← Back to Portfolio

PowerShell IR One-Liners

50+ Incident Response Commands | Copy & Deploy

Download the complete reference guide for offline use:

Process & Persistence Analysis

List all running processes with full details including path and command line
Get-Process | Select-Object ProcessName, Id, Path, StartTime, @{Name="Owner";Expression={(Get-WmiObject Win32_Process -Filter "ProcessId=$($_.Id)").GetOwner().User}} | Format-Table -AutoSize
Find processes running from suspicious locations (Temp, AppData, Downloads)
Get-Process | Where-Object {$_.Path -match "\\Temp\\|\\AppData\\|\\Downloads\\"} | Select-Object ProcessName, Id, Path
Identify unsigned or untrusted processes
Get-Process | Where-Object {$_.Path} | ForEach-Object {[PSCustomObject]@{Name=$_.Name; Path=$_.Path; Signed=(Get-AuthenticodeSignature $_.Path).Status}} | Where-Object {$_.Signed -ne 'Valid'}
List all scheduled tasks with details (persistence mechanism)
Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"} | Select-Object TaskName, TaskPath, State, @{Name="Action";Expression={$_.Actions.Execute}} | Format-Table -AutoSize
Find scheduled tasks created in the last 30 days
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-30)} | Select-Object TaskName, Author, Date, @{Name="Action";Expression={$_.Actions.Execute}}
Enumerate all startup programs from Registry Run keys
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run", "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce", "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run", "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce" -ErrorAction SilentlyContinue
List all services with their paths and start types
Get-WmiObject Win32_Service | Select-Object Name, DisplayName, State, StartMode, PathName, StartName | Sort-Object State | Format-Table -AutoSize
Find services running from suspicious paths
Get-WmiObject Win32_Service | Where-Object {$_.PathName -match "\\Temp\\|\\AppData\\|\\Users\\"} | Select-Object Name, PathName, State, StartMode

Active Directory Enumeration

List all domain administrators
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object Name, SamAccountName, DistinguishedName
Find user accounts that never expire
Get-ADUser -Filter {PasswordNeverExpires -eq $true -and Enabled -eq $true} -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate | Select-Object Name, SamAccountName, PasswordLastSet, LastLogonDate
List accounts with SPN set (Kerberoastable accounts)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName, PasswordLastSet | Select-Object Name, SamAccountName, ServicePrincipalName, PasswordLastSet
Find users who haven't logged in for 90+ days
$Date = (Get-Date).AddDays(-90); Get-ADUser -Filter {LastLogonDate -lt $Date -and Enabled -eq $true} -Properties LastLogonDate | Select-Object Name, SamAccountName, LastLogonDate | Sort-Object LastLogonDate
List all computers in the domain with OS version
Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate | Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate | Sort-Object OperatingSystem
Find all groups a specific user belongs to
Get-ADPrincipalGroupMembership -Identity USERNAME | Select-Object Name, GroupCategory, GroupScope | Sort-Object Name
List privileged users (Domain Admins, Enterprise Admins, Schema Admins)
"Domain Admins","Enterprise Admins","Schema Admins" | ForEach-Object {Get-ADGroupMember -Identity $_ -Recursive | Select-Object @{Name="Group";Expression={$_}}, Name, SamAccountName}
Find disabled accounts that are still in privileged groups
Get-ADUser -Filter {Enabled -eq $false} -Properties MemberOf | Where-Object {$_.MemberOf -match "Admin"} | Select-Object Name, SamAccountName, Enabled, MemberOf
List recently created user accounts (last 30 days)
$Date = (Get-Date).AddDays(-30); Get-ADUser -Filter {Created -gt $Date} -Properties Created, PasswordLastSet | Select-Object Name, SamAccountName, Created, PasswordLastSet | Sort-Object Created -Descending

Network & Connection Analysis

List all active network connections with process details
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, @{Name="Process";Expression={(Get-Process -Id $_.OwningProcess).ProcessName}} | Format-Table -AutoSize
Find processes listening on network ports
Get-NetTCPConnection | Where-Object {$_.State -eq "Listen"} | Select-Object LocalAddress, LocalPort, @{Name="Process";Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}, @{Name="Path";Expression={(Get-Process -Id $_.OwningProcess).Path}} | Format-Table -AutoSize
Identify unusual remote connections (not to RFC1918 addresses)
Get-NetTCPConnection | Where-Object {$_.RemoteAddress -notmatch "^10\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[0-1]\.|^192\.168\." -and $_.RemoteAddress -ne "0.0.0.0" -and $_.RemoteAddress -ne "::"} | Select-Object RemoteAddress, RemotePort, State, @{Name="Process";Expression={(Get-Process -Id $_.OwningProcess).Name}}
Check DNS cache for suspicious domains
Get-DnsClientCache | Select-Object Entry, RecordName, Data | Sort-Object Entry
List firewall rules that allow inbound connections
Get-NetFirewallRule | Where-Object {$_.Direction -eq "Inbound" -and $_.Action -eq "Allow" -and $_.Enabled -eq $true} | Select-Object DisplayName, Profile, RemoteAddress, RemotePort | Format-Table -AutoSize
Show network adapter configuration and routing table
Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer | Format-List

File System & Registry

Find recently modified files in system directories (last 7 days)
$Date = (Get-Date).AddDays(-7); Get-ChildItem -Path "C:\Windows\System32","C:\Windows\SysWOW64" -Recurse -File -ErrorAction SilentlyContinue | Where-Object {$_.LastWriteTime -gt $Date} | Select-Object FullName, LastWriteTime, Length | Sort-Object LastWriteTime -Descending
Search for files with alternate data streams (ADS)
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | ForEach-Object {Get-Item $_.FullName -Stream * -ErrorAction SilentlyContinue} | Where-Object {$_.Stream -ne ':$DATA'} | Select-Object FileName, Stream, Length
Find executable files in user temp directories
Get-ChildItem -Path "C:\Users\*\AppData\Local\Temp" -Include *.exe,*.dll,*.ps1,*.vbs,*.bat -Recurse -ErrorAction SilentlyContinue | Select-Object FullName, CreationTime, LastWriteTime, Length | Sort-Object LastWriteTime -Descending
List hidden files in common attack staging directories
Get-ChildItem -Path "C:\Users","C:\ProgramData","C:\Windows\Temp" -Recurse -Hidden -ErrorAction SilentlyContinue | Select-Object FullName, Attributes, LastWriteTime
Check for suspicious Registry AutoRun entries
$Keys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce","HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"; $Keys | ForEach-Object {Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue | Select-Object PSPath, *}
Find large files that may be exfiltration staging
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue | Where-Object {$_.Length -gt 100MB} | Select-Object FullName, @{Name="SizeMB";Expression={[Math]::Round($_.Length/1MB,2)}}, LastWriteTime | Sort-Object SizeMB -Descending
Search for PowerShell execution policy changes in Registry
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell","HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" -ErrorAction SilentlyContinue | Select-Object PSPath, ExecutionPolicy

Event Log Analysis

Find failed login attempts (Event ID 4625) in last 24 hours
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=(Get-Date).AddDays(-1)} | Select-Object TimeCreated, @{Name="User";Expression={$_.Properties[5].Value}}, @{Name="SourceIP";Expression={$_.Properties[19].Value}} | Group-Object User | Sort-Object Count -Descending
Detect successful logins after failed attempts (potential brute force)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625; StartTime=(Get-Date).AddHours(-4)} | Select-Object TimeCreated, Id, @{Name="User";Expression={$_.Properties[5].Value}} | Sort-Object TimeCreated
Find PowerShell script block logging events (Event ID 4104)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} -MaxEvents 100 | Select-Object TimeCreated, @{Name="ScriptBlock";Expression={$_.Properties[2].Value}} | Format-List
Detect process creation events (Event ID 4688) for suspicious processes
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=(Get-Date).AddHours(-2)} | Where-Object {$_.Properties[5].Value -match "cmd.exe|powershell.exe|wscript.exe|cscript.exe"} | Select-Object TimeCreated, @{Name="Process";Expression={$_.Properties[5].Value}}, @{Name="User";Expression={$_.Properties[1].Value}}
Find account creation events (Event ID 4720)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4720; StartTime=(Get-Date).AddDays(-7)} | Select-Object TimeCreated, @{Name="NewUser";Expression={$_.Properties[0].Value}}, @{Name="Creator";Expression={$_.Properties[4].Value}}
Check for cleared event logs (Event ID 1102)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=1102} -ErrorAction SilentlyContinue | Select-Object TimeCreated, @{Name="User";Expression={$_.Properties[1].Value}}, Message

User & Session Analysis

List currently logged-on users
Get-WmiObject Win32_LoggedOnUser | Select-Object @{Name="User";Expression={$_.Antecedent.Name}}, @{Name="Domain";Expression={$_.Antecedent.Domain}} | Sort-Object User -Unique
Find local administrator accounts
Get-LocalGroupMember -Group "Administrators" | Select-Object Name, PrincipalSource, ObjectClass
List all local user accounts with details
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, PasswordExpires, UserMayChangePassword | Format-Table -AutoSize
Check for users with admin rights via WMI
Get-WmiObject Win32_GroupUser | Where-Object {$_.GroupComponent -match 'Administrators'} | ForEach-Object {[wmi]$_.PartComponent} | Select-Object Name, Domain, SID
Find shared folders and permissions
Get-SmbShare | Select-Object Name, Path, Description | ForEach-Object {$Share = $_; Get-SmbShareAccess -Name $_.Name | Select-Object @{Name="Share";Expression={$Share.Name}}, AccountName, AccessControlType, AccessRight}

Memory & Credential Analysis

List loaded DLLs for a specific process
Get-Process -Name PROCESSNAME | Select-Object -ExpandProperty Modules | Select-Object ModuleName, FileName, FileVersion | Sort-Object ModuleName
Find processes with injected or unsigned DLLs
Get-Process | ForEach-Object {$proc = $_; $_.Modules | Where-Object {(Get-AuthenticodeSignature $_.FileName -ErrorAction SilentlyContinue).Status -ne 'Valid'} | Select-Object @{Name="Process";Expression={$proc.Name}}, ModuleName, FileName}
Check for credential dumping tools in memory (Mimikatz indicators)
Get-Process | Where-Object {$_.ProcessName -match "mimikatz|procdump|dumpert"} | Select-Object ProcessName, Id, Path, StartTime

System Information & Baseline

Get comprehensive system information
Get-ComputerInfo | Select-Object CsName, WindowsVersion, OsArchitecture, OsInstallDate, OsLastBootUpTime, BiosManufacturer, BiosVersion | Format-List
List installed software and versions
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*, HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName} | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Sort-Object DisplayName
Check Windows Defender status and last scan
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntispywareSignatureLastUpdated, QuickScanStartTime, QuickScanEndTime