PowerShell Cookbook

Network

Show all Listeners on Port 22/tcp

Get-NetTCPConnection -State Listen -LocalPort 22
Example
PS C:\> Get-NetTCPConnection -State Listen -LocalPort 22

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting OwningProcess
------------                        --------- -------------                       ---------- -----       -------------- -------------
::                                  22        ::                                  0          Listen                     2588
0.0.0.0                             22        0.0.0.0                             0          Listen                     2588

Show all Established Connections of a specific TCP Process

In this example, the process sshd (Win32-OpenSSH Server) is used.

Get-NetTCPConnection -OwningProcess (Get-Process -Name sshd).Id -State Established -ErrorAction SilentlyContinue
Example
PS C:\> Get-NetTCPConnection -OwningProcess (Get-Process -Name sshd).Id -State Established -ErrorAction SilentlyContinue

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting OwningProcess
------------                        --------- -------------                       ---------- -----       -------------- -------------
192.0.2.150                         22        192.0.2.1                           54497      Established Internet       2588
Additional Information
PS C:\> Get-Process -Name sshd

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    128      12     1880       7464       0.05   2588   0 sshd
    139      10     2496       8444       0.06   6228   0 sshd
    145      10     2428       8476       0.03   6808   0 sshd
    
PS C:\> Get-NetTCPConnection -OwningProcess (Get-Process -Name sshd).Id -ErrorAction SilentlyContinue

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting OwningProcess
------------                        --------- -------------                       ---------- -----       -------------- -------------
::                                  22        ::                                  0          Listen                     2588
192.0.2.150                         22        192.0.2.1                           54497      Established Internet       2588
0.0.0.0                             22        0.0.0.0                             0          Listen                     2588

Show all UDP Connections

Get-NetUDPEndpoint | Select-Object Local*,CreationTime,OwningProcess,@{n="Process";e={(Get-Process -Id $_.OwningProcess).Name}} | Sort-Object LocalAddress,LocalPort | Format-Table -AutoSize
Example
PS C:\> Get-NetUDPEndpoint | Select-Object Local*,CreationTime,OwningProcess,@{n="Process";e={(Get-Process -Id $_.OwningProcess).Name}} | Sort-Object LocalAddress,LocalPort | Format-Table -AutoSize

LocalAddress  LocalPort CreationTime          OwningProcess Process
------------  --------- ------------          ------------- -------
::                  123 9/29/2024 11:18:37 AM          2652 svchost
::                 3389 9/24/2024 7:43:21 PM            300 svchost
::                 3702 9/29/2024 11:18:26 AM          3508 svchost
::                 5353 9/29/2024 11:18:20 AM          1540 svchost
::                 5355 9/29/2024 7:35:47 PM           1540 svchost
::                57681 9/24/2024 7:43:24 PM           3508 svchost
::                63725 9/29/2024 11:25:12 AM          1540 svchost
0.0.0.0             123 9/29/2024 11:18:37 AM          2652 svchost
0.0.0.0            3389 9/24/2024 7:43:21 PM            300 svchost
0.0.0.0            3702 9/29/2024 11:18:26 AM          3508 svchost
0.0.0.0            5353 9/29/2024 11:18:20 AM          1540 svchost
0.0.0.0            5355 9/29/2024 7:35:47 PM           1540 svchost
0.0.0.0           57680 9/24/2024 7:43:24 PM           3508 svchost
127.0.0.1         62923 9/24/2024 7:43:22 PM           2384 svchost
192.0.2.150         137 9/24/2024 7:43:20 PM              4 System
192.0.2.150         138 9/24/2024 7:43:20 PM              4 System
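The three recipes above can be combined into one socket inventory. The following is an added example (not part of the original cookbook): it lists every TCP listener and UDP endpoint with the owning process name and executable path, flags sockets bound to all interfaces, and writes a CSV baseline to compare against later. Run it elevated so that Path is populated for service processes; the CSV location is an assumption.

```powershell
# Added example, not from the original cookbook. Builds a socket inventory from
# Get-NetTCPConnection and Get-NetUDPEndpoint, joined with process information.
$procs = @{}
Get-Process | ForEach-Object { $procs[[uint32]$_.Id] = $_ }   # uint32 keys to match OwningProcess

function Get-SocketInventory {
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Select-Object @{n='Protocol';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Select-Object @{n='Protocol';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

    @($tcp) + @($udp) | ForEach-Object {
        $p = $procs[[uint32]$_.OwningProcess]
        $name = if ($p) { $p.Name } else { '<exited>' }
        # Path stays empty for System (PID 4) and for protected processes
        $path = if ($p -and $p.Path) { $p.Path } else { '' }
        [pscustomobject]@{
            Protocol      = $_.Protocol
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            OwningProcess = $_.OwningProcess
            Process       = $name
            Path          = $path
            AllInterfaces = $_.LocalAddress -in @('0.0.0.0', '::')
        }
    }
}

$inventory = Get-SocketInventory | Sort-Object Protocol, LocalPort, LocalAddress
# Sockets reachable from the network deserve the closest look
$inventory | Where-Object AllInterfaces | Format-Table -AutoSize
# Baseline for later comparison (path is an assumption)
$inventory | Export-Csv -Path "$env:TEMP\socket-baseline.csv" -NoTypeInformation
```

Diffing a fresh inventory against the saved CSV (for example with Compare-Object on Protocol, LocalPort and Path) surfaces new listeners and changed binaries.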

EventLog

List all Users with a Temporary Profile

Limited to the last 30 days.

Get-EventLog Application -EntryType "Error" -InstanceId 1511 -Source "Microsoft-Windows-User Profiles Service" -After (Get-Date).AddDays(-30) | Where-Object { $_.Message -like "*logging you on with a temporary profile*" } | Select-Object TimeGenerated,UserName,Message

Example:

PS C:\> Get-Eventlog Application -EntryType "Error" -InstanceId 1511 -Source "Microsoft-Windows-User Profiles Service" -After (Get-Date).AddDays(-30) | Where-Object { $_.Message -like "*logging you on with a temporary profile*" } | Select-Object TimeGenerated,UserName,Message

TimeGenerated       UserName Message
-------------       -------- -------
07.03.2024 16:02:57 MYDOMAIN\user1 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 15:34:09 MYDOMAIN\user1 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 15:32:24 MYDOMAIN\user2 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 13:40:41 MYDOMAIN\user3 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 12:36:36 MYDOMAIN\user2 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 11:25:54 MYDOMAIN\user3 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
07.03.2024 08:57:32 MYDOMAIN\user1 Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
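The same search with Get-WinEvent, as an added example that is not part of the original cookbook: Get-EventLog only exists in Windows PowerShell, so this form is the one to use from PowerShell 7, and it adds a per-user count so that accounts that keep landing in a temporary profile stand out. Get-WinEvent exposes the user as a SID, which the example translates to DOMAIN\user.

```powershell
# Added example, not from the original cookbook.
function Get-TempProfileLogon {
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-User Profiles Service'
        Id           = 1511
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*logging you on with a temporary profile*' } |
        ForEach-Object {
            # Get-WinEvent gives the SID, not the account name; translate it
            $sid = $_.UserId
            $account = ''
            if ($sid) {
                try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $account = $sid.Value }   # orphaned SID, e.g. a deleted account
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                UserName    = $account
                Message     = $_.Message
            }
        }
}

$events = Get-TempProfileLogon -Days 30
$events | Select-Object TimeCreated, UserName | Format-Table -AutoSize
# Repeat offenders: the same user logged on with a temporary profile more than once
$events | Group-Object UserName | Where-Object Count -gt 1 |
    Sort-Object Count -Descending | Select-Object Count, Name
```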

Quick Assist

If your organization does not use Quick Assist, you can prevent its use to reduce the attack surface.

Source: https://x.com/NathanMcNulty/status/1790992514041995357

Uninstall the app for all users.

Get-AppxPackage -Name MicrosoftCorporationII.QuickAssist -AllUsers | Remove-AppxPackage -AllUsers

Prevent DNS resolution of the Quick Assist service endpoint with an NRPT rule that sends queries for that name to an unreachable name server.

Add-DnsClientNrptRule -Namespace "remoteassistance.support.services.microsoft.com" -NameServers "10.0.0.0"
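To confirm that both controls are in place on a host, the following added example (not from the original cookbook) checks that the package is gone for all users, that the NRPT rule exists, and that the name no longer resolves. Run it elevated; Get-AppxPackage -AllUsers requires it.

```powershell
# Added example, not from the original cookbook. Verifies the two Quick Assist
# controls above and returns one object with a boolean per check.
function Test-QuickAssistBlocked {
    $ns = 'remoteassistance.support.services.microsoft.com'

    # 1. Package removed for every user profile
    $pkg = Get-AppxPackage -Name MicrosoftCorporationII.QuickAssist -AllUsers

    # 2. NRPT rule for the namespace present (Namespace is a list on the rule object)
    $rule = Get-DnsClientNrptRule | Where-Object { $_.Namespace -contains $ns }

    # 3. Name does not resolve. With the rule pointing at 10.0.0.0 the query
    #    times out rather than returning NXDOMAIN, so this can take a few seconds.
    $dns = Resolve-DnsName -Name $ns -ErrorAction SilentlyContinue

    [pscustomobject]@{
        PackageRemoved  = -not $pkg
        NrptRulePresent = [bool]$rule
        NameUnresolved  = -not $dns
    }
}

$result = Test-QuickAssistBlocked
$result | Format-List
if (-not ($result.PackageRemoved -and $result.NrptRulePresent -and $result.NameUnresolved)) {
    Write-Warning 'Quick Assist is not fully blocked on this host.'
}
```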