Powershell Cheat Sheet
Setting Environment Variable Examples
Can also use Get-Credential
● $Password = Read-Host -Prompt "Set admin password" -AsSecureString
● $UserAccount = Get-LocalUser -Name "administrator"
Calling Environment Variables Examples
$UserAccount | Set-LocalUser -Password $Password
Useful things to pipe with
● | findstr “what you want to find”
● | Format-Table
● | Format-List
User Accounts
Identify curious-looking/High Privilege accounts in the administrators group
● Related command: Get-LocalUser
● Related command: Get-LocalUser -Name user | Set-LocalUser -Password
● Related command: Get-LocalUser -Name "administrator" | Enable-LocalUser
● Related command: Get-LocalUser -Name "administrator" | Set-LocalUser -Name
"administrator" -Password $Password
● New-LocalUser -Name "user" -Description "" -Password <password>
Local groups
● Related command: Get-LocalGroupMember Administrators
● Related command: Get-LocalGroupMember
● Related command: Get-LocalUser -Name user | Add-LocalGroupMember -Group
"Administrators"
● Related command: Get-ACL
Domain related user commands
● Related command: Get-ADUser
● Related command: Get-ADGroupMember
Domain related group commands
● Related command: New-ADGroup -Name <Group Name> -GroupScope <domain>
● Related command: Add-ADGroupMember -Identity <New group> -Members
user1,user2,user3
● Related command: Remove-ADGroupMember -Identity <Group name>
Domain GPO
Related command: Gpupdate /force
Related command: gpresult (will display options)
Processes (focus on those running with high privileges)
Identify abnormal processes/vulnerable
● Related command: Get-Process
Services
Identify abnormal/vulnerable services
● Related command: Get-Service | Format-Table
● Related command: Stop-Service <service name>
● Related command: Start-Service <service name>
Scheduled tasks
Identify curious-looking scheduled tasks [search for task scheduler in start menu search]
● Related command: Get-ScheduledTask
Extra startup items
Identify users’ autostart folders
● Related command: Get-CimInstance -ClassName Win32_StartUpCommand
●
Auto-start reg key entries
Check below registry keys for malicious autorun configurations
Get-ChildItem
● HKLM:\Software\Microsoft\Windows\CurrentVersion\Run
● HKLM:\Software\Microsoft\Windows\CurrentVersion\Runonce
● HKLM:\Software\Microsoft\Windows\CurrentVersion\RunonceEx
Listening and active TCP and UDP ports
Identify abnormal listening and active TCP and UDP ports
● Related command: Get-NetTCPConnection
● Related command: Get-NetUDPEndpoint
File Shares
All available file shares of a machine should be justified
● Related command: Get-SMBShare
● Related command: Get-FileShare
● Related command: Get-SMBServerConfiguration
Firewall Settings
Examining current firewall settings to detect abnormalities from a baseline
● Get-FirewallProfile
● Related command:Get-NetFirewallRule -Action Allow -Direction Inbound -Enabled True
|Format-Table
Systems connected to the machine
Identify NetBIOS over TCP/IP activity
● Related command: nbtstat -S
Open sessions/Logged on Users
Knowing who has an open session with a machine is very important
● Related command: gwmi Win32_LoggedOnUser | Select Antecedent
● Related command: Get-SMBOpenFile
Log entries
Identify curious-looking events
● Related command: Get-EventLog -LogName -Security -Source bacon (must be done
with admin privileges, piping findstr is highly advised)
Networking Commands
Related command: route print
Related command: Get-NetNeighbor -AddressFamily IPv4
Related command: Get-NetIPConfiguration
Other useful commands
Web requests
Invoke-WebRequest -Uri <IP_Address or web domain> -Outfile <filename>
You might also like
- Devil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New AmericaFrom EverandDevil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New AmericaRating: 4.5 out of 5 stars4.5/5 (266)
- A Heartbreaking Work Of Staggering Genius: A Memoir Based on a True StoryFrom EverandA Heartbreaking Work Of Staggering Genius: A Memoir Based on a True StoryRating: 3.5 out of 5 stars3.5/5 (231)
- The Sympathizer: A Novel (Pulitzer Prize for Fiction)From EverandThe Sympathizer: A Novel (Pulitzer Prize for Fiction)Rating: 4.5 out of 5 stars4.5/5 (122)
- Grit: The Power of Passion and PerseveranceFrom EverandGrit: The Power of Passion and PerseveranceRating: 4 out of 5 stars4/5 (590)
- The World Is Flat 3.0: A Brief History of the Twenty-first CenturyFrom EverandThe World Is Flat 3.0: A Brief History of the Twenty-first CenturyRating: 3.5 out of 5 stars3.5/5 (2259)
- Shoe Dog: A Memoir by the Creator of NikeFrom EverandShoe Dog: A Memoir by the Creator of NikeRating: 4.5 out of 5 stars4.5/5 (540)
- The Little Book of Hygge: Danish Secrets to Happy LivingFrom EverandThe Little Book of Hygge: Danish Secrets to Happy LivingRating: 3.5 out of 5 stars3.5/5 (401)
- The Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeFrom EverandThe Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeRating: 4 out of 5 stars4/5 (5813)
- Never Split the Difference: Negotiating As If Your Life Depended On ItFrom EverandNever Split the Difference: Negotiating As If Your Life Depended On ItRating: 4.5 out of 5 stars4.5/5 (844)
- Her Body and Other Parties: StoriesFrom EverandHer Body and Other Parties: StoriesRating: 4 out of 5 stars4/5 (822)
- Team of Rivals: The Political Genius of Abraham LincolnFrom EverandTeam of Rivals: The Political Genius of Abraham LincolnRating: 4.5 out of 5 stars4.5/5 (234)
- The Emperor of All Maladies: A Biography of CancerFrom EverandThe Emperor of All Maladies: A Biography of CancerRating: 4.5 out of 5 stars4.5/5 (271)
- Hidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space RaceFrom EverandHidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space RaceRating: 4 out of 5 stars4/5 (897)
- Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic FutureFrom EverandElon Musk: Tesla, SpaceX, and the Quest for a Fantastic FutureRating: 4.5 out of 5 stars4.5/5 (474)
- The Hard Thing About Hard Things: Building a Business When There Are No Easy AnswersFrom EverandThe Hard Thing About Hard Things: Building a Business When There Are No Easy AnswersRating: 4.5 out of 5 stars4.5/5 (348)
- The Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You AreFrom EverandThe Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You AreRating: 4 out of 5 stars4/5 (1092)
- Arrests and Executions of Famous People 2021Document6 pagesArrests and Executions of Famous People 2021Super SlinkyNo ratings yet
- On Fire: The (Burning) Case for a Green New DealFrom EverandOn Fire: The (Burning) Case for a Green New DealRating: 4 out of 5 stars4/5 (74)
- Restored Republic Via A GCR 4 6 2022Document10 pagesRestored Republic Via A GCR 4 6 2022Super SlinkyNo ratings yet
- The Yellow House: A Memoir (2019 National Book Award Winner)From EverandThe Yellow House: A Memoir (2019 National Book Award Winner)Rating: 4 out of 5 stars4/5 (98)
- Secret Space Program We Are Alr - Gil CarlsonDocument156 pagesSecret Space Program We Are Alr - Gil CarlsonSuper Slinky100% (2)
- The Unwinding: An Inner History of the New AmericaFrom EverandThe Unwinding: An Inner History of the New AmericaRating: 4 out of 5 stars4/5 (45)
- Babes in Tomorrowland Walt Disney and The Making of The American Child, 1930-1960 (Nicholas Sammond)Document485 pagesBabes in Tomorrowland Walt Disney and The Making of The American Child, 1930-1960 (Nicholas Sammond)Super SlinkyNo ratings yet
- Archiving BriefDocument9 pagesArchiving BriefSuper SlinkyNo ratings yet
- Commonwealth of Kentucky Enhanced Hazard Mitigation Plan 2013 VersionDocument636 pagesCommonwealth of Kentucky Enhanced Hazard Mitigation Plan 2013 VersionSuper SlinkyNo ratings yet
- Timeline of Treason v3Document12 pagesTimeline of Treason v3Super SlinkyNo ratings yet
- FUTURE WORLD (S) A Critique of Disneys EPCOT and Creating A FutuDocument221 pagesFUTURE WORLD (S) A Critique of Disneys EPCOT and Creating A FutuSuper SlinkyNo ratings yet
- Workout Agreement - Updated 12292020Document8 pagesWorkout Agreement - Updated 12292020Super SlinkyNo ratings yet
- Release List q1 2023Document8 pagesRelease List q1 2023Super SlinkyNo ratings yet
- Lion Wood Whistleblower Test 17-6750-2017-12-07Document2 pagesLion Wood Whistleblower Test 17-6750-2017-12-07Super SlinkyNo ratings yet
- Camp Hero State Park - Google MapsDocument1 pageCamp Hero State Park - Google MapsSuper SlinkyNo ratings yet
- Benjamin Fulford - December 5th 2016 - The Dominoes Keep Falling, Hollande, Renzi, Sarkozy Down, Xi, Putin, Abe and Merkel Now TargetedDocument9 pagesBenjamin Fulford - December 5th 2016 - The Dominoes Keep Falling, Hollande, Renzi, Sarkozy Down, Xi, Putin, Abe and Merkel Now TargetedSuper SlinkyNo ratings yet
- MemorandumDocument413 pagesMemorandumSuper SlinkyNo ratings yet
- Wireless SISO Channel Propagation ModelDocument6 pagesWireless SISO Channel Propagation ModelSuper SlinkyNo ratings yet
