PowerShell For Incident Response

Process Analysis

Get-Process

Purpose: List all running processes to identify malware/spoofed processes. Use Case: Find high-CPU processes, unrecognized paths, or missing vendor info.

Get-Process | Select-Object Name, Id, CPU, Path | Sort-Object CPU -Descending

Network Connections

Get-NetTCPConnection / Get-NetUDPEndpoint

Purpose: List active network connections to detect C2 traffic. Use Case: Identify unknown remote IPs or ports.

Get-NetTCPConnection -State Established | Select-Object LocalAddress, RemoteAddress, OwningProcess

Registry Persistence

Run Keys (User & Machine)

Purpose: Check auto-start locations for malware persistence. Use Case: Find unauthorized startup entries.

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run", "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

UserAssist (ROT13 Encoded)

Purpose: Decode GUI program execution history.

Use Case: Find evidence of executed malware via GUI.

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count"

USB Device History

Purpose: List connected USB devices.

Use Case: Identify unauthorized storage devices.

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*" | Select-Object FriendlyName

ShimCache (AppCompatCache)

Purpose: List executables seen by the system.

Use Case: Find deleted/cleared malware traces.

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" -Name AppCompatCache

Prefetch Files

Purpose: Track program execution history.

Use Case: Identify malware execution frequency.

Get-ChildItem -Path "C:\Windows\Prefetch\*.pf" | Select-Object Name, LastAccessTime

LNK Files (Recent Shortcuts)

Purpose: Reveal accessed files/executables.

Use Case: Find lateral movement or data exfiltration.

Get-ChildItem -Path "$env:APPDATA\Microsoft\Windows\Recent\*.lnk" | Select-Object Name, LastAccessTime

Scheduled Tasks

Purpose: Check for malicious scheduled jobs.

Use Case: Find persistence/backdoor tasks.

Get-ScheduledTask | Where-Object { $_.State -ne "Disabled" } | Select-Object TaskName, Author, TaskPath

DNS Cache

Purpose: List resolved domains.

Use Case: Detect C2 domains.

Get-DnsClientCache | Where-Object { $_.Entry -notmatch "microsoft|windows" }

Browser History (Chrome)

Purpose: Extract browsing activity.

Use Case: Find phishing/exploit kit visits.

Stop-Process -Name chrome -Force; Invoke-SqliteQuery -DataSource "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History" -Query "SELECT url, title FROM urls LIMIT 5"

Windows Event Logs (4624)

Purpose: Identify successful authentication events

Use Case: Detect lateral movement or unauthorized access

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} -MaxEvents 20 | Select-Object TimeCreated,Message | Format-Table -Wrap

Defender Detection Logs

Purpose: List detected (but possibly unblocked) threats

Use Case: Identify past attack attempts

Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object {$_.Id -eq 1116} | Select-Object -First 10

Recycle Bin Contents

Purpose: List recently deleted files

Use Case: Recover attacker-dropped tools

Get-ChildItem -Path "C:\`$Recycle.Bin" -Recurse -Force -ErrorAction SilentlyContinue | Select-Object FullName,LastWriteTime

BITS Transfer Jobs

Purpose: Check for off-hours data transfers

Use Case: Detect exfiltration jobs

Get-BitsTransfer | Where-Object {$_.JobState -ne "Transferred"} | Select-Object DisplayName,FileList

PowerShell Operational Logs

Purpose: Extract executed script blocks

Use Case: Find malicious PowerShell activity

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -MaxEvents 15 | Where-Object {$_.Id -eq 4104} | Select-Object Message

Volume Shadow Copies

Purpose: List available system restore points

Use Case: Recover pre-attack file versions

vssadmin list shadows

Shellbags (Folder Access History)

Purpose: Reveal accessed folders (including disconnected drives)

Use Case: Identify data staging locations

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\Shell\Bags\*\Shell" | Select-Object PSChildName,ItemPos*

Group Policy Changes

Purpose: Detect malicious policy modifications

Use Case: Find disabled security controls or attacker-added login scripts

Get-ChildItem -Path "C:\Windows\System32\GroupPolicy\DataStore\*\*" -Recurse -Force | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-7)}

Environment Variables

Purpose: Detect malicious policy modifications

Use Case: Find disabled security controls or attacker-added login scripts

Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager\Environment" | Select-Object Path,PSChildName,*

VMI Persistence

Event Filters

Purpose: List all WMI event filters

Use Case: Detect malicious event subscriptions (e.g., process creation triggers)

Get-WmiObject -Namespace root\Subscription -Class __EventFilter | Select-Object Name,Query

Event Consumers

Purpose: List active WMI consumers

Use Case: Identify malicious payload delivery mechanisms

Get-WmiObject -Namespace root\Subscription -Class __EventConsumer | Select-Object Name,CommandLineTemplate

Filter-Consumer Bindings

Purpose: Reveal filter-to-consumer relationships

Use Case: Map complete WMI persistence chains

Get-WmiObject -Namespace root\Subscription -Class __FilterToConsumerBinding | Select-Object Filter,Consumer

Service Management

List All Services

Purpose: Enumerate all installed services

Use Case: Baseline service inventory for anomaly detection

Get-Service | Select-Object Status,Name,DisplayName | Sort-Object Status -Descending

List Running Services

Purpose: Identify currently active services

Use Case: Spot suspicious services consuming resources

Get-Service | Where-Object {$_.Status -eq "Running"} | Select-Object Name,StartType

List Stopped Services

Purpose: Identify services that are installed but not running

Use Case: Spot misconfigurations or detect if critical services (e.g., AV) were stopped maliciously

Get-Service | Where-Object {$_.Status -eq "Stopped"} | Select-Object Name,StartType

Detailed Service Info

Purpose: Examine service binaries and configurations

Use Case: Detect service hijacking or fake services

Get-CimInstance Win32_Service | Select-Object Name,State,PathName,StartMode | Where-Object {$_.PathName -notlike '"*'}

Processes in Temp/AppData

Purpose: Find executables running from suspicious locations

Use Case: Detect fileless malware or staged payloads

Get-Process | Where-Object {$_.Path -like "*temp*" -or $_.Path -like "*appdata*"} | Select-Object Name,Id,Path

PreviousPowerShell in Incident Response and Threat Hunting NextPowerShell For Threat Hunting

Last updated 9 months ago

hashtagProcess Analysis

hashtagNetwork Connections

hashtagRegistry Persistence

hashtagUserAssist (ROT13 Encoded)

hashtagUSB Device History

hashtagShimCache (AppCompatCache)

hashtagPrefetch Files

hashtagLNK Files (Recent Shortcuts)

hashtagScheduled Tasks

hashtagDNS Cache

hashtagBrowser History (Chrome)

hashtagWindows Event Logs (4624)

hashtagDefender Detection Logs

hashtagRecycle Bin Contents

hashtagBITS Transfer Jobs

hashtagPowerShell Operational Logs

hashtagVolume Shadow Copies

hashtagShellbags (Folder Access History)

hashtagGroup Policy Changes

hashtagEnvironment Variables

hashtagVMI Persistence

hashtagEvent Filters

hashtagEvent Consumers

hashtagFilter-Consumer Bindings

hashtagService Management

hashtagList All Services

hashtagList Running Services

hashtagList Stopped Services

hashtagDetailed Service Info

hashtagProcesses in Temp/AppData