First, enable PowerShell command-line and script logging, otherwise the keyword lists below have no events to match against:
https://logrhythm.com/blog/powershell-command-line-logging/
Note: the short generic entries in the lists (for example copy, net, root, req, git, powershell, payload) also match routine administration; tune or allow-list them before alerting on a match.
%.invoke%
%add-exfiltration%
%add-persistence%
%add-scrnsavebackdoor%
%add-type%
%base32%
%base64%
%base64tostring%
%bypass%
%check-vm%
%copy-vss%
%create-multiplesessions%
%disable-windowsoptionalfeature%
%discover-psinterestingservices%
%discover-psmsexchangeservers%
%discover-psmssqlservers%
%dllinjection%
%do-exfiltration%
%download-execute-ps%
%downloadfile%
%downloadstring%
%enable-duplicatetoken%
%enable-psremoting%
%-enc%
%encodedcommand%
%enter-pssession%
%execute-command-mssql%
%execute-dnstxt-code%
%execute-ontime%
%expand-archive%
%find-avsignature%
%find-psserviceaccounts%
%get-applicationhost%
%get-clipboardcontents%
%get-gpppassword%
%get-information%
%get-kerberospolicy%
%get-keystrokes%
%get-lsasecret%
%get-module%
%get-passhashes%
%getprocaddress%
%get-procaddress%
%get-psadforestinfo%
%get-psadforestkrbtgtinfo%
%get-regalwaysinstallelevated%
%get-regautologon%
%get-serviceexeperms%
%get-serviceperms%
%get-serviceunquoted%
%get-timedscreenshot%
%get-unattendedinstallfiles%
%get-vaultcredential%
%get-webconfig%
%get-wmiobject%
%gupt-backdoor%
%http-backdoor%
%icm%
%iex%
%install-module%
%invoke-adsbackdoor%
%invoke-allchecks%
%invoke-bruteforce%
%invoke-callbackiex%
%invoke-command%
%invoke-cradlecrafter%
%invoke-createcertificate%
%invoke-credentialinjection%
%invoke-credentialsphish%
%invoke-decode%
%invoke-dllencode%
%invoke-encode%
%invoke-expression%
%invoke-filefinder%
%invoke-finddllhijack%
%invoke-findpathhijack%
%invoke-masscommand%
%invoke-massmimikatz%
%invoke-masssearch%
%invoke-masstemplate%
%invoke-masstokens%
%invoke-mimikatzwdigestdowngrade%
%invoke-module%
%invoke-networkrelay%
%invoke-ninjacopy%
%invoke-obfuscation%
%invoke-poshrathttp%
%invoke-poshrathttps%
%invoke-powershellicmp%
%invoke-powershelltcp%
%invoke-powershelludp%
%invoke-powershellwmi%
%invoke-psgcat%
%invoke-psgcatagent%
%invoke-psinject%
%invoke-rickascii%
%invoke-scriptanalyzer%
%invoke-servicecmd%
%invoke-servicedisable%
%invoke-serviceenable%
%invoke-servicestart%
%invoke-servicestop%
%invoke-serviceuseradd%
%invoke-sharefinder%
%invoke-shellcode%
%invoke--shellcode%
%invoke-shellcodemsil%
%invoke-tokenmanipulation%
%invoke-webrequest%
%invoke-wmimethod%
%invoke-wmiplant%
%mimikatz%
%net.webclient%
%new-elevatedpersistenceoption%
%new-object%
%-nop%
%out-chm%
%out-excel%
%out-hta%
%out-java%
%out-minidump%
%out-shortcut%
%out-word%
%payload%
%port-scan%
%powercat%
%powershellempire%
%powersploit%
%reflectivepeinjection%
%remove-eventlog%
%remove-persistence%
%remove-poshrat%
%remove-update%
%rename-item%
%restore-serviceexe%
%root%
%run-exeonremote%
%set-clipboard%
%set-content%
%set-executionpolicy%
%set-item%
%set-itemproperty%
%set-location%
%set-masterbootrecord%
%set-mppreference%
%set-service%
%set-timezone%
%stringtobase64%
%system.management%
%system.reflection%
%texttoexe%
%wmi%
%wmiclass%
%write-cmdservicebinary%
%write-eventlog%
%writeline%
%write-serviceexe%
%write-serviceexecmd%
%write-useraddmsi%
%write-useraddservicebinary%
%wsman%
%net group "domain controllers"%
.invoke
add-exfiltration
add-persistence
add-scrnsavebackdoor
add-type
base32
base64
base64tostring
bypass
certutil
check-vm
copy
copy-vss
create-multiplesessions
createobject
disable-windowsoptionalfeature
discover-psinterestingservices
discover-psmsexchangeservers
discover-psmssqlservers
dllinjection
dns_txt
dns_txt_pwnage
dnscmd
do-exfiltration
download_execute
download-execute-ps
downloadfile
downloadstring
enable-duplicatetoken
enable-psremoting
-enc
encodedcommand
enter-pssession
-ep
execute-command-mssql
execute-dnstxt-code
execute-ontime
expand-archive
find-avsignature
find-psserviceaccounts
get-accepteddomain
get-adgroupmember
get-adreplaccount
get-aduser
get-applicationhost
get-casmailbox
get-clipboardcontents
get-gpppassword
get-information
get-kerberospolicy
get-keystrokes
get-lsasecret
get-mailbox
get-managementroleassignment
get-module
get-organizationconfig
get-owavirtualdirectory
get-passhashes
getprocaddress
get-procaddress
get-process
get-psadforestinfo
get-psadforestkrbtgtinfo
get-regalwaysinstallelevated
get-regautologon
get-serviceexeperms
get-serviceperms
get-serviceunquoted
get-timedscreenshot
get-unattendedinstallfiles
get-vaultcredential
get-webconfig
get-webservicesvirtualdirectory
get-wmiobject
git
gupt-backdoor
http-backdoor
icm
iex
install-module
invoke-adsbackdoor
invoke-allchecks
invoke-bruteforce
invoke-callbackiex
invoke-command
invoke-cradlecrafter
invoke-createcertificate
invoke-credentialinjection
invoke-credentialsphish
invoke-decode
invoke-dllencode
invoke-encode
invoke-expression
invoke-filefinder
invoke-finddllhijack
invoke-findpathhijack
invoke-masscommand
invoke-massmimikatz
invoke-masssearch
invoke-masstemplate
invoke-masstokens
invoke-mimikatzwdigestdowngrade
invoke-module
invoke-networkrelay
invoke-ninjacopy
invoke-obfuscation
invoke-poshrathttp
invoke-poshrathttps
invoke-powershellicmp
invoke-powershelltcp
invoke-powershelludp
invoke-powershellwmi
invoke-psgcat
invoke-psgcatagent
invoke-psinject
invoke-rickascii
invoke-scriptanalyzer
invoke-servicecmd
invoke-servicedisable
invoke-serviceenable
invoke-servicestart
invoke-servicestop
invoke-serviceuseradd
invoke-sharefinder
invoke-shellcode
invoke--shellcode
invoke-shellcodemsil
invoke-tokenmanipulation
invoke-webrequest
invoke-wmimethod
invoke-wmiplant
ldifde
makecab
mimikatz
net
net group
net.webclient
netsh
new-elevatedpersistenceoption
new-mailboxexportrequest
new-object
nltest
-nop
ntdsutil
out-chm
out-excel
out-hta
out-java
out-minidump
out-shortcut
out-word
parse_keys
payload
port-scan
powercat
powershell
powershellempire
powersploit
rclone
reflectivepeinjection
remove-eventlog
remove-mailboxexportrequest
remove-persistence
remove-poshrat
remove-update
rename-item
req
restore-serviceexe
robocopy
root
run-exeonremote
set-casmailbox
set-clipboard
set-content
set-executionpolicy
set-item
set-itemproperty
set-location
set-masterbootrecord
set-mppreference
set-service
set-timezone
stringtobase64
system.management
system.reflection
systeminfo
tasklist
texttoexe
wevtutil
wmi
wmic
wmiclass
write-cmdservicebinary
write-eventlog
writeline
write-serviceexe
write-serviceexecmd
write-useraddmsi
write-useraddservicebinary
wsman
xcopy
#/etc/audit/rules.d/audit.rules
# Audit rule set: a baseline block (time, privilege changes, network and
# SELinux configuration, sessions, mounts, sudoers, kernel modules, package
# managers) followed by per-STIG-finding rules introduced by "#Vul ID" comments.
# Syntax reminder: "-a always,exit" appends a rule to the syscall exit filter;
# "-w PATH -p wa" watches a path for writes and attribute changes;
# "-F auid>=1000 -F auid!=unset" limits a rule to logged-in, non-system users;
# "-F key=" and "-k" are two spellings of the same option (both are used below).
# NOTE(review): several rules duplicate each other under different keys
# (time-change vs audit_time_rules, setuid/setgid vs execpriv, actions vs
# identity for sudoers, perm_mod vs perm_chng for chacl). Rules that differ
# only in key load as separate rules, so one syscall produces one event per
# matching rule; consolidate the keys unless downstream searches need both.

# --- time and clock changes ---
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
# NOTE(review): the key on the next line is "audit_time_rule" (no trailing s)
# while the otherwise identical rule three lines down uses "audit_time_rules";
# probably a typo. As written it is a redundant copy that tags the same events
# with a second, misspelled key.
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rule
-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules
-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
# a0=0x0 restricts these two rules to clock id 0 (CLOCK_REALTIME); the
# unfiltered clock_settime rules below catch every clock id.
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
-w /etc/localtime -p wa -k time-change

# --- execve where the real and effective uid/gid differ and the effective
# id is root, i.e. execution of setuid-root / setgid-root programs ---
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
# NOTE(review): the same four rules appear again under key "execpriv" in the
# V-258176 block below.

# --- hostname / domain name / network configuration changes, tagged under
# both "audit_rules_networkconfig_modification" and "system-locale" ---
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/hostname -p wa -k system-locale
# "-F dir=... -F perm=wa" is the syscall-filter form of a "-w DIR -p wa" watch.
-a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale

# --- SELinux policy changes ---
# NOTE(review): these two lines are the same watch written in both syntaxes
# with the same key; auditctl most likely translates them to the same kernel
# rule, so the second one is probably rejected as "Rule exists" at load time.
# Check the auditd load output and drop one of them.
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F key=MAC-policy
-w /etc/selinux/ -p wa -k MAC-policy

# --- login session records ---
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

# --- mount(2) by ordinary users ---
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=export
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=export

# --- sudo configuration (watched again under key "identity" in V-258217/218) ---
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions

# --- kernel module loading / unloading ---
-a always,exit -F arch=b32 -S create_module -k module-change
-a always,exit -F arch=b64 -S create_module -k module-change
-a always,exit -F arch=b32 -S finit_module -k module-change
-a always,exit -F arch=b64 -S finit_module -k module-change
# Network configuration again (sits among the module rules; belongs with the
# network block above).
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
# NOTE(review): on distributions where insmod/rmmod/modprobe are symlinks to
# kmod, confirm these path watches actually fire on execution; the kmod rule
# under V-258195 below covers the real binary.
-w /usr/sbin/insmod -p x -k modules
-w /usr/sbin/rmmod -p x -k modules
-w /usr/sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -k module-change
-a always,exit -F arch=b64 -S init_module -k module-change

# --- execution of package / module installers ---
-a always,exit -F perm=x -F path=/usr/bin/dnf-3 -F key=software-installer
-a always,exit -F perm=x -F path=/usr/bin/yum -F key=software-installer
-a always,exit -F perm=x -F path=/usr/bin/pip -F key=software-installer
-a always,exit -F perm=x -F path=/usr/bin/npm -F key=software-installer
-a always,exit -F perm=x -F path=/usr/bin/cpan -F key=software-installer
-a always,exit -F perm=x -F path=/usr/bin/gem -F key=software-installer
-a always,exit -F perm=x -F path=/usr/bin/luarocks -F key=software-installer

# ===== STIG findings, one "#Vul ID" per finding =====
# Privileged execution: same execve rules as the setuid/setgid block above.
#Vul ID: V-258176
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv
# Discretionary access control changes by non-system users: mode, owner and
# extended attributes.
#Vul ID: V-258177
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
#Vul ID: V-258178
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
#Vul ID: V-258179
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
# The two rules below add xattr changes made by root (auid=0), which the
# auid>=1000 rules above exclude.
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
# Execution of privileged / security-relevant commands by non-system users.
#Vul ID: V-258180
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
#Vul ID: V-258181
# chacl is tagged under two keys (perm_mod and perm_chng); every execution
# yields two events.
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
#Vul ID: V-258182
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
#Vul ID: V-258183
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
#Vul ID: V-258184
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
#Vul ID: V-258185
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
#Vul ID: V-258186
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
# File deletions and renames by non-system users.
#Vul ID: V-258187
-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete
-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete
# Unsuccessful file access: only calls that returned -EPERM or -EACCES are
# recorded (the "-F exit=" filter), so successful opens do not flood the log.
#Vul ID: V-258188
-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
# Kernel module changes by non-system users (the unfiltered module rules above
# already capture these; this adds the "module_chng" key).
#Vul ID: V-258189
-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng
-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng
#Vul ID: V-258190
-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng
-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng
# Account / credential management and other privileged binaries.
#Vul ID: V-258191
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage
#Vul ID: V-258192
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
#Vul ID: V-258193
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab
#Vul ID: V-258194
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd
#Vul ID: V-258195
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules
#Vul ID: V-258196
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
#Vul ID: V-258197
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check
#Vul ID: V-258198
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
#Vul ID: V-258199
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
#Vul ID: V-258200
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
#Vul ID: V-258201
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh
#Vul ID: V-258202
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh
#Vul ID: V-258203
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
#Vul ID: V-258204
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
#Vul ID: V-258205
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
#Vul ID: V-258206
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
# NOTE(review): no rule follows V-258207 — the finding is listed but not
# implemented. In this STIG series the id sits between the unix_chkpwd and
# userhelper findings and presumably covers a sibling PAM helper (likely the
# unix_update helper); confirm against the STIG text and add the rule.
#Vul ID: V-258207
#Vul ID: V-258208
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
#Vul ID: V-258209
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod
#Vul ID: V-258210
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
# Power-state commands.
#Vul ID: V-258211
-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init
#Vul ID: V-258212
-a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff
#Vul ID: V-258213
-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot
#Vul ID: V-258214
-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown
# umount(2) only exists in the 32-bit syscall table; x86_64 has umount2 only,
# which V-258216 covers, so there is no b64 counterpart here. The syscall is
# tagged under two keys (perm_mod and privileged-umount).
#Vul ID: V-258215
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount
#Vul ID: V-258216
-a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -k perm_mod
# Identity databases; /etc/sudoers and /etc/sudoers.d are also watched above
# under key "actions".
#Vul ID: V-258217
-w /etc/sudoers -p wa -k identity
#Vul ID: V-258218
-w /etc/sudoers.d/ -p wa -k identity
#Vul ID: V-258219
-w /etc/group -p wa -k identity
#Vul ID: V-258220
-w /etc/gshadow -p wa -k identity
#Vul ID: V-258221
-w /etc/security/opasswd -p wa -k identity
#Vul ID: V-258222
-w /etc/passwd -p wa -k identity
#Vul ID: V-258223
-w /etc/shadow -p wa -k identity
# Login / lockout records. A watch on a path that does not yet exist records
# nothing until the file is created; NOTE(review): /var/log/tallylog belongs to
# the legacy pam_tally2 module and may be absent on hosts using pam_faillock.
#Vul ID: V-258224
-w /var/log/faillock -p wa -k logins
#Vul ID: V-258225
-w /var/log/lastlog -p wa -k logins
#Vul ID: V-258226
-w /var/log/tallylog -p wa -k logins
# NOTE(review): the three settings below are commented out, so the findings
# V-258228 (loginuid immutable), V-258229 (immutable rule set) and V-258227
# (failure mode) are NOT satisfied by this file as it stands.
#   --loginuid-immutable  stops processes changing their login uid once set.
#   -e 2                  locks the rule set until reboot; it must be the last
#                         rule loaded (in rules.d, the last file in sort order),
#                         and any rule error after it cannot be fixed without a
#                         reboot, so enable it only once the rules load cleanly.
#   --backlog_wait_time   how long the kernel waits when the backlog is full.
#   -f 2                  panics the kernel when auditing fails; an operational
#                         decision to be made deliberately.
#Vul ID: V-258228
#--loginuid-immutable
#Vul ID: V-258229
#-e 2
#--backlog_wait_time 60000
#Vul ID: V-258227
#-f 2