Free Cheatsheet
PowerShell for Security Operations
The commands defenders run during investigations and triage, organized by ATT&CK tactic. 31 commands across 9 tactics, each with the syntax, what it reveals, and what to look for. No account needed.
Run elevated where required. These are read-and-collect commands for investigation and triage, paired with what each output reveals and how to read it. Organized by the ATT&CK tactic the command helps you investigate.
Discovery 6
Local System InformationT1082
Get-ComputerInfo | Select-Object CsName, OsName, OsVersion, OsBuildNumber, CsDomain, CsWorkgroup, TimeZoneNetwork ConfigurationT1016
Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, DNSServer, DefaultGatewayDomain ControllersT1018
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, Site, OperatingSystem, IsGlobalCatalogLocal Users and GroupsT1087.001
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description
Get-LocalGroupMember -Group "Administrators" | Select-Object Name, ObjectClass, PrincipalSourceAD User EnumerationT1087.002
Get-ADUser -Filter * -Properties LastLogonDate, PasswordLastSet, Enabled, MemberOf | Where-Object { $_.Enabled -eq $true } | Select-Object Name, SamAccountName, LastLogonDate, PasswordLastSetShared ResourcesT1135
Get-SmbShare | Select-Object Name, Path, Description
Get-SmbOpenFile | Select-Object ClientComputerName, ClientUserName, PathPersistence 5
Registry Run KeysT1547.001
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" -ErrorAction SilentlyContinueScheduled TasksT1053.005
Get-ScheduledTask | Where-Object { $_.State -ne "Disabled" } | Select-Object TaskName, TaskPath, State, @{N="Actions";E={$_.Actions.Execute + " " + $_.Actions.Arguments}} | Format-ListServicesT1543.003
Get-WmiObject Win32_Service | Where-Object { $_.PathName -match "temp|appdata|programdata|users" } | Select-Object Name, DisplayName, State, StartMode, PathNameWMI Event SubscriptionsT1546.003
Get-WMIObject -Namespace root\subscription -Class __EventFilter
Get-WMIObject -Namespace root\subscription -Class __EventConsumer
Get-WMIObject -Namespace root\subscription -Class __FilterToConsumerBindingStartup Folder ContentsT1547.001
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
Get-ChildItem "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"Credential Access 3
Cached Credentials CheckT1003
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" | Select-Object RunAsPPL, LmCompatibilityLevelKerberos Ticket EnumerationT1558
klist
klist sessionsSPN Enumeration (Kerberoast Targets)T1558.003
Get-ADUser -Filter { ServicePrincipalName -ne "$null" } -Properties ServicePrincipalName, PasswordLastSet | Select-Object SamAccountName, ServicePrincipalName, PasswordLastSet, EnabledExecution 3
Running Processes with Command LinesT1059
Get-WmiObject Win32_Process | Select-Object ProcessId, Name, CommandLine, @{N="ParentPID";E={$_.ParentProcessId}} | Sort-Object ParentPID | Format-ListPowerShell Execution PolicyT1059.001
Get-ExecutionPolicy -List
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" -Name ExecutionPolicy -ErrorAction SilentlyContinueRecently Modified ExecutablesT1036
Get-ChildItem -Path C:\Windows\Temp, $env:TEMP, $env:APPDATA -Include *.exe,*.dll,*.ps1,*.bat,*.vbs -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } | Select-Object FullName, LastWriteTime, LengthLateral Movement 4
Active Network ConnectionsT1021
Get-NetTCPConnection -State Established | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess, @{N="Process";E={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}} | Sort-Object RemoteAddressRDP Session HistoryT1021.001
Get-ItemProperty "HKCU:\Software\Microsoft\Terminal Server Client\Servers\*" -ErrorAction SilentlyContinue | Select-Object PSChildName, UsernameHint
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" -MaxEvents 50 | Select-Object TimeCreated, Id, MessageSMB Sessions and Open FilesT1021.002
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, NumOpens
Get-SmbOpenFile | Select-Object ClientComputerName, ClientUserName, PathRemote WinRM SessionsT1021.006
Get-WSManInstance -ResourceURI shell -Enumerate
Get-WinEvent -LogName "Microsoft-Windows-WinRM/Operational" -MaxEvents 20 | Select-Object TimeCreated, Id, MessageCollection 2
Recently Accessed FilesT1005
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Recent" -ErrorAction SilentlyContinue | Sort-Object LastWriteTime -Descending | Select-Object Name, LastWriteTime -First 30Large Files and ArchivesT1074
Get-ChildItem -Path C:\Users -Include *.zip,*.rar,*.7z,*.tar,*.gz -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Length -gt 10MB } | Select-Object FullName, @{N="SizeMB";E={[math]::Round($_.Length/1MB,1)}}, LastWriteTimeDefense Evasion 3
Defender Status and ExclusionsT1562.001
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, AntivirusEnabled, AntispywareEnabled, BehaviorMonitorEnabled
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcessEvent Log StatusT1070.001
Get-WinEvent -ListLog Security,System,Application,"Microsoft-Windows-PowerShell/Operational","Microsoft-Windows-Sysmon/Operational" -ErrorAction SilentlyContinue | Select-Object LogName, IsEnabled, RecordCount, FileSize, LastWriteTimeHidden Files and Alternate Data StreamsT1564
Get-ChildItem -Path C:\Users -Force -Hidden -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } | Select-Object FullName, LastWriteTime, Length
Get-Item -Path C:\Users\*\Desktop\* -Stream * -ErrorAction SilentlyContinue | Where-Object { $_.Stream -ne ":$DATA" }Exfiltration 2
DNS Resolution CacheT1048
Get-DnsClientCache | Select-Object Entry, RecordName, RecordType, Data | Sort-Object EntryUSB Device HistoryT1052
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*" -ErrorAction SilentlyContinue | Select-Object FriendlyName, @{N="Serial";E={$_.PSChildName}}, ContainerIDContainment 3
Disable AD AccountResponse
Disable-ADAccount -Identity "compromised_user"
Search-ADAccount -LockedOut | Unlock-ADAccountRevoke Cloud SessionsResponse
# Microsoft Graph PowerShell
Revoke-MgUserSignInSession -UserId "user@domain.com"
# Reset password
Update-MgUser -UserId "user@domain.com" -PasswordProfile @{ ForceChangePasswordNextSignIn = $true }Network Isolation CheckResponse
Test-NetConnection -ComputerName "isolated-host" -Port 445
Get-NetFirewallRule | Where-Object { $_.Action -eq "Block" -and $_.Enabled -eq "True" } | Select-Object DisplayName, DirectionFrom running commands to running the investigation
These collect the evidence. Windows Endpoint Investigation teaches the method: correlating what they return into a defensible account of what happened on the host, and proving it. Built by practitioners who still do the job.
Explore the course