@gfoss
Last active August 4, 2023 18:02
Detect and alert on nefarious PowerShell command line activity
# PowerShell Audit Logging for LogRhythm SIEM - 2015
# For detecting dangerous PowerShell Commands/Functions
Log Source Type:
MS Event Log for Win7/Win8/2008/2012 - PowerShell
Add the following lines to profile.ps1 in your PowerShell profile directory to enable verbose command line audit logging
profile.ps1
# Log errors and exceptions raised while commands are initialised and processed
$LogCommandHealthEvent = $true
# Log the start and stop of every command and pipeline (this is what produces the command line events parsed below)
$LogCommandLifeCycleEvent = $true
RegEx : Parse PowerShell Commands
.*?eventid.*?>(?<vmid>\d+)<.*?<level>(?<severity>.*?)</level>.*?Computer>(?<dname>.*?)</computer>.*?Command\s(?<object>.*?)\s(.*?\n)+?\s+CommandLine=(?<command>.*?)</EventData>
List : Dangerous Commands
Set-ExecutionPolicy
Mimikatz
EncodedCommand
Payload
Find-AVSignature
DllInjection
ReflectivePEInjection
Invoke-Shellcode
Invoke--Shellcode
Invoke-ShellcodeMSIL
Get-GPPPassword
Get-Keystrokes
Get-TimedScreenshot
Get-VaultCredential
Invoke-CredentialInjection
Invoke-NinjaCopy
Invoke-TokenManipulation
Out-Minidump
Set-MasterBootRecord
New-ElevatedPersistenceOption
Invoke-CallbackIEX
Invoke-PSInject
Invoke-DllEncode
Get-ServiceUnquoted
Get-ServiceEXEPerms
Get-ServicePerms
Invoke-ServiceUserAdd
Invoke-ServiceCMD
Write-UserAddServiceBinary
Write-CMDServiceBinary
Write-UserAddMSI
Write-ServiceEXE
Write-ServiceEXECMD
Restore-ServiceEXE
Invoke-ServiceStart
Invoke-ServiceStop
Invoke-ServiceEnable
Invoke-ServiceDisable
Invoke-FindDLLHijack
Invoke-FindPathHijack
Get-RegAlwaysInstallElevated
Get-RegAutoLogon
Get-UnattendedInstallFiles
Get-Webconfig
Get-ApplicationHost
Invoke-AllChecks
Invoke-MassCommand
Invoke-MassMimikatz
Invoke-MassSearch
Invoke-MassTemplate
Invoke-MassTokens
HTTP-Backdoor
Add-ScrnSaveBackdoor
Gupt-Backdoor
Invoke-ADSBackdoor
Execute-OnTime
DNS_TXT_Pwnage
Out-Word
Out-Excel
Out-Java
Out-Shortcut
Out-CHM
Out-HTA
Enable-DuplicateToken
Remove-Update
Execute-DNSTXT-Code
Download-Execute-PS
Execute-Command-MSSQL
Download_Execute
Get-PassHashes
Invoke-CredentialsPhish
Get-LsaSecret
Get-Information
Invoke-MimikatzWDigestDowngrade
Copy-VSS
Check-VM
Invoke-NetworkRelay
Create-MultipleSessions
Run-EXEonRemote
Invoke-BruteForce
Port-Scan
Invoke-PowerShellIcmp
Invoke-PowerShellUdp
Invoke-PsGcatAgent
Invoke-PoshRatHttps
Invoke-PowerShellTcp
Invoke-PoshRatHttp
Invoke-PowerShellWmi
Invoke-PSGcat
Remove-PoshRat
TexttoEXE
Invoke-Encode
Invoke-Decode
Base64ToString
StringtoBase64
Do-Exfiltration
Parse_Keys
Add-Exfiltration
Add-Persistence
Remove-Persistence
Invoke-CreateCertificate
powercat
Find-PSServiceAccounts
Get-PSADForestKRBTGTInfo
Discover-PSMSSQLServers
Discover-PSMSExchangeServers
Get-PSADForestInfo
Get-KerberosPolicy
Discover-PSInterestingServices
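Added example, not part of the gist: a small Python checker that parses an event record with a port of the regex above and compares the extracted command line against the dangerous-commands list. Python spells named groups `(?P<name>...)`, so the regex is rewritten that way and run case-insensitively to absorb the `Computer`/`computer` mix. The event record layout, host name and user are constructed so that the gist's regex parses them; a real LogRhythm-rendered event may lay the fields out differently. The list is a subset of the one above (the full list drops in the same way), and the decoding of `-EncodedCommand` values (base64 of UTF-16LE text) so that the decoded text is checked against the list too is an addition of this example, not something the gist does.

```python
"""Added example (not from the gist): parse a PowerShell event record and flag dangerous commands."""
import base64
import re

# Port of the gist's LogRhythm regex: (?<name>) becomes (?P<name>), IGNORECASE covers
# the Computer/computer case mix. DOTALL is deliberately left off: as in the original,
# ".*?" stays on one line and the explicit (.*?\n)+? group walks down to CommandLine=.
EVENT_RE = re.compile(
    r".*?eventid.*?>(?P<vmid>\d+)<.*?<level>(?P<severity>.*?)</level>"
    r".*?Computer>(?P<dname>.*?)</computer>.*?Command\s(?P<object>.*?)\s"
    r"(.*?\n)+?\s+CommandLine=(?P<command>.*?)</EventData>",
    re.IGNORECASE,
)

# Subset of the gist's "Dangerous Commands" list; matching is case-insensitive substring,
# so "Mimikatz" also catches Invoke-Mimikatz and Invoke-MassMimikatz.
DANGEROUS = [
    "Set-ExecutionPolicy", "Mimikatz", "EncodedCommand", "Invoke-Shellcode",
    "Get-GPPPassword", "Get-Keystrokes", "Invoke-TokenManipulation", "Out-Minidump",
    "Invoke-NinjaCopy", "Get-PassHashes", "Get-LsaSecret", "powercat",
]

# -EncodedCommand carries base64 of the UTF-16LE script text.
ENCODED_RE = re.compile(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def make_record(host, command_name, command_line):
    """Build a constructed event record shaped the way the gist's regex expects (hypothetical layout)."""
    return (
        "<Event><System><EventID>800</EventID><Level>4</Level>"
        f"<Computer>{host}</Computer></System>"
        f"<EventData>Pipeline execution details for Command {command_name}\n"
        "    SequenceNumber=22\n"
        "    UserId=CORP\\alice\n"
        f"    CommandName={command_name}\n"
        f"    CommandLine={command_line}</EventData></Event>"
    )


def decode_encoded(command_line):
    """Return the decoded -EncodedCommand text, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(record):
    """Parse one record; return the regex fields plus the sorted list of dangerous-command hits."""
    m = EVENT_RE.search(record)
    if not m:
        return None
    fields = {k: m.group(k) for k in ("vmid", "severity", "dname", "object", "command")}
    texts = [fields["command"]]
    decoded = decode_encoded(fields["command"])
    if decoded is not None:
        fields["decoded"] = decoded
        texts.append(decoded)  # check the decoded script text as well as the raw command line
    fields["hits"] = sorted({n for n in DANGEROUS for t in texts if n.lower() in t.lower()})
    return fields


# Constructed sample records (not real events).
RECORD_PLAIN = make_record("WS01.corp.example", "Set-ExecutionPolicy",
                           "Set-ExecutionPolicy Bypass -Scope Process")
_ENC = base64.b64encode(
    "Set-ExecutionPolicy Bypass -Scope Process; Get-Date".encode("utf-16-le")).decode()
RECORD_ENCODED = make_record("WS02.corp.example", "powershell.exe",
                             f"powershell.exe -EncodedCommand {_ENC}")
RECORD_BENIGN = make_record("WS03.corp.example", "Get-ChildItem", "Get-ChildItem C:\\Temp")

if __name__ == "__main__":
    for rec in (RECORD_PLAIN, RECORD_ENCODED, RECORD_BENIGN):
        r = analyse(rec)
        print(r["dname"], r["object"], "->", r["hits"] or "clean")
```

Substring matching is what makes short list entries such as `Payload` or `Get-Information` noisy in production; the decoded-text check is what keeps a list entry from being hidden inside an encoded command line that the raw match would only flag as `EncodedCommand`.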