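        public override void FormatResult(CommandBase?command, CommandDTOBase result, bool filterResults)
        {
            var dto = (PowerShellDTO)result;

            // Null-tolerant views of the engine/CLR version lists. ModuleNames is already
            // treated as optional below; treat these the same way so a host whose registry
            // keys could not be read still gets the logging/AMSI facts printed.
            var installedVersions    = (dto.InstalledVersions    ?? Enumerable.Empty<string>()).ToList();
            var installedClrVersions = (dto.InstalledCLRVersions ?? Enumerable.Empty<string>()).ToList();

            // Min()/Max() over an empty sequence of a reference type return null, and
            // lowestVersion.Major would then throw half-way through the report, so the
            // bounds are only computed when at least one engine version was found.
            var parsedVersions = installedVersions.Select(v => GetVersionFromString(v)).ToList();
            var haveVersions   = parsedVersions.Count > 0;
            var lowestMajor    = haveVersions ? parsedVersions.Min().Major : 0;
            var highestMajor   = haveVersions ? parsedVersions.Max().Major : 0;

            // PowerShell v2 needs the 2.0.50727 CLR (.NET 2.0/3.5). If that CLR is absent the
            // v2 engine may still be registered but will not start, which turns every
            // "downgrade to bypass" hint below into a theoretical one.
            var clr2Present = installedClrVersions.Contains("2.0.50727");

            // Prints the downgrade hint when an engine older than requiredMajor is installed,
            // and qualifies it when that older engine cannot actually run. `target` is spliced
            // into the existing message text ("the logging" / "AMSI").
            void WriteDowngradeHint(int requiredMajor, string target)
            {
                if (!haveVersions || lowestMajor >= requiredMajor)
                {
                    return;
                }

                WriteLine("        [!] You can do a PowerShell version downgrade to bypass " + target + ".");

                if (lowestMajor < 3 && !clr2Present)
                {
                    WriteLine("            (CLR 2.0.50727 is missing, so the v2 engine will not start - verify before relying on this.)");
                }
            }

            WriteLine("\n  Installed CLR Versions");
            foreach (var v in installedClrVersions)
            {
                WriteLine("      " + v);
            }

            WriteLine("\n  Installed PowerShell Versions");
            foreach (var v in installedVersions)
            {
                WriteLine("      " + v);
                if (v == "2.0" && !clr2Present)
                {
                    WriteLine("        [!] Version 2.0.50727 of the CLR is not installed - PowerShell v2.0 won't be able to run.");
                }
            }

            WriteLine("\n  Transcription Logging Settings");
            WriteLine("      Enabled            : " + dto.TranscriptionLogging);
            WriteLine("      Invocation Logging : " + dto.TranscriptionInvocationLogging);
            WriteLine("      Log Directory      : " + dto.TranscriptionDirectory);

            WriteLine("\n  Module Logging Settings");
            WriteLine("      Enabled             : " + dto.ModuleLogging);
            WriteLine("      Logged Module Names :");
            if (dto.ModuleNames != null)
            {
                foreach (var m in dto.ModuleNames)
                {
                    WriteLine("          " + m);
                }
            }

            if (dto.ModuleLogging)
            {
                // Module logging is a PSv3+ feature: an older engine sidesteps it, and if no
                // installed engine reaches v3 the policy is configured but inert.
                WriteDowngradeHint(3, "the logging");

                if (haveVersions && highestMajor < 3)
                {
                    WriteLine("        [!] Module logging is configured. Logging will not occur, however, because it requires PSv3.");
                }
            }

            WriteLine("\n  Script Block Logging Settings");
            WriteLine("      Enabled            : " + dto.ScriptBlockLogging);
            WriteLine("      Invocation Logging : " + dto.ScriptBlockInvocationLogging);
            if (dto.ScriptBlockLogging)
            {
                // Same shape as module logging, but the feature needs PSv5.
                if (haveVersions && highestMajor < 5)
                {
                    WriteLine("        [!] Script block logging is configured. Logging will not occur, however, because it requires PSv5.");
                }

                WriteDowngradeHint(5, "the logging");
            }

            WriteLine("\n  Anti-Malware Scan Interface (AMSI)");
            WriteLine("      OS Supports AMSI: " + dto.OsSupportsAmsi);
            if (dto.OsSupportsAmsi)
            {
                // NOTE(review): this only fires when a v1/v2 engine is present (< 3). Engine
                // versions below v5 generally predate AMSI integration as well, so confirm
                // whether the intended threshold is 5 rather than 3.
                WriteDowngradeHint(3, "AMSI");
            }
        }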
        public override void FormatResult(CommandBase?command, CommandDTOBase result, bool filterResults)
        {
            // One row per hotfix: KB id, install time, description, installing account.
            var hotfix = (HotfixDTO)result;

            // InstalledOnUTC is optional; when present it is rendered in the *local* time of
            // the machine running the collector, with no zone suffix - keep that in mind when
            // correlating against other (UTC) log sources.
            var installedLocal = hotfix.InstalledOnUTC?.ToLocalTime();

            var row = string.Format("  {0,-10} {1,-22} {2,-30} {3}",
                hotfix.HotFixID, installedLocal, hotfix.Description, hotfix.InstalledBy);

            WriteLine(row);
        }
 // Children implement this method to customize the command's string output.
 // Implementations cast `results` to their own command's DTO type and emit the rows via
 // WriteLine; `command` is nullable and may be absent. NOTE(review): what `filterResults`
 // is meant to suppress is not visible here - the implementations shown ignore it, so
 // confirm its contract with the caller before relying on it.
 public abstract void FormatResult(CommandBase?command, CommandDTOBase results, bool filterResults);
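        public override void FormatResult(CommandBase?command, CommandDTOBase result, bool filterResults)
        {
            var dto = (ExplorerRecentFilesDTO)result;

            // The date is formatted with the invariant culture: under a host culture whose
            // default calendar is not Gregorian (e.g. th-TH), "yyyy" would otherwise print a
            // different year and silently skew any timeline built from this output.
            var lastAccess = dto.LastAccessDate.ToString("yyyy-MM-dd", System.Globalization.CultureInfo.InvariantCulture);

            // One row per recent-file entry: owning application, user, last access date, target path.
            WriteLine($"  {dto.Application}  {dto.User}  {lastAccess}  {dto.Target}");
        }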
        public override void FormatResult(CommandBase?command, CommandDTOBase result, bool filterResults)
        {
            // One row per matched process-creation event: time, user, matched value.
            var evt = (ProcessCreationEventDTO)result;

            // The event time is held as UTC but printed converted to the collector's local
            // zone with no offset shown; line it up with other log sources accordingly.
            var createdLocal = evt.TimeCreatedUtc?.ToLocalTime();
            var row = string.Format("  {0,-22}  {1,-30} {2}", createdLocal, evt.User, evt.Match);

            WriteLine(row);
        }