Get-NetTCPConnection -State EstablishedGet-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache*If this command returns an error check if your version is correct. If that is the case then no connection was made from office.
Get-ChildItem -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\Get-SmbShareqwinsta /server:localhostGet-CimInstance -ClassName Win32_StartupCommand |
Select-Object -Property Command, Description, User, Location |
Out-GridViewGet-WinEvent -FilterHashtable @{LogName='Security';ID=4688} -MaxEvents 10 | Format-List *$SecurityEvents = Get-EventLog -LogName security -After (Get-Date).AddDays(-2)
$SecurityEvents | Group-Object -Property EventID -NoElement | Sort-Object -Property Count -Descending$SecurityEvents = Get-EventLog -LogName security -After (Get-Date).AddDays(-2)
$SecurityEvents | Group-Object -Property EventID -NoElement | Sort-Object -Property Count -Descendingquery user /server:$servernet localgroup administratorsGet-LocalUser | Format-Table Get-Process explorer | Format-List *Get-WmiObject Win32_Process | Select-Object Name, ProcessId, CommandLine, Path | Format-ListhistoryStop-Process -Name "Teams"Stop-Process -ID 666Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"} | Format-ListGet-ScheduledTask | Where-Object {$_.State -ne "Disabled"} | Get-ScheduledTaskInfo$InstalledSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"
foreach($obj in $InstalledSoftware){write-host $obj.GetValue('DisplayName') -NoNewline; write-host " - " -NoNewline; write-host $obj.GetValue('DisplayVersion')}Get-WinEvent -ProviderName msiinstaller | where id -eq 1033 | select timecreated,message | FL *Get-Service | Where-Object {$_.Status -eq "Running"} | format-listGet-Item .\DFIR-Script.ps1 -Stream *Get-Content .\DFIR-Script.ps1Get-Content .\DFIR-Script.ps1 -Encoding Byte | Format-hexGet-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\
# based on the list select an ID to further investigate
(Get-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\).71 | Format-Hex$encodedstring = "aHR0cHM6Ly90aGlzaXNhbWFsaWNpb3VzZG9tYWluLmNvbS9kb3dubG9hZC9tYWx3YXJlLmV4ZQ=="
[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($encodedstring))Get-FileHash -Algorithm SHA1 -Path C:\Users\User\AppData\Roaming\Microsoft\MaliciousFile.exeGet-FileHash -Algorithm MD5 -Path C:\Users\User\AppData\Roaming\Microsoft\MaliciousFile.exeGet-FileHash -Algorithm SHA256 -Path C:\Users\User\AppData\Roaming\Microsoft\MaliciousFile.exeGet-PnpDeviceFor the best results run the retrieval of the logs as local admin. Otherwise not all logs can be collected.
$eventLogs = 'Application', 'System', 'Security'
foreach ($logName in $eventLogs) {
# Get event log entries for the specified log name
$entries = Get-EventLog -LogName $logName
# Append entries to the logEntries array
$logEntries += $entries
}
$logEntriesGet-EventLog -LogName Security$ExecutionDate = $(get-date -f yyyy-MM-dd)
$OutputName = "SecurityEvents-$ExecutionDate.csv"
Get-EventLog -LogName Security | Export-Csv -Path $OutputName -NoTypeInformation
if (Test-Path -Path $OutputName) {
$folderPath = (Get-Item $OutputName).DirectoryName
Write-Host "Output File Location: $folderPath\$OutputName"
} else {
Write-Host "File does not exist."
}List the defender exclusions that are defined for your (local) machine.
Get-MpPreference | Select-Object -ExpandProperty ExclusionIpAddressGet-MpPreference | Select-Object -ExpandProperty ExclusionPathGet-MpPreference | Select-Object -ExpandProperty ExclusionProcessGet-MpPreference | Select-Object -ExpandProperty ExclusionExtension