Example one-liners, powershell edition
Gist CrazyLlama/e9c5a931c9b37fc2cf40d184e23a7c94, created November 16, 2017 10:12
## Sources:
# https://www.dionach.com/blog/powershell-in-forensic-investigations
# https://www.sans.org/reading-room/whitepapers/critical/uncovering-indicators-compromise-ioc-powershell-event-logs-traditional-monitoring-tool-36352
# https://blogs.technet.microsoft.com/heyscriptingguy/2012/05/28/use-powershell-to-aid-in-security-forensics/

# Lists all established TCP connections. netstat can also list every connection regardless of state; choose TCP or UDP for -p and drop the parentheses.
Get-NetTCPConnection -State Established
netstat -ano -p (TCP/UDP)

# Lists all processes running on the server
Get-Process

# Gets more details on a specific process (replace "{process-name}" with the name of the process)
Get-Process {process-name} | Format-List *

# Lists everything in the "Security", "System", and "Application" event logs
Get-WinEvent -LogName "Security","System","Application"

# Lists the domain's groups with their members (requires the ActiveDirectory module)
ForEach ($Group in (Get-ADGroup -Filter *)) { Get-ADGroupMember $Group | Select-Object @{Label="Group";Expression={$Group.Name}},Name,SamAccountName }

# Lists services set to start automatically at boot - potentially useful for identifying malware/rootkits that persist as a service
Get-CimInstance win32_service -Filter "startmode = 'auto'"

# Gets any files on the C drive changed within the last week; edit the -7 to whatever timeframe is needed
Get-ChildItem -Recurse C:\ | ? {$_.lastwritetime -gt (Get-Date).AddDays(-7)}
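As an added example (not part of the gist), the one-liners above combined into a single triage run that writes each result set to CSV in a timestamped folder, and joins established TCP connections to their owning process. It assumes an elevated PowerShell 5.1+ session on Windows; the AD group listing only runs if the ActiveDirectory module is installed.

```powershell
# Added triage script built from the gist's one-liners; assumes an elevated session on Windows.
$OutDir = Join-Path $env:TEMP ("triage-{0}-{1}" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Established TCP connections enriched with the owning process name and image path
# (Get-NetTCPConnection only exposes the PID, so join it against Get-Process).
$procs = Get-Process -ErrorAction SilentlyContinue
Get-NetTCPConnection -State Established |
    ForEach-Object {
        $conn = $_
        $p = $procs | Where-Object { $_.Id -eq $conn.OwningProcess }
        [pscustomobject]@{
            LocalAddress  = $conn.LocalAddress
            LocalPort     = $conn.LocalPort
            RemoteAddress = $conn.RemoteAddress
            RemotePort    = $conn.RemotePort
            PID           = $conn.OwningProcess
            Process       = $p.ProcessName
            Path          = $p.Path
        }
    } | Export-Csv (Join-Path $OutDir 'tcp-established.csv') -NoTypeInformation

# Auto-start services with the binary each one launches; odd PathName values deserve a closer look
Get-CimInstance Win32_Service -Filter "StartMode = 'Auto'" |
    Select-Object Name, DisplayName, State, PathName |
    Export-Csv (Join-Path $OutDir 'autostart-services.csv') -NoTypeInformation

# Files on C: modified in the last 7 days; -ErrorAction stops access-denied errors from aborting the walk
$Since = (Get-Date).AddDays(-7)
Get-ChildItem -Path 'C:\' -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -gt $Since |
    Select-Object FullName, Length, LastWriteTime |
    Export-Csv (Join-Path $OutDir 'recent-files.csv') -NoTypeInformation

# Last 24 hours of Security/System/Application events (newest first)
Get-WinEvent -FilterHashtable @{ LogName = 'Security','System','Application'; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, ProviderName, LevelDisplayName, Message |
    Export-Csv (Join-Path $OutDir 'events-24h.csv') -NoTypeInformation

# Domain group membership, only when the RSAT ActiveDirectory module is available
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADGroup -Filter * | ForEach-Object {
        $g = $_
        Get-ADGroupMember $g | Select-Object @{Label='Group';Expression={$g.Name}}, Name, SamAccountName
    } | Export-Csv (Join-Path $OutDir 'ad-group-members.csv') -NoTypeInformation
}
```

Copy the output folder off the host before further analysis so the CSVs can be compared against a known-good machine.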