Merge pull request #836 from AndrewRathbun/master

Create PowerShellTranscripts.tkape

Targets/Windows/PowerShellTranscripts.tkape

@@ -0,0 +1,34 @@
+Description: PowerShell Transcripts
+Author: Andrew Rathbun and Chad Tilbury
+Version: 1.0
+Id: 316cd490-7a40-4518-aade-1de070191f3d
+RecreateDirectories: true
+Targets:
+ -
+ Name: PowerShell Transcripts - Default Location
+ Category: PowerShellTranscripts
+ Path: C:\Users\%user%\Documents\20*\
+ FileMask: 'PowerShell_transcript.*.txt'
+ -
+ Name: PowerShell Transcripts - Observed Location
+ Category: PowerShellTranscripts
+ Path: C:\Windows\SysWOW64\*\
+ FileMask: 'PowerShell_transcript.*.txt'
+ -
+ Name: PowerShell Transcripts - Observed Location
+ Category: PowerShellTranscripts
+ Path: C:\Program Files\Amazon\Ec2ConfigService\Scripts\*\
+ FileMask: 'PowerShell_transcript.*.txt'
+ -
+ Name: PowerShell Transcripts - Observed Location
+ Category: PowerShellTranscripts
+ Path: C:\Windows\System32\*\
+ FileMask: 'PowerShell_transcript.*.txt'
+
+# Documentation
+# https://lazyadmin.nl/powershell/start-transcript/
+# https://www.stigviewer.com/stig/windows_10/2021-03-10/finding/V-230220
+# https://www.itprotoday.com/powershell/how-use-automatic-powershell-transcription
+# These logs appears when auditing is turned on via Group Policy or Start-Transcript is used during PowerShell execution
+# As more locations are observed, they will be added here
+# Example location (default): c:\users\name\documents\20220301\PowerShell_transcript.DEVICENAME.qp9EOTN2.20220301132612.txt