Gathering Artifacts
Powershell
How to gather some basic artifacts when you can’t query remotely
Autostart
Look for some autostart locations
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Format-List
Logs
Get log entries from the last day (the two statements below are separate commands)
$yesterday = (Get-Date) - (New-TimeSpan -Days 1)
Get-WinEvent -LogName "Windows PowerShell" | Where-Object {$_.TimeCreated -ge $yesterday}
Count the number of events
$events = Get-WinEvent -LogName "Windows PowerShell"
$events.Count
Limit the output to the first 100 events
..... | Select-Object -First 100
Drivers
Get loaded drivers
Get-WindowsDriver -Online -All
Directory Walk
Get-ChildItem -Path <path> -Recurse -Force
Users
net user
Network
netstat.exe -ano
Process
Get-Process | Select-Object Name, Id, ProductVersion, Company
Outputting to file
Pipe any of the commands above into a file named after the host; add -Append to keep adding to the same file
..... | Out-File -FilePath "<path>\$env:COMPUTERNAME.txt" [-Append]
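The commands above wrapped into one collection script, added here as an example and not part of the original notes. It assumes Windows PowerShell 5.1 run as Administrator, and $OutRoot is a placeholder for wherever the output should land; the directory walk is left out because it needs a target path of your choosing.

```powershell
# Added example: run each collector from the notes, write one file per
# artifact into a per-host folder, and record SHA-256 hashes of the results.
param(
    [string]$OutRoot = 'C:\Triage'   # placeholder output root, not from the notes
)

$hostName = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir   = Join-Path $OutRoot "$hostName-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Same 24-hour window as the log example above.
$yesterday = (Get-Date) - (New-TimeSpan -Days 1)

# Name -> script block. Each one runs independently so a missing cmdlet
# (e.g. the DISM module behind Get-WindowsDriver) does not stop the rest.
$collectors = [ordered]@{
    'autostart'  = { Get-CimInstance Win32_StartupCommand |
                     Select-Object Name, Command, Location, User | Format-List }
    'ps-log-24h' = { Get-WinEvent -LogName 'Windows PowerShell' -ErrorAction Stop |
                     Where-Object { $_.TimeCreated -ge $yesterday } |
                     Select-Object -First 100 | Format-List }
    'drivers'    = { Get-WindowsDriver -Online -All |
                     Select-Object Driver, OriginalFileName, ProviderName, Date |
                     Format-Table -AutoSize }
    'users'      = { net user }
    'network'    = { netstat.exe -ano }
    'processes'  = { Get-Process |
                     Select-Object Name, Id, ProductVersion, Company |
                     Format-Table -AutoSize }
}

foreach ($name in $collectors.Keys) {
    $file = Join-Path $outDir "$name.txt"
    try {
        & $collectors[$name] 2>&1 | Out-File -FilePath $file -Width 4096
    } catch {
        "$name failed: $($_.Exception.Message)" |
            Out-File -FilePath (Join-Path $outDir 'errors.txt') -Append
    }
}

# Manifest of hashes so later tampering or transfer corruption is detectable.
Get-ChildItem -Path $outDir -Filter '*.txt' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $outDir 'manifest.csv') -NoTypeInformation
```

Copy the whole folder off the host together with manifest.csv, and re-run Get-FileHash on the copy to confirm nothing changed in transit.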