Powershell commands for Security and System Administration (Part 2)

This is the second of two blog posts looking at useful PowerShell commands for security engineers and system administrators. This time we are concentrating on Audit and Log Analysis, Malware and Threat Hunting, and System Hardening.

Audit and Log Analysis

Check failed logins from the event log. Monitoring failed logins in the Windows Event Log is a crucial security practice because it helps detect brute force attacks, unauthorised access attempts, insider threats, and system misconfigurations.

Get-WinEvent -FilterHashtable @{LogName='Security'; ID='4625'} | Format-Table -AutoSize
PowerShell command output showing failed login attempts from the Windows Security Event Log, indicating account login failures.

Search for security-related events. This cmdlet searches the Windows Event Logs, restricts the results to the log named ‘Security’ and limits the output to the 20 most recent events.

Get-WinEvent -LogName Security -MaxEvents 20
Screenshot of PowerShell command output displaying security event logs related to Windows logins.

Check login events (successful logins – Event ID 4624). This command allows you to monitor successful logons by specifying the EventID 4624.

Get-WinEvent -FilterHashtable @{LogName='Security'; ID='4624'} | Format-Table -AutoSize
Command line output showing successful login events from the Windows Event Log, filtered by Event ID 4624, with timestamps and messages.

Check password changes (Event ID 4724). Event ID 4724 records an attempt to reset an account's password (a user changing their own password is logged as 4723). Tracking password changes helps ensure that credentials are being updated legitimately and not being manipulated by attackers or compromised users.

Get-WinEvent -FilterHashtable @{LogName='Security'; ID='4724'} | Format-Table -AutoSize
PowerShell command output showing an event log related to password reset attempts with Event ID 4724, including timestamps and information level.

Malware and Threat Hunting

Find recently modified files (potential malware). Attackers and malware often modify or create new files to establish persistence, execute payloads, or exfiltrate data, so this cmdlet is useful for tracking these changes. The output can be very large, so you might want to modify the time window.

Get-ChildItem -Path C:\ -File -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) }
Command line output displaying recently modified files in C:\Program Files using PowerShell.

Check scheduled tasks for suspicious entries. Attackers and malware often use Scheduled Tasks to achieve persistence, execute malicious scripts, and maintain unauthorised access. This command can be used to monitor scheduled tasks to help detect and prevent security threats before they escalate. Note that the Where-Object filter keeps only tasks that are currently running; drop it to review every registered task.

Get-ScheduledTask | Where-Object {$_.State -eq 'Running'} | Format-Table -AutoSize
Screenshot showing the output of a PowerShell command to list running scheduled tasks on a Windows system.

Check autostart registry keys for persistence. Attackers or malware can modify Windows registry keys to ensure that malicious code runs every time a user logs in or the system starts. This command will show which entries are set to run on device start-up.

Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
PowerShell command output displaying startup registry keys from 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'.
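The single Get-ItemProperty call only covers one of the Run keys and shows command lines, not whether the binary behind each one is trustworthy. The script below is an added example, not from the original post: it walks the common Run/RunOnce keys, resolves the executable each entry launches, and reports its signature state and SHA-256 so unsigned or missing targets stand out. Get-ExecutablePath is a helper written for this example.

```powershell
# Added example (not from the original post): review autostart entries in the
# Run/RunOnce keys and report the executable, its Authenticode status and hash.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath([string]$CommandLine) {
    # Helper for this example. A quoted path is taken whole; otherwise take
    # everything up to the first ".exe" so trailing arguments are dropped.
    # Environment variables such as %SystemRoot% are expanded first.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.exe)') { return $Matches[1] }
    return $cmd.Split(' ')[0]
}

$results = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    # PSPath, PSParentPath and friends are PowerShell bookkeeping, not registry values.
    foreach ($prop in ($item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $exe    = Get-ExecutablePath ([string]$prop.Value)
        $exists = Test-Path -LiteralPath $exe
        [pscustomobject]@{
            Key       = $key
            Name      = $prop.Name
            Command   = $prop.Value
            Exe       = $exe
            Exists    = $exists
            Signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
            SHA256    = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { 'n/a' }
        }
    }
}

# Entries whose target is unsigned or missing are the first things to look at.
$results | Sort-Object Signature | Format-Table Key, Name, Exe, Signature, SHA256 -AutoSize
```

HKCU covers only the user running the script; to review other users' Run keys load their hives or run the check in each user's context.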

Scan system for suspicious executables. Malicious actors may replace system files with altered versions. This command outputs a list of executables and their hashes so that they can be compared against a trusted database (e.g., VirusTotal, Microsoft).

Get-ChildItem -Path C:\Windows\System32 -Filter *.exe -Recurse | Get-FileHash
Output of PowerShell command displaying SHA-256 hashes for executables in the C:\Windows\System32 directory.

System Hardening

Check Windows Defender status. Attackers and malware often disable or tamper with Windows Defender to avoid detection, so ensuring it’s enabled and functioning properly is crucial for system security. This command outputs a snapshot of the current Windows Defender status.

Get-MpComputerStatus
Screenshot of Windows PowerShell displaying the output of the Get-MpComputerStatus command, showing the current status of Windows Defender along with various details such as version numbers, enabled features, and computer state.

Run a Windows Defender scan. This command is particularly useful for running an ad hoc scan on a command-line-only Windows server. If you are running this to test the command, be aware that it uses significant system resources and can take a long time to run.

Start-MpScan -ScanType FullScan
Command line interface displaying a Microsoft Defender Antivirus full scan in progress, indicating the scan status and completion percentage.

List installed security updates. The Get-HotFix command will show all installed updates but it is extremely slow. The second command queries the registry and is much faster, though it matches anything with "Update" in its uninstall display name rather than security updates specifically.

Get-HotFix | Where-Object {$_.Description -match "Security"}
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" |
    Where-Object { $_.DisplayName -like "*Update*" } |
    Select-Object DisplayName, InstallDate
PowerShell command output showing installed updates with their display names and installation dates.

Disable SMBv1 (to prevent ransomware attacks). SMBv1 (Server Message Block version 1) is an old, vulnerable protocol used for file sharing between Windows machines. Disabling SMBv1 is crucial because it is a major security risk, often exploited by ransomware and other malware.

Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Screenshot of PowerShell commands showing configurations for disabling SMBv1 protocol and querying current SMB server settings.
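Set-SmbServerConfiguration only turns off the server-side protocol switch; the SMB1 feature component (including the client) can still be installed. The script below is an added example, not from the original post: it reports both states, and with -Remediate disables the server setting and removes the feature. It assumes an elevated session.

```powershell
# Added example (not from the original post): report SMBv1 state on both the
# server configuration and the optional-feature level, and optionally remediate.
param([switch]$Remediate)

$serverCfg = Get-SmbServerConfiguration
$feature   = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

$state = [pscustomobject]@{
    SMB1ServerEnabled = $serverCfg.EnableSMB1Protocol
    SMB1FeatureState  = if ($feature) { $feature.State } else { 'NotFound' }
    SMB2ServerEnabled = $serverCfg.EnableSMB2Protocol   # should remain enabled
}
$state | Format-List

if ($Remediate) {
    if ($state.SMB1ServerEnabled) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($state.SMB1FeatureState -eq 'Enabled') {
        # Removing the component also removes the SMB1 client; a restart may be required.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}
```

Run it without -Remediate first to see the current state, then again with the switch once you have confirmed nothing on the host still depends on SMBv1.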

In these two blog posts we have investigated using PowerShell for SysAdmin and security tasks, but we have barely scratched the surface: PowerShell is an entire discipline in itself. All the information you could need can be found in the Microsoft PowerShell docs area HERE.
