Windows Powershell Forensics

System Information and Metadata Collection

Get-SystemInfo: Retrieves detailed system information.
Get-ComputerInfo : 
Get-WmiObject -Class Win32_OperatingSystem : Gather information about the Operating System
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* : Retrieve Installed Software
(Get-WmiObject -Class Win32_OperatingSystem).LastBootUpTime : Check System Boot Time
Get-ChildItem env:\  : to get all Environment Variables
dir env:\

User Activity and Login Tracking

quser : List Active User Sessions 
Get-LocalUser : Retrieve Local User Accounts
Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4624} : 

Network Information

Get-NetTCPConnection : List Active Network Connections
Get-NetIPAddress : Retrieve IP Address Information 
Get-SmbShare : List Active Network Shares 

Get-NetTCPConnection | Where-Object { $_.RemoteAddress -notlike "127.*" -and $_.RemoteAddress -notlike "::1" } : List Only Foreign (External) Network Connections

Get-NetTCPConnection | Where-Object { $_.RemotePort -eq 443 -or $_.RemoteAddress -match "^192\.168\." } : Filter Connections by Specific Port or IP Range

Get-NetTCPConnection -State Established : Find Established Network Connections 

Process and Service Monitoring

Get-Process : List Running Processes 
Get-Process | Where-Object {$_.ProcessName -match "powershell|notepad"} : Filter Output from Commands
Get-Process | Select-Object -Property Path, Name, Id 
Get-Service  :  List Installed Services 
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" : Query Startup Applications 
Get-Service | Export-Csv -Path services.csv : print all the info into csv file
Get-Process | Out-File -FilePath processes.txt -Append :
Get-Process | ForEach-Object {
    if ($_.CPU -gt 100) {
        Write-Output "$($_.ProcessName) is using high CPU!"  
    }
}
 
Get-Service | Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.DisplayName } : Extract Information from Command Output (Pipeline Parsing)

Functionality	PowerShell	Command
List processes	Get-Process	wmic.exe process
Network connections	Get-NetTCPConnection	netstat.exe -nao
Registry access	Get-ChildItem	reg.exe
List services	Get-Service	sc.exe query
List users	Get-LocalUser	net.exe user
List groups	Get-LocalGroup	net.exe localgroup
List scheduled tasks	Get-ScheduledTask	schtasks.exe
Access Event Logs	Get-WinEvent	wevtutil.exe

Inspecting Loaded Modules and DLLs for Process Analysis

Get-Process | ForEach-Object { $_.Modules | Select-Object -Property ModuleName, FileName } : List Loaded Modules for Each Process
(Get-Process -Name "notepad").Modules | Select-Object ModuleName, FileName  :  Analyze DLLs Loaded by a Specific Process 

File System and Registry Analysis

Get-PSDrive : Enumerate All Drives
Get-ChildItem -Path C:\path\to\directory -Recurse : Retrieve Files in a Specific Directory 
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" : Query Registry Key for Persistence Mechanisms
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\Shell\BagMRU": Retrieve ShellBag Information (User File and Folder History)
Get-ChildItem -Path "C:\Logs\" -Filter *.log | Select-String -Pattern "error|fail|attack"  : Search Across Log Files for Keywords

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" |
Where-Object { $_.Property -match "cmd|powershell|vbs" }  : Searching within the Registry for Suspicious Keys 

Get-ChildItem -Path HKLM:\ -Recurse | Get-ItemProperty -ErrorAction SilentlyContinue |
Where-Object { $_.PSChildName -match "suspicious_keyword" } : Search for Specific String Across Registry Keys

Get-Item "C:\path\to\file.txt" | Select-Object -Property Name, CreationTime, LastAccessTime, LastWriteTime  : Extracting Artifact Metadata from Files

Event Log Analysis

Get-EventLog -LogName Security : Retrieve Security Event Logs
Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4624} : Filter Specific Event ID (e.g., Successful Logon)
Get-EventLog -LogName Security | Export-Csv -Path C:\Logs\SecurityLog.csv : Export Event Logs for Analysis 
Get-ChildItem -Path "C:\Logs" -Filter *.log | Select-String -Pattern "error|login failure" |
Out-File -FilePath "C:\Forensics\matching_logs.txt"  : Log Matching Results to a File
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | Where-Object {$_.Message -match "Admin"}

History

Get-History 
Get-History | Format-Table -AutoSize

Browser and Internet Activity

Get-Item -Path "HKCU:\Software\Microsoft\Internet Explorer\TypedURLs": Retrieve Browser History for Edge/IE 
ipconfig /displaydns : Retrieve DNS Cache 

Collecting Evidence

Get-WmiObject -Class Win32_PhysicalMemory : Take a Snapshot of Memory Information 
Get-ChildItem Env :  Retrieve System Environment Variables
(Get-PSReadLineOption).HistorySavePath : Dump All Available PowerShell History

Malware Detection and Analysis

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" : List Autoruns for Persistence Detection 
Get-ScheduledTask | Select-Object TaskName,TaskPath,State : List All Scheduled Tasks 
Get-WmiObject -Class Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } : Check for Hidden Services or Processes

Using Hashing for File Integrity Verification

Get-FileHash -Algorithm SHA256 -Path "C:\path\to\file" : Compute File Hash 

$hash1 = Get-FileHash -Path "C:\path\to\original_file"
$hash2 = Get-FileHash -Path "C:\path\to\new_file"                               : Compare Hashes Across Files for Tampering Detection
if ($hash1.Hash -ne $hash2.Hash) { Write-Output "Files differ!" }

Using WMI and CIM for Deeper System Insights

Get-CimInstance -ClassName Win32_QuickFixEngineering | Select-Object -Property Description, HotFixID, InstalledOn  : Query Installed Hotfixes and Patches
Get-CimInstance -ClassName Win32_BIOS | Format-List -Property * : Inspect BIOS Information
Get-WmiObject -Class Win32_OperatingSystem | Select-Object -Property LastBootUpTime, LocalDateTime  : Check System Startup and Shutdown History
Get-CimInstance -Class Win32_Process | Select-Object ProcessId, ProcessName, CommandLine
Get-CimInstance -ClassName Win32_Service | Format-List Name, Caption, Description, PathName
wmic process list brief                                               # List all running processes:
wmic process list full                                                # Detailed information about all processes
Get-ChildItem 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows
\CurrentVersion\Uninstall\' | Select-Object PSChildName

PowerShell Commands to Discover WMI Events

Get-WmiObject -Namespace "root\subscription" -Class __EventFilter 
Get-WmiObject -Namespace "root\subscription" -Class __EventConsumer
Get-WmiObject -Namespace "root\subscription" -Class __FilterToConsumerBinding

Unusual Accounts

Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember Administrators

Unusual Log Entries

$start = Get-Date 8/23/2024;
$end = Get-Date 8/25/2024;
Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=$start; EndTime=$end;}
Get-WinEvent -LogName System | Where-Object -Property Id -EQ 7045 |
Format-List -Property TimeCreated,Message