Important PowerShell Commands for Cybersecurity Analysts
What You’ll Be Learning
PowerShell is a command-line interface and scripting language for task automation and configuration management. In this article, you will learn the basics of PowerShell along with the commands useful for any Cybersecurity professional.
Table of Contents
- Basic PowerShell commands and uses
- Files in PowerShell
- Commands to manipulate files
- Commands to import and remove modules in PowerShell
- Commands for daily security tasks
- Remote PowerShell commands
- Conclusion
Basic PowerShell commands and uses
Let’s begin by reviewing some fundamental PowerShell commands and use cases. These commands are the building blocks to create scripts that will help automate and review security-related tasks.
Get-Help
To get help or more details for a particular command, use the Get-Help cmdlet followed by the command you need help with. For example, if we run the following:
Get-Help Get-Process
we get additional help on that specific command.
You can view a list of all available help topics by typing Get-Help on its own.
Cmdlets
We just mentioned cmdlets, but what are they? Cmdlets are small, lightweight PowerShell commands designed to run tasks in place of traditional commands. A cmdlet returns its output as an object (or an array of objects), which also lets you pass that data to other cmdlets using pipes.
Cmdlets always contain a verb and a noun separated by a dash (for example, Get-DnsServer or Remove-ADGroup).
Examples of verbs you might see are:
- Get: get something
- Set: define something
- Start: run something
- Stop: stop something
- New: create something
Pipe
A pipe character | is used to pass data from one cmdlet to another. For example, pipes can be used to sort the output of one cmdlet and redirect that output to a file. Multiple pipes can be used in tandem to build more complex actions!
For example, to create a list of running processes on your machine, and save it to a file, we would use the command below:
Get-Process | Out-File c:\PS\powershell.txt
Learn more in the Out-File docs.
Using PowerShell to traverse directories
Commands for changing directories and viewing directory listings are the same as in the Linux command line and the Windows command prompt. Commands such as cd, dir, mkdir, ls, type, etc. will still work.
Learn more in the Managing Current Location docs.
Aliases
Aliases in PowerShell provide an alternative name for running a cmdlet. There are several shorthand aliases built in. For example, the ls command will generate the same results as Get-ChildItem.

```
PS C:\Users\U1D256> ls

    Directory: C:\Users\U1D256

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          11/5/2021 10:37 AM                .vscode
d-r---         11/16/2021  8:00 AM                Documents
d-r---         12/17/2021 10:02 AM                Downloads

PS C:\Users\U1D256> Get-ChildItem

    Directory: C:\Users\U1D256

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          11/5/2021 10:37 AM                .vscode
d-r---         11/16/2021  8:00 AM                Documents
d-r---         12/17/2021 10:02 AM                Downloads
```

All aliases can be viewed by running the alias command, and specific aliases can be viewed by specifying them; for example, alias cd. In the output below we see that the alias for cd is Set-Location.

```
PS C:\Users\U1D256> alias cd

CommandType     Name                 Version    Source
-----------     ----                 -------    ------
Alias           cd -> Set-Location
```
Files in PowerShell
In this section, we will learn how to:
- Read a file using the Get-Content cmdlet.
- Create a new file using the Set-Content cmdlet.
Reading from a file
Similar to the cat command in Linux, we can use the Get-Content cmdlet in PowerShell to read the contents of a file. When Get-Content is run, the contents of the file are read and the result can be stored in a variable for later use or displayed on the screen.
For example, we can use the command Get-Content /PS/Names.txt to read the file Names, which is saved on the local C drive in a folder named PS.

```
PS C:\> Get-Content /PS/Names.txt
Liam Johnson
Olivia Pope
Noah Clark
Emma Michaelson
Oliver Washington
Ava Miller
Elijah Williams
Charlotte Smith
Mohammed White
Jaris Rodriguez
```
Note: By adding the -TotalCount argument, we can specify how many lines we would like PowerShell to read from the top.
Get-Content <PATH> -TotalCount 5
Adding -TotalCount 5 shows the top five items in the Names.txt file.

```
PS C:\> Get-Content -TotalCount 5 /PS/Names.txt
Liam Johnson
Olivia Pope
Noah Clark
Emma Michaelson
Oliver Washington
```

The -Tail argument does the same but reads from the bottom of the file.
Writing content to a file
In addition to reading files, it is possible to write data to files, either by using the Set-Content cmdlet to create and overwrite files or the Add-Content cmdlet to append content to an existing file.

```
PS C:\> Set-Content -Value "Rachel Rose" -Path /PS/Names.txt
PS C:\> Get-Content /PS/Names.txt
Rachel Rose
PS C:\>
```
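As an added example (not from the article), here is a small investigation-notes file maintained with the cmdlets from this section. The file path is an assumption, and the folder C:\PS must already exist.

```powershell
# Added example: keep a running notes file with Set-Content, Add-Content and Get-Content.
$notesPath = 'C:\PS\incident-notes.txt'   # assumed path

function Add-NoteEntry {
    param([Parameter(Mandatory)][string]$Text)
    # Set-Content would overwrite the file, so it is used only once, to create the header.
    if (-not (Test-Path -Path $notesPath)) {
        Set-Content -Path $notesPath -Value "# Incident notes started $(Get-Date -Format s) by $env:USERNAME"
    }
    # Add-Content appends a line and keeps everything written so far.
    Add-Content -Path $notesPath -Value ("{0} {1}: {2}" -f (Get-Date -Format s), $env:USERNAME, $Text)
}

# Constructed entries, not real incident data.
Add-NoteEntry -Text 'Ticket opened: unusual outbound traffic from workstation WS-17'
Add-NoteEntry -Text 'Collected process list and saved it to C:\PS\powershell.txt'
Add-NoteEntry -Text 'Hash of suspicious binary submitted for analysis'

# Header only (first line), then the two most recent entries.
Get-Content -Path $notesPath -TotalCount 1
Get-Content -Path $notesPath -Tail 2

# Read the whole file into a variable for later use, e.g. to count entries.
$entries = Get-Content -Path $notesPath | Where-Object { $_ -notmatch '^#' }
"Entries so far: $($entries.Count)"
```

Running the script a second time appends three more entries rather than starting over, which is the difference between Set-Content and Add-Content in practice.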
Commands to manipulate files
In this section, you will learn how to use PowerShell to manipulate files.
ConvertTo
Structured data can be converted into different formats using PowerShell cmdlets; for example, from .txt to .csv. Some common ConvertTo cmdlets in PowerShell are:
- ConvertTo-Csv
- ConvertTo-Html
- ConvertTo-Json
- ConvertTo-Xml
See the Microsoft documentation for additional reading on the ConvertTo cmdlets.
ConvertFrom
Conversely, the ConvertFrom cmdlets create objects from different formats, typically from the strings generated by the ConvertTo cmdlets.
Some common ConvertFrom cmdlets in PowerShell are:
- ConvertFrom-Csv
- ConvertFrom-Json
- ConvertFrom-Markdown
- ConvertFrom-StringData
For example, the ConvertTo-Json cmdlet allows you to convert an object into a JSON-formatted string. The properties are converted to field names, the field values are converted to property values, and the methods are removed.

```
PS C:\Users> Get-Date
Thursday, December 30, 2021, 8:16:10 AM

PS C:\Users> Get-Date | ConvertTo-Json
{
  "value": "\/Date(1640870187485)\/",
  "DisplayHint": 2,
  "DateTime": "Thursday, December 30, 2021, 8:16:27 AM"
}

PS C:\Users> Get-Date | ConvertTo-Json | ConvertFrom-Json

value                 DisplayHint DateTime
-----                 ----------- --------
12/30/2021 1:16:41 PM           2 Thursday, December 30, 2021, 8:16:41 AM
```
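As an added example (not from the article), the JSON round trip above can be used to keep a service baseline: ConvertTo-Json stores a snapshot, ConvertFrom-Json loads it later, and the two are compared. The baseline path is an assumption and the folder C:\PS must exist.

```powershell
# Added example: service baseline saved as JSON and diffed on later runs.
$baselinePath = 'C:\PS\services-baseline.json'   # assumed path

function Get-ServiceState {
    # Status and StartType are enums; ConvertTo-Json would store them as integers,
    # so turn them into strings first so the round trip is comparable.
    Get-Service | Select-Object Name,
        @{ Name = 'Status';    Expression = { "$($_.Status)" } },
        @{ Name = 'StartType'; Expression = { "$($_.StartType)" } }
}

function Save-ServiceBaseline([string]$Path) {
    Get-ServiceState | ConvertTo-Json | Set-Content -Path $Path
}

function Compare-ServiceBaseline([string]$Path) {
    # -Raw hands ConvertFrom-Json the file as one string instead of one line at a time.
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $old = @{}
    foreach ($b in $baseline) { $old[$b.Name] = $b }

    foreach ($svc in Get-ServiceState) {
        $prev = $old[$svc.Name]
        if (-not $prev) {
            [pscustomobject]@{ Name = $svc.Name; Change = 'new service'; Was = ''; Now = "$($svc.Status)/$($svc.StartType)" }
        }
        elseif ($prev.Status -ne $svc.Status -or $prev.StartType -ne $svc.StartType) {
            [pscustomobject]@{ Name = $svc.Name; Change = 'changed'; Was = "$($prev.Status)/$($prev.StartType)"; Now = "$($svc.Status)/$($svc.StartType)" }
        }
        $old.Remove($svc.Name)
    }
    # Anything left in the table existed at baseline time but is gone now.
    foreach ($name in $old.Keys) {
        [pscustomobject]@{ Name = $name; Change = 'removed'; Was = "$($old[$name].Status)/$($old[$name].StartType)"; Now = '' }
    }
}

if (-not (Test-Path -Path $baselinePath)) {
    Save-ServiceBaseline -Path $baselinePath
    "Baseline written to $baselinePath; run again later to see changes."
} else {
    Compare-ServiceBaseline -Path $baselinePath | Format-Table -AutoSize
}
```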
Creating files and folders
We create items in PowerShell using the New-Item
command.
Example: This command creates the new folder C:\temp\Test Folder
New-Item -Path 'C:\temp\Test Folder' -ItemType Directory
Example: This command creates the new empty file C:\temp\Test Folder\file.txt
New-Item -Path 'C:\temp\Test Folder\file.txt' -ItemType File
Commands to import and remove modules in PowerShell
In this section, you will learn how to use PowerShell modules. Modules provide the capability to group related functions together. There are a number of built-in modules, and additional modules can be installed from a repository or are added by other software you install.
In PowerShell, a module is considered a package that contains various functions, workflows, and variables that can operate as a small program.
For additional information, check out the Microsoft Documentation on modules.
PowerShell Gallery
The PowerShell Gallery is a repository for sharing useful PowerShell scripts and modules, some items are created by Microsoft and some are created by the PowerShell community.
Browse the PowerShell Gallery for modules you’ll want to install here.
Viewing modules
Using the Get-Module cmdlet will list the modules currently loaded on a computer. Adding the -ListAvailable option to this command will also allow you to view all modules that are available for use but not yet imported on the computer.
The -ListAvailable option can also be used with a specific module name to list the commands that module exports.
Importing modules
Modules need to be imported into your local PowerShell session before the cmdlets and functions from that module can be used. Modules can be loaded into the current PowerShell session by using the Import-Module cmdlet and specifying the module either by name (-Name) or by path (-Path).
Example: If you needed to import the PKI PowerShell module, which provides cmdlets for managing digital certificates and public key infrastructure, you would use this command:
Import-Module -Name PKI
Installing modules
If a module is not listed as available, then the module can be installed from a repository, such as the PowerShell Gallery, or from another registered repository using the Install-Module cmdlet.
Removing modules
When you remove a module with Remove-Module, the commands that the module added are removed from the session. This is useful when creating your own modules, as you may need to remove and re-import a module when you make changes to it.
Example: We would remove the PKI module using the command:
Remove-Module -Name PKI
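The full module lifecycle from this section (view, install, import, inspect, remove) in one script, as an added example that is not part of the article. $ModuleName is a placeholder; PKI is used because the article imports it, and the Install-Module branch only runs for modules that are not already on disk.

```powershell
# Added example: check, install if needed, import, inspect and remove a module.
$ModuleName = 'PKI'   # placeholder; any module name works

if (Get-Module -Name $ModuleName) {
    # Already loaded into this session.
    "$ModuleName is already imported."
}
elseif (Get-Module -Name $ModuleName -ListAvailable) {
    # Installed on disk but not yet loaded.
    Import-Module -Name $ModuleName
    "$ModuleName imported from disk."
}
else {
    # Not installed: look it up in the registered repositories (PowerShell Gallery by default)
    # and review the publisher before installing, since Gallery content is community-contributed.
    Find-Module -Name $ModuleName | Select-Object Name, Version, Author, Repository
    # -Scope CurrentUser installs without administrator rights.
    Install-Module -Name $ModuleName -Scope CurrentUser
    Import-Module -Name $ModuleName
    "$ModuleName installed and imported."
}

# What did the module add to the session?
Get-Command -Module $ModuleName | Select-Object CommandType, Name | Format-Table -AutoSize

# Remove it again (handy while iterating on your own module) and confirm it is gone.
Remove-Module -Name $ModuleName
if (-not (Get-Module -Name $ModuleName)) { "$ModuleName removed from the session." }
```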
Commands for daily security tasks
In this section, you will learn some of the most common PowerShell security commands that are used by every Cybersecurity professional today. You should be familiar with these common commands used for troubleshooting well-known cyberattacks in the industry today.
Get-ExecutionPolicy and Set-ExecutionPolicy
You can create and execute PowerShell scripts; however, Microsoft has disabled scripting by default in an effort to prevent malicious code from executing in a PowerShell environment. You can use the Get-ExecutionPolicy cmdlet to check which execution policy is enforced prior to running a script, and then use the Set-ExecutionPolicy cmdlet to change the level of security if needed.
There are four levels of security associated with the Set-ExecutionPolicy command:
- Unrestricted: This removes all restrictions from the execution policy.
- Restricted: This is the default execution policy and only allows commands to be entered interactively. PowerShell scripts are not allowed to run.
- AllSigned: If the execution policy is set to AllSigned, scripts will be allowed to run only if they are signed by a trusted publisher.
- RemoteSigned: If the execution policy is set to RemoteSigned, PowerShell scripts that have been created locally will be allowed to run. Scripts created remotely will be allowed to run only if they are signed by a trusted publisher.
Get-Service
This command provides a list of every service that is currently installed on your system.
If you suspect a particular service is worth checking out for security reasons, you can append the -Name argument, which lets you see the state of that service on the machine.

```
PS C:\Users\U1D256> Get-Service

Status   Name               DisplayName
------   ----               -----------
Running  BFE                Base Filtering System
Stopped  BITS               Background Intelligent Transfer Ser...
Running  camsvc             Capability Access Manager Service
...
```
Get-Process
Unlike the Get-Service command in PowerShell, which displays a list of the different system services, the Get-Process command displays a list of every process the system is currently running. This command can also be used to query processes running on a remote machine or server.

```
PS C:\Users\U1D256> Get-Process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   3071     138   359840     354688              25248   0 A180AG
   1001      52    52820      65824   1,557.13    8732   1 A180RS
...
```
Stop-Process
This is the complementary command to Get-Process. If you suspect that a malicious or unwanted process is running on your local machine or remote server, running Stop-Process -Name or Stop-Process -Id will terminate the running process.
For example, if you wanted to find the owner of a running process on a machine, try this command:

```
PS C:\Users\U1D256> Get-Process pwsh -IncludeUserName

Handles      WS(K)   CPU(s)     Id UserName         ProcessName
-------      -----   ------     -- --------         -----------
    782     132080     2.08   2188 DOMAIN01\user01  pwsh
```
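The pipe section earlier and the Get-Process/Stop-Process pair here come together in this added example (not from the article): a pipeline that triages every instance of a named process (owner, image path, hash and Authenticode state) and stops only those whose image is not validly signed, with a confirmation prompt per process. $SuspectName is a placeholder, and -IncludeUserName requires an elevated session.

```powershell
# Added example: triage a process by name before deciding whether to stop it.
function Get-ProcessTriage {
    param([Parameter(Mandatory)][string]$Name)

    Get-Process -Name $Name -IncludeUserName -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $_.Path   # $null for protected/system processes when not elevated
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Id        = $_.Id
            Name      = $_.ProcessName
            UserName  = $_.UserName
            Path      = $path
            Signature = if ($sig) { "$($sig.Status)" } else { 'unknown (no path)' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SHA256    = if ($path) { (Get-FileHash -Path $path -Algorithm SHA256).Hash } else { $null }
        }
    }
}

$SuspectName = 'pwsh'   # placeholder; the article's own example process
$findings = Get-ProcessTriage -Name $SuspectName
$findings | Format-List

# Stop only instances whose image is not validly signed; -Confirm prompts for each one.
$findings |
    Where-Object { $_.Signature -ne 'Valid' } |
    ForEach-Object { Stop-Process -Id $_.Id -Confirm }
```

Record the SHA256 column before stopping anything; it is the value you will want when checking the binary against your own inventory afterwards.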
Get-EventLog
Being able to read logs from the local machine is important. Event logs are an important part of fault diagnosis or incident response.
PowerShell can be used to parse your computer's event logs using the Get-EventLog command. By default, it queries the local machine; however, it can also be used to query logs from remote computers.
For additional reading, check out the Microsoft document on Get-EventLog.
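As an added example (not from the article), the following uses Get-EventLog to summarise failed logons (Security event 4625) over the last 24 hours per account and source address. It needs an elevated Windows PowerShell 5.1 session: Get-EventLog reads the classic event-log API and is not available in PowerShell 7, where Get-WinEvent takes its place. The threshold and the ReplacementStrings indices are assumptions noted in the comments.

```powershell
# Added example: count failed logons per source and account, flagging bursts.
$since     = (Get-Date).AddHours(-24)
$threshold = 5   # assumed: more failures than this from one source/account pair is worth a look

$failed = Get-EventLog -LogName Security -InstanceId 4625 -After $since -ErrorAction SilentlyContinue

# ReplacementStrings holds the event's fields in the order of the 4625 template
# (assumed here): index 5 = target account, index 10 = logon type, index 19 = source IP.
$rows = foreach ($e in $failed) {
    [pscustomobject]@{
        Time      = $e.TimeGenerated
        Account   = $e.ReplacementStrings[5]
        LogonType = $e.ReplacementStrings[10]
        Source    = $e.ReplacementStrings[19]
    }
}

$summary = $rows |
    Group-Object Source, Account |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Source   = $_.Group[0].Source
            Account  = $_.Group[0].Account
            Failures = $_.Count
            First    = $sorted[0].Time
            Last     = $sorted[-1].Time
            Flag     = if ($_.Count -gt $threshold) { 'REVIEW' } else { '' }
        }
    } |
    Sort-Object Failures -Descending

$summary | Format-Table -AutoSize
```

Logon type 3 (network) failures from one source against many accounts and type 10 (RemoteInteractive) failures are the rows that usually deserve the first look.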
Get-ADUser
The Get-ADUser cmdlet gets a specified user object or performs a search to get multiple user objects. This cmdlet retrieves a default set of user object properties. To retrieve additional properties, use the -Properties parameter.
Security teams such as Identity Access Management teams and Identity Governance teams heavily leverage this command.
Example: This command gets all of the properties of the user with the SAM account name NicoleScott.

```
PS C:\Users\U1D256> Get-ADUser -Identity NicoleScott -Properties *

Surname           : Scott
Name              : Nicole Scott
UserPrincipalName :
GivenName         : Nicole
Enabled           : False
SamAccountName    : NicoleScott
ObjectClass       : user
SID               : S-1-5-21-2889043008-4136710315-2444824263-3544
ObjectGUID        : e1418d64-096c-4cb0-b903-ebb66562d99d
DistinguishedName : CN=Nicole Scott,OU=NorthAmerica,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM
```
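The kind of identity-governance review these teams run, built on Get-ADUser, as an added example that is not from the article: enabled accounts that have not logged on in 90 days, or whose password never expires. It needs the ActiveDirectory module (RSAT) and read access to the domain; the search base is taken from the sample output above, and the report path and 90-day window are assumptions.

```powershell
# Added example: stale and never-expiring enabled accounts, exported to CSV.
Import-Module ActiveDirectory
$staleDays  = 90                                       # assumed review window
$cutoff     = (Get-Date).AddDays(-$staleDays)
$searchBase = 'OU=UserAccounts,DC=FABRIKAM,DC=COM'     # from the article's sample output
$reportPath = 'C:\PS\ad-user-review.csv'               # assumed path

# Ask only for the extra attributes needed instead of -Properties *, which is slow at scale.
$query = @{
    Filter     = 'Enabled -eq $true'
    SearchBase = $searchBase
    Properties = 'LastLogonDate', 'PasswordNeverExpires', 'PasswordLastSet', 'whenCreated'
}
$users = Get-ADUser @query

$review = foreach ($u in $users) {
    $reasons = @()
    # LastLogonDate is replicated only every ~14 days, so treat it as approximate.
    if (-not $u.LastLogonDate -and $u.whenCreated -lt $cutoff) {
        $reasons += 'never logged on'
    }
    elseif ($u.LastLogonDate -and $u.LastLogonDate -lt $cutoff) {
        $reasons += "no logon since $($u.LastLogonDate.ToShortDateString())"
    }
    if ($u.PasswordNeverExpires) { $reasons += 'password never expires' }

    if ($reasons) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Name            = $u.Name
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            Reasons         = $reasons -join '; '
            DistinguishedName = $u.DistinguishedName
        }
    }
}

$review | Sort-Object SamAccountName | Export-Csv -Path $reportPath -NoTypeInformation
"$($review.Count) accounts need review; details in $reportPath"
```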
DNS lookups
DNS attacks remain one of the top attacks that Cybersecurity professionals have to troubleshoot today. The DNS service is a well-known attack vector.
We can look up the DNS entry for a host using the command:
Resolve-DnsName -Name "Hostname"
By appending the -Server parameter followed by a DNS server's IP address, we can send the resolution request to a specific server to verify that resolution is working properly.
The Get-DnsClient cmdlet lets you check the DNS client configuration for a device, including which DNS servers the device uses for address resolution on each of its adapters.
The Set-DnsClientServerAddress cmdlet sets the DNS servers used by a network interface.
See the Microsoft documentation for additional DNS PowerShell cmdlets.
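The verification described above carried through, as an added example (not from the article): list the resolvers each adapter uses (Get-DnsClientServerAddress is the cmdlet that reports the server list itself), resolve a name through them and through a reference resolver, and report any disagreement between the two answers. The host name and reference server are placeholders.

```powershell
# Added example: compare A-record answers from the configured resolvers and a reference server.
$name            = 'www.example.com'   # placeholder name to check
$referenceServer = '192.0.2.53'        # placeholder; use a resolver you trust

# Which resolvers is this device actually using, per adapter?
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

function Get-ARecords {
    param([string]$Name, [string]$Server)
    $p = @{ Name = $Name; Type = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $p.Server = $Server }
    # -DnsOnly bypasses the local hosts file and cache so we see what the server answers.
    Resolve-DnsName @p -DnsOnly |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress |
        Sort-Object
}

$local = @(Get-ARecords -Name $name)
$ref   = @(Get-ARecords -Name $name -Server $referenceServer)

if ($local.Count -eq 0 -or $ref.Count -eq 0) {
    "Configured resolvers answered: [$($local -join ', ')]; reference answered: [$($ref -join ', ')]"
}
else {
    $diff = Compare-Object -ReferenceObject $ref -DifferenceObject $local
    if ($diff) {
        "Answers differ for ${name} (<= only from reference, => only from configured resolvers):"
        $diff | ForEach-Object { "{0} {1}" -f $_.SideIndicator, $_.InputObject }
    }
    else {
        "Both resolvers return: $($local -join ', ')"
    }
}
```

A persistent mismatch between the two answers is what a changed resolver setting or a poisoned cache looks like from the client side, and is the cue to inspect the adapter configuration listed at the top.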
Ping devices locally or remotely
The Test-NetConnection cmdlet allows us to test network connectivity on the LAN and WAN.
For example, the command Test-NetConnection -ComputerName "Hostname or IP" performs a ping, which determines whether network connectivity exists between the local device and the target computer or domain.
This is a useful command for a security professional executing a DDoS attack.
Get-NetIPConfiguration
The Get-NetIPConfiguration cmdlet gets network configurations, including usable interfaces, IP addresses, and DNS servers. This is helpful for any cybersecurity professional who needs to troubleshoot and identify rogue IP addresses on the network.
Testing network connection
The Test-NetConnection cmdlet shows diagnostic information for a connection. It supports ping tests, TCP tests, route tracing, and route selection diagnostics. Depending on the parameters, the output can include the DNS lookup results, a list of IP interfaces, IPsec rules, route/source address selection results, and/or confirmation of connection establishment.
Port security attacks are very prevalent today. If we want to verify whether a port is open on our machine or server, we could run this command:
Test-NetConnection -ComputerName 127.0.0.1 -Port 4000
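As an added example (not from the article), the single port check above extended to a list of ports with an expected state, so the output tells you directly which ports on your own host deviate from what you intended. The host and port lists are placeholders.

```powershell
# Added example: compare a host's listening ports against the expected open/closed sets.
function Test-PortBaseline {
    param(
        [string]$ComputerName  = '127.0.0.1',        # placeholder target (your own host)
        [int[]]$ExpectedOpen   = @(3389, 5985),      # placeholder: services you run on purpose
        [int[]]$ExpectedClosed = @(21, 23, 4000)     # placeholder: ports that should not answer
    )
    foreach ($port in ($ExpectedOpen + $ExpectedClosed)) {
        # -InformationLevel Quiet returns just $true/$false instead of the full diagnostic object.
        $open = Test-NetConnection -ComputerName $ComputerName -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        $expected = if ($port -in $ExpectedOpen) { 'open' } else { 'closed' }
        $actual   = if ($open) { 'open' } else { 'closed' }
        [pscustomobject]@{
            ComputerName = $ComputerName
            Port         = $port
            Expected     = $expected
            Actual       = $actual
            Status       = if ($expected -eq $actual) { 'OK' } else { 'MISMATCH' }
        }
    }
}

Test-PortBaseline | Format-Table -AutoSize
```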
Remote PowerShell commands
Windows PowerShell remoting lets you run any Windows PowerShell command on one or more remote computers. You can establish persistent connections, start interactive sessions, and run scripts on remote computers. The remote computer must be configured for remote management.
Read more about remote PowerShell commands in the Microsoft documentation.
Start a session
To start an interactive session with a single remote computer, use the Enter-PSSession cmdlet. For example, to start an interactive session with the Server01 remote computer, use the following command:
Enter-PSSession Server01
To end the interactive session, use the following command:
Exit-PSSession
Run a script
To run a script on remote computers, use the -FilePath parameter of the Invoke-Command cmdlet. The script must be accessible from your local computer. The results are returned to your local computer.
Example: The following command runs the GetActiveAccounts.ps1 script on the remote computers Server11 and Server12.
Invoke-Command -ComputerName Server11, Server12 -FilePath c:\Scripts\GetActiveAccounts.ps1
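As an added example (not from the article), Invoke-Command with a -ScriptBlock instead of -FilePath, gathering a few of this article's checks from several computers at once and noting which hosts did not answer. The computer names are the article's placeholders; the remote hosts must have remoting enabled.

```powershell
# Added example: run the same checks on several remote computers and collect the results.
$computers = 'Server11', 'Server12'   # placeholders from the article

$results = Invoke-Command -ComputerName $computers -ScriptBlock {
    # Everything in this block runs on the remote machine; only the object comes back.
    [pscustomobject]@{
        ExecutionPolicy = "$(Get-ExecutionPolicy)"
        PSVersion       = $PSVersionTable.PSVersion.ToString()
        StoppedAutoSvcs = @(Get-Service | Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' }).Count
        FailedLogons24h = @(Get-EventLog -LogName Security -InstanceId 4625 -After (Get-Date).AddHours(-24) -ErrorAction SilentlyContinue).Count
    }
}

# PSComputerName is added automatically to each object returned by Invoke-Command.
$results |
    Select-Object PSComputerName, ExecutionPolicy, PSVersion, StoppedAutoSvcs, FailedLogons24h |
    Format-Table -AutoSize

# Unreachable hosts produce errors rather than rows; list them explicitly.
$reached = @($results | Select-Object -ExpandProperty PSComputerName -Unique)
$computers | Where-Object { $_ -notin $reached } | ForEach-Object { "No result from $_" }
```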
Conclusion
In this article, we reviewed some of the most important PowerShell commands and applicable use cases. Creating PowerShell scripts and running commands are a powerful way to automate daily security analyst tasks. You should continue to research and practice working with PowerShell to improve your skillset.
Author
The Codecademy Team, composed of experienced educators and tech experts, is dedicated to making tech skills accessible to all. We empower learners worldwide with expert-reviewed content that develops and enhances the technical skills needed to advance and succeed in their careers.