PowerShell Quick Guide: Essential One-Liners Every Threat Hunter Should Know

Hey there, fellow threat hunters! 👋 Today we're diving into something every blue teamer needs in their toolkit - PowerShell one-liners. Because let's face it, sometimes you need answers fast, and you don't have time to write a full script. Let's get into the good stuff!

Process Investigation

First up, let's look at some process-related commands. These are your bread and butter for quick investigation:
Get-Process | Where-Object {$_.CPU -gt 50} | Select-Object ProcessName, CPU, WorkingSet | Sort-Object CPU -Descending
This beauty lists every process whose CPU property is above 50. One caveat: the CPU value that Get-Process returns is cumulative processor time in seconds, not a live percentage, so this surfaces processes that have burned through a lot of CPU over their lifetime rather than a momentary spike. Still perfect for catching crypto miners trying to have a party on your systems! Want to see what's making weird network connections?
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,State,
    @{Name="Process";Expression={(Get-Process -Id $_.OwningProcess).ProcessName}} |
    Where-Object {$_.RemoteAddress -notmatch "^10\.|^172\.(1[6-9]|2\d|3[01])\.|^192\.168\.|^127\.|^::1$"}

This shows all established connections to addresses outside the RFC 1918 private ranges (the 172 match is restricted to 172.16.0.0/12, and loopback is excluded so local IPC doesn't clutter the list). Hello, C2 detection!

For more information on process investigation, please refer to our PowerShell Quick Guide: Process Investigation.

Suspicious File Hunt

Looking for files created in the last hour? I've got you covered:
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | 
    Where-Object {$_.CreationTime -gt (Get-Date).AddHours(-1)} | 
    Select-Object FullName, CreationTime, Length
Or maybe you're hunting for those sneaky executables in temp folders:
Get-ChildItem -Path $env:TEMP -Include *.exe,*.dll,*.ps1 -Recurse -ErrorAction SilentlyContinue | 
    Select-Object FullName, CreationTime, Length

Service Shenanigans

Want to find services running with suspicious paths?
Get-CimInstance Win32_Service |
    Where-Object {$_.PathName -like "*temp*" -or $_.PathName -like "*appdata*"} |
    Select-Object Name, PathName, StartName
Or maybe you're looking for services with weird start types:
Get-Service | Where-Object {$_.StartType -eq "Automatic" -and $_.Status -eq "Stopped"} | 
    Select-Object Name, DisplayName, Status, StartType

Registry Recon

Check for programs set to autostart (a favorite hiding spot for malware):
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' |
    Select-Object * -ExcludeProperty PSPath,PSParentPath,PSChildName,PSDrive,PSProvider
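
If you want to go a step further than the single HKLM key above, here is an expanded version I've added for this guide (not code from the original post): it walks the common Run and RunOnce keys in both hives, pulls the executable out of each command line, and flags entries that point into user-writable folders or at a file that no longer exists. The key list and the "suspicious location" pattern are my own assumptions and should be tuned to your environment.

```powershell
# Added example: enumerate autostart entries across the usual Run/RunOnce keys
# and flag the ones that deserve a closer look. Key list is an assumption; extend as needed.
$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders a standard user can write to; legitimate autostart entries rarely live here.
$suspiciousPattern = '\\temp\\|\\appdata\\|\\users\\public\\|\\programdata\\'

# Provider metadata that Get-ItemProperty adds to every result; these are not registry values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunEntry {
    foreach ($key in $autorunKeys) {
        # Missing keys (e.g. no Wow6432Node on 32-bit) are skipped instead of aborting the run
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }

        $props.PSObject.Properties |
            Where-Object { $_.Name -notin $providerProps } |
            ForEach-Object {
                $command = [string]$_.Value
                # Executable is either the quoted first token or everything up to the first space
                $exe = if ($command -match '^"([^"]+)"') { $matches[1] } else { ($command -split ' ')[0] }
                $exe = [Environment]::ExpandEnvironmentVariables($exe)

                # Bare names (e.g. rundll32.exe) resolve against the current directory, so
                # Exists = False is a prompt to look closer, not proof of a dangling entry.
                $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)

                [pscustomobject]@{
                    Key        = $key
                    Name       = $_.Name
                    Command    = $command
                    Executable = $exe
                    Exists     = $exists
                    Flag       = ($command -imatch $suspiciousPattern) -or (-not $exists)
                }
            }
    }
}

# Flagged entries float to the top; review those first.
Get-AutorunEntry | Sort-Object Flag -Descending | Format-Table Name, Executable, Exists, Flag -AutoSize
```

Run it from an elevated prompt so the HKLM keys are fully readable, and pipe `Get-AutorunEntry` to `Export-Csv` if you want to diff results against a known-good baseline later.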

Pro Tips

1. Always use `-ErrorAction SilentlyContinue` when searching through files or registry. Trust me, your console will thank you for not flooding it with access denied errors.
2. Need to export results? Just pipe to `Export-Csv`:
... | Export-Csv -Path "C:\investigation\findings.csv" -NoTypeInformation
3. Running into permission issues? Don't forget to run PowerShell as administrator. I know, obvious right? But we've all been there, staring at our screen wondering why a command isn't working... 🤦‍♂️

Word of Caution

Remember, these one-liners are great for quick investigation, but they're not a replacement for proper security tools and EDR solutions. Think of them as the Swiss Army knife in your toolkit - handy for quick checks, but you wouldn't want to build a house with one! Also, always test these commands in a controlled environment first. While these are read-only commands, it's always better to be safe than sorry. Nobody wants to be "that person" who accidentally brought down prod while hunting for threats.

Wrapping Up

There you have it - a collection of PowerShell one-liners that should make your threat hunting life a bit easier. Keep these in your back pocket for when you need quick answers or just want to do some basic system hygiene checks. Stay safe, and happy hunting! 🕵️‍♂️

P.S. Want to level up your PowerShell game? Check out my other PowerShell-related posts for more in-depth scripting techniques!
