Fast PowerShell Commands For Cybersecurity Experts


Use these PowerShell commands and scripts to extend your cybersecurity toolkit.

There are a lot of things you can do with PowerShell, and we thought it would be useful to share some commands and scripts that you can use to investigate a compromised system during digital forensics.

  • First, we have listed 5 commands that you can adapt to quickly find files and directories with PowerShell.
  • Then there is a script that will tell you which files have been newly created in a specific folder.
  • There is also a PowerShell script that tells you which users have logged into a specific system.
  • We also have a script that tells you which files have been accessed by which user.

Now as you can imagine, these are powerful commands that one day might be very helpful. So bookmark them for future usage.

5 PowerShell Commands that you can use to Search for files on your Windows system

Here are five PowerShell commands that you can use to search for files on any Windows system:

  1. Search for Files by Name:
    • Get-ChildItem -Path C:\ -Filter "filename.ext" -Recurse
    • Replace “filename.ext” with the name of the file you’re looking for. This command searches the entire C:\ drive recursively.
  2. Search for Files by Extension:
    • Get-ChildItem -Path C:\ -Filter "*.txt" -Recurse
    • Replace “*.txt” with the file extension you want to search for. This command will search for all files with the “.txt” extension.
  3. Search for Files by Modified Date:
    • Get-ChildItem -Path C:\ -Recurse | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
    • This command searches for files modified within the last 7 days on the C:\ drive. You can adjust the number of days as needed.
  4. Search for Hidden Files:
    • Get-ChildItem -Path C:\ -Hidden -Recurse
    • This command searches for hidden files on the C:\ drive. Hidden files are typically system files or configuration files.
  5. Search for Large Files:
    • Get-ChildItem -Path C:\ -File -Recurse | Where-Object { $_.Length -gt 100MB }
    • This command searches for files larger than 100 megabytes on the C:\ drive. You can change the file size threshold as required.

Remember to replace “C:\” with the directory path where you want to start your search. These PowerShell commands provide flexibility for searching files based on different criteria.
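The five one-liners above each answer one question. During triage you usually want all of them at once, with the result in a file you can attach to the case. The function below is an added example, not part of the original article: it combines the name, date, hidden and size criteria into a single walk, records which criteria each file matched, and writes a CSV. The paths, the 7-day window and the 100MB threshold are placeholder defaults you adjust per investigation.

```powershell
# Added example (not from the original article). Combines the five search criteria into one
# reusable function that writes a CSV report. Defaults are placeholders for the case at hand.
function Find-TriageFiles {
    param(
        [string] $Path         = 'C:\',
        [string] $NamePattern  = '*',          # e.g. 'invoice*.exe' or '*.ps1'
        [int]    $ModifiedDays = 7,            # look back this many days
        [long]   $MinBytes     = 100MB,        # "large file" threshold
        [switch] $IncludeHidden,               # also report hidden/system files
        [string] $ReportPath   = "$env:TEMP\triage-files.csv"
    )

    $since = (Get-Date).AddDays(-$ModifiedDays)

    # -Force makes hidden and system files visible to the walk; access-denied errors on
    # protected folders are collected in $walkErrors instead of aborting the search.
    $items = Get-ChildItem -Path $Path -Filter $NamePattern -File -Recurse -Force `
                 -ErrorAction SilentlyContinue -ErrorVariable walkErrors

    $rows = foreach ($f in $items) {
        $isHidden = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
        if ($isHidden -and -not $IncludeHidden) { continue }

        $recent = $f.LastWriteTime -ge $since
        $large  = $f.Length -ge $MinBytes
        # Keep anything that matches at least one criterion and record which ones fired,
        # so the analyst can sort the report by them.
        if (-not ($recent -or $large -or $isHidden)) { continue }

        [pscustomobject]@{
            FullName         = $f.FullName
            Extension        = $f.Extension
            SizeBytes        = $f.Length
            LastWriteTime    = $f.LastWriteTime
            CreationTime     = $f.CreationTime
            Hidden           = $isHidden
            RecentlyModified = $recent
            Large            = $large
        }
    }

    $rows | Sort-Object LastWriteTime -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host ("{0} file(s) written to {1}; {2} path(s) could not be read" -f @($rows).Count, $ReportPath, $walkErrors.Count)
    return $rows
}

# Usage: files under C:\Users changed in the last 3 days or larger than 50MB, hidden ones included
Find-TriageFiles -Path 'C:\Users' -ModifiedDays 3 -MinBytes 50MB -IncludeHidden
```

The count of unreadable paths is reported on purpose: on a live system, folders you could not read are themselves a finding, not something to silently skip.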

Check which files have been created

You can use PowerShell to list files created in the last 3 days on a system and calculate their SHA-256, SHA-1, and MD5 checksums.

Here’s a PowerShell script that accomplishes this:

$targetDirectory = "C:\Your\Target\Directory"
$outputFile = "C:\Path\To\output.txt"

$threeDaysAgo = (Get-Date).AddDays(-3)

# Files whose creation timestamp falls within the last 3 days
$files = Get-ChildItem -Path $targetDirectory -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $threeDaysAgo }

foreach ($file in $files) {
    # Get-FileHash accepts a single -Algorithm value, so it is called once per algorithm
    $sha256 = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $sha1   = (Get-FileHash -Path $file.FullName -Algorithm SHA1).Hash
    $md5    = (Get-FileHash -Path $file.FullName -Algorithm MD5).Hash

    $output = "File: $($file.FullName)"
    $output += "`r`nSHA-256: $sha256"
    $output += "`r`nSHA-1: $sha1"
    $output += "`r`nMD5: $md5"
    $output | Out-File -Append -FilePath $outputFile
}

Write-Host "File information has been saved to $outputFile"

Make sure to replace "C:\Your\Target\Directory" with the directory you want to search in, and "C:\Path\To\output.txt" with the path where you want to save the output.

This script will find files created in the last 3 days, calculate their SHA-256, SHA-1, and MD5 checksums, and save the results to the specified output file.

Please note that calculating checksums for a large number of files can take some time, so be patient when running this script on directories with many files.

See which Users Have Logged In on A System (4624)

You can check the history of user logins on a Windows system using PowerShell. One common way to do this is by examining the Windows Security Event Log and searching for event ID 4624 [1] (An account was successfully logged on).

Here’s how you can retrieve login history using PowerShell:

# Get user login history from the Security Event Log (reading it requires an elevated session)
$loginEvents = Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4624)]]" | Sort-Object TimeCreated

# Display login events
foreach ($event in $loginEvents) {
    $eventTime = $event.TimeCreated
    $user = $event.Properties[5].Value        # TargetUserName: the account that logged on
    $ipAddress = $event.Properties[18].Value  # IpAddress: "-" for local logons
    $message = "User '$user' logged in at $eventTime from IP address $ipAddress"
    Write-Host $message
}
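An unfiltered 4624 list on a busy host is mostly machine accounts, SYSTEM and service logons. The function below is an added example, not part of the original article: it restricts the query to a time window (filtering inside the query is far faster than reading the whole log), keeps only the logon types you would triage first, drops the noise accounts, and collapses the rest into one line per account, source address and logon type with a count and first/last seen. It assumes an elevated session; the 7-day window is a placeholder.

```powershell
# Added example (not from the original article). Summarises 4624 logon events per account
# and source address. Assumes an elevated session; $Days is a placeholder you adjust.
function Get-LogonSummary {
    param(
        [int] $Days = 7,
        # Logon types worth triaging first: 2 interactive, 3 network, 7 unlock,
        # 10 remote interactive (RDP), 11 cached interactive.
        [int[]] $LogonTypes = @(2, 3, 7, 10, 11)
    )

    # Filtering by time in the query itself avoids reading the whole Security log
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $p = $e.Properties
        $user      = $p[5].Value        # TargetUserName
        $domain    = $p[6].Value        # TargetDomainName
        $logonType = [int]$p[8].Value   # LogonType
        $ip        = $p[18].Value       # IpAddress ("-" for local logons)

        # Skip machine accounts (COMPUTERNAME$) and built-in identities that generate constant noise
        if ($user -like '*$' -or $user -in @('SYSTEM', 'ANONYMOUS LOGON')) { continue }
        if ($logonType -notin $LogonTypes) { continue }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Account     = "$domain\$user"
            LogonType   = $logonType
            SourceIp    = $ip
            Workstation = $p[11].Value  # WorkstationName
        }
    }

    # One line per (account, source, logon type): what you scan for an unfamiliar
    # address, an unusual hour, or an account that should never log on remotely.
    $rows | Group-Object Account, SourceIp, LogonType | ForEach-Object {
        $sorted = @($_.Group | Sort-Object TimeCreated)
        [pscustomobject]@{
            Account   = $sorted[0].Account
            SourceIp  = $sorted[0].SourceIp
            LogonType = $sorted[0].LogonType
            Count     = $_.Count
            FirstSeen = $sorted[0].TimeCreated
            LastSeen  = $sorted[-1].TimeCreated
        }
    } | Sort-Object LastSeen -Descending
}

Get-LogonSummary -Days 7 | Format-Table -AutoSize
```

Keep the raw per-event rows as well if you need them for a timeline; the grouped view is for spotting what to look at first, not a replacement for the evidence.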

Find accessed files with PowerShell

To check which user has accessed files in the last 7 days on a Windows system using PowerShell, you can examine the Windows Security Event Log for event ID 4663 [2] (An attempt was made to access an object). These events are only written when file system auditing is enabled and the files carry an audit (SACL) entry.

Here’s how you can do it:

# Define the target directory whose file access events will be checked
$targetDirectory = "C:\Path\To\Your\Directory"

# Calculate the start date for the search (7 days ago)
$startDate = (Get-Date).AddDays(-7)

# Get file access events (4663) from the Security Event Log.
# They are only recorded when "Audit File System" is enabled and the files have an audit (SACL) entry.
$xEvents = Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4663)]]" | Sort-Object TimeCreated

# Iterate through the access events and identify the user
foreach ($event in $xEvents) {
    $eventTime  = $event.TimeCreated
    $objectName = $event.Properties[6].Value  # ObjectName: full path of the accessed file
    $user       = $event.Properties[1].Value  # SubjectUserName: the user who performed the action

    # Check if the event is related to the target directory and occurred within the last 7 days
    if ($objectName -like "$targetDirectory*" -and $eventTime -ge $startDate) {
        Write-Host "User '$user' accessed '$objectName' at $eventTime"
    }
}
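Two things bite in practice with 4663: an empty result may mean auditing was never switched on rather than that nobody touched the files, and a single open can produce several events. The function below is an added example, not part of the original article: it checks the "File System" audit subcategory with auditpol before querying, filters the query by time, matches the object path against the directory prefix, and summarises per user and file with the access rights and the process that opened the handle. It assumes an elevated session on an English-language system (the auditpol text match) and that the directory has SACL entries; the path is a placeholder.

```powershell
# Added example (not from the original article). Per-user, per-file summary of 4663 events
# under a directory, with a check that file system auditing is on. Assumes an elevated session,
# English auditpol output, and audit (SACL) entries on the files; the path is a placeholder.
function Get-FileAccessSummary {
    param(
        [Parameter(Mandatory)] [string] $Directory,
        [int] $Days = 7
    )

    # auditpol reports the "File System" subcategory state; if it shows "No Auditing",
    # an empty result below means "not recorded", not "nobody touched the files".
    $audit = auditpol /get /subcategory:"File System" 2>$null
    if ($audit -match 'No Auditing') {
        Write-Warning 'Audit File System is disabled; 4663 events are not being generated.'
    }

    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Normalise the directory so "C:\Data" and "C:\Data\" match the same prefix
    $prefix = $Directory.TrimEnd('\') + '\'

    $rows = foreach ($e in $events) {
        $p = $e.Properties
        $object = [string]$p[6].Value   # ObjectName: full path of the file
        if (-not $object.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { continue }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            User        = "$($p[2].Value)\$($p[1].Value)"   # SubjectDomainName\SubjectUserName
            Object      = $object
            # AccessList holds access-right codes such as %%4416 (ReadData) or %%4417 (WriteData)
            Access      = ([string]$p[8].Value).Trim() -replace '\s+', ','
            Process     = $p[11].Value   # ProcessName that opened the handle
        }
    }

    $rows | Group-Object User, Object | ForEach-Object {
        $sorted = @($_.Group | Sort-Object TimeCreated)
        [pscustomobject]@{
            User      = $sorted[0].User
            Object    = $sorted[0].Object
            Count     = $_.Count
            FirstSeen = $sorted[0].TimeCreated
            LastSeen  = $sorted[-1].TimeCreated
            Processes = ($sorted.Process | Sort-Object -Unique) -join ';'
        }
    } | Sort-Object LastSeen -Descending
}

Get-FileAccessSummary -Directory 'C:\Path\To\Your\Directory' -Days 7 | Format-Table -AutoSize
```

The process column is often the most useful field: the same file read by explorer.exe and by an unexpected binary tells a different story, and 4663 records it for you.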
[1] https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
[2] https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663

Tech Team https://cyberwarzone.com

The Tech Team at Cyberwarzone.com is a collective of cybersecurity aficionados, each a specialist in their respective field. This ensemble includes seasoned DFIR mavens, management strategists, and cybersecurity tacticians.
