Many PowerShell commands can be used to enumerate a Windows host; the ones below are grouped by what they reveal.
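# List all AD users (IFF the machine is joined to a domain!)
# Get-ADUser comes from the ActiveDirectory module (RSAT), which
# must be installed for these two commands to exist.
#
Get-ADUser -Filter *
# List AD users within a particular LDAP subtree
#
Get-ADUser -Filter * -SearchBase "CN=Users,DC=example,DC=com"
# Enumerate antivirus (the SecurityCenter2 namespace exists on
# client SKUs only; server editions don't expose it)
#
Get-CimInstance -Namespace root/SecurityCenter2 `
-ClassName AntivirusProduct
# Check if the Windows Defender service is running
#
Get-Service WinDefend
# Check if real-time protection is enabled for Windows
# Defender
#
Get-MpComputerStatus | select RealTimeProtectionEnabled
# Get information about potential threats recently detected by
# Windows Defender
#
Get-MpThreat
# Check the status of the Windows Firewall
#
Get-NetFirewallProfile | Format-Table Name,Enabled
# Disable all Windows Firewall profiles (needs an elevated
# session)
#
Set-NetFirewallProfile -Profile Domain,Public,Private `
-Enabled False
# List Windows Firewall rules
#
Get-NetFirewallRule | select DisplayName,Enabled,Description
# Two ways to check if a port can be connected to (the first
# provides more output, while the second is more suitable for
# scripting)
#
Test-NetConnection -ComputerName $IP_OR_HOSTNAME -Port $PORT
# NOTE: the TcpClient constructor throws on a refused or timed-out
# connection instead of returning Connected = $false, so wrap it
# in try/catch when using it in a script
(New-Object System.Net.Sockets.TcpClient("$IP_OR_HOSTNAME", "$PORT")).Connected
# List all current Windows logs (Get-EventLog is Windows
# PowerShell 5.1 only; on PowerShell 7 use Get-WinEvent -ListLog *)
#
Get-EventLog -List
# Sysmon is dangerous for an attacker! Three ways to check if
# it's running... The 64-bit binary runs as Sysmon64, and Sysmon
# can be installed under a custom service name, so the two
# name-based checks can miss it; the service-description filter
# is the most reliable of the three.
#
Get-Process | Where-Object { $_.ProcessName -like "Sysmon*" }
Get-CimInstance win32_service `
-Filter "Description = 'System Monitor service'"
# -like without a wildcard is an exact match, so the pattern needs
# the trailing * to match DisplayName values such as "Sysmon"
Get-Service | Where-Object { $_.DisplayName -like "sysm*" }
# List hidden directories
#
Get-ChildItem -Hidden -Path $SOME_PATH
# Get a process with a particular "image name" (generally
# example.exe has an image name of "example")
#
Get-Process -Name $IMAGE_NAME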
When checking whether Sysmon is running, you can also examine the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon\Operational
registry key, which is created when the Sysmon event channel is registered.
PowerShell Command History
View PowerShell's persisted command history (written by PSReadLine):
# The path sits under the current user's profile, so each user has a separate history file
type $Env:USERPROFILE\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Use %USERPROFILE% instead of $Env:USERPROFILE
if running from cmd.exe.