CLI

Windows Management Instrumentation (WMI) Command-Line Utility (WMIC)


Get running services: wmic service where "state='running'" get displayname,state, pathname,processid

Get Users: wmic USERACCOUNT Get Domain,Name, Sid

List Users (netlogin): wmic netlogin get name,numberoflogons,badpasswordcount

Running Processes: wmic process get name,processid,parentprocessid,executablepath,sessionid

List antivirus products: wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayname, productState, pathToSignedProductExe

Show startup programs: wmic startup list brief

Get list of running services: wmic service where 'State="Running"' list brief

If the command fails, try swapping the single and double quotes around the where clause.

Nics on the system: wmic nic list full

Computer system Info: wmic computersystem list brief

List system drives: wmic volume list brief

Log files: wmic NTEVENT WHERE "LogFile='Security'" GET LogFile,SourceName,EventType,Message,TimeGenerated /FORMAT:list

Additional details of running services: wmic service where 'State="Running"' get name,processId,installDate,pathName,StartMode,Caption

Get products with version and install location: wmic path win32_product get name, version, installlocation

More detailed products with version: wmic product get Description, InstallDate, Name, Vendor, Version, ProductID
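Microsoft has deprecated wmic; the CIM cmdlets are the supported replacement. The block below is an added example, not part of the original cheat sheet: it lists processes the way the wmic process line above does, but also resolves each parent's name and the process owner, which is what you want when deciding whether a parent/child pairing looks normal during triage. It assumes a local query run by an account permitted to read process information.

```powershell
# Added example (not from the original cheat sheet): CIM-based process listing that
# resolves the parent process name and owner, which the wmic one-liner does not.
$procs = Get-CimInstance -ClassName Win32_Process

# PID -> name lookup so parents resolve without a second query.
# A missing entry means the parent has already exited (orphaned child).
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p.Name }

$procs |
    Select-Object ProcessId,
                  Name,
                  ParentProcessId,
                  @{Name = 'ParentName'; Expression = {
                        $n = $byPid[[int]$_.ParentProcessId]
                        if ($n) { $n } else { '<exited>' } }},
                  @{Name = 'Owner'; Expression = {
                        $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
                        if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '' } }},
                  ExecutablePath,
                  CommandLine |
    Sort-Object ParentProcessId, ProcessId |
    Format-Table -AutoSize
```

Pipe the output to Export-Csv instead of Format-Table when collecting from several hosts; the CSV keeps CommandLine intact, which Format-Table truncates.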


Powershell

Port Scan single IP Ports (1..1024)

1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("[IP Address]",$_)) "Port $_ is open!"} 2>$null

IP Scan / Ping

foreach ($ip in 1..20) {Test-NetConnection -Port 80 -InformationLevel "Detailed" [First 3 octets].$ip}

Program Versions

Get-WmiObject Win32_Product | Select-Object Name,Version
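Querying Win32_Product makes Windows Installer run a consistency check on every MSI package, which is slow and can trigger package repairs on the host you are examining. The block below is an added example, not part of the original cheat sheet: it reads the same inventory from the registry Uninstall keys (machine-wide 64-bit and 32-bit, plus the current user's), which also catches non-MSI installers that Win32_Product never sees.

```powershell
# Added example (not from the original cheat sheet): installed-software inventory from
# the Uninstall registry keys instead of Win32_Product.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |                     # skip entries with no product name
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation,
                  @{Name = 'Scope'; Expression = {
                        # PSPath carries the hive, so per-user installs can be told apart
                        if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' } }} |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```

Per-user entries under HKCU are only visible for the account running the query; for other profiles, load their NTUSER.DAT hive or query the HKU: drive after mapping it.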

Hash full Directories

Get-FileHash 'C:\Program Files (x86)\path\to\directory\*' -Algorithm MD5 | Format-List

Log Search

Get-EventLog "Windows Powershell" -After (Get-Date).AddHours(-2) | where {($_.EventId -eq 400) -or ($_.EventId -eq 500) -or ($_.EventId -eq 501) -or ($_.EventId -eq 800) -or ($_.EventId -eq 4104) -or ($_.EventId -eq 4106)}

Enable SMB1

Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol

Start Powershell version 2

powershell -version 2

Check current Powershell version

$psversiontable

Check version Windows Defender

Get-MpComputerStatus

EventLog query (change event ID number)

Get-EventLog "Security" | where-object {$_.EventId -eq 4624}

Logs written to since you logged in

Get-WinEvent -ListLog * | ? {$_.lastwritetime -gt 'Tuesday, May 14, 2019 3:15:42 PM'}

Logs created since you logged in

Get-WinEvent -ListLog * | ? {$_.lastwritetime -gt 'Tuesday, May 14, 2019'}

Single Port Scan

Test-NetConnection [IP address] -Port 80

Antivirus on system

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
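The AntiVirusProduct class reports its status as a packed integer in productState. The block below is an added example, not part of the original cheat sheet, that decodes it. Microsoft does not document the bit layout; the mapping used here (hex digits 3-4 = real-time protection state, digits 5-6 = signature state) is the widely used community interpretation and is an assumption. The root/SecurityCenter2 namespace exists only on client editions of Windows, not on Server.

```powershell
# Added example (not from the original cheat sheet): decode AntiVirusProduct.productState.
# ASSUMPTION: community-documented layout, e.g. 0x061100 -> provider 06, real-time 11,
# signatures 00. Microsoft has not published this format.
function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][int]$State)
    $hex = '{0:x6}' -f $State
    $rtMap  = @{ '00' = 'Off'; '01' = 'Expired'; '10' = 'On'; '11' = 'Snoozed' }
    $defMap = @{ '00' = 'UpToDate'; '10' = 'OutOfDate' }
    $rt  = $hex.Substring(2, 2)
    $def = $hex.Substring(4, 2)
    [pscustomobject]@{
        Hex        = $hex
        RealTime   = if ($rtMap.ContainsKey($rt))   { $rtMap[$rt] }   else { "Unknown($rt)" }
        Signatures = if ($defMap.ContainsKey($def)) { $defMap[$def] } else { "Unknown($def)" }
    }
}

Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
    ForEach-Object {
        $s = ConvertFrom-ProductState -State $_.productState
        [pscustomobject]@{
            Product    = $_.displayName
            State      = $s.Hex
            RealTime   = $s.RealTime
            Signatures = $s.Signatures
            Exe        = $_.pathToSignedProductExe
            Updated    = $_.timestamp
        }
    } | Format-Table -AutoSize
```

Treat anything other than RealTime = On and Signatures = UpToDate as a finding, and confirm against the product's own status (Get-MpComputerStatus for Defender) rather than trusting Security Center alone.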

Netstat with pid and Process name

get-nettcpconnection | sort-object -Property state | format-table local*,remote*,state,OwningProcess, @{Name="Process";Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}

Startup Programs

Get-CimInstance Win32_StartupCommand |Select-Object Name, command, Location, User |Format-List

PowerShell Logging

wevtutil gl "Windows PowerShell"

wevtutil gl "Microsoft-Windows-PowerShell/Operational"

wevtutil qe "Windows PowerShell" /rd:false /c:25 /f:text

wevtutil qe "Microsoft-Windows-PowerShell/Operational" /rd:false /c:25 /f:text
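The Log Search one-liner above and the wevtutil queries both return raw events; the block below is an added example, not part of the original cheat sheet, that does the next step: it pulls script block logging events (ID 4104) from the last two hours with a server-side filter and flags those containing strings commonly seen in encoded or download-and-execute scripts. The indicator list is a constructed starting point, not a complete rule set, and the query assumes script block logging has been turned on through Group Policy so that 4104 events exist.

```powershell
# Added example (not from the original cheat sheet): triage PowerShell 4104 events.
# Constructed indicator list; extend it from your own detections.
$indicators = @('FromBase64String', 'EncodedCommand', 'DownloadString', 'DownloadFile',
                'Invoke-Expression', 'IEX', 'Net.WebClient', '-nop', 'bypass', 'hidden')

# FilterHashtable filters in the event log service, far faster than Where-Object on every event
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-2)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # 4104 property order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
    $text = [string]$e.Properties[2].Value
    $hits = $indicators | Where-Object { $text -match [regex]::Escape($_) }
    if ($hits) {
        $flat = $text -replace '\s+', ' '
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = $e.UserId
            ScriptId   = $e.Properties[3].Value
            Path       = $e.Properties[4].Value
            Indicators = ($hits -join ',')
            Preview    = $flat.Substring(0, [Math]::Min(120, $flat.Length))
        }
    }
}
```

Long scripts are split across several 4104 events sharing one ScriptBlockId; group on ScriptId and sort by MessageNumber (Properties[0]) to reassemble the full text before reading it.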
