Att kontrollera lokalt i windows dator (WIP)

Saker att titta på i en windows dator man undersöker

Nätanslutningar

Aktiva

Get-NetTCPConnection -State Established | select LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess | ft

Aktiva anslutningar för viss process

Get-NetTCPConnection | where {$_.owningprocess -eq "4"} | select LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess | ft

Aktiva till Port (ex. 80 och 443)

Get-NetTCPConnection -State Established -RemotePort 80,443 | select LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess | ft

Försök till utgående anslutning

Get-NetTCPConnection -State SynSent | select LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess | ft

Lyssnar efter inkommande anslutningar

Get-NetTCPConnection -State Listen | select LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess | ft

Bevaka trafik (ex. till specifik IP)

$ErrorActionPreference = "SilentlyContinue" ; while ($true) {Get-NetTCPConnection -RemoteAddress 192.168.1.1 ; sleep -Seconds 1}

Användbar om man vill ha koll på om trafik etableras över tid, loopar en gång i sekunden.

Processer

Lista på Process ID

Get-Process -Id <processid> | select name,company,description,path

Lista specifik process (namn)

Get-Process -Name *name*  | select name,company,description,path

Lista de 10 processer som drar mest CPU

get-process | Sort-Object CPU -Descending | Select-Object -First 10 | Format-Table CPU, Id, ProcessName, path

Sök i eventloggar

Ex. Från Sysmon

Network connection (DNS port)

Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | Where-Object {$_.ID -eq 3 -and $_.Message -like "*Destinationport: 53*"}|Select-Object Message | Select-Object -First 10 | fl

Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | Where-Object {$_.ID -eq 3 -and $_.Message -like "*DestinationIp: 192.168.0.*"}|Select-Object Message | Select-Object -First 10 | fl

DNS query (frågor mot *pdaklubben*)

Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | Where-Object {$_.ID -eq 22 -and $_.Message -like "*QueryName: *pdaklubben*"}|Select-Object Message | Select-Object -First 10 | fl

Process create (sök efter powershell.exe som startas)

Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | Where-Object {$_.ID -eq 1 -and $_.Message -like "*powershell.exe*"}|Select-Object Message | Select-Object -First 10 | fl

Ex. Från EventLog

security (kräver admin)

Get-WinEvent -LogName Security | where {$_.ID -eq 4624} |Select-Object TimeCreated,Message | fl

Get-WinEvent -LogName Security | where {$_.ID -eq 4625} |Select-Object TimeCreated,Message | fl

Get-WinEvent -LogName Security | where {$_.ID -eq 4688} |Select-Object TimeCreated,Message | fl

System

Get-WinEvent -LogName system | where {$_.ID -eq 1001} |Select-Object TimeCreated,Message | fl  (lista alla gånger som datorn blåskärmat, skapat dump och startat om)

Sök efter filer

På lokal dator

Get-ChildItem -Path C:\ -Include *.xlsx,foo.txt,*.doc -File -Recurse | select creationtime,lastaccesstime,lastwritetime,fullname

Get-ChildItem -Path C:\ -Include *.xlsx,foo.txt,*.doc -File -Recurse | select creationtime,lastaccesstime,lastwritetime,fullname | sort lastwritetime -Descending

På specifik remote dator

Invoke-Command -ComputerName compname -ScriptBlock {Get-ChildItem -Path C:\ -Include *.xlsx,foo.txt,*.doc -File -Recurse | select creationtime,lastaccesstime,lastwritetime,fullname}

På ett antal datorer

$foo = "pcnamn1","pcnamn2","pcnamn3"

foreach($dator in $foo)
{
  write-host $dator
  Write-Host "-----------------"
  Invoke-Command -ComputerName $dator -ScriptBlock {Get-ChildItem -Path C:\ -Include *.xlsx,foo.txt,*.doc -File -Recurse | select creationtime,lastaccesstime,lastwritetime,fullname}
}

På alla windowsdatorer i en domän

$foo = get-adcomputer -filter * -Properties operatingsystem | where {$_.operatingsystem -like "*windows*"} | select -ExpandProperty name
foreach($dator in $foo)
{
  write-host $dator
  Write-Host "-----------------"
  Invoke-Command -ComputerName $dator -ScriptBlock {Get-ChildItem -Path C:\ -Include *.xlsx,foo.txt,*.doc -File -Recurse | select creationtime,lastaccesstime,lastwritetime,fullname}
}

AD verktygen för PS behöver finnas installerade samt att remote powershell går att nå till alla system.

Lista senast ändrade fil(er) på disk

Get-ChildItem C:\windows\ -file | Sort-Object LastWriteTime -Descending| Select-Object -First 10 (en katalognivå)

Get-ChildItem C:\Users\olle\ -file -Recurse | Sort-Object LastWriteTime -Descending | Select-Object -First 10 | select creationtime,lastaccesstime,lastwritetime,fullname (alla nivåer under denna katalogen)

Lista installerade program

lista allt

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, Publisher, InstallDate, InstallLocation, InstallSource | Format-Table -AutoSize

Lista allt utom MS patchar

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | where {$_.Publisher -ne "MicrosoftP"} | Select-Object DisplayName, Publisher, InstallDate, InstallLocation, InstallSource | Format-Table -AutoSize

Lista specifik applikation (ex. visio)

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | where {$_.displayname -like "*visio*"} | Select-Object DisplayName, Publisher, InstallDate, InstallLocation, InstallSource | Format-Table -AutoSize

Lista applikationer som autostartar

Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User | Format-List

Lista lokala grupper och användare

Get-LocalGroup (lista alla grupper)

Get-LocalgroupMember -group <gruppnamn> (lista alla användare i gruppen)

Get-LocalUser (lista alla användare i datorn)

Lista alla aktiva tjänster

Get-WmiObject win32_service |where state -like "running" | ft name, startname, startmode, state

fortsättning följer....