcription configuration
  • Script block logging status
  • Module logging settings
  • CLR versions

Use Cases

Applies to: Red Team, Blue Team

  • Determine PowerShell logging capabilities
  • Check if script block logging is enabled
  • Identify execution policy restrictions
  • Assess PowerShell v2 availability (downgrade attacks)
  • Plan obfuscation requirements

Example Output

====== PowerShell ======

Installed CLR Versions:
  2.0.50727
  4.0.30319

Installed PowerShell Versions:
  2.0
  5.1.19041.1

PowerShell v2 Support:
  Enabled: True [!]

PowerShell Security Settings:
  Transcription:
    EnableTranscripting          : 1
    OutputDirectory              : C:\PSTranscripts\
    EnableInvocationHeader       : 1

  Script Block Logging:
    EnableScriptBlockLogging     : 1
    EnableScriptBlockInvocationLogging : 1

  Module Logging:
    EnableModuleLogging          : 1
    ModuleNames                  : Microsoft.PowerShell.*, Microsoft.WSMan.Management

Execution Policy:
  LocalMachine                   : RemoteSigned
  CurrentUser                    : Undefined
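
To audit the same settings on a host you administer without running Seatbelt, the following PowerShell script (an added example, not Seatbelt's own code) reads the standard Group Policy registry locations for transcription, script block logging and module logging, checks whether the v2 engine feature is present, lists the execution policy per scope, and warns on the settings shown in the output above that weaken detection. It assumes an elevated session on Windows 8 / Server 2012 or later, where Get-WindowsOptionalFeature is available.

```powershell
# Added example (not Seatbelt's code): audit PowerShell logging settings locally.
# Assumes an elevated session; the policy root below is the standard GPO location.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $item = Get-ItemProperty -Path (Join-Path $policyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: setting not configured
    return $item.$Name
}

$findings = [ordered]@{}

# Transcription writes a text record of every session to OutputDirectory
$findings['Transcription']  = Get-PolicyValue 'Transcription' 'EnableTranscripting'
$findings['TranscriptDir']  = Get-PolicyValue 'Transcription' 'OutputDirectory'

# Script block logging produces event ID 4104 in Microsoft-Windows-PowerShell/Operational
$findings['ScriptBlockLogging'] = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'

# Module logging produces event ID 4103; ModuleNames is a subkey whose value names are the patterns
$findings['ModuleLogging'] = Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging'
$moduleNamesKey = Join-Path $policyRoot 'ModuleLogging\ModuleNames'
$findings['ModuleNames'] = if (Test-Path $moduleNamesKey) {
    (Get-Item $moduleNamesKey).GetValueNames() -join ', '
} else { $null }

# The v2 engine predates script block logging, so an enabled v2 feature is a logging gap
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
$findings['PowerShellV2'] = if ($v2) { [string]$v2.State } else { 'NotPresent' }

# Execution policy per scope (a guard against accidental execution, not a security boundary)
$findings['ExecutionPolicy'] = (Get-ExecutionPolicy -List |
    ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '

$findings

# Warn on anything a detection engineer would want corrected
if ($findings['ScriptBlockLogging'] -ne 1) { Write-Warning 'Script block logging (event 4104) is not enabled' }
if ($findings['ModuleLogging'] -ne 1)      { Write-Warning 'Module logging (event 4103) is not enabled' }
if ($findings['Transcription'] -ne 1)      { Write-Warning 'Transcription is not enabled' }
if ($findings['PowerShellV2'] -eq 'Enabled') {
    Write-Warning 'PowerShell v2 engine is enabled; disable the feature to close the logging downgrade gap'
}
```

Values that show as empty in the table have no policy configured at all, which is distinct from an explicit 0; both should be treated as "logging off" when baselining hosts.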

Remote Execution

This command supports remote execution using the -computername parameter.

Detection Considerations

Low detection risk: the command only reads PowerShell configuration values from the registry.