Juvenal is a PowerShell (Version 7/5/2) script that enumerates Windows PowerShell logging group policies by reading the registry. It also checks for PowerShell Version 2.
Have you ever felt like you are being watched?
If so, Juvenal is for you.
Juvenal makes it easy for blue (and red) teams to identify Windows PowerShell group-policy misconfigurations. The script looks at HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER keys to determine if PowerShell is being logged.
PowerShell logging is separated into three "main" types:
- Script Block Logging
  - Logs the raw script supplied through the command line, a function, script, workflow, etc.
- Module Logging
  - Allows auditing of specific PowerShell modules when used.
- Transcription
  - Logs commands run (and their output).
Juvenal checks for all of these in HKLM and HKCU and provides color-coded output (red for danger). Then it displays the execution policy, language mode, and current user privileges.
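A minimal version of the registry check described above, as an added example that is not Juvenal's own code. It assumes the standard Group Policy key and value names under `SOFTWARE\Policies\Microsoft\Windows\PowerShell` and PowerShell 3.0 or later; `Get-LoggingPolicyState` is a hypothetical function name.

```powershell
# Added example (not from Juvenal.ps1): report the state of the three
# PowerShell logging policies in HKLM and HKCU.
# Assumption: standard Group Policy registry locations and value names.
$policyRoot = 'SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$checks = @(
    @{ Name = 'Script Block Logging'; SubKey = 'ScriptBlockLogging'; Value = 'EnableScriptBlockLogging' },
    @{ Name = 'Module Logging';       SubKey = 'ModuleLogging';      Value = 'EnableModuleLogging' },
    @{ Name = 'Transcription';        SubKey = 'Transcription';      Value = 'EnableTranscripting' }
)

# Hypothetical helper: returns one object per hive/policy pair.
function Get-LoggingPolicyState {
    param([string[]]$Hives = @('HKLM', 'HKCU'))

    foreach ($hive in $Hives) {
        foreach ($check in $checks) {
            $path  = '{0}:\{1}\{2}' -f $hive, $policyRoot, $check.SubKey
            $state = 'NotConfigured'   # key or value absent: no policy set

            if (Test-Path -Path $path) {
                $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
                # A key can exist without the enabling value, so test for the property first.
                if ($item -and ($item.PSObject.Properties.Name -contains $check.Value)) {
                    $state = if ($item.($check.Value) -eq 1) { 'Enabled' } else { 'Disabled' }
                }
            }

            [pscustomobject]@{
                Hive   = $hive
                Policy = $check.Name
                State  = $state
                Path   = $path
            }
        }
    }
}

$results = Get-LoggingPolicyState
$results | Format-Table Hive, Policy, State -AutoSize

# List logging types that no hive enables, i.e. gaps in audit coverage.
$results | Group-Object Policy |
    Where-Object { ($_.Group | ForEach-Object { $_.State }) -notcontains 'Enabled' } |
    ForEach-Object { Write-Warning ('{0} is not enabled in any checked hive' -f $_.Name) }
```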
PowerShell V3.0+ One-liner:
```powershell
Invoke-Expression (Invoke-WebRequest 'https://tinyurl.com/Juv3nal')
```
To install and use locally using PowerShell V3.0+:
- Navigate to the desired install path:
  ```powershell
  Set-Location <install\path>
  ```
- Place Juvenal.ps1 into path:
  ```powershell
  (Invoke-WebRequest -URI "https://raw.githubusercontent.com/Operational-Sciences-Group/Project-Juvenal/main/Juvenal.ps1").Content > Juvenal.ps1
  ```
- Run Juvenal.ps1:
  ```powershell
  .\Juvenal.ps1
  ```
All the contents of this repository should be used for authorized and/or educational purposes only. Any misuse of this repository will not be the responsibility of the author or of any other collaborator.