PowerShell Security Commands
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 1000 | Select-Object TimeCreated, Id, @{n='Account';e={$_.Properties[5].Value}}, @{n='LogonType';e={$_.Properties[8].Value}}, @{n='SourceIP';e={$_.Properties[18].Value}} | Format-Table -AutoSize
Successful logons - LogonType: 2=Interactive, 3=Network, 4=Batch, 5=Service, 10=RemoteInteractive. -FilterHashtable selects the ID before -MaxEvents applies; piping -MaxEvents into Where-Object only inspects the newest N events of any ID
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 5000 | Select-Object TimeCreated, @{n='TargetUser';e={$_.Properties[5].Value}}, @{n='LogonType';e={$_.Properties[10].Value}}, @{n='SourceIP';e={$_.Properties[19].Value}}, @{n='SubStatus';e={'0x{0:X8}' -f $_.Properties[9].Value}} | Format-Table -AutoSize
Failed logons - Look for brute-force patterns. SubStatus (Properties[9]): 0xC000006A=bad password, 0xC000006D=bad username; Properties[8] is the textual FailureReason, not the status code
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4634} | Select-Object TimeCreated, @{n='User';e={$_.Properties[1].Value}}, @{n='LogonId';e={$_.Properties[3].Value}}, @{n='LogonType';e={$_.Properties[4].Value}} | Format-Table -AutoSize
Logoffs - Correlate with 4624 for session duration by matching TargetLogonId (Properties[3] here, Properties[7] in 4624); LogonType is Properties[4] in 4634
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} | Select-Object TimeCreated, @{n='LockedAccount';e={$_.Properties[0].Value}}, @{n='SourceComputer';e={$_.Properties[1].Value}} | Format-Table -AutoSize
Account lockouts - Indicator of brute force or compromise; 4740 is written on the domain controller, so query it there
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768} | Select-Object TimeCreated, @{n='Account';e={$_.Properties[0].Value}}, @{n='ClientIP';e={$_.Properties[9].Value}}, @{n='TicketOptions';e={$_.Properties[5].Value}}, @{n='Encryption';e={$_.Properties[7].Value}}, @{n='PreAuthType';e={$_.Properties[8].Value}} | Format-Table -AutoSize
Kerberos TGT requests - Detect AS-REP Roasting (PreAuthType 0 = no pre-authentication) and, together with 4769, Kerberoasting. TicketOptions is Properties[5]; Properties[4] is the ServiceSid
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | Select-Object TimeCreated, @{n='Account';e={$_.Properties[0].Value}}, @{n='ServiceName';e={$_.Properties[2].Value}}, @{n='ClientIP';e={$_.Properties[6].Value}}, @{n='TicketEncryption';e={'0x{0:X}' -f $_.Properties[5].Value}} | Format-Table -AutoSize
Service tickets - Encryption 0x17=RC4 (suspicious for Kerberoasting, especially one account requesting tickets for many services). ClientIP is Properties[6] in 4769, not [9]
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | Where-Object {$_.Properties[8].Value -eq 10} | Select-Object TimeCreated, @{n='Account';e={$_.Properties[5].Value}}, @{n='SourceIP';e={$_.Properties[18].Value}} | Format-Table -AutoSize
RDP logons - LogonType 10 = RemoteInteractive
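The 4625/4624 queries above become useful once they are aggregated. The function below, an added example that is not part of the original cheat sheet, groups failures by source IP over a time window, separates bad-password from bad-username attempts, and reports whether the same source later produced a successful logon. Threshold, window and event cap are assumptions.

```powershell
# Added example: brute-force / password-spray triage over 4625 with 4624 follow-up.
# Threshold, window and MaxEvents are assumed values; tune them to the host's volume.
function Find-BruteForceSources {
    param([int]$Threshold = 20, [int]$WindowMin = 10, [int]$MaxEvents = 50000)
    $since = (Get-Date).AddMinutes(-$WindowMin)
    # FilterHashtable filters server-side, so MaxEvents caps matching events only
    $failed  = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} `
                   -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $success = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} `
                   -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    # 4625 EventData order: TargetUserName(5), SubStatus(9), LogonType(10), IpAddress(19)
    $fails = foreach ($e in $failed) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $e.Properties[5].Value
            SourceIP  = $e.Properties[19].Value
            SubStatus = '0x{0:X8}' -f $e.Properties[9].Value
        }
    }
    $fails | Where-Object { $_.SourceIP -and $_.SourceIP -ne '-' } |
        Group-Object SourceIP | Where-Object Count -ge $Threshold | ForEach-Object {
            $ip       = $_.Name
            $users    = @($_.Group.User | Sort-Object -Unique)
            $lastFail = ($_.Group.Time | Measure-Object -Maximum).Maximum
            # A 4624 from the same source after the burst suggests a guess succeeded
            $hit = $success | Where-Object {
                $_.Properties[18].Value -eq $ip -and $_.TimeCreated -gt $lastFail
            } | Select-Object -First 1
            $hitUser = if ($hit) { $hit.Properties[5].Value } else { $null }
            [pscustomobject]@{
                SourceIP      = $ip
                Failures      = $_.Count
                DistinctUsers = $users.Count   # many users with few attempts each = spray
                BadPassword   = @($_.Group | Where-Object SubStatus -eq '0xC000006A').Count
                BadUser       = @($_.Group | Where-Object SubStatus -eq '0xC000006D').Count
                SuccessAfter  = $hitUser
            }
        }
}

Find-BruteForceSources -Threshold 20 -WindowMin 10 | Format-Table -AutoSize
```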
EventLog Analysis & XML Queries
<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID=4625)]] and *[EventData[Data[@Name='LogonType'] and (Data='2' or Data='3' or Data='10')]]</Select></Query></QueryList>
Advanced filtering of failed logons by logon type
<QueryList><Query Id="0" Path="Microsoft-Windows-PowerShell/Operational"><Select>*[System[(EventID=4104)]] and *[EventData[Data[@Name='ScriptBlockText'] and (contains(Data,'Invoke-Expression') or contains(Data,'DownloadString') or contains(Data,'FromBase64String'))]]</Select></Query></QueryList>
Detection of suspicious PowerShell execution (requires Script Block Logging)
<QueryList><Query Id="0" Path="Microsoft-Windows-WMI-Activity/Operational"><Select>*[System[(EventID=5861)]]</Select></Query></QueryList>
WMI filter/consumer creation used for persistence (5861 logs the filter-to-consumer binding)
<QueryList><Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational"><Select>*[System[(EventID=106 or EventID=140 or EventID=141)]]</Select></Query></QueryList>
Creation/modification/deletion of scheduled tasks
<QueryList><Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational"><Select>*[System[(EventID=1116 or EventID=1117)]]</Select></Query></QueryList>
Threat detection (1116) and remediation (1117) by Defender
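The XML queries above run unchanged through Get-WinEvent -FilterXml. The function below is an added example, not from the original cheat sheet: it builds an XPath filter for 4769 tickets issued with RC4 (logged as the string '0x17' in EventData) within a time window, then reports user accounts that requested tickets for many distinct services, which is the Kerberoasting pattern described in the PowerShell section. Threshold and window are assumptions.

```powershell
# Added example: Kerberoasting triage with an XPath filter passed to -FilterXml.
# MinServices and WindowMin are assumed values.
function Find-KerberoastingCandidates {
    param([int]$MinServices = 5, [int]$WindowMin = 60)
    $ms = $WindowMin * 60 * 1000   # timediff() works in milliseconds
    # '<=' must be written as &lt;= inside the XML; data values match the rendered text
    $xml = [xml]@"
<QueryList><Query Id="0" Path="Security">
  <Select Path="Security">
    *[System[(EventID=4769) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
    and *[EventData[Data[@Name='TicketEncryptionType']='0x17']]
  </Select>
</Query></QueryList>
"@
    $events = Get-WinEvent -FilterXml $xml -ErrorAction SilentlyContinue
    # 4769 EventData order: TargetUserName(0), TargetDomainName(1), ServiceName(2),
    # ServiceSid(3), TicketOptions(4), TicketEncryptionType(5), IpAddress(6)
    $rows = foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $e.Properties[0].Value
            Service = $e.Properties[2].Value
            Client  = $e.Properties[6].Value
        }
    }
    # Tickets for computer accounts (name$) and krbtgt are routine; user SPNs are the target
    $rows | Where-Object { $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt' } |
        Group-Object Account | ForEach-Object {
            $services = @($_.Group.Service | Sort-Object -Unique)
            if ($services.Count -ge $MinServices) {
                [pscustomobject]@{
                    Account          = $_.Name
                    DistinctServices = $services.Count
                    Clients          = (@($_.Group.Client | Sort-Object -Unique) -join ', ')
                    FirstSeen        = ($_.Group.Time | Measure-Object -Minimum).Minimum
                    LastSeen         = ($_.Group.Time | Measure-Object -Maximum).Maximum
                    Services         = ($services -join ', ')
                }
            }
        }
}

Find-KerberoastingCandidates -MinServices 5 -WindowMin 60 | Format-List
```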
AuditPol Configuration
auditpol /get /category:*
Show all audit categories
auditpol /get /category:"Logon/Logoff"
Logon/logoff auditing
auditpol /get /category:"Object Access"
Object access auditing (files, registry, etc.)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
Enable success and failure auditing of logons
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
Enable process creation auditing (combine with the GPO that includes the command line in 4688 events)
auditpol /backup /file:C:\audit-policy-backup.csv
Back up the current audit configuration
Sysinternals Suite
Process Monitor
procmon /AcceptEula /Minimized /BackingFile log.pml
Background capture to a backing file
procmon /OpenLog log.pml /SaveApplyFilter
Open a log and apply the saved filter
Autoruns
autorunsc -accepteula -a * -h -s -m > autoruns.txt
Complete list of persistence points (autorunsc is the console version; -a * = all categories, -h hashes, -s verify signatures, -m hide Microsoft entries)
autorunsc -accepteula -a * -h -s -vt
VirusTotal check of every entry
TCPView
tcpvcon -a -c -n > connections.csv
Export connections to CSV
Strings
strings -n 10 malware.exe > strings.txt
Extract strings min 10 chars
strings -n 8 -u malware.exe
Extract Unicode strings
Sigcheck
sigcheck -u -e C:\Windows\System32
Unsigned executables
sigcheck -vt -v suspicious.exe
VirusTotal check
Handle
handle -p malicious.exe
Handles opened by a process
handle -a -p <PID>
All handle types, including sections
Critical Security Event IDs
| Event ID | Description | MITRE ATT&CK | Severity | Log |
|---|---|---|---|---|
| 4625 | Failed logon - Brute force indicator | T1110 | Critical | Security |
| 4624 LogonType=10 | RDP connection - Remote Interactive | T1021.001 | Medium | Security |
| 4688 | Process creation - Enable command line logging | T1059 | Medium | Security |
| 1102 | Audit log cleared - Anti-forensics | T1070.001 | Critical | Security |
| 4672 | Special privileges assigned - Admin/Service | T1078 | High | Security |
| 4720 | User account created | T1136.001 | Critical | Security |
| 4732 | Member added to local admin group | T1098 | Critical | Security |
| 4769 | Kerberos service ticket requested - Kerberoasting | T1558.003 | High | Security |
| 7045 | Service installed - Persistence mechanism | T1543.003 | High | System |
| 4104 | PowerShell script block execution | T1059.001 | High | PowerShell |
| 106 | Scheduled task created | T1053.005 | High | TaskScheduler |
| 4616 | System time changed - Anti-forensics | T1070.006 | High | Security |
| 4740 | Account locked out | T1110 | High | Security |
| 5140 | Network share accessed | T1135 | Medium | Security |
| 5144 | Network share deleted | T1485 | Medium | Security |
Windows Forensic Artifacts
Prefetch Files
C:\Windows\Prefetch\*.pf
Evidence of execution - Use PECmd or WinPrefetchView
Get-ChildItem C:\Windows\Prefetch | Select-Object Name, LastWriteTime, CreationTime
$MFT
C:\$MFT
Master File Table - Use MFTECmd or Autopsy
fsutil fsinfo ntfsinfo C:
Shows the MFT start cluster and size; $MFT is an NTFS metafile that Get-ChildItem cannot enumerate, so it must be read raw with MFTECmd, Autopsy or a disk imager
USN Journal
fsutil usn readjournal C: start
File system changes - Detect file deletion/creation
Amcache.hve
C:\Windows\AppCompat\Programs\Amcache.hve
Application execution history - Use AmcacheParser
SRUM
C:\Windows\System32\sru\SRUDB.dat
Application resource usage - Network, CPU, energy
Background Activity Moderator
HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings
Background execution tracking - Win10+ only
Shimcache (AppCompatCache)
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Application execution evidence - Use AppCompatCacheParser
LNK Files
C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\*.lnk
Recent files - Use LECmd for parsing
Persistence Mechanisms Detection
Locations to check:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run*" | Format-List
schtasks /query /fo LIST /v
Get-ScheduledTask | Select-Object TaskName, TaskPath, State, @{n='Action';e={$_.Actions.Execute}} | Format-Table
Suspicious indicators: Tasks in root folder, SYSTEM execution, unusual paths, encoded commands
Get-WmiObject Win32_Service | Where-Object {$_.StartMode -eq 'Auto' -and $_.State -eq 'Running'} | Select-Object Name, DisplayName, PathName, StartName | Format-Table -Wrap
Suspicious: Services with paths in user directories, temp folders, or with unusual account contexts
Get-WmiObject -Class __EventFilter -Namespace root\subscription | Select-Object Name, Query
Get-WmiObject -Class __EventConsumer -Namespace root\subscription | Select-Object Name
Get-WmiObject -Class __FilterToConsumerBinding -Namespace root\subscription | Select-Object Filter, Consumer
Get-Process -ErrorAction SilentlyContinue | ForEach-Object { $p = $_.ProcessName; $_.Modules | Select-Object @{n='ProcessName';e={$p}}, ModuleName, FileName } | Where-Object { $_.FileName -notlike "$env:SystemRoot\*" -and $_.FileName -notlike "$env:ProgramFiles\*" }
Detect loaded DLLs outside the Windows and Program Files directories (ModuleName carries no path, so the test must use FileName)
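The persistence locations above are usually reviewed one at a time. The function below, an added example that is not part of the original cheat sheet, pulls Run/RunOnce keys, scheduled task actions, auto-start services and permanent WMI consumers into one table and flags entries whose executable lives in a user-writable path or whose command line carries an encoded payload, the indicators the notes above call suspicious. The path and command patterns are assumptions to tune per environment.

```powershell
# Added example: one-pass persistence inventory with suspicious-indicator flags.
$SuspiciousPath = '\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\|\\Public\\'   # assumed patterns
$EncodedCmd     = '-(e|ec|enc|encodedcommand)\s|FromBase64String|\bIEX\b|Invoke-Expression'

function Get-PersistenceInventory {
    $items = New-Object System.Collections.Generic.List[object]
    $add = { param($src, $name, $cmd)
        $flag = ''
        if     ($cmd -match $EncodedCmd)     { $flag = 'encoded'  }
        elseif ($cmd -match $SuspiciousPath) { $flag = 'userpath' }
        $items.Add([pscustomobject]@{ Source=$src; Name=$name; Command=$cmd; Flag=$flag }) }

    # Run / RunOnce under HKLM and HKCU (PS* properties are provider metadata, not values)
    foreach ($hive in 'HKLM','HKCU') {
        foreach ($k in 'Run','RunOnce') {
            $props = Get-ItemProperty "${hive}:\Software\Microsoft\Windows\CurrentVersion\$k" -ErrorAction SilentlyContinue
            if ($props) {
                $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } |
                    ForEach-Object { & $add "$hive\$k" $_.Name $_.Value }
            }
        }
    }
    # Scheduled tasks: executable plus arguments of each exec action
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($a in $_.Actions) {
            if ($a.Execute) { & $add "Task $($_.TaskPath)" $_.TaskName "$($a.Execute) $($a.Arguments)" }
        }
    }
    # Auto-start services with their image path and account context
    Get-CimInstance Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
        & $add 'Service' $_.Name "$($_.PathName) [$($_.StartName)]"
    }
    # Permanent WMI subscriptions: the consumer holds the command line that will run
    Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { & $add 'WMI Consumer' $_.Name $_.CommandLineTemplate }
    return $items
}

# Show only flagged entries; drop the Where-Object to review the full inventory
Get-PersistenceInventory | Where-Object Flag | Sort-Object Flag | Format-Table -AutoSize -Wrap
```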
Lateral Movement Detection
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | Where-Object {$_.Properties[8].Value -eq 3 -and $_.Properties[5].Value -like '*$'} | Select-Object TimeCreated, @{n='Account';e={$_.Properties[5].Value}}, @{n='SourceIP';e={$_.Properties[18].Value}}
PsExec uses network logons with machine$ accounts
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-WMI-Activity/Operational'; Id=5857,5859,5860}
Remote WMI activity and subscription changes (5859 = permanent, 5860 = temporary subscription)
Get-SmbSession | Select-Object SessionId, ClientComputerName, ClientUserName, NumOpens
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140} | Select-Object TimeCreated, @{n='Share';e={$_.Properties[7].Value}}, @{n='Account';e={$_.Properties[1].Value}}, @{n='SourceIP';e={$_.Properties[5].Value}}
Accessed shares and active SMB sessions; in 5140 ShareName is Properties[7] and IpAddress is Properties[5]
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" | Where-Object {$_.Id -in 21,22,23,24,25} | Select-Object TimeCreated, Id, @{n='User';e={$_.Properties[0].Value}}, @{n='SourceIP';e={$_.Properties[2].Value}}
21=Logon, 22=ShellStart, 23=Logoff, 24=Disconnect, 25=Reconnect
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | Where-Object {$_.Properties[8].Value -eq 3 -and $_.Properties[10].Value -eq 'NTLM'} | Select-Object TimeCreated, @{n='Account';e={$_.Properties[5].Value}}, @{n='SourceIP';e={$_.Properties[18].Value}}, @{n='LogonProcess';e={$_.Properties[9].Value}}
LogonProcess 'NtLmSsp' with NTLM = possible PtH. In 4624 LogonProcessName is Properties[9] and AuthenticationPackageName is Properties[10]; Properties[11] is the WorkstationName
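A PsExec-style remote execution leaves the three traces listed above within seconds of each other: a 4624 network logon, a 5140 access to ADMIN$ from the same source, and a 7045 service install in the System log. The function below, an added example that is not part of the original cheat sheet, joins them on source IP and time so each new service is shown with who installed it and which authentication package the logon used. Window and lookback are assumptions.

```powershell
# Added example: correlate 7045 service installs with ADMIN$ access and network logons.
# WindowSec and LookbackHours are assumed values.
function Find-RemoteServiceExecution {
    param([int]$WindowSec = 60, [int]$LookbackHours = 24)
    $since = (Get-Date).AddHours(-$LookbackHours)
    # 4624 EventData: TargetUserName(5), LogonType(8), AuthenticationPackageName(10), IpAddress(18)
    $logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 3 } | ForEach-Object {
            [pscustomobject]@{ Time=$_.TimeCreated; Account=$_.Properties[5].Value
                               SourceIP=$_.Properties[18].Value; AuthPkg=$_.Properties[10].Value } }
    # 5140 EventData: SubjectUserName(1), IpAddress(5), ShareName(7)
    $admin = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140; StartTime=$since} -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[7].Value -like '*ADMIN$' } | ForEach-Object {
            [pscustomobject]@{ Time=$_.TimeCreated; Account=$_.Properties[1].Value; SourceIP=$_.Properties[5].Value } }
    # 7045 EventData: ServiceName(0), ImagePath(1), ServiceType(2), StartType(3), AccountName(4)
    $services = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Time=$_.TimeCreated; Service=$_.Properties[0].Value; ImagePath=$_.Properties[1].Value } }

    foreach ($svc in $services) {
        $lo    = $svc.Time.AddSeconds(-$WindowSec)
        $share = $admin | Where-Object { $_.Time -ge $lo -and $_.Time -le $svc.Time }
        foreach ($s in $share) {
            $logon = $logons | Where-Object { $_.SourceIP -eq $s.SourceIP -and $_.Time -ge $lo -and $_.Time -le $svc.Time } |
                     Select-Object -First 1
            # NTLM on a network logon where Kerberos is expected is the PtH hint from above
            $auth = if ($logon) { $logon.AuthPkg } else { 'n/a' }
            [pscustomobject]@{
                Installed = $svc.Time
                Service   = $svc.Service
                ImagePath = $svc.ImagePath
                SourceIP  = $s.SourceIP
                Account   = $s.Account
                AuthPkg   = $auth
            }
        }
    }
}

Find-RemoteServiceExecution -WindowSec 60 | Format-Table -AutoSize -Wrap
```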
CMD Cheatsheet
System Information

| Command | Description |
|---|---|
| systeminfo | Full system info |
| hostname | Computer name |
| whoami /all | User + groups + privs |
| net config workstation | Domain info |
| set | Environment vars |
| driverquery /v | Installed drivers |

User Management

| Command | Description |
|---|---|
| net user | List users |
| net user [user] | User details |
| net localgroup administrators | Local admins |
| net group "domain admins" /domain | Domain admins |
| net accounts | Password policy |
| net accounts /domain | Domain policy |

Network

| Command | Description |
|---|---|
| ipconfig /all | IP configuration |
| netstat -ano | Connections + PIDs |
| netstat -anob | + Binary names (admin) |
| netstat -rn | Routing table |
| arp -a | ARP cache |
| route print | Full routing |
| netsh wlan show profiles | WiFi profiles |
| netsh interface portproxy show all | Port forwards |

Processes & Services

| Command | Description |
|---|---|
| tasklist /v | Processes verbose |
| tasklist /svc | Processes + services |
| taskkill /PID [n] /F | Force kill by PID |
| sc query state= all | All services |
| sc qc [service] | Service config |
| wmic service get name,pathname,startmode | Service paths |

File System

| Command | Description |
|---|---|
| dir /a /s /o:n | All files recursive |
| dir /a:h /s | Hidden files |
| tree /f /a | Directory tree |
| icacls [file] | File permissions |
| fsutil usn readjournal C: | USN journal |
| cipher /u /n /h | Encrypted files |

Domain / AD

| Command | Description |
|---|---|
| nltest /domain_trusts | Domain trusts |
| nltest /dclist: | Domain controllers |
| net group "Domain Controllers" /domain | DCs via group |
| net group "Domain Admins" /domain | Domain admins |
| net group "Enterprise Admins" /domain | Enterprise admins |
| gpresult /h gpo.html | GPO report HTML |

WMIC Reference
wmic process get name,processid,executablepath
Processes with paths
wmic process where "name='powershell.exe'" get processid,commandline
Command line per process
wmic service get name,pathname,startmode,state
Services with paths
wmic startup get caption,command,location
Startup entries
wmic product get name,version
Installed software
wmic qfe get hotfixid,description,installedon
Installed patches
wmic useraccount get name,sid
Users + SIDs
wmic group get name,sid
Groups + SIDs
wmic share get name,path
Shares
wmic logicaldisk get deviceid,volumename,filesystem,size,freespace
Logical disks
wmic nic get name,macaddress,netconnectionstatus
Network interfaces
wmic ntevent where "logfile='Security'" get timegenerated,eventcode,message
Event log query
Registry Analysis
Critical Persistence Keys
Run/RunOnce:
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run*"
Winlogon:
Get-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" | Select-Object Shell, Userinit, Taskman
LSA Authentication:
Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" | Select-Object RunAsPPL, DisableRestrictedAdmin
SafeBoot:
Get-ChildItem "HKLM:\System\CurrentControlSet\Control\SafeBoot"
Network Configuration
Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters" | Select-Object SearchList, Domain, Hostname
Get-ChildItem "HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" | ForEach-Object { Get-ItemProperty $_.PSPath }
Security Settings
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" | Select-Object EnableLUA, ConsentPromptBehaviorAdmin, EnableUIADesktopToggle
UAC settings: EnableLUA=1 means UAC is enabled; ConsentPromptBehaviorAdmin=0 means administrators elevate without any prompt, which is the value to treat as weakened
PowerShell Configuration
Get-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\PowerShell" -ErrorAction SilentlyContinue
Get-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -ErrorAction SilentlyContinue | Select-Object EnableScriptBlockLogging
Network Analysis Commands
netstat -anob | findstr LISTENING
Listening ports with owning process (admin required for -b)
netstat -ano | findstr ESTABLISHED
Active established connections
Get-NetTCPConnection -State Established | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess | Format-Table
TCP connections via PowerShell
Get-DnsClientCache | Select-Object Entry, Name, Data | Format-Table
DNS cache - Look for suspicious domains
netsh advfirewall firewall show rule name=all dir=out | findstr /i /c:"Rule Name:" /c:"Enabled:" /c:"Action:"
Outbound firewall rules with their enabled state and action (netsh pads "Enabled:" and "Action:" with spaces, so a single "Enabled:Yes" search string never matches)
route print -4
IPv4 routing table - Check for suspicious routes
Get-NetRoute | Where-Object {$_.DestinationPrefix -ne '0.0.0.0/0'} | Format-Table
Non-default routes - Potential traffic redirection
Incident Response Workflow
1. Initial Assessment
- Document the detection time and the alert source
- Identify the affected systems (hostname, IP, user)
- Capture the current state before any modification
- Check whether the incident is still active or contained
2. Evidence Collection
- Get-WinEvent -LogName Security -MaxEvents 10000 | Export-Clixml security.xml
- Get-Process | Export-Clixml processes.xml
- netstat -anob > network.txt
- reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg
3. Timeline Reconstruction
- Analyze 4624/4625 logs for logons
- Correlate with 4688 for created processes
- Check the artifacts (Prefetch, Amcache, USN Journal)
- Identify the initial entry point
4. Containment & Eradication
- Isolate the system from the network if necessary
- Terminate malicious processes: Stop-Process -Id [PID] -Force
- Disable compromised accounts: Disable-ADAccount -Identity [user]
- Remove the identified persistence mechanisms
5. Documentation & Lessons Learned
- Document all actions taken, with timestamps
- Identify the IOCs (IPs, hashes, domains, signatures)
- Update detection rules
- Post-incident report with recommendations
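The evidence-collection step above is the one most often done inconsistently under pressure. The function below, an added example that is not part of the original cheat sheet, collects the listed artifacts into a timestamped folder, volatile state first, and then writes a SHA-256 manifest so each file can later be shown unchanged. The output root and event cap are assumptions; run it elevated so netstat -b and the Security log are readable.

```powershell
# Added example: ordered triage collection with a hash manifest.
# Root and MaxEvents are assumed values.
function Invoke-TriageCollection {
    param([string]$Root = 'C:\IR', [int]$MaxEvents = 10000)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $out   = Join-Path $Root "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $out -Force | Out-Null
    New-Item -ItemType Directory -Path (Join-Path $out 'prefetch') -Force | Out-Null

    # Volatile state first: processes and sockets change while the collection runs
    Get-Process -ErrorAction SilentlyContinue | Export-Clixml (Join-Path $out 'processes.xml')
    Get-NetTCPConnection | Export-Clixml (Join-Path $out 'tcp.xml')
    netstat -anob 2>$null | Out-File (Join-Path $out 'netstat.txt') -Encoding utf8
    Get-DnsClientCache | Export-Clixml (Join-Path $out 'dnscache.xml')

    # Logs and persistence locations from the sections above
    Get-WinEvent -FilterHashtable @{LogName='Security'} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Export-Clixml (Join-Path $out 'security.xml')
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Export-Clixml (Join-Path $out 'ps-scriptblock.xml')
    Get-ScheduledTask | Export-Clixml (Join-Path $out 'tasks.xml')
    reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run (Join-Path $out 'run-hklm.reg') /y | Out-Null
    reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run (Join-Path $out 'run-hkcu.reg') /y | Out-Null
    Copy-Item C:\Windows\Prefetch\*.pf (Join-Path $out 'prefetch') -ErrorAction SilentlyContinue

    # Manifest: hash every artifact and record who collected it and when
    $manifest = Get-ChildItem $out -File -Recurse | ForEach-Object {
        [pscustomobject]@{ File   = $_.FullName.Substring($out.Length + 1)
                           Size   = $_.Length
                           SHA256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash } }
    $manifest | Export-Csv (Join-Path $out 'manifest.csv') -NoTypeInformation
    "Collected by $env:USERNAME on $env:COMPUTERNAME at $(Get-Date -Format o)" |
        Out-File (Join-Path $out 'collection.log')
    return $manifest
}

Invoke-TriageCollection -Root 'C:\IR' | Format-Table -AutoSize
```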