PowerShell For Incident Response
Process Analysis
Get-Process
Purpose: List all running processes to identify malware/spoofed processes.
Use Case: Find high-CPU processes, unrecognized paths, or missing vendor info.
Get-Process | Select-Object Name, Id, CPU, Path | Sort-Object CPU -Descending
Network Connections
Get-NetTCPConnection / Get-NetUDPEndpoint
Purpose: List active network connections to detect C2 traffic.
Use Case: Identify unknown remote IPs or ports.
Get-NetTCPConnection -State Established | Select-Object LocalAddress, RemoteAddress, OwningProcess
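The one-liner above returns an OwningProcess number, which still has to be matched to a binary by hand. The function below is an added example (not part of the original cheat sheet): it joins each established TCP connection to its process, checks the binary's Authenticode status, and drops loopback, link-local and RFC 1918 remote addresses so that only traffic leaving the network remains. The range regex and the `<exited>` placeholder are this example's own choices.

```powershell
# Added example: established TCP connections joined to their owning process,
# keeping only remote addresses outside loopback/link-local/RFC 1918 space.
function Get-ExternalConnection {
    # Snapshot processes once so each connection lookup is a hashtable hit
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Established | ForEach-Object {
        $ip = $_.RemoteAddress
        # Internal ranges are excluded from this first-pass C2 triage (assumption: no C2 relay inside)
        $isInternal = $ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|::1$|fe80:)'
        if ($isInternal) { return }

        $p = $procs[[int]$_.OwningProcess]   # $null if the process exited after the snapshot
        [pscustomobject]@{
            RemoteAddress = $ip
            RemotePort    = $_.RemotePort
            LocalPort     = $_.LocalPort
            PID           = $_.OwningProcess
            Process       = if ($p) { $p.ProcessName } else { '<exited>' }
            Path          = if ($p) { $p.Path } else { $null }
            # Path is $null for protected/system processes when not elevated
            Signed        = if ($p -and $p.Path) { (Get-AuthenticodeSignature -LiteralPath $p.Path).Status } else { 'Unknown' }
        }
    }
}

Get-ExternalConnection | Sort-Object Process | Format-Table -AutoSize
```

Run it from an elevated prompt so that process paths are populated; a `Signed` value of `NotSigned` or `HashMismatch` on a process talking to an external address is worth a closer look, as is any `<exited>` entry that keeps reappearing.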
Registry Persistence
Run Keys (User & Machine)
Purpose: Check auto-start locations for malware persistence.
Use Case: Find unauthorized startup entries.
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run", "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
UserAssist (ROT13 Encoded)
Purpose: Decode GUI program execution history.
Use Case: Find evidence of executed malware via GUI.
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count"
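The command above only lists the ROT13-encoded value names and raw binary data. The functions below are an added example (not from the original cheat sheet) that decode the names and pull the run count and last-execution time out of each value. The byte offsets used (run count at offset 4, FILETIME at offset 60 in a 72-byte entry) are the Windows 7 and later layout; shorter entries from older formats are returned without those fields.

```powershell
# Added example: decode UserAssist value names (ROT13) and parse run count
# and last-run timestamp from the REG_BINARY data (Windows 7+ layout assumed).
function ConvertFrom-Rot13 {
    param([string]$Text)
    $chars = $Text.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if ($c -ge 65 -and $c -le 90)      { [char](($c - 65 + 13) % 26 + 65) }   # A-Z
        elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }   # a-z
        else { $_ }                                                               # digits, braces, backslashes
    }
    -join $chars
}

function Get-UserAssistEntry {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $guid  = $_.PSChildName
        $props = Get-ItemProperty -Path "$base\$guid\Count" -ErrorAction SilentlyContinue
        if (-not $props) { return }
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }          # skip PowerShell's PSPath/PSChildName metadata
            $data = $props.$name
            if ($data -isnot [byte[]]) { continue }
            $runCount = $null; $lastRun = $null
            if ($data.Length -ge 68) {
                $runCount = [BitConverter]::ToUInt32($data, 4)
                $ft = [BitConverter]::ToInt64($data, 60)
                if ($ft -gt 0) { $lastRun = [DateTime]::FromFileTime($ft) }
            }
            [pscustomobject]@{
                Program  = ConvertFrom-Rot13 $name
                RunCount = $runCount
                LastRun  = $lastRun
                GUID     = $guid
            }
        }
    }
}

Get-UserAssistEntry | Where-Object LastRun | Sort-Object LastRun -Descending | Format-Table -AutoSize
```

Decoded names beginning with `UEME_` are housekeeping entries rather than programs; the interesting rows are full paths and known-folder GUID prefixes with a recent `LastRun` and a low `RunCount`.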
USB Device History
Purpose: List connected USB devices.
Use Case: Identify unauthorized storage devices.
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*" | Select-Object FriendlyName
ShimCache (AppCompatCache)
Purpose: List executables seen by the system.
Use Case: Find deleted/cleared malware traces.
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" -Name AppCompatCache
Prefetch Files
Purpose: Track program execution history.
Use Case: Identify malware execution frequency.
Get-ChildItem -Path "C:\Windows\Prefetch\*.pf" | Select-Object Name, LastAccessTime
LNK Files (Recent Shortcuts)
Purpose: Reveal accessed files/executables.
Use Case: Find lateral movement or data exfiltration.
Get-ChildItem -Path "$env:APPDATA\Microsoft\Windows\Recent\*.lnk" | Select-Object Name, LastAccessTime
Scheduled Tasks
Purpose: Check for malicious scheduled jobs.
Use Case: Find persistence/backdoor tasks.
Get-ScheduledTask | Where-Object { $_.State -ne "Disabled" } | Select-Object TaskName, Author, TaskPath
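The one-liner lists task names but not what they execute. The function below is an added example (not part of the original cheat sheet) that expands each enabled task's actions and principal and keeps tasks outside the `\Microsoft\` tree, tasks launching script hosts, or tasks whose binary lives in user-writable locations. The keyword and path lists are this example's own starting point, not a complete ruleset.

```powershell
# Added example: expand scheduled task actions so the executable, its
# arguments and the run-as account are visible on one row per action.
function Get-TaskAction {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }   # COM-handler actions have no Execute field
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                RunAs     = $task.Principal.UserId
                Execute   = $a.Execute
                Arguments = $a.Arguments
                Author    = $task.Author
            }
        }
    } | Where-Object {
        # Keep: anything outside Microsoft's own task folders, script hosts, or user-writable paths
        $_.TaskPath -notlike '\Microsoft\*' -or
        $_.Execute -match 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32' -or
        "$($_.Execute) $($_.Arguments)" -match 'AppData|\\Temp\\|ProgramData|Users\\Public'
    }
}

Get-TaskAction | Sort-Object TaskPath | Format-Table -AutoSize -Wrap
```

Tasks under `\Microsoft\` that still match the second or third condition are not excluded, which is deliberate: attackers do drop tasks into those folders to blend in.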
DNS Cache
Purpose: List resolved domains.
Use Case: Detect C2 domains.
Get-DnsClientCache | Where-Object { $_.Entry -notmatch "microsoft|windows" }
Browser History (Chrome)
Purpose: Extract browsing activity.
Use Case: Find phishing/exploit kit visits.
Stop-Process -Name chrome -Force; Invoke-SqliteQuery -DataSource "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History" -Query "SELECT url, title FROM urls LIMIT 5"
Note: Invoke-SqliteQuery comes from the PSSQLite module (Install-Module PSSQLite), not from PowerShell itself. Chrome holds a lock on the History database while running; copying the file elsewhere and querying the copy avoids the lock without terminating the browser on a live host.
Windows Event Logs (4624)
Purpose: Identify successful authentication events
Use Case: Detect lateral movement or unauthorized access
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} -MaxEvents 20 | Select-Object TimeCreated,Message | Format-Table -Wrap
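Reading 4624 messages with `Format-Table -Wrap` works for a handful of events but does not scale. The function below is an added example (not part of the original cheat sheet) that parses each event's XML into fields and keeps interactive (2), network (3) and RemoteInteractive (10) logons whose source address is not the local host, excluding computer accounts. The logon-type selection and the local-address list are this example's assumptions.

```powershell
# Added example: parse 4624 EventData and surface logons that arrived from
# another host, then group by source address and account.
function Get-RemoteLogon {
    param([int]$MaxEvents = 500, [int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $src   = $d['IpAddress']
        $local = [string]::IsNullOrEmpty($src) -or ($src -in @('-', '127.0.0.1', '::1'))
        $isComputerAccount = $d['TargetUserName'] -like '*$'

        if (($d['LogonType'] -in @('2', '3', '10')) -and -not $local -and -not $isComputerAccount) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = $d['LogonType']
                User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                SourceIP    = $src
                Workstation = $d['WorkstationName']
                Process     = $d['ProcessName']   # logon process on this host, e.g. lsass/winlogon
            }
        }
    }
}

Get-RemoteLogon | Group-Object SourceIP, User | Sort-Object Count -Descending | Select-Object Count, Name
```

Type 10 logons from addresses that never appear in the admin jump-host list, and type 3 logons by one account against many hosts in a short window, are the patterns this output is meant to expose. Reading the Security log requires an elevated prompt.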
Defender Detection Logs
Purpose: List detected (but possibly unblocked) threats
Use Case: Identify past attack attempts
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=1116} -MaxEvents 10
Recycle Bin Contents
Purpose: List recently deleted files
Use Case: Recover attacker-dropped tools
Get-ChildItem -Path "C:\`$Recycle.Bin" -Recurse -Force -ErrorAction SilentlyContinue | Select-Object FullName,LastWriteTime
BITS Transfer Jobs
Purpose: Check for off-hours data transfers
Use Case: Detect exfiltration jobs
Get-BitsTransfer -AllUsers | Where-Object {$_.JobState -ne "Transferred"} | Select-Object DisplayName,FileList
Note: without -AllUsers only the current user's jobs are shown; -AllUsers requires an elevated prompt.
PowerShell Operational Logs
Purpose: Extract executed script blocks
Use Case: Find malicious PowerShell activity
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -MaxEvents 15 | Select-Object Message
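A long script block is logged as several 4104 events that share a ScriptBlockId, so reading single messages shows fragments. The function below is an added example (not part of the original cheat sheet) that reassembles blocks by id and message number, then flags the ones containing common obfuscation and download indicators. The indicator list is a constructed starting point for this example and should be tuned to the environment.

```powershell
# Added example: reassemble 4104 script blocks from their parts and flag
# blocks containing encoding, download or in-memory loading indicators.
function Get-SuspiciousScriptBlock {
    param([int]$MaxEvents = 2000)
    # Constructed indicator list; extend for your environment
    $indicators = 'FromBase64String|-EncodedCommand|-enc\b|DownloadString|DownloadFile|Invoke-Expression|\biex\b|Net\.WebClient|Reflection\.Assembly|VirtualAlloc|AmsiUtils|Add-MpPreference|Set-MpPreference'

    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        # 4104 EventData order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
        $p = $_.Properties
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Part    = [int]$p[0].Value
            Total   = [int]$p[1].Value
            Text    = [string]$p[2].Value
            BlockId = [string]$p[3].Value
            Path    = [string]$p[4].Value
        }
    } | Group-Object BlockId | ForEach-Object {
        $parts = $_.Group | Sort-Object Part
        $full  = -join ($parts | ForEach-Object Text)
        $hits  = [regex]::Matches($full, $indicators, 'IgnoreCase') | ForEach-Object Value | Select-Object -Unique
        if ($hits) {
            $first = $parts | Select-Object -First 1
            [pscustomobject]@{
                FirstSeen  = $first.Time
                BlockId    = $_.Name
                Complete   = ($parts.Count -eq $first.Total)   # $false if some parts fell outside -MaxEvents
                Indicators = $hits -join ', '
                Path       = if ($first.Path) { $first.Path } else { '<interactive/in-memory>' }
                Preview    = ($full.Substring(0, [Math]::Min(120, $full.Length)) -replace '\s+', ' ')
            }
        }
    }
}

Get-SuspiciousScriptBlock | Sort-Object FirstSeen -Descending | Format-Table -AutoSize -Wrap
```

An empty `Path` is common for malicious activity, since encoded commands and downloaded stagers run from memory rather than from a `.ps1` file. Script block logging must be enabled by policy for 4104 events to exist at all; absence of events is not absence of activity.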
Volume Shadow Copies
Purpose: List available system restore points
Use Case: Recover pre-attack file versions
vssadmin list shadows
Note: requires an elevated prompt. Get-CimInstance Win32_ShadowCopy returns the same information as objects.
Shellbags (Folder Access History)
Purpose: Reveal accessed folders (including disconnected drives)
Use Case: Identify data staging locations
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\Shell\Bags\*\Shell" | Select-Object PSChildName,ItemPos*
Group Policy Changes
Purpose: Detect malicious policy modifications
Use Case: Find disabled security controls or attacker-added login scripts
Get-ChildItem -Path "C:\Windows\System32\GroupPolicy\DataStore\*\*" -Recurse -Force | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-7)}
Environment Variables
Purpose: Inspect the machine-wide environment block
Use Case: Find attacker-added PATH directories or altered ComSpec/TEMP locations
Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager\Environment" | Select-Object Path,PSChildName,*
WMI Persistence
Event Filters
Purpose: List all WMI event filters
Use Case: Detect malicious event subscriptions (e.g., process creation triggers)
Get-WmiObject -Namespace root\Subscription -Class __EventFilter | Select-Object Name,Query
Event Consumers
Purpose: List active WMI consumers
Use Case: Identify malicious payload delivery mechanisms
Get-WmiObject -Namespace root\Subscription -Class __EventConsumer | Select-Object Name,CommandLineTemplate
Filter-Consumer Bindings
Purpose: Reveal filter-to-consumer relationships
Use Case: Map complete WMI persistence chains
Get-WmiObject -Namespace root\Subscription -Class __FilterToConsumerBinding | Select-Object Filter,Consumer
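The three queries above have to be correlated by hand. The function below is an added example (not part of the original cheat sheet) that walks every binding and prints the filter query next to the consumer payload, using Get-CimInstance so it also runs on PowerShell 7. The `Suspicious` heuristic (trigger and payload keywords) is this example's own and is meant as a first filter, not a verdict.

```powershell
# Added example: join __FilterToConsumerBinding to its filter and consumer
# so each WMI persistence chain is shown as one row with query and payload.
function Get-WmiPersistenceChain {
    $ns = 'root\subscription'
    $filters   = @{}
    $consumers = @{}
    Get-CimInstance -Namespace $ns -ClassName __EventFilter   | ForEach-Object { $filters[$_.Name]   = $_ }
    # __EventConsumer is abstract; this returns every concrete consumer subclass
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
        $b = $_
        # Filter/Consumer are object references; Get-CimInstance exposes their key property (Name)
        $f = $filters[$b.Filter.Name]
        $c = $consumers[$b.Consumer.Name]
        $type = if ($c) { $c.CimClass.CimClassName } else { '<missing consumer>' }
        $payload = switch ($type) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFilename } }
            default                     { '<non-executable consumer>' }
        }
        [pscustomobject]@{
            Filter       = $b.Filter.Name
            Query        = if ($f) { $f.Query } else { '<missing filter>' }
            ConsumerType = $type
            Consumer     = $b.Consumer.Name
            Payload      = $payload
            Suspicious   = ($f.Query -match 'Win32_ProcessStartTrace|Win32_LocalTime|Win32_LogonSession|__InstanceCreationEvent') -or
                           ($payload -match 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32')
        }
    }
}

Get-WmiPersistenceChain | Format-Table -AutoSize -Wrap
```

A single binding named `SCM Event Log Filter` / `SCM Event Log Consumer` (an NTEventLogEventConsumer) is present on a default Windows install and is the benign baseline; anything else deserves an explanation, and a filter/consumer pair that exists without a binding is also worth noting since it may be staged for later.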
Service Management
List All Services
Purpose: Enumerate all installed services
Use Case: Baseline service inventory for anomaly detection
Get-Service | Select-Object Status,Name,DisplayName | Sort-Object Status -Descending
List Running Services
Purpose: Identify currently active services
Use Case: Spot suspicious services consuming resources
Get-Service | Where-Object {$_.Status -eq "Running"} | Select-Object Name,StartType
List Stopped Services
Purpose: Identify services that are installed but not running
Use Case: Spot misconfigurations or detect if critical services (e.g., AV) were stopped maliciously
Get-Service | Where-Object {$_.Status -eq "Stopped"} | Select-Object Name,StartType
Detailed Service Info
Purpose: Examine service binaries and configurations
Use Case: Detect service hijacking or fake services (the filter keeps only services whose binary path is not quoted, the unquoted-service-path weakness)
Get-CimInstance Win32_Service | Where-Object {$_.PathName -notlike '"*'} | Select-Object Name,State,PathName,StartMode
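The four service one-liners above each answer one question. The function below is an added example (not part of the original cheat sheet) that extracts the actual executable from each service's PathName and reports three findings per service: an unquoted path containing spaces, a binary outside the Windows and Program Files trees, and a missing or invalid Authenticode signature. The path-extraction regex and the "system location" definition are this example's assumptions.

```powershell
# Added example: per-service triage of binary path, location and signature.
function Get-ServiceAnomaly {
    Get-CimInstance Win32_Service | ForEach-Object {
        $raw = [string]$_.PathName
        # Executable: the quoted token if present, otherwise everything up to the first .exe
        $exe = if ($raw -match '^"([^"]+)"')    { $Matches[1] }
               elseif ($raw -match '^(.+?\.exe)') { $Matches[1] }
               else { $raw }
        $unquotedSpace = ($raw -notlike '"*') -and ($exe -like '* *')
        $outsideSystem = $exe -and ($exe -notmatch '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\')
        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
            (Get-AuthenticodeSignature -LiteralPath $exe).Status
        } else { 'FileMissing' }
        [pscustomobject]@{
            Name          = $_.Name
            State         = $_.State
            StartMode     = $_.StartMode
            Account       = $_.StartName
            Executable    = $exe
            UnquotedSpace = $unquotedSpace
            OutsideSystem = $outsideSystem
            Signature     = $sig
        }
    } | Where-Object { $_.UnquotedSpace -or $_.OutsideSystem -or $_.Signature -ne 'Valid' }
}

Get-ServiceAnomaly | Sort-Object Signature, Name | Format-Table -AutoSize
```

Windows components are catalog-signed and report `Valid` from Get-AuthenticodeSignature, so `NotSigned` on a file under `C:\Windows` is itself a finding; `FileMissing` on a running service means the binary was deleted after start, which is worth pairing with the Prefetch and ShimCache checks above. Run elevated so that every service's PathName is readable.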
Processes in Temp/AppData
Purpose: Find executables running from suspicious locations
Use Case: Detect fileless malware or staged payloads
Get-Process | Where-Object {$_.Path -like "*temp*" -or $_.Path -like "*appdata*"} | Select-Object Name,Id,Path