@rollwagen
Last active July 14, 2022 04:07
Useful windows command line commands for incident investigations. #windows #powershell #wmic

Unusual Processes, Services, Reg keys, Scheduled tasks, Accounts

Unusual Processes

cmd.exe

taskmgr.exe
tasklist
wmic process list full

Note: wmic.exe is deprecated and is no longer installed by default on current Windows builds; use PowerShell's Get-CimInstance (below) instead.

Powershell

Get-CimInstance Win32_Process
Get-CimInstance Win32_Process -Filter "name = 'nc.exe'"

$p = Get-CimInstance Win32_Process -Filter "ProcessId = 4008"
Invoke-CimMethod -InputObject $p -MethodName GetOwner
$p.ParentProcessId

List processes and their signatures (signed at all, and is the signature valid?)

Get-Process |
ForEach-Object {
    # Get-AuthenticodeSignature throws when Path is empty (System, Idle, and other users'
    # processes when not elevated); catch that instead of losing the row
    $cert = try { Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction Stop } catch { $null }
    $_ | Select-Object Name, ID, Path |
        Add-Member "NoteProperty" CertStatus $( if ($cert) { $cert.Status } else { "NoPath/AccessDenied" } ) -PassThru
} | Sort-Object -Property CertStatus | Format-Table

Status values of interest: Valid, NotSigned, HashMismatch (the binary was modified after signing), NotTrusted, UnknownError.
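As an added example (not part of the original gist): a process listing that resolves each process's parent name, owner and command line with Get-CimInstance and flags the parent/child pairs an investigator looks at first. The two lists of "document-handling parents" and "shell/LOLBin children" are assumptions chosen for illustration, not a standard.

```powershell
# Added example, not from the original gist. Run elevated to get owners and
# command lines of processes belonging to other users.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Assumed lists for illustration: parents that should rarely spawn shells, and the shells
$documentParents = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'mshta.exe', 'wscript.exe', 'cscript.exe'
$shellChildren   = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe'

$rows = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    # GetOwner fails for System/Idle and for protected processes; record 'n/a' instead of dying
    $owner = try {
        $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
        if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { 'n/a' }
    } catch { 'n/a' }

    [pscustomobject]@{
        PID         = $p.ProcessId
        Name        = $p.Name
        PPID        = $p.ParentProcessId
        # PIDs are recycled: a parent that has exited shows as <exited>, and a live
        # process with that PID may not be the real parent
        Parent      = if ($parent) { $parent.Name } else { '<exited>' }
        Owner       = $owner
        Created     = $p.CreationDate
        Suspicious  = [bool]($parent -and ($documentParents -contains $parent.Name) -and ($shellChildren -contains $p.Name))
        CommandLine = $p.CommandLine
    }
}

$rows | Sort-Object Suspicious, Created -Descending |
    Format-Table PID, Name, PPID, Parent, Owner, Created, Suspicious -AutoSize

# Full command lines only for the flagged rows
$rows | Where-Object Suspicious | Format-List PID, Name, Parent, Owner, Created, CommandLine
```

Compare CreationDate of a child against its parent: a shell created seconds after an Office process, or a "svchost.exe" whose parent is not services.exe, is worth a closer look even if it is not flagged by the lists above.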

Unusual Services

cmd.exe

services.msc
net start
sc query

List the services hosted by each process (which svchost.exe instance runs which service group):

tasklist /svc

Powershell

Get-Service

List all services starting with "win"

Get-Service | Where-Object { $_.Name -like "win*" }

List all services starting with "win" together with each service's executable (PathName)

Get-CimInstance Win32_Service | Where-Object { $_.Name -like "win*" } | Format-Table Name, DisplayName, State, PathName

Note: Get-WmiObject win32_service returns the same properties, but starting in PowerShell 3.0 it is superseded by Get-CimInstance, and it is not available at all in PowerShell 7.
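Added example (my code, not the gist's): rather than filtering on a name prefix, list the services whose binary lives outside %SystemRoot%, whose unquoted path contains spaces (the classic service-path privilege-escalation condition), or whose binary is not validly signed. The path-extraction regex and the "outside SystemRoot" heuristic are assumptions; legitimate third-party services will appear too, so treat the output as a review list.

```powershell
# Added example, not from the original gist.
$winDir = $env:SystemRoot

$review = Get-CimInstance Win32_Service | ForEach-Object {
    $path = [string]$_.PathName
    # Extract the executable: a quoted token first, otherwise everything up to the first ".exe"
    $exe = if ($path -match '^"([^"]+)"') { $Matches[1] }
           elseif ($path -match '^(.+?\.exe)') { $Matches[1] }
           else { $path }
    $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
               (Get-AuthenticodeSignature -LiteralPath $exe).Status
           } else { 'NotFound' }
    [pscustomobject]@{
        Name       = $_.Name
        State      = $_.State
        StartMode  = $_.StartMode
        RunsAs     = $_.StartName
        Exe        = $exe
        Args       = $path.Substring($path.IndexOf($exe) + $exe.Length).Trim('"', ' ')
        OutsideWin = -not ($exe -like "$winDir\*")
        # Unquoted path with a space: C:\Program Files\Foo\svc.exe can be hijacked by C:\Program.exe
        Unquoted   = ($path -notmatch '^"' -and $exe -match ' ')
        Signature  = $sig
    }
}

$review | Where-Object { $_.OutsideWin -or $_.Unquoted -or $_.Signature -ne 'Valid' } |
    Sort-Object OutsideWin, Exe -Descending |
    Format-Table Name, State, StartMode, RunsAs, Exe, Args, Unquoted, Signature -AutoSize
```

Drivers are not in Win32_Service; query Win32_SystemDriver the same way if kernel-mode persistence is in scope.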

Unusual Registry key settings

regedit
reg query hklm\software\microsoft\windows\currentversion\run

Unusual Scheduled tasks

schtasks
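Added example (not from the gist): schtasks prints one block of text per task, which is hard to scan; the ScheduledTasks module lets you flatten every task into one row per action with the account it runs as and when it last ran. Excluding \Microsoft\* only trims noise, and attackers do register tasks under that path too, so re-run without the filter for a full review.

```powershell
# Added example, not from the original gist. Same data as: schtasks /query /fo LIST /v
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    foreach ($a in $task.Actions) {
        [pscustomobject]@{
            Task       = "$($task.TaskPath)$($task.TaskName)"
            State      = $task.State
            Author     = $task.Author
            RunAs      = $task.Principal.UserId
            RunLevel   = $task.Principal.RunLevel
            # Exec actions carry Execute/Arguments; COM-handler actions carry a ClassId instead
            Execute    = if ($a.Execute) { $a.Execute } else { "COM:$($a.ClassId)" }
            Arguments  = $a.Arguments
            WorkingDir = $a.WorkingDirectory
            LastRun    = $info.LastRunTime
            LastResult = $info.LastTaskResult
            NextRun    = $info.NextRunTime
        }
    }
} | Sort-Object LastRun -Descending | Format-Table -AutoSize -Wrap
```

Tasks whose Execute points into a user-writable directory (AppData, Temp, ProgramData) or whose Arguments contain encoded PowerShell are the usual first hits.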

Unusual Accounts

cmd.exe

lusrmgr.msc
net localgroup administrators

Powershell

([ADSI]"WinNT://localhost/Administrators,group").Members() | % { ([ADSI]$_).Path }

ADSI = Active Directory Service Interfaces; the WinNT provider used here also works against the local SAM, which is why it lists local group members.
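Added example (mine, not the gist's): the same checks with the LocalAccounts module (Windows PowerShell 5.1 and PowerShell 7 on Windows 10+), which also shows where each admin comes from and gives per-user logon and password timestamps. Using PasswordLastSet as a proxy for account creation is an assumption; the authoritative record is Security event 4720.

```powershell
# Added example, not from the original gist.

# Local admins and where each member comes from (Local, ActiveDirectory, MicrosoftAccount)
Get-LocalGroupMember -Group Administrators | Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# All local users with activity timestamps, newest logon first
Get-LocalUser | Sort-Object LastLogon -Descending |
    Format-Table Name, Enabled, LastLogon, PasswordLastSet, Description -AutoSize

# Built-in accounts that are normally disabled: Administrator (RID 500) and Guest (RID 501)
Get-LocalUser | Where-Object { $_.Enabled -and ($_.SID.Value -match '-50[01]$') } |
    Format-Table Name, SID, Enabled -AutoSize

# Accounts whose password was set in the last 30 days (LocalUser has no creation timestamp;
# a fresh PasswordLastSet on an unfamiliar account is an assumption-based hint, confirm with event 4720)
Get-LocalUser | Where-Object { $_.PasswordLastSet -gt (Get-Date).AddDays(-30) } |
    Format-Table Name, Enabled, PasswordLastSet -AutoSize
```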

Useful other commands

List all TCP and UDP endpoints (listening and connected) with the owning process id; add -b to also print the executable name (needs an elevated prompt)

netstat -nao

or

Get-NetTCPConnection -AppliedSetting internet

Get-NetTCPConnection -State Established
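Added example (not from the gist): join every TCP/UDP endpoint to its owning process name and image path, and flag established connections from binaries outside the Windows and Program Files trees. The "expected roots" list is an assumption for illustration; browsers and agents installed elsewhere will be flagged too.

```powershell
# Added example, not from the original gist. Run elevated so Path is populated
# for processes owned by other users.
$byPid = @{}
Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }

# Assumed: where an outbound connection is expected to originate from; anything else is flagged
$expectedRoots = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")

$tcp = Get-NetTCPConnection | Where-Object { $_.State -in 'Listen', 'Established' } | ForEach-Object {
    $p = $byPid[[int]$_.OwningProcess]
    $path = if ($p) { $p.Path } else { $null }
    [pscustomobject]@{
        Proto   = 'TCP'
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        State   = $_.State
        PID     = $_.OwningProcess
        Process = if ($p) { $p.ProcessName } else { '<exited>' }
        Path    = $path
        Flag    = ($_.State -eq 'Established' -and $path -and -not ($expectedRoots | Where-Object { $path -like $_ }))
    }
}

$udp = Get-NetUDPEndpoint | ForEach-Object {
    $p = $byPid[[int]$_.OwningProcess]
    [pscustomobject]@{
        Proto   = 'UDP'
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = ''
        State   = ''
        PID     = $_.OwningProcess
        Process = if ($p) { $p.ProcessName } else { '<exited>' }
        Path    = if ($p) { $p.Path } else { $null }
        Flag    = $false
    }
}

@($tcp) + @($udp) | Sort-Object Flag, State, Process -Descending |
    Format-Table Proto, Local, Remote, State, PID, Process, Flag -AutoSize

# Image paths only for the flagged connections
$tcp | Where-Object Flag | Format-List Local, Remote, PID, Process, Path
```

A Path of $null on a flagged-looking row usually means the process belongs to another user and the shell is not elevated, not that the binary is hidden.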

Details of a single process (example PID 1516), three ways:

wmic process where ProcessId=1516 list full

tasklist /M /FI "pid eq 1516"

Get-Process -Id 1516 | Format-List -Property *

Get-Counter '\Process(*)\IO Data Operations/sec'

curl - http(s) download of files with PowerShell. In Windows PowerShell 5.1 curl is only an alias for Invoke-WebRequest; PowerShell 7 dropped the alias, so curl there runs the real curl.exe that ships with Windows 10 (1803 and later).

Invoke-WebRequest -Uri https://download.sysinternals.com/files/Autoruns.zip -OutFile autoruns.zip

Autorun REG keys

reg query hklm\software\microsoft\windows\currentversion\run

reg query hklm\software\microsoft\windows\currentversion\runonce

reg query hklm\software\microsoft\windows\currentversion\runonceex

reg query hkcu\software\microsoft\windows\currentversion\run

reg query hkcu\software\microsoft\windows\currentversion\runonce

reg query hkcu\software\microsoft\windows\currentversion\runonceex
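Added example (not from the gist): read the same Run/RunOnce/RunOnceEx keys from PowerShell, plus the WOW6432Node copies and the Run keys of every other user whose hive is currently loaded under HKEY_USERS. HKCU only ever shows the user running the shell, so a persistence entry in another user's hive is invisible to the reg query lines above. The SID regex and key list are my assumptions; Sysinternals Autoruns covers far more locations.

```powershell
# Added example, not from the original gist.
$base = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
$keys = @(
    "HKLM:\$base\Run", "HKLM:\$base\RunOnce", "HKLM:\$base\RunOnceEx",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\$base\Run", "HKCU:\$base\RunOnce", "HKCU:\$base\RunOnceEx"
)
# Other loaded user hives: S-1-5-21-... are real user SIDs; skip the _Classes and service hives
$keys += @(Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        "Registry::HKEY_USERS\$($_.PSChildName)\$base\Run"
        "Registry::HKEY_USERS\$($_.PSChildName)\$base\RunOnce"
    })

$entries = foreach ($k in $keys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }   # RunOnceEx usually does not exist
    $item = Get-Item -LiteralPath $k
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Key     = $k
            Name    = if ($name) { $name } else { '(Default)' }
            Kind    = $item.GetValueKind($name)
            Command = $item.GetValue($name)
        }
    }
    # RunOnceEx keeps its commands in numbered subkeys (0001, 0002, ...) rather than in values
    foreach ($sub in Get-ChildItem -LiteralPath $k) {
        foreach ($name in $sub.GetValueNames()) {
            [pscustomobject]@{
                Key     = $sub.Name
                Name    = if ($name) { $name } else { '(Default)' }
                Kind    = $sub.GetValueKind($name)
                Command = $sub.GetValue($name)
            }
        }
    }
}

$entries | Format-Table Key, Name, Command -AutoSize -Wrap
```

A user hive that is not loaded (the user is logged off) has to be mounted with reg load from the user's NTUSER.DAT before its Run key can be read this way.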

Events

wevtutil.exe qe security /f:text

(This dumps the whole Security log oldest-first; add /c:50 /rd:true to show only the 50 newest events.)

Failed login attempts

Check whether logon auditing is enabled, and enable failure auditing (category level):

auditpol /get /category:"Logon/Logoff"

auditpol /set /category:"Logon/Logoff" /Success:disable /Failure:enable

Caveat: /Success:disable stops the 4624 (successful logon) events you also want during an investigation; prefer /Success:enable /Failure:enable. The same at subcategory granularity:

auditpol /get /subcategory:"Logon"

auditpol /set /subcategory:"Logon" /Failure:enable

Query the failed-logon events:

Get-EventLog security -InstanceId 4625

(Event ID 4625: An account failed to log on. Get-EventLog exists only in Windows PowerShell 5.1 and earlier, not in PowerShell 7, so prefer Get-WinEvent.)

or

Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4625}

Account-management and log-tampering events worth pulling together:

Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4720,4722,4724,4738,4732,1102}

(4720 user account created, 4722 user account enabled, 4724 password reset attempt, 4738 user account changed, 4732 member added to a security-enabled local group, 1102 audit log cleared.)
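Added example (mine, not the gist's), covering both the failed-logon query and the account-management query above: Get-WinEvent returns the interesting fields (target account, source IP, logon type, failure sub-status) only inside the event XML, so this flattens each event's EventData into a plain object and then summarises 4625 events by source and by failure reason. The field names are those used by the Windows Security log; the 7-day window is an assumption.

```powershell
# Added example, not from the original gist. Reading the Security log requires an elevated prompt.
function ConvertFrom-SecurityEvent {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $row = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
        foreach ($d in $x.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
        # 1102 (audit log cleared) stores its fields under UserData instead of EventData
        foreach ($n in $x.Event.UserData.LogFileCleared.ChildNodes) { $row[$n.Name] = $n.InnerText }
        [pscustomobject]$row
    }
}

$since  = (Get-Date).AddDays(-7)   # assumed window
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ConvertFrom-SecurityEvent

# Who is being targeted from where (password spraying shows as one IpAddress, many TargetUserNames)
$failed | Group-Object IpAddress, TargetUserName | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

# Why they fail. LogonType 3 = network, 10 = RDP;
# SubStatus 0xC000006A = wrong password, 0xC0000064 = user name does not exist
$failed | Group-Object LogonType, SubStatus | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Account management and log clearing, flattened the same way
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4720, 4722, 4724, 4738, 4732, 1102; StartTime = $since } -ErrorAction SilentlyContinue |
    ConvertFrom-SecurityEvent |
    Format-Table TimeCreated, Id, SubjectUserName, TargetUserName, MemberName -AutoSize
```

For 4732 the TargetUserName column holds the group name and MemberName the added account; for 4720/4722/4724/4738 it holds the affected user and SubjectUserName the account that made the change.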

PowerShell V5 Helpful Stuff

Find a file by name anywhere on the drive (-Name would only print relative names; -Filter does the matching, and -ErrorAction suppresses the access-denied noise)
Get-ChildItem C:\ -Recurse -Filter <name> -ErrorAction SilentlyContinue | Select-Object FullName

Find files >1MB
Get-ChildItem 'C:\' -Recurse -File -ErrorAction SilentlyContinue | Where-Object { $_.Length -gt 1MB } | Sort-Object Length -Descending | Select-Object FullName, Length

Zip extraction
Expand-Archive c:\a.zip -DestinationPath c:\a
