Commands

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

# List all running services
Get-Service | ? {$_.Status -eq "Running"} | select -First 2 |fl
tasklist /svc

# Handle specific service
sc qc SERVICE_NAME # Query service
sc start SERVICE_NAME
sc stop SERVICE_NAME 
sc config SERVICE_NAME KEY=VALUE # ex) sc config wuauserv binPATH=C:\Windows\pwn.exe
sc sdshow SERVICE_NAME

# List running application under currently logged in user
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 

# Query specific service with the registry (returns more info than sc)
Get-ACL -Path HKLM:\PATH\TO\SERVICE

# Check Windows Defender Status
Get-MpComputerStatus

# List AppLocker Rules
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

# Test AppLocker Policy
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path PATH_TO_FILE -User USER

1
2
3
4
5
6

.\SCRIPT.ps1 # Execute script
.\SCRIPT.ps1;MODULE # Excute particular module from the script
Import-Module .\SCRIPT.ps1 # Import modules from the script
Get-Module # List all loaded modules
Get-ExecutionPolicy -List
Set-ExecutionPolicy POLICY -Scope SCOPE # Can set policy if proper rights given. Limited to user session

1
2
3
4
5

# The command "wmic" is suited for CMD where as Powershell utilizes "Get-WmiObject" and "Invoke-WmiMethod
wmic # Used in CMD
Get-WmiObject # Get instances or information of WMI classes
Get-WmiObject win32_useraccount # List user accounts with sid
Invoke-WmiMethod # Get methods of WMI objects

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

# Environment
set 
systeminfo

# Check quick fix
wmic qfe
Get-HotFix | ft -AutoSize  # pwsh

# List installed programs
wmic product get name 
Get-WmiObject -Class Win32_Product |  select Name, Version  # pwsh

# User & Group
query user # w in linux
net user # list users
net localgroup # list groups
net localgroup GROUP # list members of the group