====== PowerShell Cookbook ======
===== Network =====
==== Show all Listeners on Port 22/tcp ====
<code powershell>
Get-NetTCPConnection -State Listen -LocalPort 22
</code>
Example:
<code>
PS C:\> Get-NetTCPConnection -State Listen -LocalPort 22

LocalAddress LocalPort RemoteAddress RemotePort State  AppliedSetting OwningProcess
------------ --------- ------------- ---------- -----  -------------- -------------
::           22        ::            0          Listen                2588
0.0.0.0      22        0.0.0.0       0          Listen                2588
</code>
==== Show all Established Connections of a specific TCP Process ====
In this example the sshd process (Win32-OpenSSH Server) is used. Several sshd processes may be running at once (one per session); ''(Get-Process -Name sshd).Id'' returns all of their IDs and ''-OwningProcess'' accepts the whole array, so only the process that actually owns sockets shows up in the result.
<code powershell>
Get-NetTCPConnection -OwningProcess (Get-Process -Name sshd).Id -State Established -ErrorAction SilentlyContinue
</code>
Example:
<code>
PS C:\> Get-NetTCPConnection -OwningProcess (Get-Process -Name sshd).Id -State Established -ErrorAction SilentlyContinue

LocalAddress LocalPort RemoteAddress RemotePort State       AppliedSetting OwningProcess
------------ --------- ------------- ---------- -----       -------------- -------------
192.0.2.150  22        192.0.2.1     54497      Established Internet       2588
</code>
The three sshd processes on this host, of which only PID 2588 owns sockets:
<code>
PS C:\> Get-Process -Name sshd

Handles NPM(K) PM(K) WS(K) CPU(s)   Id SI ProcessName
------- ------ ----- ----- ------   -- -- -----------
    128     12  1880  7464   0.05 2588  0 sshd
    139     10  2496  8444   0.06 6228  0 sshd
    145     10  2428  8476   0.03 6808  0 sshd
</code>
Without ''-State'', listeners and established connections are shown together:
<code>
PS C:\> Get-NetTCPConnection -OwningProcess (Get-Process -Name sshd).Id -ErrorAction SilentlyContinue

LocalAddress LocalPort RemoteAddress RemotePort State       AppliedSetting OwningProcess
------------ --------- ------------- ---------- -----       -------------- -------------
::           22        ::            0          Listen                     2588
192.0.2.150  22        192.0.2.1     54497      Established Internet       2588
0.0.0.0      22        0.0.0.0       0          Listen                     2588
</code>
==== Show all UDP Connections ====
<code powershell>
Get-NetUDPEndpoint | Select-Object Local*,CreationTime,OwningProcess,@{n="Process";e={(Get-Process -Id $_.OwningProcess).Name}} | Sort-Object LocalAddress,LocalPort | Format-Table -AutoSize
</code>
Example:
<code>
PS C:\> Get-NetUDPEndpoint | Select-Object Local*,CreationTime,OwningProcess,@{n="Process";e={(Get-Process -Id $_.OwningProcess).Name}} | Sort-Object LocalAddress,LocalPort | Format-Table -AutoSize

LocalAddress LocalPort CreationTime          OwningProcess Process
------------ --------- ------------          ------------- -------
::           123       9/29/2024 11:18:37 AM 2652          svchost
::           3389      9/24/2024 7:43:21 PM  300           svchost
::           3702      9/29/2024 11:18:26 AM 3508          svchost
::           5353      9/29/2024 11:18:20 AM 1540          svchost
::           5355      9/29/2024 7:35:47 PM  1540          svchost
::           57681     9/24/2024 7:43:24 PM  3508          svchost
::           63725     9/29/2024 11:25:12 AM 1540          svchost
0.0.0.0      123       9/29/2024 11:18:37 AM 2652          svchost
0.0.0.0      3389      9/24/2024 7:43:21 PM  300           svchost
0.0.0.0      3702      9/29/2024 11:18:26 AM 3508          svchost
0.0.0.0      5353      9/29/2024 11:18:20 AM 1540          svchost
0.0.0.0      5355      9/29/2024 7:35:47 PM  1540          svchost
0.0.0.0      57680     9/24/2024 7:43:24 PM  3508          svchost
127.0.0.1    62923     9/24/2024 7:43:22 PM  2384          svchost
192.0.2.150  137       9/24/2024 7:43:20 PM  4             System
192.0.2.150  138       9/24/2024 7:43:20 PM  4             System
</code>
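The three recipes above can be combined into one listener inventory: every listening TCP port and bound UDP port, resolved to the owning process name and image path, with endpoints bound to all interfaces (''0.0.0.0'' / ''::'') flagged for comparison against the host firewall or service baseline. This is an added example, not code from the original page; the function name ''Get-ListeningEndpointInventory'' is an assumption. Run it elevated so that the image path of every process is readable.

```powershell
# Added example: inventory of listening TCP and bound UDP endpoints with owner resolution.
function Get-ListeningEndpointInventory {
    [CmdletBinding()]
    param()

    # One Get-Process call up front, keyed by PID, instead of one call per socket.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_ }

    function New-Row($Protocol, $Address, $Port, [uint32]$ProcId) {
        $p = $procs[[int]$ProcId]
        $path = $null
        # Path is $null for kernel/system processes and may throw without admin rights.
        if ($p) { try { $path = $p.Path } catch { } }
        [pscustomobject]@{
            Protocol      = $Protocol
            LocalAddress  = $Address
            LocalPort     = $Port
            AllInterfaces = $Address -in '0.0.0.0', '::'   # reachable on every interface
            OwningProcess = $ProcId
            Process       = if ($p) { $p.ProcessName } else { '<exited>' }
            Path          = $path
        }
    }

    $rows = @()
    $rows += Get-NetTCPConnection -State Listen | ForEach-Object {
        New-Row 'TCP' $_.LocalAddress $_.LocalPort $_.OwningProcess
    }
    $rows += Get-NetUDPEndpoint | ForEach-Object {
        New-Row 'UDP' $_.LocalAddress $_.LocalPort $_.OwningProcess
    }
    $rows | Sort-Object Protocol, LocalPort, LocalAddress
}

# Usage: everything exposed on all interfaces, with the binary behind it.
Get-ListeningEndpointInventory | Where-Object AllInterfaces |
    Format-Table Protocol, LocalPort, Process, OwningProcess, Path -AutoSize
```

Anything in the ''AllInterfaces'' rows that is not an expected service (here sshd on 22/tcp, NTP, RDP, LLMNR/mDNS on svchost) deserves a look at its ''Path''.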
===== EventLog =====
==== List all Users with a Temporary Profile ====
Limited to the last 30 days.
<code powershell>
Get-EventLog Application -EntryType "Error" -InstanceId 1511 -Source "Microsoft-Windows-User Profiles Service" -After (Get-Date).AddDays(-30) | Where-Object { $_.Message -like "*logging you on with a temporary profile*" } | Select-Object TimeGenerated,UserName,Message
</code>
Example:
<code>
PS C:\> Get-EventLog Application -EntryType "Error" -InstanceId 1511 -Source "Microsoft-Windows-User Profiles Service" -After (Get-Date).AddDays(-30) | Where-Object { $_.Message -like "*logging you on with a temporary profile*" } | Select-Object TimeGenerated,UserName,Message

TimeGenerated       UserName       Message
-------------       --------       -------
07.03.2024 16:02:57 MYDOMAIN\user1 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 15:34:09 MYDOMAIN\user1 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 15:32:24 MYDOMAIN\user2 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 13:40:41 MYDOMAIN\user3 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 12:36:36 MYDOMAIN\user2 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 11:25:54 MYDOMAIN\user3 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 08:57:32 MYDOMAIN\user1 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
</code>
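The same event 1511 query written with ''Get-WinEvent'' (which exists in both Windows PowerShell 5.1 and PowerShell 7, whereas ''Get-EventLog'' is 5.1 only), summarised per user so that accounts that keep landing in a temporary profile stand out. This is an added example, not part of the original page; ''Get-TemporaryProfileSummary'' is an assumed name, and the SID-to-account translation only succeeds while the account still resolves.

```powershell
# Added example: per-user summary of "temporary profile" logons from event 1511.
function Get-TemporaryProfileSummary {
    param([int]$Days = 30)

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-User Profiles Service'
        Id           = 1511
        Level        = 2                           # 2 = Error
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error (not an empty result) when nothing matches.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*logging you on with a temporary profile*' }

    $events | ForEach-Object {
        # The record carries the user's SID; translate it to DOMAIN\user where possible.
        $sid  = $_.UserId
        $name = if ($sid) { $sid.Value } else { '<unknown>' }
        if ($sid) {
            try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        }
        [pscustomobject]@{ User = $name; TimeCreated = $_.TimeCreated }
    } | Group-Object User | ForEach-Object {
        $times = @($_.Group.TimeCreated | Sort-Object)
        [pscustomobject]@{
            User      = $_.Name
            Count     = $_.Count
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
        }
    } | Sort-Object Count -Descending
}

# Usage: who hit a temporary profile in the last 30 days, most frequent first.
Get-TemporaryProfileSummary -Days 30 | Format-Table -AutoSize
```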
===== Quick Assist =====
If your organization does not use Quick Assist, you can remove it and block its use to reduce the attack surface.
Source: [[https://x.com/NathanMcNulty/status/1790992514041995357]]
Uninstall the app for all users:
<code powershell>
Get-AppxPackage -Name MicrosoftCorporationII.QuickAssist -AllUsers | Remove-AppxPackage -AllUsers
</code>
Prevent DNS resolution of the Quick Assist service endpoint by pointing its namespace at a name server that will not answer:
<code powershell>
Add-DnsClientNrptRule -Namespace "remoteassistance.support.services.microsoft.com" -NameServers "10.0.0.0"
</code>
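A check that both controls are actually in place on a host, with an optional switch that applies the two commands above where they are missing. This is an added example, not from the original page or the cited source; ''Test-QuickAssistHardening'' is an assumed name, and it must run elevated for ''-AllUsers'' and the NRPT cmdlets to work.

```powershell
# Added example: verify (and optionally apply) the Quick Assist removal and the NRPT block.
function Test-QuickAssistHardening {
    param([switch]$Remediate)

    $pkgName = 'MicrosoftCorporationII.QuickAssist'
    $ns      = 'remoteassistance.support.services.microsoft.com'

    $pkg  = Get-AppxPackage -Name $pkgName -AllUsers -ErrorAction SilentlyContinue
    # Namespace on an NRPT rule is a string array; -contains handles both one and many.
    $rule = Get-DnsClientNrptRule | Where-Object { $_.Namespace -contains $ns }

    if ($Remediate) {
        if ($pkg)       { $pkg | Remove-AppxPackage -AllUsers }
        if (-not $rule) { Add-DnsClientNrptRule -Namespace $ns -NameServers '10.0.0.0' }
        # Re-read the state so the result reflects what was applied.
        return Test-QuickAssistHardening
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        AppxInstalled = [bool]$pkg
        NrptRuleFound = [bool]$rule
        Compliant     = (-not $pkg) -and [bool]$rule
    }
}

# Usage: report only; add -Remediate to apply the missing control(s).
Test-QuickAssistHardening | Format-List
```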