Book of VanLuong
PowerShell For Incident Response

Process Analysis

Get-Process

Purpose: List all running processes to identify malware or processes masquerading as legitimate binaries.

Use Case: Find high-CPU processes, executables in unexpected paths, or missing vendor (Company) information. Run elevated: without administrator rights, Path and Company are empty for processes owned by other users.

Get-Process | Select-Object Name, Id, CPU, Path, Company | Sort-Object CPU -Descending

Network Connections

Get-NetTCPConnection / Get-NetUDPEndpoint

Purpose: List active network connections to detect C2 traffic; Get-NetUDPEndpoint covers the UDP side.

Use Case: Identify unknown remote IPs or ports and map each connection back to the owning process.

Get-NetTCPConnection -State Established | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess, @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name }}

Registry Persistence

Run Keys (User & Machine)

Purpose: Check auto-start locations for malware persistence.

Use Case: Find unauthorized startup entries.

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run", "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

UserAssist (ROT13 Encoded)

Purpose: Recover the history of programs launched through Explorer and the GUI.

Use Case: Find evidence of malware started via the GUI. Value names are ROT13-encoded program paths and the data is binary (run count, last-run time), so the raw output of this command must be decoded before it is readable.

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count"
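The command above returns the raw values; the following is an added example (not code from the original page) that decodes them into a timeline. It assumes the Windows 7 and later 72-byte value layout, with the run count at offset 4 and the last-run FILETIME at offset 60, and skips values of any other size.

```powershell
# Added example: decode UserAssist entries (ROT13 value names + binary run data).
# Assumption: Windows 7+ 72-byte layout (run count at offset 4, last-run FILETIME at offset 60).
function ConvertFrom-Rot13 {
    param([Parameter(Mandatory)][string]$Text)
    $out = foreach ($ch in $Text.ToCharArray()) {
        $c = [int]$ch
        if ($c -ge 65 -and $c -le 90)      { [char](65 + (($c - 65 + 13) % 26)) }   # A-Z
        elseif ($c -ge 97 -and $c -le 122) { [char](97 + (($c - 97 + 13) % 26)) }   # a-z
        else                               { $ch }                                    # digits, braces, separators unchanged
    }
    -join $out
}

function Get-UserAssistHistory {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    foreach ($guidKey in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $count = Get-ItemProperty -Path (Join-Path $guidKey.PSPath 'Count') -ErrorAction SilentlyContinue
        if (-not $count) { continue }
        foreach ($prop in $count.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }          # skip provider metadata (PSPath, PSParentPath, ...)
            $raw = $prop.Value
            if ($raw -isnot [byte[]] -or $raw.Length -lt 72) { continue }   # only the 72-byte layout is decoded
            $ft = [BitConverter]::ToInt64($raw, 60)
            [pscustomobject]@{
                Program    = ConvertFrom-Rot13 $prop.Name    # known-folder GUIDs such as {6D809377-...} stay as GUIDs
                RunCount   = [BitConverter]::ToUInt32($raw, 4)
                LastRunUtc = if ($ft -gt 0) { [DateTime]::FromFileTimeUtc($ft) } else { $null }
                Source     = $guidKey.PSChildName           # GUID subkey the entry came from
            }
        }
    }
}

Get-UserAssistHistory | Sort-Object LastRunUtc -Descending | Format-Table -AutoSize
```

Decoded program names often start with a known-folder GUID in place of a drive path (for example the Program Files or System32 folder); entries whose LastRunUtc falls inside the incident window and whose RunCount is 1 are the usual first hits.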

USB Device History

Purpose: List connected USB devices.

Use Case: Identify unauthorized storage devices. The key name (PSChildName) under each device class is the device serial number, which can be matched against Setup and PnP logs.

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*" | Select-Object FriendlyName, PSChildName

ShimCache (AppCompatCache)

Purpose: List executables seen by the system.

Use Case: Find traces of executables that have since been deleted. The value is a binary blob, so this command only retrieves it; decoding requires a dedicated ShimCache parser.

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" -Name AppCompatCache

Prefetch Files

Purpose: Track program execution history. A Prefetch file (EXENAME-HASH.pf) is created on the first run and updated on each later run, so CreationTime approximates the first execution and LastWriteTime the most recent one.

Use Case: Identify malware execution and how often it ran. Requires administrator rights; Prefetch is frequently disabled on servers, so an absent file is not proof that a program never ran.

Get-ChildItem -Path "C:\Windows\Prefetch\*.pf" | Select-Object Name, CreationTime, LastWriteTime | Sort-Object LastWriteTime -Descending

LNK Files (Recent Shortcuts)

Purpose: Reveal files and executables the user opened, including files on removable or network drives. Office keeps its own recent list under $env:APPDATA\Microsoft\Office\Recent.

Use Case: Find lateral movement or data staging. LastWriteTime of the .lnk file reflects the last time the target was opened.

Get-ChildItem -Path "$env:APPDATA\Microsoft\Windows\Recent\*.lnk" | Select-Object Name, CreationTime, LastWriteTime | Sort-Object LastWriteTime -Descending

Scheduled Tasks

Purpose: Check for malicious scheduled jobs.

Use Case: Find persistence/backdoor tasks.

Get-ScheduledTask | Where-Object { $_.State -ne "Disabled" } | Select-Object TaskName, TaskPath, Author, @{n='Execute'; e={ $_.Actions.Execute }}, @{n='Arguments'; e={ $_.Actions.Arguments }}

DNS Cache

Purpose: List resolved domains.

Use Case: Detect C2 domains.

Get-DnsClientCache | Where-Object { $_.Entry -notmatch "microsoft|windows" }

Browser History (Chrome)

Purpose: Extract browsing activity from Chrome's SQLite History database. Invoke-SqliteQuery is not built in; it comes from the PSSQLite module (Install-Module PSSQLite).

Use Case: Find phishing or exploit-kit visits. Chrome holds a lock on the live database, so copy the file instead of killing the browser, which would discard volatile evidence. Chrome stores timestamps as microseconds since 1601-01-01, hence the conversion in the query.

Copy-Item -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History" -Destination "$env:TEMP\History.db" -Force; Invoke-SqliteQuery -DataSource "$env:TEMP\History.db" -Query "SELECT url, title, visit_count, datetime(last_visit_time/1000000-11644473600,'unixepoch') AS last_visit FROM urls ORDER BY last_visit_time DESC LIMIT 20"

Windows Event Logs (4624)

Purpose: Identify successful authentication events. The LogonType field in the message matters: 3 is a network logon (SMB, WMI, PsExec-style tools), 10 is RemoteInteractive (RDP), 2 is a local console logon.

Use Case: Detect lateral movement or unauthorized access. Requires administrator rights to read the Security log.

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} -MaxEvents 20 | Select-Object TimeCreated, Message | Format-Table -Wrap
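Reading 20 raw messages does not scale to a busy host. The following added example (not code from the original page) parses the event XML so the relevant fields can be filtered and grouped: it keeps only network and RDP logons (types 3 and 10) from a real remote address and drops machine-account and anonymous logons. The 24-hour window and the 5000-event cap are assumed defaults.

```powershell
# Added example: triage 4624 events for remote logons and rank them by source and account.
function Get-RemoteLogon {
    param([int]$Hours = 24, [int]$MaxEvents = 5000)   # assumed defaults, adjust to the incident window
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is a list of <Data Name="..."> elements; turn it into a hashtable
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            LogonType   = [int]$d['LogonType']
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            SourceIp    = $d['IpAddress']
            Workstation = $d['WorkstationName']
            LogonProc   = $d['LogonProcessName']
            AuthPackage = $d['AuthenticationPackageName']   # NTLM vs Kerberos is itself a lead
        }
    } | Where-Object {
        $_.LogonType -in 3, 10 -and                          # network (SMB/WMI/PsExec) or RDP
        $_.SourceIp -notin '-', '::1', '127.0.0.1' -and      # a real remote address
        $_.User -notlike '*$' -and                           # drop machine accounts
        $_.User -notlike '*\ANONYMOUS LOGON'
    }
}

# Rank (source, account) pairs: one account from many hosts, or one host hitting many accounts, stands out
Get-RemoteLogon -Hours 24 | Group-Object SourceIp, User | Sort-Object Count -Descending | Select-Object Count, Name
```

Pipe Get-RemoteLogon to Export-Csv when the host is a jump box or file server, where the same query over several days gives a baseline of expected source addresses.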

Defender Detection Logs

Purpose: List threats Defender detected. Event 1116 is the detection itself; 1117 records the action taken (quarantine, removal), so a 1116 with no matching 1117 may be a threat that was detected but not blocked.

Use Case: Identify past attack attempts and confirm whether they were remediated.

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=1116,1117} -MaxEvents 20 | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

Recycle Bin Contents

Purpose: List recently deleted files

Use Case: Recover attacker-dropped tools

Get-ChildItem -Path "C:\`$Recycle.Bin" -Recurse -Force -ErrorAction SilentlyContinue | Select-Object FullName,LastWriteTime

BITS Transfer Jobs

Purpose: Check BITS jobs, which attackers use both to pull payloads and to exfiltrate data in the background.

Use Case: Detect transfer jobs with unfamiliar remote URLs or owners. Get-BitsTransfer shows only the current user's jobs unless -AllUsers is given (requires administrator rights).

Get-BitsTransfer -AllUsers | Select-Object DisplayName, JobState, OwnerAccount, @{n='Files'; e={ $_.FileList.RemoteName }}

PowerShell Operational Logs

Purpose: Extract executed script blocks. Event 4104 is only written when Script Block Logging is enabled (Group Policy: Turn on PowerShell Script Block Logging).

Use Case: Find malicious PowerShell activity. Filter on the event ID inside FilterHashtable; placing Where-Object after -MaxEvents would first take the 15 newest events of any ID and then discard most of them.

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -MaxEvents 15 | Select-Object TimeCreated, Message | Format-Table -Wrap
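Long scripts are logged as several 4104 events that share a ScriptBlockId and carry MessageNumber/MessageTotal counters, so the Message column alone shows fragments. The following added example (not code from the original page) reassembles the fragments and flags blocks matching a few common loader patterns; the pattern list and the 24-hour window are illustrative assumptions, not a detection standard.

```powershell
# Added example: reassemble 4104 script-block fragments and flag suspicious ones.
function Get-ScriptBlockLog {
    param(
        [int]$Hours = 24,   # assumed default window
        # Assumed, illustrative indicators of download-and-execute loaders
        [string]$Pattern = 'FromBase64String|DownloadString|IEX|Invoke-Expression|Net\.WebClient|Reflection\.Assembly|-enc'
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddHours(-$Hours) }
    $chunks = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time  = $_.TimeCreated
            Id    = $d['ScriptBlockId']
            Part  = [int]$d['MessageNumber']
            Total = [int]$d['MessageTotal']
            Text  = $d['ScriptBlockText']
            Path  = $d['Path']            # empty for interactive or in-memory blocks
        }
    }
    $chunks | Group-Object Id | ForEach-Object {
        $parts = @($_.Group | Sort-Object Part)      # restore fragment order before joining
        $full  = -join $parts.Text
        [pscustomobject]@{
            FirstSeen     = $parts[0].Time
            ScriptBlockId = $_.Name
            Parts         = "$($parts.Count)/$($parts[0].Total)"   # fewer parts than Total means the log rolled over
            Path          = $parts[0].Path
            Length        = $full.Length
            Suspicious    = [bool]($full -match $Pattern)
            Script        = $full
        }
    } | Where-Object Suspicious | Sort-Object FirstSeen -Descending
}

Get-ScriptBlockLog -Hours 24 | Select-Object FirstSeen, Parts, Path, Length, Script | Format-List
```

A block with an empty Path and a high Length is typically a staged payload rather than a script on disk; once a hit is found, search the same ScriptBlockId in the 4103 (module logging) events for the commands it actually executed.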

Volume Shadow Copies

Purpose: List available volume shadow copies (the snapshots used by System Restore and backup software). Requires an elevated prompt.

Use Case: Recover pre-attack file versions, and confirm whether an attacker deleted the copies (a common ransomware step) by comparing against the expected schedule.

vssadmin list shadows

Shellbags (Folder Access History)

Purpose: Reveal folders a user browsed in Explorer, including folders on removable or network drives that are no longer connected. The folder identities are binary shell items under BagMRU, with per-folder view settings under Bags; a second copy lives in the user's UsrClass.dat, mapped at HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell.

Use Case: Identify data staging locations. The values are binary, so this command only shows which bags exist; decode them with a Shellbag parser.

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\Shell\BagMRU", "HKCU:\Software\Microsoft\Windows\Shell\Bags\*\Shell" | Select-Object PSChildName, NodeSlot, MRUListEx, ItemPos*

Group Policy Changes

Purpose: Detect malicious policy modifications

Use Case: Find disabled security controls or attacker-added login scripts

Get-ChildItem -Path "C:\Windows\System32\GroupPolicy\DataStore\*\*" -Recurse -Force | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-7)}

Environment Variables

Purpose: Inspect system-wide environment variables

Use Case: Find PATH hijacking (an attacker-controlled directory prepended to PATH) or injected variables such as COR_PROFILER, which loads an arbitrary DLL into every .NET process

Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager\Environment" | Select-Object * -ExcludeProperty PS*; (Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager\Environment").Path -split ';'

WMI Persistence

Event Filters

Purpose: List all WMI event filters. Get-CimInstance is used instead of Get-WmiObject, which is deprecated and absent from PowerShell 7.

Use Case: Detect malicious event subscriptions (e.g., process creation triggers)

Get-CimInstance -Namespace root\subscription -ClassName __EventFilter | Select-Object Name, Query

Event Consumers

Purpose: List active WMI consumers. CommandLineTemplate exists only on CommandLineEventConsumer; an ActiveScriptEventConsumer carries its payload in ScriptText (or ScriptFileName), so both are selected.

Use Case: Identify malicious payload delivery mechanisms

Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer | Select-Object Name, @{n='Type'; e={ $_.CimClass.CimClassName }}, CommandLineTemplate, ScriptText

Filter-Consumer Bindings

Purpose: Reveal filter-to-consumer relationships

Use Case: Map complete WMI persistence chains

Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding | Select-Object Filter, Consumer
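The three queries above return three separate lists that have to be joined by hand. The following added example (not code from the original page) does the join: it indexes filters and consumers by name, walks the bindings and emits one row per persistence chain with the trigger query and the payload. It handles the reference properties both as CIM instances (what Get-CimInstance returns) and as WMI path strings (what Get-WmiObject returns). Run it elevated.

```powershell
# Added example: map WMI persistence chains (filter -> binding -> consumer) in root\subscription.
function Resolve-RefName {
    param($Ref)
    # Get-CimInstance returns a partial CimInstance; Get-WmiObject returns '\\.\root\subscription:__EventFilter.Name="x"'
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

function Get-WmiPersistenceChain {
    $ns = 'root\subscription'
    $filters = @{}
    Get-CimInstance -Namespace $ns -ClassName __EventFilter   | ForEach-Object { $filters[$_.Name]   = $_ }
    $consumers = @{}
    # __EventConsumer is abstract; enumerating it returns every concrete consumer type
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
        $fName = Resolve-RefName $_.Filter
        $cName = Resolve-RefName $_.Consumer
        $f = $filters[$fName]
        $c = $consumers[$cName]
        $type = if ($c) { $c.CimClass.CimClassName } else { 'MISSING' }
        # The payload lives in a type-specific property
        $payload = switch ($type) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
            'NTEventLogEventConsumer'   { "EventLog: $($c.SourceName)" }
            default                     { $null }
        }
        [pscustomobject]@{
            Filter       = $fName
            Query        = $f.Query              # the WMI trigger, e.g. a __InstanceCreationEvent on Win32_Process
            Consumer     = $cName
            ConsumerType = $type
            Payload      = $payload
        }
    }
}

Get-WmiPersistenceChain | Format-List
```

A stock Windows install typically shows one benign chain, the "SCM Event Log Filter" bound to an NTEventLogEventConsumer; anything with a CommandLineEventConsumer or ActiveScriptEventConsumer, or a query on Win32_LogonSession, Win32_Process or a timer, deserves a close look.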

Service Management

List All Services

Purpose: Enumerate all installed services

Use Case: Baseline service inventory for anomaly detection

Get-Service | Select-Object Status,Name,DisplayName | Sort-Object Status -Descending

List Running Services

Purpose: Identify currently active services

Use Case: Spot suspicious services consuming resources

Get-Service | Where-Object {$_.Status -eq "Running"} | Select-Object Name,StartType

List Stopped Services

Purpose: Identify services that are installed but not running

Use Case: Spot misconfigurations or detect if critical services (e.g., AV) were stopped maliciously

Get-Service | Where-Object {$_.Status -eq "Stopped"} | Select-Object Name,StartType

Detailed Service Info

Purpose: Examine service binaries and configurations

Use Case: Detect service hijacking or fake services. The Where-Object filter keeps services whose binary path is not quoted; an unquoted path that contains spaces lets a local attacker plant an executable earlier in that path (unquoted service path hijacking). Also review binaries outside System32 and Program Files.

Get-CimInstance Win32_Service | Select-Object Name,State,PathName,StartMode | Where-Object {$_.PathName -notlike '"*'}
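An unquoted path is only exploitable when it contains spaces, and a fake service usually lives outside the Windows and Program Files trees or is unsigned. The following added example (not code from the original page) applies all three checks to every service; the trusted-directory list is an assumption for this example, and Get-AuthenticodeSignature reports catalog-signed Windows binaries as Valid only on PowerShell 5.1 and later, so treat a NotSigned result on a Windows-owned file as a prompt to verify, not as proof.

```powershell
# Added example: flag services with unquoted-path-with-spaces, non-standard location, or bad signature.
function Get-SuspiciousService {
    # Assumed set of directories where service binaries are expected to live
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

    Get-CimInstance Win32_Service | ForEach-Object {
        $raw = $_.PathName
        if (-not $raw) { return }                       # some services have no image path recorded

        # Extract the executable: the quoted token, else everything up to the first ".exe", else the first token
        $exe = if ($raw -match '^"([^"]+)"')     { $Matches[1] }
               elseif ($raw -match '^(.+?\.exe)') { $Matches[1] }
               else                               { $raw.Split(' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)   # %SystemRoot%\... style paths

        $unquotedSpace  = ($raw -notmatch '^"') -and ($exe -match '\s')
        $outsideTrusted = -not ($trusted | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })
        $signature      = if (Test-Path -LiteralPath $exe -PathType Leaf) {
                              (Get-AuthenticodeSignature -FilePath $exe).Status
                          } else { 'FileMissing' }   # a service pointing at a deleted binary is itself a finding

        if ($unquotedSpace -or $outsideTrusted -or $signature -ne 'Valid') {
            [pscustomobject]@{
                Name           = $_.Name
                State          = $_.State
                StartMode      = $_.StartMode
                Executable     = $exe
                UnquotedSpace  = $unquotedSpace
                OutsideTrusted = $outsideTrusted
                Signature      = $signature
            }
        }
    }
}

Get-SuspiciousService | Sort-Object UnquotedSpace, OutsideTrusted -Descending | Format-Table -AutoSize
```

Services that hit two or more columns at once (for example unsigned and outside the trusted directories, with StartMode Auto) are the ones to pull the binary from first.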

Processes in Temp/AppData

Purpose: Find executables running from user-writable locations that installers rarely use

Use Case: Detect droppers and staged payloads launched from Temp, AppData, Downloads or Public. Run elevated, since Path is empty for other users' processes and for protected processes.

Get-Process | Where-Object { $_.Path -match '\\(Temp|AppData|Downloads|Public)\\' } | Select-Object Name, Id, Path, Company

Last updated 1 month ago
