First, enable powershell and script logging:
https://logrhythm.com/blog/powershell-command-line-logging/
%.invoke%
%add-exfiltration%
%add-persistence%
%add-scrnsavebackdoor%
%add-type%
%base32%
%base64%
%base64tostring%
%bypass%
%check-vm%
%copy-vss%
%create-multiplesessions%
%disable-windowsoptionalfeature%
%discover-psinterestingservices%
%discover-psmsexchangeservers%
%discover-psmssqlservers%
%dllinjection%
%do-exfiltration%
%download-execute-ps%
%downloadfile%
%downloadstring%
%enable-duplicatetoken%
%enable-psremoting%
%-enc%
%encodedcommand%
%enter-pssession%
%execute-command-mssql%
%execute-dnstxt-code%
%execute-ontime%
%expand-archive%
%find-avsignature%
%find-psserviceaccounts%
%get-applicationhost%
%get-clipboardcontents%
%get-gpppassword%
%get-information%
%get-kerberospolicy%
%get-keystrokes%
%get-lsasecret%
%get-module%
%get-passhashes%
%getprocaddress%
%get-procaddress%
%get-psadforestinfo%
%get-psadforestkrbtgtinfo%
%get-regalwaysinstallelevated%
%get-regautologon%
%get-serviceexeperms%
%get-serviceperms%
%get-serviceunquoted%
%get-timedscreenshot%
%get-unattendedinstallfiles%
%get-vaultcredential%
%get-webconfig%
%get-wmiobject%
%gupt-backdoor%
%http-backdoor%
%icm%
%iex%
%install-module%
%invoke-adsbackdoor%
%invoke-allchecks%
%invoke-bruteforce%
%invoke-callbackiex%
%invoke-command%
%invoke-cradlecrafter%
%invoke-createcertificate%
%invoke-credentialinjection%
%invoke-credentialsphish%
%invoke-decode%
%invoke-dllencode%
%invoke-encode%
%invoke-expression%
%invoke-filefinder%
%invoke-finddllhijack%
%invoke-findpathhijack%
%invoke-masscommand%
%invoke-massmimikatz%
%invoke-masssearch%
%invoke-masstemplate%
%invoke-masstokens%
%invoke-mimikatzwdigestdowngrade%
%invoke-module%
%invoke-networkrelay%
%invoke-ninjacopy%
%invoke-obfuscation%
%invoke-poshrathttp%
%invoke-poshrathttps%
%invoke-powershellicmp%
%invoke-powershelltcp%
%invoke-powershelludp%
%invoke-powershellwmi%
%invoke-psgcat%
%invoke-psgcatagent%
%invoke-psinject%
%invoke-rickascii%
%invoke-scriptanalyzer%
%invoke-servicecmd%
%invoke-servicedisable%
%invoke-serviceenable%
%invoke-servicestart%
%invoke-servicestop%
%invoke-serviceuseradd%
%invoke-sharefinder%
%invoke-shellcode%
%invoke--shellcode%
%invoke-shellcodemsil%
%invoke-tokenmanipulation%
%invoke-webrequest%
%invoke-wmimethod%
%invoke-wmiplant%
%mimikatz%
%net.webclient%
%new-elevatedpersistenceoption%
%new-object%
%-nop%
%out-chm%
%out-excel%
%out-hta%
%out-java%
%out-minidump%
%out-shortcut%
%out-word%
%payload%
%port-scan%
%powercat%
%powershellempire%
%powersploit%
%reflectivepeinjection%
%remove-eventlog%
%remove-persistence%
%remove-poshrat%
%remove-update%
%rename-item%
%restore-serviceexe%
%root%
%run-exeonremote%
%set-clipboard%
%set-content%
%set-executionpolicy%
%set-item%
%set-itemproperty%
%set-location%
%set-masterbootrecord%
%set-mppreference%
%set-service%
%set-timezone%
%stringtobase64%
%system.management%
%system.reflection%
%texttoexe%
%wmi%
%wmiclass%
%write-cmdservicebinary%
%write-eventlog%
%writeline%
%write-serviceexe%
%write-serviceexecmd%
%write-useraddmsi%
%write-useraddservicebinary%
%wsman%
%net group "domain controllers"%
.invoke
add-exfiltration
add-persistence
add-scrnsavebackdoor
add-type
base32
base64
base64tostring
bypass
certutil
check-vm
copy
copy-vss
create-multiplesessions
createobject
disable-windowsoptionalfeature
discover-psinterestingservices
discover-psmsexchangeservers
discover-psmssqlservers
dllinjection
dns_txt
dns_txt_pwnage
dnscmd
do-exfiltration
download_execute
download-execute-ps
downloadfile
downloadstring
enable-duplicatetoken
enable-psremoting
-enc
encodedcommand
enter-pssession
-ep
execute-command-mssql
execute-dnstxt-code
execute-ontime
expand-archive
find-avsignature
find-psserviceaccounts
get-accepteddomain
get-adgroupmember
get-adreplaccount
get-aduser
get-applicationhost
get-casmailbox
get-clipboardcontents
get-gpppassword
get-information
get-kerberospolicy
get-keystrokes
get-lsasecret
get-mailbox
get-managementroleassignment
get-module
get-organizationconfig
get-owavirtualdirectory
get-passhashes
getprocaddress
get-procaddress
get-process
get-psadforestinfo
get-psadforestkrbtgtinfo
get-regalwaysinstallelevated
get-regautologon
get-serviceexeperms
get-serviceperms
get-serviceunquoted
get-timedscreenshot
get-unattendedinstallfiles
get-vaultcredential
get-webconfig
get-webservicesvirtualdirectory
get-wmiobject
git
gupt-backdoor
http-backdoor
icm
iex
install-module
invoke-adsbackdoor
invoke-allchecks
invoke-bruteforce
invoke-callbackiex
invoke-command
invoke-cradlecrafter
invoke-createcertificate
invoke-credentialinjection
invoke-credentialsphish
invoke-decode
invoke-dllencode
invoke-encode
invoke-expression
invoke-filefinder
invoke-finddllhijack
invoke-findpathhijack
invoke-masscommand
invoke-massmimikatz
invoke-masssearch
invoke-masstemplate
invoke-masstokens
invoke-mimikatzwdigestdowngrade
invoke-module
invoke-networkrelay
invoke-ninjacopy
invoke-obfuscation
invoke-poshrathttp
invoke-poshrathttps
invoke-powershellicmp
invoke-powershelltcp
invoke-powershelludp
invoke-powershellwmi
invoke-psgcat
invoke-psgcatagent
invoke-psinject
invoke-rickascii
invoke-scriptanalyzer
invoke-servicecmd
invoke-servicedisable
invoke-serviceenable
invoke-servicestart
invoke-servicestop
invoke-serviceuseradd
invoke-sharefinder
invoke-shellcode
invoke--shellcode
invoke-shellcodemsil
invoke-tokenmanipulation
invoke-webrequest
invoke-wmimethod
invoke-wmiplant
ldifde
makecab
mimikatz
net
net group
net.webclient
netsh
new-elevatedpersistenceoption
new-mailboxexportrequest
new-object
nltest
-nop
ntdsutil
out-chm
out-excel
out-hta
out-java
out-minidump
out-shortcut
out-word
parse_keys
payload
port-scan
powercat
powershell
powershellempire
powersploit
rclone
reflectivepeinjection
remove-eventlog
remove-mailboxexportrequest
remove-persistence
remove-poshrat
remove-update
rename-item
req
restore-serviceexe
robocopy
root
run-exeonremote
set-casmailbox
set-clipboard
set-content
set-executionpolicy
set-item
set-itemproperty
set-location
set-masterbootrecord
set-mppreference
set-service
set-timezone
stringtobase64
system.management
system.reflection
systeminfo
tasklist
texttoexe
wevtutil
wmi
wmic
wmiclass
write-cmdservicebinary
write-eventlog
writeline
write-serviceexe
write-serviceexecmd
write-useraddmsi
write-useraddservicebinary
wsman
xcopy