# Lab_02_On_Linux.ps1 -- a step-by-step lab meant to be run one line at a time,
# not as a whole script. Lines between a `pwsh` and its matching `exit` are
# typed inside PowerShell; the other lines are typed at the Linux shell.
# Placeholders in CAPITALS (USE_DATE_DIRECTORY_HERE, PASTED_TXT_FILE_NAME,
# KEYWORD_HERE) are replaced with values observed on the lab machine.
# The leading `break` presumably stops the script if the whole file is
# executed by accident (e.g. F5 in an editor), so nothing below runs unintended.
break
# Lab 02 - PowerShell Policies in Core
## Objective
## Background
## Overview
## Exercise 2.1 - Implement logging settings
### 2.1.1 Get connected
# Start PowerShell (Core) and confirm which version is running.
pwsh
$PSVersionTable
### 2.1.2 PSReadLine
# Inspect the PSReadLine module; its options include HistorySavePath, the
# command-history file examined again in 2.3.1.
Get-Module
Get-Command -Module PSReadLine
Get-PSReadLineOption
### 2.1.3 PowerShell policies JSON
# Policy settings for PowerShell Core live in a JSON file in $PSHOME. The lab
# ships a prepared copy (powershell.config.lab.json); its contents are shown
# in the region below and set:
#   - ExecutionPolicy RemoteSigned
#   - ScriptBlockLogging on, ScriptBlockInvocationLogging off
#   - ModuleLogging off (the "*" ModuleNames entry is presumably inert while
#     EnableModuleLogging is false)
#   - Transcription on, with an invocation header, written under
#     /var/tmp/pstranscripts/
#   - LogLevel verbose
# NOTE(review): /var/tmp is a shared, normally world-writable location, and a
# transcript records what was typed and what it printed (2.3.3 reads and greps
# them as plain text). Check ownership and permissions of the transcript
# directory before treating its contents as an evidence source.
cd $pshome
dir *.json
cat powershell.config.lab.json
#region
{
"Microsoft.PowerShell:ExecutionPolicy": "RemoteSigned",
"PowerShellPolicies": {
"ScriptBlockLogging": {
"EnableScriptBlockInvocationLogging": false,
"EnableScriptBlockLogging": true
},
"ModuleLogging": {
"EnableModuleLogging": false,
"ModuleNames": [
"*"
]
},
"Transcription": {
"EnableTranscripting": true,
"EnableInvocationHeader": true,
"OutputDirectory": "/var/tmp/pstranscripts/"
}
},
"LogLevel": "verbose"
}
#endregion
# Activate the lab policy by replacing the live config. This overwrites any
# existing powershell.config.json without a backup; copy the original aside
# first if it will need to be restored after the lab.
sudo cp ./powershell.config.lab.json ./powershell.config.json
dir *.json
## Exercise 2.2 - Generate PowerShell activity
### 2.2.1 Generate PowerShell activity
# Leave and restart pwsh so the new config takes effect (presumably it is read
# at startup), then run a few harmless commands that should now appear in the
# command history, the syslog and a transcript.
exit
pwsh
"Hello, world."
$env:PSModulePath
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5
# ts1 appears to be a lab host name; substitute a host reachable from your
# machine if it differs.
Test-Connection ts1
exit
## Exercise 2.3 - Find PowerShell activity in the logs
### 2.3.1 PSReadLine
# PSReadLine keeps a per-user command-history file. Ask PowerShell for its
# location, then read it from inside pwsh and again from the Linux shell.
# Everything typed at the prompt lands in this file, which makes it a useful
# review artifact and a file whose permissions are worth checking.
pwsh
(Get-PSReadLineOption).HistorySavePath
cat (Get-PSReadLineOption).HistorySavePath
# Example output of the command above on the lab machine (a path, not a
# command to type); the home directory will differ elsewhere.
/home/user/.local/share/powershell/PSReadLine/ConsoleHost_history.txt
exit
cat /home/user/.local/share/powershell/PSReadLine/ConsoleHost_history.txt
### 2.3.2 Script block logging
# On this system the script block log events are written to syslog; search
# /var/log/messages for the powershell tag.
cd /var/log
sudo grep powershell messages
# Shape of the matching lines (an example, not a command): timestamp, host,
# the powershell tag with its PID, then a (COMMITID:TID:CID) prefix. See the
# lab text for what each of those fields means.
TIMESTAMP MACHINENAME powershell[PID]: (COMMITID:TID:CID)
# Follow the log live. tail -f blocks, so the pwsh commands that follow are
# presumably run from a second terminal while the events arrive here.
sudo tail -f messages
pwsh
Get-Process
dir
### 2.3.3 Transcripts
# Transcripts appear to be grouped into per-date directories under the
# OutputDirectory configured in 2.1.3. List them, pick the date directory and
# a transcript file, read it, then search all transcripts for a word that
# appeared in the 2.2.1 session.
ls -lR /var/tmp/pstranscripts
cd /var/tmp/pstranscripts
ls
cd USE_DATE_DIRECTORY_HERE
ls -l
# The parenthetical on the next line is a hint for the reader, not part of
# the command to type.
nano PASTED_TXT_FILE_NAME (Use PgUp/PgDn to view the file and CTRL-X to exit.)
cat PASTED_TXT_FILE_NAME
cd /var/tmp/pstranscripts
# No path argument: with GNU grep, -R searches the current directory, i.e. the
# whole transcript tree.
grep -iR KEYWORD_HERE
## 2.4 Considerations for PowerShell Core logging