# Windows Powershell Forensics
### System Information and Metadata Collection
```
Get-SystemInfo: Retrieves detailed system information.
Get-ComputerInfo :
Get-WmiObject -Class Win32_OperatingSystem : Gather information about the Operating System
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* : Retrieve Installed Software
(Get-WmiObject -Class Win32_OperatingSystem).LastBootUpTime : Check System Boot Time
Get-ChildItem env:\ : to get all Environment Variables
dir env:\
```
### User Activity and Login Tracking
```
quser : List Active User Sessions
Get-LocalUser : Retrieve Local User Accounts
Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4624} :
```
### Network Information
```
Get-NetTCPConnection : List Active Network Connections
Get-NetIPAddress : Retrieve IP Address Information
Get-SmbShare : List Active Network Shares
Get-NetTCPConnection | Where-Object { $_.RemoteAddress -notlike "127.*" -and $_.RemoteAddress -notlike "::1" } : List Only Foreign (External) Network Connections
Get-NetTCPConnection | Where-Object { $_.RemotePort -eq 443 -or $_.RemoteAddress -match "^192\.168\." } : Filter Connections by Specific Port or IP Range
Get-NetTCPConnection -State Established : Find Established Network Connections
```
### Process and Service Monitoring
```
Get-Process : List Running Processes
Get-Process | Where-Object {$_.ProcessName -match "powershell|notepad"} : Filter Output from Commands
Get-Process | Select-Object -Property Path, Name, Id
Get-Service : List Installed Services
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" : Query Startup Applications
Get-Service | Export-Csv -Path services.csv : print all the info into csv file
Get-Process | Out-File -FilePath processes.txt -Append :
Get-Process | ForEach-Object {
if ($_.CPU -gt 100) {
Write-Output "$($_.ProcessName) is using high CPU!"
}
}
Get-Service | Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.DisplayName } : Extract Information from Command Output (Pipeline Parsing)
```
| Functionality | PowerShell | Command |
| -------------------- | -------------------- | ------------------ |
| List processes | Get-Process | wmic.exe process |
| Network connections | Get-NetTCPConnection | netstat.exe -nao |
| Registry access | Get-ChildItem | reg.exe |
| List services | Get-Service | sc.exe query |
| List users | Get-LocalUser | net.exe user |
| List groups | Get-LocalGroup | net.exe localgroup |
| List scheduled tasks | Get-ScheduledTask | schtasks.exe |
| Access Event Logs | Get-WinEvent | wevtutil.exe |
### Inspecting Loaded Modules and DLLs for Process Analysis
```
Get-Process | ForEach-Object { $_.Modules | Select-Object -Property ModuleName, FileName } : List Loaded Modules for Each Process
(Get-Process -Name "notepad").Modules | Select-Object ModuleName, FileName : Analyze DLLs Loaded by a Specific Process
```
### File System and Registry Analysis
```
Get-PSDrive : Enumerate All Drives
Get-ChildItem -Path C:\path\to\directory -Recurse : Retrieve Files in a Specific Directory
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" : Query Registry Key for Persistence Mechanisms
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\Shell\BagMRU": Retrieve ShellBag Information (User File and Folder History)
Get-ChildItem -Path "C:\Logs\" -Filter *.log | Select-String -Pattern "error|fail|attack" : Search Across Log Files for Keywords
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" |
Where-Object { $_.Property -match "cmd|powershell|vbs" } : Searching within the Registry for Suspicious Keys
Get-ChildItem -Path HKLM:\ -Recurse | Get-ItemProperty -ErrorAction SilentlyContinue |
Where-Object { $_.PSChildName -match "suspicious_keyword" } : Search for Specific String Across Registry Keys
Get-Item "C:\path\to\file.txt" | Select-Object -Property Name, CreationTime, LastAccessTime, LastWriteTime : Extracting Artifact Metadata from Files
```
### Event Log Analysis
```
Get-EventLog -LogName Security : Retrieve Security Event Logs
Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4624} : Filter Specific Event ID (e.g., Successful Logon)
Get-EventLog -LogName Security | Export-Csv -Path C:\Logs\SecurityLog.csv : Export Event Logs for Analysis
Get-ChildItem -Path "C:\Logs" -Filter *.log | Select-String -Pattern "error|login failure" |
Out-File -FilePath "C:\Forensics\matching_logs.txt" : Log Matching Results to a File
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | Where-Object {$_.Message -match "Admin"}
```
### History
```
Get-History
Get-History | Format-Table -AutoSize
```
### Browser and Internet Activity
```
Get-Item -Path "HKCU:\Software\Microsoft\Internet Explorer\TypedURLs": Retrieve Browser History for Edge/IE
ipconfig /displaydns : Retrieve DNS Cache
```
### Collecting Evidence
```
Get-WmiObject -Class Win32_PhysicalMemory : Take a Snapshot of Memory Information
Get-ChildItem Env : Retrieve System Environment Variables
(Get-PSReadLineOption).HistorySavePath : Dump All Available PowerShell History
```
### Malware Detection and Analysis
```
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" : List Autoruns for Persistence Detection
Get-ScheduledTask | Select-Object TaskName,TaskPath,State : List All Scheduled Tasks
Get-WmiObject -Class Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } : Check for Hidden Services or Processes
```
### Using Hashing for File Integrity Verification
```
Get-FileHash -Algorithm SHA256 -Path "C:\path\to\file" : Compute File Hash
$hash1 = Get-FileHash -Path "C:\path\to\original_file"
$hash2 = Get-FileHash -Path "C:\path\to\new_file" : Compare Hashes Across Files for Tampering Detection
if ($hash1.Hash -ne $hash2.Hash) { Write-Output "Files differ!" }
```
### Using WMI and CIM for Deeper System Insights
```
Get-CimInstance -ClassName Win32_QuickFixEngineering | Select-Object -Property Description, HotFixID, InstalledOn : Query Installed Hotfixes and Patches
Get-CimInstance -ClassName Win32_BIOS | Format-List -Property * : Inspect BIOS Information
Get-WmiObject -Class Win32_OperatingSystem | Select-Object -Property LastBootUpTime, LocalDateTime : Check System Startup and Shutdown History
Get-CimInstance -Class Win32_Process | Select-Object ProcessId, ProcessName, CommandLine
Get-CimInstance -ClassName Win32_Service | Format-List Name, Caption, Description, PathName
wmic process list brief # List all running processes:
wmic process list full # Detailed information about all processes
Get-ChildItem 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows
\CurrentVersion\Uninstall\' | Select-Object PSChildName
```
### PowerShell Commands to Discover WMI Events
```
Get-WmiObject -Namespace "root\subscription" -Class __EventFilter
Get-WmiObject -Namespace "root\subscription" -Class __EventConsumer
Get-WmiObject -Namespace "root\subscription" -Class __FilterToConsumerBinding
```
## Unusual Accounts
```
Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember Administrators
```
### Unusual Log Entries
```
$start = Get-Date 8/23/2024;
$end = Get-Date 8/25/2024;
Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=$start; EndTime=$end;}
Get-WinEvent -LogName System | Where-Object -Property Id -EQ 7045 |
Format-List -Property TimeCreated,Message
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://mahmoud-shaker.gitbook.io/dfir-notes/windows-powershell-forensics.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.