cybernovaacademy/SOC---LOGS-THREAT-HUNTING

GitHub: cybernovaacademy/SOC---LOGS-THREAT-HUNTING

A comprehensive log analysis and threat hunting lab tutorial for blue-team analysts, covering the complete workflow of collecting and analysing multi-source Windows and Linux logs, detecting attacks, and writing SIEM rules.

Stars: 0 | Forks: 0

# SOC---LOGS-THREAT-HUNTING: SOC Log Threat Hunting

# CyberNova Academy - Elite Log Analysis, SOC and Threat Hunting Labs

## Professional Lab Purpose

This enhanced lab turns the original log analysis content into professional SOC, system administration and threat hunting learning material. The originally provided content is preserved intact in an expandable section, while the expert layer adds advanced commands, analyst interpretation, detection logic, MITRE ATT&CK mappings and portfolio-ready documentation.

## Core Learning Outcomes

- Understand Linux, Windows Security and PowerShell logs.
- Simulate security events in a controlled lab.
- Detect failed logins, PowerShell execution, SSH brute-force activity and firewall blocks.
- Investigate using Linux commands, PowerShell, Event Viewer and UFW logs.
- Map observed events to SOC workflows and MITRE ATT&CK techniques.
- Produce evidence suitable for a cybersecurity portfolio.

## Table of Contents

1. Preserved Original Content
2. SOC Analyst Enhancement Layer
3. Linux Log Analysis Expert Commands
4. Windows Security Log Hunting
5. PowerShell Threat Hunting
6. Network-Based Attack Detection Using UFW
7. SSH Brute-Force Detection
8. MITRE ATT&CK Mapping
9. SIEM Detection Examples
10. Analyst Report Template
11. Final Checklist

# 1. Preserved Original Content
Click to expand the original content, provided exactly as-is

Table of Contents

1.	Introduction to Log Analysis

2.	Log Analysis Basics: Windows Security Logs

3.	Log Analysis Basics: Windows Powershell Logs

4.	Log Analysis Basics: Network-Based Attacks on Linux

5.	Log Analysis Basics: Linux Auth Logs

6.	Basics of PowerShell



Introduction to Linux Logs + Cheat Sheet

Linux logs are essential for system monitoring, debugging, troubleshooting, and security analysis. Understanding how to access and interpret these logs is a foundational skill for system administrators, DevOps engineers, and security analysts.

________________________________________

📂 Where Are Linux Logs Stored?

Most logs in Linux are stored in the /var/log/ directory.

________________________________________

📄 Common Log Files

| Log File | Description |
|---|---|
| /var/log/syslog or /var/log/messages | General system activity logs |
| /var/log/auth.log | Authentication logs (login, sudo, ssh) |
| /var/log/kern.log | Kernel messages |
| /var/log/dmesg | Boot-time and hardware-related messages |
| /var/log/faillog | Failed login attempts |
| /var/log/secure | Security-related logs (RHEL/CentOS) |
| /var/log/boot.log | System boot logs |
| /var/log/cron or cron.log | Cron job scheduling logs |
| /var/log/httpd/ | Apache web server logs |
| /var/log/audit/ | SELinux and AuditD logs |

________________________________________

🧠 Linux Logs Cheat Sheet

### 🔍 View Logs

```bash
cat /var/log/syslog              # Display entire log
less /var/log/auth.log           # Scroll through logs
tail -f /var/log/syslog          # Live log monitoring
journalctl                       # View systemd journal logs
```

### 📌 Filter Logs

```bash
grep "error" /var/log/syslog                     # Search for 'error'
journalctl -u ssh                                # Logs for SSH service
journalctl --since "1 hour ago"                  # Logs from the past hour
journalctl --since "2024-10-01" --until "2024-10-02" # Logs between two dates
```

### 🛠️ Useful Log Management Commands

```bash
dmesg | less                        # View kernel ring buffer
logrotate -d /etc/logrotate.conf   # Test log rotation (debug mode, no changes made)
last                               # Show login history
lastb                              # Show failed login attempts
```

### 🧾 Example: Detect Failed SSH Logins

```bash
grep "Failed password" /var/log/auth.log
```

🔐 Why Are Logs Important?

•	🔍 Security Monitoring – Detect brute force attacks, unauthorized logins.

•	🛠️ Troubleshooting – Identify service errors and system crashes.

•	📜 Auditing – Track user activity and system changes.







Day#1: Introduction to Log Analysis

Objective:

The objective of this lab is to introduce students to the basics of log analysis and demonstrate how logs from different systems can be collected, analyzed, and used for security monitoring. Students will learn how to generate simple logs on both Windows and Linux systems and how SOC Analysts use logs to detect security incidents.

________________________________________

What is a Log?

A log is a record of events in a system that captures important actions like errors, warnings, or user activities. These logs contain key information such as:

•	Timestamp

•	Event Description

•	Severity (Critical, Error, Warning, Information)

•	Source (User, Process, Service)

Logs are essential for understanding system behavior, detecting security incidents, and conducting forensic investigations.

________________________________________

Example logs

🐧Linux auth.log Example

Apr 7 10:42:15 ubuntu sshd[12345]: Failed password for invalid user admin from 192.168.1.100 port 54321 ssh2

Explanation:

•	Apr 7 10:42:15 — Timestamp

•	ubuntu — Hostname

•	sshd[12345] — Service name and process ID

•	Failed password for invalid user admin — Failed login attempt

•	from 192.168.1.100 — Source IP address

•	port 54321 — Source port

•	ssh2 — Protocol version

Log Sources on Linux:

•	System Logs: Stored in /var/log/, including files like syslog (system messages), auth.log (authentication attempts), and kern.log (kernel-related logs).

•	Application Logs: Application-specific logs like Apache (/var/log/apache2/access.log) or MySQL (/var/log/mysql/error.log).

Log Sources on Windows:

•	Event Viewer: Provides access to logs such as:

o	System Logs: Logs related to operating system events.

o	Security Logs: Logs related to login attempts, permission changes, etc.

o	Application Logs: Logs for system applications.

o	PowerShell Logs: Logs for PowerShell commands, including suspicious execution.

________________________________________

How Does a SOC Analyst Use Log Analysis?

•	Incident Detection: SOC Analysts review logs to detect unusual or unauthorized activities, such as failed login attempts or suspicious processes.

•	Forensics: Logs are used to trace back the actions taken by an attacker during or after an incident.

•	Security Monitoring: Continuous log analysis helps detect potential security threats in real-time.

•	Compliance: Logs assist in maintaining compliance with regulatory standards (e.g., GDPR, HIPAA).

________________________________________

Popular Tools for Log Analysis:

•	ELK Stack (Elasticsearch, Logstash, Kibana): A powerful suite for log collection, storage, and visualization.

•	Splunk: A leading tool for searching, analyzing, and visualizing machine-generated data.

•	Graylog: An open-source log management solution.

•	Wazuh: An open-source security monitoring platform that integrates well with ELK for log analysis and threat detection.

________________________________________

Lab Task: Simulating and Detecting Windows Powershell events

Lab Setup

Requirements:

•	Systems: Windows 10/11 or Windows Server 2019/2022, Linux (Ubuntu or CentOS)

•	Tools:

o	Windows Event Viewer

o	PowerShell (Pre-installed on Windows)

________________________________________

Preparation:

For this lab, you will need to set up log collection on both Windows and Linux systems. Follow these steps to ensure everything is ready:

On Windows:

1.	Open Group Policy Editor (gpedit.msc):

o	Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.

o	Ensure that Module Logging, Script Block Logging, and Script Execution are enabled.

2.	Open Event Viewer:

o	Go to Applications and Services Logs → Microsoft → Windows → PowerShell → Operational.

Step 1: Simulate a Suspicious PowerShell Command

To simulate a suspicious activity, open an elevated PowerShell session and run the following command:

Get-LocalUser | Select-Object Name, Enabled

This command lists all local user accounts on the system, which could be used by attackers to enumerate users post-exploitation.

Step 2: Detect the Log in Windows Event Viewer

1.	Press Win + R, type eventvwr.msc, and press Enter.

2.	Navigate to: Applications and Services Logs → Microsoft → Windows → PowerShell → Operational.

3.	Click Filter Current Log, and filter for Event ID 4104 (which logs PowerShell script execution).

4.	Look for an entry that shows the execution of the Get-LocalUser command.

5.	Take a screenshot of the event details.

Conclusion:

•	Understanding Log Analysis: Logs are crucial for detecting, investigating, and responding to security incidents. Through the use of Windows Event Viewer and Linux log files, you can monitor system activity and identify potential security issues.

•	SOC Analyst Role: SOC Analysts use log analysis to detect threats, investigate incidents, and ensure system compliance.

Submission:

•	Windows Logs: Submit a screenshot of the log generated on the Windows machine.







Log Analysis Basics: Windows Security Logs

Objective:

The objective of this lab is to introduce students to Windows Security Logs and help them understand how to analyze logs for security-related events. Students will learn how to explore and analyze various security logs such as login attempts, user account changes, and other critical system events that could indicate potential security threats.

Lab Setup

Requirements:

•	System: Windows 10/11 or Windows Server 2019/2022

•	Tools:

o	Windows Event Viewer (pre-installed)

o	Notepad (to create custom events, if needed)

o	Administrative Privileges (to access certain security logs)

________________________________________

What are Windows Security Logs?

Windows Security Logs contain records of security-related events on the system, such as:

•	Successful and Failed Login Attempts: Track users who log in or fail to log in.

•	Account Lockouts: Occurs when a user exceeds the maximum allowed number of incorrect login attempts.

•	Audit Policies: Logs related to changes in system audit settings and configurations.

•	Group Membership Changes: Tracks changes in group memberships and user privileges.

•	Privilege Escalation: Logs events when a user gains elevated privileges.

These logs are valuable for monitoring security incidents, detecting unauthorized access, and auditing system changes.

________________________________________

Understanding Event IDs in Security Logs:

Some common Event IDs in Windows Security Logs that you will encounter include:

•	Event ID 4624: Successful Logon.

•	Event ID 4625: Failed Logon.

•	Event ID 4740: Account Lockout.

•	Event ID 4732: A user was added to a security-enabled local group.

•	Event ID 4672: Special privileges assigned to a new logon (Privilege escalation).
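The Event IDs above are most useful when correlated rather than read one at a time. Below is an added Python example (not part of the original lab material) that runs over Security events already flattened into records with the fields an analyst extracts from the event XML (TimeCreated, Id, TargetUserName, IpAddress, LogonType). It separates a brute-force pattern (many 4625 events for one account from one source) from password spraying (one source, a failure or two against many accounts), checks for a 4624 from a source that had already failed repeatedly, and lists 4740 lockouts. The events, their addresses and every threshold are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def ev(ts, event_id, user, ip, logon_type=3, **extra):
    """Build one flattened Security event record (constructed test data)."""
    rec = {"TimeCreated": datetime.fromisoformat(ts), "Id": event_id,
           "TargetUserName": user, "IpAddress": ip, "LogonType": logon_type}
    rec.update(extra)
    return rec


def detect_logon_abuse(events, window_minutes=5, brute_threshold=10,
                       spray_accounts=5, min_failures_before_success=3):
    """Correlate 4625 / 4624 / 4740 records from one Security log.

    brute_force:            >= brute_threshold 4625s for the same (IpAddress, TargetUserName)
                            inside a sliding window of window_minutes
    password_spray:         one IpAddress failing against >= spray_accounts distinct accounts
    success_after_failures: a 4624 from an IpAddress that already produced
                            >= min_failures_before_success 4625s
    lockouts:               every 4740, with the account and the caller computer
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)         # (ip, user) -> 4625 timestamps inside the window
    accounts_by_ip = defaultdict(set)  # ip -> distinct accounts that failed from it
    fails_by_ip = Counter()            # ip -> total 4625 count
    brute, spray, success_after, lockouts = set(), set(), [], []

    for e in sorted(events, key=lambda r: r["TimeCreated"]):
        ip, user = e.get("IpAddress"), e.get("TargetUserName")
        if e["Id"] == 4625:
            key = (ip, user)
            recent[key].append(e["TimeCreated"])
            # Drop failures older than the window, then test the per-account threshold.
            while recent[key] and e["TimeCreated"] - recent[key][0] > window:
                recent[key].pop(0)
            if len(recent[key]) >= brute_threshold:
                brute.add(key)
            accounts_by_ip[ip].add(user)
            fails_by_ip[ip] += 1
            if len(accounts_by_ip[ip]) >= spray_accounts:
                spray.add(ip)
        elif e["Id"] == 4624 and fails_by_ip[ip] >= min_failures_before_success:
            success_after.append((ip, user, e.get("LogonType")))
        elif e["Id"] == 4740:
            lockouts.append((user, e.get("CallerComputerName")))

    return {
        "brute_force": sorted(brute),
        "password_spray": sorted(spray),
        "success_after_failures": success_after,
        "lockouts": lockouts,
    }


# Constructed sample: one mistyped password by alice, twelve failures against the
# lab's haxuser1 from 10.0.0.5 followed by a lockout and then a network logon,
# and a low-and-slow spray from 10.0.0.9 against six different accounts.
SAMPLE_EVENTS = (
    [ev("2024-04-07T09:00:00", 4625, "alice", "192.168.1.20"),
     ev("2024-04-07T09:00:10", 4624, "alice", "192.168.1.20", logon_type=2)]
    + [ev(f"2024-04-07T09:10:{i * 5:02d}", 4625, "haxuser1", "10.0.0.5") for i in range(12)]
    + [ev("2024-04-07T09:11:00", 4740, "haxuser1", "-", CallerComputerName="WS01"),
       ev("2024-04-07T09:12:30", 4624, "haxuser1", "10.0.0.5")]
    + [ev(f"2024-04-07T09:{20 + i}:00", 4625, name, "10.0.0.9")
       for i, name in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])]
)

if __name__ == "__main__":
    for kind, hits in detect_logon_abuse(SAMPLE_EVENTS).items():
        print(f"{kind}: {hits}")
```

The brute-force rule is keyed on the (source, account) pair while the spray rule is keyed on the source alone; that split is what lets the same loop tell "many guesses at one account" apart from "one guess at many accounts", which look identical in a plain count of 4625 events per source.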

________________________________________

Lab Task: Explore and Analyze Windows Security Logs

Step 1: Simulate a Failed Login Attempt

1.	Create a test user named "haxuser1" on the Windows machine.

2.	Simulate a failed logon for that account. Open PowerShell and authenticate with the username and an invalid password using the following command:

net use \\127.0.0.1\IPC$ /user:haxuser1 WrongPassword

Here:

| Command Part | Explanation |
|---|---|
| `net use` | A command used to connect to shared resources (like network shares or printers). |
| `\\127.0.0.1\IPC$` | A special hidden administrative share called IPC$ on your local machine (127.0.0.1 = localhost). IPC$ is used for inter-process communication, especially for authentication purposes. |
| `/user:haxuser1` | Specifies the username to use for authentication (in this case, haxuser1). |
| `WrongPassword` | The password you are trying to authenticate with, which is intentionally incorrect. |

Alternatively, sign out of your current account and sign in as haxuser1 with an invalid password.

Step 2: Detect the Log in Windows Event Viewer

1.	In the Event Viewer, navigate to:

Windows Logs → Security

2.	After the failed login, go back to Event Viewer.

3.	Filter the Security Logs for Event ID 4625 (Failed Logon).

4.	Look for entries that correspond to the failed login attempt.

5.	Take a screenshot of the event details, including:

o	Failed Login Attempt Details

o	User Name

o	Logon Type

o	Source Network Address

Conclusion:

•	Understanding Windows Security Logs: Windows Security Logs are essential for identifying suspicious behavior such as unauthorized login attempts, privilege escalation, and system configuration changes.

•	SOC Analyst Role: As a SOC Analyst, reviewing and analyzing these logs regularly is critical to detecting and responding to security incidents in real-time.

•	Threat Detection: By monitoring for multiple failed logins, account lockouts, and privilege escalations, SOC Analysts can quickly detect malicious activities on a network.

Submission:

•	Event ID 4624 (Successful Login): Submit a screenshot showing a successful login event from the Security logs.

•	Event ID 4625 (Failed Login): Submit a screenshot showing a failed login attempt event from the Security logs.

Log Analysis Basics: Windows PowerShell Logs

Objective:

The objective of this lab is to introduce students to Windows PowerShell Logs and help them understand how to analyze PowerShell-related events. Students will learn how to explore and analyze PowerShell logs to detect suspicious or malicious PowerShell commands that could indicate an attack or compromise.

Lab Setup

Requirements:

•	System: Windows 10/11 or Windows Server 2019/2022

•	Tools:

o	Windows Event Viewer (pre-installed)

o	PowerShell (Pre-installed on Windows)

o	Administrative Privileges (required for enabling logs)

________________________________________

Preparation:

Before proceeding, make sure PowerShell script block logging is enabled on your system:

1.	Press Win + R, type gpedit.msc, and press Enter to open the Group Policy Editor.

2.	Navigate to: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell

3.	Turn on Module Logging, Script Block Logging, and Script Execution.

4.	Apply the settings and close the Group Policy Editor.

________________________________________

What are Windows PowerShell Logs?

PowerShell logs contain information about PowerShell script executions, including details about the commands that were run, the processes that invoked them, and the user who executed them. These logs can be used to detect potential misuse of PowerShell, including post-exploitation techniques often used by attackers.

Key PowerShell Logs to Monitor:

•	Event ID 4104: Script block logging, capturing the PowerShell commands executed.

•	Event ID 4103: Command invocation with parameter binding (detailed command execution).

•	Event ID 4698: PowerShell Module Logging for the execution of specific modules.

•	Event ID 4101: Execution of PowerShell commands through command-line arguments.

________________________________________

Lab Task: Explore and Analyze Windows PowerShell Logs

Step 1: Generate PowerShell Logs

1.	Open PowerShell as Administrator.

2.	Run the following PowerShell command to generate a log entry:

Start-Process "notepad.exe" -ArgumentList "C:\Windows\System32\drivers\etc\hosts"

This command:

•	Starts a new process using the Start-Process cmdlet.

•	Specifies "notepad.exe" as the program to launch.

•	Passes "C:\Windows\System32\drivers\etc\hosts" as an argument to Notepad.

•	As a result, Notepad opens the hosts file directly.

Step 2: Visualize the events

1.	After running the command, go back to Event Viewer and navigate to:

Applications and Services Logs → Microsoft → Windows → PowerShell → Operational

2.	Look for Event ID 4103 in the logs (this will show script block logging for the PowerShell command you executed).

3.	Take a screenshot of the event details, including:

•	PowerShell command that was executed

•	User who ran the command

•	Timestamp of the execution

Step 3: Why Is This Important for Blue Teams?

This log can be used to detect malicious PowerShell usage, such as:

•	LOLBAS (Living Off The Land Binaries) like using Start-Process or Invoke-WebRequest

•	Loading payloads or obfuscated PowerShell commands

•	Persistence via PowerShell commands in startup or tasks

Example of LOLBAS Tools

These are legitimate Windows tools that attackers often abuse for stealthy malicious actions.

| 🛠️ Tool | 📌 Path | 🚩 Abuse Technique |
|---|---|---|
| powershell.exe | `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | Execute payloads, download malware, bypass AV |
| certutil.exe | `C:\Windows\System32\certutil.exe` | Download files using: `certutil -urlcache -f` |
| mshta.exe | `C:\Windows\System32\mshta.exe` | Execute malicious HTML apps or remote scripts |
| regsvr32.exe | `C:\Windows\System32\regsvr32.exe` | Load and execute remote/local DLLs |
| rundll32.exe | `C:\Windows\System32\rundll32.exe` | Execute DLLs or scripts to evade detection |
| wmic.exe | `C:\Windows\System32\wbem\wmic.exe` | Execute commands, gather system info |
| bitsadmin.exe | `C:\Windows\System32\bitsadmin.exe` | Download/upload files silently |
| msbuild.exe | `C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe` | Execute malicious C# code in project files |
| installutil.exe | `C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe` | Run code during .NET assembly install |
| schtasks.exe | `C:\Windows\System32\schtasks.exe` | Create scheduled tasks for persistence |

ℹ️ For more: lolbas-project.github.io

Conclusion:

•	PowerShell Logs: Key to spotting malicious command usage.

•	SOC Analyst Role: Review logs to detect post-exploitation actions.

•	Threat Detection: Flags abnormal activity for faster response.

Submission:

•	Event ID 4103 (PowerShell Script Execution): Submit a screenshot showing a PowerShell script execution event from the logs.













Log Analysis Basics – Network-Based Attack Detection Using UFW

________________________________________

🎯 Objective

The objective of this lab is to simulate a network-based port scan attack and demonstrate how to detect it using ufw.log logs on a Linux system. Students will learn how to launch an HTTP scan probe from the Kali Linux (attacker) machine and detect these scan attempts on the victim machine using UFW.

🛠️ Lab Setup

System Requirements

•	Attacker Machine: Kali Linux

•	Target Machine: Ubuntu Linux

Tools Needed

•	nmap (on attacker machine)

•	ufw or iptables (on target machine)

Log Files

•	/var/log/ufw.log on Ubuntu Server – Captures system and network-related messages

________________________________________

🧠 What is a Network Port Scan?

A port scan is a technique used by attackers to probe a system for open ports and active services. Tools like nmap are commonly used to map a system’s network surface.

Why It’s Dangerous

•	Port scans are often a precursor to exploitation

•	They help attackers identify vulnerable services like open SSH, FTP, or outdated web servers

________________________________________

What is Nmap?

•	Nmap (Network Mapper) is an open-source network scanning tool.

•	Used to discover hosts and services on a network.

•	Helps in identifying open ports, running services, and OS detection.

•	Commonly used for network inventory and vulnerability scanning.

________________________________________

Nmap Popular Scan Types

•	SYN Scan (-sS): Fast and stealthy port scan.

•	TCP Connect Scan (-sT): Full TCP connection, less stealthy.

•	UDP Scan (-sU): Scans UDP ports for services.

•	Ping Scan (-sn): Checks which hosts are up, no port scan.

🔐 What is UFW?

•	UFW stands for Uncomplicated Firewall, a frontend for iptables.

•	Simplifies firewall management for Linux users.

•	Used to allow, deny, and manage traffic rules easily.

•	Logs are stored in /var/log/ufw.log.

•	Rule file: /etc/ufw/before.rules

•	To check UFW status: `ufw status`

•	To list rules with their numbers: `ufw status numbered`

### 🧾 UFW Rule Syntax

•	Basic allow rule: `ufw allow <port>`

•	Deny a port: `ufw deny <port>`

•	Allow by service: `ufw allow <service>` (e.g., `ufw allow ssh`)

•	Allow by IP: `ufw allow from <ip>`

•	Allow specific port from IP: `ufw allow from <ip> to any port <port>`

•	Delete rule: `ufw delete allow <port>`

🧪 Lab Task: Explore and Analyze Linux Syslog for Network Scans

________________________________________

⚔️ Step 1: Attack Simulation – Perform a Port Scan

⚠️ Only scan systems you own or are authorized to test.

On the Attacker Machine:

nmap -p80 TARGET-IP

🔍 Step 2: Detection and Analysis – Analyze Syslog

1.	Install and enable the UFW firewall with logging:

```bash
sudo apt install ufw
sudo ufw enable
sudo ufw logging on
sudo ufw logging high
```

2.	Create a firewall rule to drop HTTP traffic from the attacker machine (replace 69.62.84.69 with your own attacker machine's IP):

```bash
sudo ufw deny from 69.62.84.69 to any port 80 proto tcp
```

3.	Reload the firewall rules so the change takes effect:

```bash
sudo ufw reload
```

4.	Detect the HTTP scanning traffic (replace ATTACKER-IP with the attacker machine's IP):

```bash
sudo tail -f /var/log/ufw.log | grep "ATTACKER-IP"
```
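Once the blocked packets are in /var/log/ufw.log, the detection step is counting them by source and by destination port and noticing when one source has been blocked on many different ports. Below is an added Python example (not part of the original lab) that parses the netfilter-style `key=value` records UFW writes, reproduces those per-source and per-port counts, and flags any source blocked on several distinct destination ports, the multi-port pattern that distinguishes a scan from a single stray connection. The sample lines, the addresses in them and the five-distinct-ports threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# UFW writes netfilter log records to /var/log/ufw.log. The action appears as
# "[UFW BLOCK]", "[UFW ALLOW]" or "[UFW AUDIT]", followed by key=value fields.
ACTION_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\] (?P<fields>.*)$")
FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")


def parse_ufw_line(line):
    """Return {'action': ..., 'SRC': ..., 'DST': ..., 'PROTO': ..., 'DPT': ...} or None."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    rec = {"action": m["action"]}
    for f in FIELD_RE.finditer(m["fields"]):
        rec[f["key"]] = f["value"]
    return rec


def blocked_records(lines):
    """Only the [UFW BLOCK] records, like: grep "UFW BLOCK" /var/log/ufw.log"""
    for line in lines:
        rec = parse_ufw_line(line)
        if rec and rec["action"] == "BLOCK":
            yield rec


def summarize_blocks(lines):
    """Per-source and per-destination-port counts of blocked packets
    (the grep -o "SRC=..." / "DPT=..." | sort | uniq -c pipelines)."""
    by_src, by_dpt = Counter(), Counter()
    for rec in blocked_records(lines):
        by_src[rec.get("SRC", "?")] += 1
        by_dpt[rec.get("DPT", "?")] += 1
    return {"by_src": by_src, "by_dpt": by_dpt}


def detect_scans(lines, min_ports=5):
    """Flag sources blocked on at least min_ports distinct destination ports.
    Returns (src, distinct_ports, blocked_packets) tuples, most ports first."""
    ports = defaultdict(set)
    packets = Counter()
    for rec in blocked_records(lines):
        if "SRC" in rec and "DPT" in rec:
            ports[rec["SRC"]].add(rec["DPT"])
            packets[rec["SRC"]] += 1
    hits = [(src, len(p), packets[src]) for src, p in ports.items() if len(p) >= min_ports]
    return sorted(hits, key=lambda h: (-h[1], -h[2], h[0]))


def _block(src, dpt, spt, sec):
    # Constructed log line in the format UFW/netfilter produces (documentation address ranges).
    return (f"Apr  7 11:02:{sec:02d} ubuntu kernel: [ 4321.{sec:06d}] [UFW BLOCK] IN=eth0 OUT= "
            f"MAC=08:00:27:aa:bb:cc:08:00:27:dd:ee:ff:08:00 SRC={src} DST=192.168.1.10 LEN=44 "
            f"TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT={spt} DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")


SCAN_PORTS = [21, 22, 23, 25, 80, 443, 445, 3389, 8080]
SAMPLE_UFW = (
    [_block("203.0.113.45", p, 40000 + i, i) for i, p in enumerate(SCAN_PORTS)]   # one source, 9 ports
    + [_block("198.51.100.7", 80, 51000 + i, 20 + i) for i in range(3)]          # one source, one port
    + ["Apr  7 11:03:00 ubuntu kernel: [ 4350.000001] [UFW ALLOW] IN=eth0 OUT= SRC=192.168.1.20 "
       "DST=192.168.1.10 PROTO=TCP SPT=50000 DPT=22 SYN"]                          # allowed, must be ignored
)

if __name__ == "__main__":
    s = summarize_blocks(SAMPLE_UFW)
    print("blocked by source:", s["by_src"].most_common())
    print("blocked by port:  ", s["by_dpt"].most_common())
    for src, n_ports, n_pkts in detect_scans(SAMPLE_UFW):
        print(f"possible scan from {src}: {n_ports} distinct ports, {n_pkts} blocked packets")
```

Counting distinct ports per source, rather than total blocks, is what keeps 198.51.100.7 (three retries against one port) out of the scan list while 203.0.113.45 (one probe each against nine ports) is flagged; with `logging high` UFW also records allowed packets, so the parser filters on the action rather than trusting every line.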

✅ Conclusion

•	ufw.log, combined with firewall logs, is powerful for detecting early-stage reconnaissance

•	Port scanning is often the first indicator of an attacker mapping your system

•	Detecting and blocking IPs performing scans is a crucial step in proactive defense

📸 Submission

Submit a screenshot of a syslog entry showing blocked network traffic due to a port scan. Include:

•	Source IP of scan

•	Targeted port

•	Timestamp

Log Analysis Basics – Linux Auth Log

________________________________________

🎯 Objective

The objective of this lab is to simulate an SSH brute force attack and demonstrate how to detect it using Linux authentication logs. Students will learn how to identify multiple failed login attempts and analyze patterns to uncover brute force activity.

________________________________________

🛠️ Lab Setup

System Requirements

•	Attacker Machine: Kali Linux (or any Linux with hydra)

•	Target Machine: Ubuntu Linux Server

Tools Needed

•	hydra (on attacker machine)

•	openssh-server (on target machine)

•	rsyslog (default logging service)

Log Files

•	/var/log/auth.log – Authentication logs (Ubuntu/Debian)

•	/var/log/secure – (CentOS/RHEL)

________________________________________

📘 Preparation

Linux systems log every authentication event, including successful and failed SSH login attempts. Brute force attacks can be identified by analyzing patterns such as:

•	Rapid failed logins from a single IP

•	Attempts with multiple usernames

•	Login successes after a string of failures

________________________________________

🧠 What is an SSH Brute Force Attack?

A brute force attack attempts to guess a user’s SSH password by trying many combinations quickly using automated tools like Hydra.

Why It’s Dangerous

•	Successful brute force = full shell access

•	Attackers can pivot, install malware, or exfiltrate data

•	It often goes unnoticed without proper log monitoring

________________________________________

🛡️ Attack Patterns Detectable via Auth Logs

•	Multiple failed password attempts from one IP

•	Repeated login attempts to root/admin accounts

•	Success after multiple failures (brute force success)

•	Logins from unknown or foreign IPs

________________________________________

What is Hydra?

•	Hydra is a fast, open-source password-cracking tool used for brute force attacks on logins.

•	It supports 50+ protocols like SSH, FTP, HTTP, SMB, and more.

•	Common use: penetration testing and checking for weak passwords in network services.

•	Syntax: hydra -L users.txt -P passlist.txt <target_ip> <protocol>

•	Use -l/-p for single username/password or -L/-P for files.

•	Add -vV for verbose output and -t 4 to set number of threads.

🧪 Lab Task: Explore and Analyze Auth Logs for SSH Brute Force

________________________________________

⚔️ Step 1: Attack Simulation – Brute Force SSH using Hydra

⚠️ Only perform on authorized systems you own or control.

On the Attacker Machine:

hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://TARGET-IP

This will attempt multiple password guesses for user root on the SSH port.

Ensure SSH is enabled on the target:

sudo systemctl status ssh

🔍 Step 2: Detection and Analysis – Analyze Auth Logs

Check for failed login attempts:

sudo grep "Failed password" /var/log/auth.log

Find usernames tried:

sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-5)}' | sort | uniq -c | sort -nr

Watch live log activity:

sudo tail -f /var/log/auth.log

🔍 What to Look For

•	20+ failed attempts from the same IP in under 5 mins

•	Attempts on sensitive users (root, admin)

•	Sudden success after multiple failures
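The three indicators above can be checked mechanically. Below is an added Python example (not part of the original lab material) that parses sshd lines in the auth.log format shown earlier in this document and applies them: 20 or more failures from one IP inside a 5-minute sliding window, attempts against the sensitive accounts root and admin, and an accepted login from an IP that had already failed repeatedly. It also reproduces the per-IP failure count from the grep/awk pipeline. The sample log lines, the year used to complete the year-less syslog timestamps, and the minimum of three prior failures for the success-after-failures rule are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# sshd line format as it appears in /var/log/auth.log, e.g.
# "Apr 7 10:42:15 ubuntu sshd[12345]: Failed password for invalid user admin from 192.168.1.100 port 54321 ssh2"
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Failed password|Accepted password|Accepted publickey) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)

SENSITIVE_USERS = {"root", "admin"}  # the accounts the lab calls "sensitive users"


def parse_auth_line(line, year=2024):
    """Parse one sshd auth.log line into a dict, or return None for any other line.
    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "host": m["host"],
        "pid": int(m["pid"]),
        "outcome": m["outcome"],
        "invalid_user": m["invalid"] is not None,
        "user": m["user"],
        "ip": m["ip"],
        "port": int(m["port"]),
    }


def count_failures_by_ip(lines, year=2024):
    """Equivalent of: grep "Failed password" auth.log | awk '{print $(NF-3)}' | sort | uniq -c"""
    events = (parse_auth_line(l, year) for l in lines)
    return Counter(e["ip"] for e in events if e and e["outcome"] == "Failed password")


def detect_bruteforce(lines, year=2024, threshold=20, window_minutes=5, min_failures_before_success=3):
    """Apply the lab's three 'what to look for' checks and return the findings."""
    events = sorted((e for e in (parse_auth_line(l, year) for l in lines) if e), key=lambda e: e["ts"])
    window = timedelta(minutes=window_minutes)
    recent_fails = defaultdict(list)   # ip -> failure timestamps inside the sliding window
    total_fails = Counter()            # ip -> all failures seen so far
    bursts, sensitive, success_after = set(), set(), set()

    for e in events:
        if e["outcome"] == "Failed password":
            fails = recent_fails[e["ip"]]
            fails.append(e["ts"])
            # Drop failures that fell out of the window, then test the threshold.
            while fails and e["ts"] - fails[0] > window:
                fails.pop(0)
            if len(fails) >= threshold:
                bursts.add(e["ip"])
            total_fails[e["ip"]] += 1
            if e["user"] in SENSITIVE_USERS:
                sensitive.add((e["ip"], e["user"]))
        elif total_fails[e["ip"]] >= min_failures_before_success:
            # An accepted login from an IP that already failed repeatedly.
            success_after.add((e["ip"], e["user"]))

    return {
        "failure_bursts": sorted(bursts),
        "sensitive_targets": sorted(sensitive),
        "success_after_failures": sorted(success_after),
    }


# Constructed sample log: one benign typo by alice, then a burst against root and
# admin from 203.0.113.45 that ends in an accepted password.
SAMPLE_LOG = [
    "Apr  7 10:40:01 ubuntu sshd[1200]: Failed password for alice from 192.168.1.20 port 50122 ssh2",
    "Apr  7 10:40:09 ubuntu sshd[1201]: Accepted publickey for alice from 192.168.1.20 port 50123 ssh2",
] + [
    f"Apr  7 10:42:{i:02d} ubuntu sshd[{2000 + i}]: Failed password for root from 203.0.113.45 port {40000 + i} ssh2"
    for i in range(25)
] + [
    "Apr  7 10:42:30 ubuntu sshd[2100]: Failed password for invalid user admin from 203.0.113.45 port 40100 ssh2",
    "Apr  7 10:43:05 ubuntu sshd[2200]: Accepted password for root from 203.0.113.45 port 40200 ssh2",
]

if __name__ == "__main__":
    for ip, n in count_failures_by_ip(SAMPLE_LOG).most_common():
        print(f"{n:6d} {ip}")
    for name, hits in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

The sliding window matters: a plain per-IP count would also flag an administrator who mistypes a password a few times a day over a month, whereas the window only fires when the failures are packed into a few minutes, which is what an automated guesser produces. Run it on a real file with `detect_bruteforce(open("/var/log/auth.log"))` and the year the log was written in.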

✅ Conclusion

•	Auth logs are vital for detecting brute force login attempts

•	Multiple failures from a single IP is a strong signal of attack

•	Combine log analysis with tools like fail2ban to block repeat offenders automatically

📸 Submission

Submit a screenshot showing:

•	failed login entries from the same IP

•	Username attempted

PowerShell for Security Analysts

________________________________________

1. Introduction to PowerShell

PowerShell is a powerful command-line shell and scripting language developed by Microsoft, designed specifically for system administration. It is built on the .NET framework and is widely used for automating tasks, managing configurations, and performing administrative tasks on both Windows and Linux systems.

Why Should Security Analysts Learn PowerShell?

•	Automation and Efficiency: Automate repetitive tasks such as log analysis, system audits, and security monitoring.

•	Incident Response: Quickly collect forensic artifacts, investigate suspicious activities, and respond to incidents.

•	Threat Hunting: Identify anomalous behaviours by querying system information and event logs.

•	Red Teaming and Blue Teaming: Used by attackers for persistence and lateral movement, making it crucial for defenders to understand its capabilities.

________________________________________

2. Overview of Cmdlets, Scripts, and the PowerShell Environment

2.1 Cmdlets

•	Cmdlets (pronounced "command-lets") are the building blocks of PowerShell. They are lightweight commands that perform specific operations.

•	Syntax: Verb-Noun (e.g., Get-Process, Set-Item, New-User)

•	Example:

```powershell
Get-Process                    # Lists all running processes
Get-Service                    # Displays all services on the system
Get-EventLog -LogName Security # Retrieves security event logs
```

2.2 Scripts

•	Scripts are text files containing a series of PowerShell commands saved with the .ps1 extension.

•	They allow automation of complex tasks by executing multiple cmdlets in sequence.

•	Example Script (Get-SystemInfo.ps1):

```powershell
# Get System Information
Get-ComputerInfo
Get-Process | Where-Object {$_.CPU -gt 100}  # High CPU usage processes
Get-EventLog -LogName Security -Newest 10
```

2.3 The PowerShell Environment

•	Console and ISE: PowerShell can be executed from the traditional console or the Integrated Scripting Environment (ISE).

•	Modules: Packages containing cmdlets, functions, variables, and other resources.

•	Pipeline (|): Used to pass output from one cmdlet as input to another.

Get-Process | Where-Object {$_.CPU -gt 50} | Select-Object ProcessName, CPU

________________________________________

3. Understanding the Execution Policy

Execution Policy in PowerShell determines the conditions under which PowerShell loads configuration files and runs scripts.

Types of Execution Policies

1.	Restricted: Default setting allows no scripts to run.

2.	AllSigned: Only scripts signed by a trusted publisher can be run.

3.	RemoteSigned: Local scripts can run, but scripts downloaded from the internet must be signed.

4.	Unrestricted: Scripts are allowed to run without restrictions.

5.	Bypass: No restrictions; used for automation.

Checking and Setting Execution Policy

Get-ExecutionPolicy        # Check current execution policy

Set-ExecutionPolicy RemoteSigned   # Set to RemoteSigned

### Best Practice for Security Analysts

•	Always set the policy to RemoteSigned or AllSigned to prevent unauthorized scripts from running.

•	Use Bypass only in controlled environments, such as for incident response scripts.

4. Use Cases for Security Analysts

4.1 Incident Response

•	Collect logs and system artifacts for forensic analysis.

Get-EventLog -LogName Security -Newest 100 | Export-Csv C:\Logs\SecurityLogs.csv

4.2 Threat Hunting

•	Identify suspicious processes or unusual network activity.

Get-Process | Where-Object { $_.CPU -gt 80 }

Get-NetTCPConnection | Where-Object { $_.RemotePort -eq 4444 }

4.3 Vulnerability Assessment

•	Check for missing security patches.

Get-HotFix | Where-Object { $_.InstalledOn -lt (Get-Date).AddMonths(-6) }

4.4 Security Audits and Compliance

•	Audit user accounts and permissions.

Get-LocalUser

Get-LocalGroupMember -Group "Administrators"

4.5 Automation and Scripting

•	Automate repetitive security tasks like log cleanup or system health checks.

Get-EventLog -LogName Application -EntryType Error -Newest 50 | Out-File C:\Logs\ErrorLogs.txt

5. PowerShell Basics

5.1 Basic Commands

Get-Help Get-Process   # Display help for a cmdlet

Get-Command            # List all available cmdlets

Get-Module             # List all imported modules

5.2 Variables and Data Types

$Name = "Security Analyst"

$Number = 42

$Array = @(1, 2, 3, 4)

5.3 Loops and Conditionals

```powershell
# If-Else statement
$CPUUsage = Get-Process | Where-Object { $_.CPU -gt 80 }
If ($CPUUsage) {
    Write-Host "High CPU Usage Detected"
} Else {
    Write-Host "CPU Usage is Normal"
}

# ForEach loop
$Processes = Get-Process
ForEach ($Process in $Processes) {
    Write-Host $Process.ProcessName
}
```

5.4 Functions

Function Get-HighCPU {

    Param($Threshold = 50)

    Get-Process | Where-Object { $_.CPU -gt $Threshold }

}

Get-HighCPU -Threshold 80

6. PowerShell Command Cheatsheet for Security Analysts

6.1 System Information

Get-ComputerInfo                    # System Information

Get-WmiObject Win32_OperatingSystem  # Detailed OS Information

6.2 Process and Service Monitoring

Get-Process                         # List Running Processes

Get-Service                         # List Installed Services

Stop-Process -Name "notepad"         # Stop a process by name

6.3 Network Information

Get-NetAdapter                      # Network Adapter Information

Get-NetTCPConnection                 # Active Network Connections

6.4 Event Log Analysis

Get-EventLog -LogName Security -Newest 100

Get-WinEvent -LogName Application -MaxEvents 50

6.5 File and Directory Management

Get-ChildItem -Path C:\Logs -Recurse # List all files in a directory

Remove-Item -Path C:\Logs\*.log       # Delete all log files

6.6 User and Permissions Auditing

Get-LocalUser                        # List all Local Users

Get-LocalGroup                       # List all Local Groups

Get-LocalGroupMember -Group "Administrators" # List Administrators group members

7. Summary

•	PowerShell is a versatile and powerful tool for Security Analysts.

•	Use cmdlets to perform system audits, incident response, and threat hunting.

•	Leverage scripts for automation of repetitive security tasks.

•	Set execution policies securely (preferably RemoteSigned).

•	Always review and understand scripts before execution to prevent malicious activities.

•	Continuously learn and update your PowerShell skills to stay ahead of attackers.

# 2. SOC Analyst Enhancement Layer
## Analyst Mindset

| Analyst Question | Why It Matters |
|---|---|
| Who performed the action? | Identifies the user, service account or attacker context |
| Which host was involved? | Scopes the affected assets |
| Which process or service generated the event? | Helps separate normal administrative activity from suspicious behaviour |
| What happened before and after? | Builds the timeline and the attacker's sequence of actions |
| Is this normal for this user or host? | Supports baselining and anomaly detection |
| What is the business impact? | Helps prioritise the response |

# 3. Linux Log Analysis Expert Commands
## View Important Logs

```bash
sudo less /var/log/auth.log
sudo less /var/log/syslog
sudo less /var/log/kern.log
sudo journalctl -xe
```

## Monitor Authentication Logs in Real Time

```bash
sudo tail -f /var/log/auth.log
```

## Detect Failed SSH Logins

```bash
sudo grep "Failed password" /var/log/auth.log
```

## Count Failed SSH Logins by Source IP

```bash
sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr
```

## Detect Successful SSH Logins

```bash
sudo grep "Accepted" /var/log/auth.log
```

## Detect Sudo Abuse or Privilege Escalation Attempts

```bash
sudo grep "sudo" /var/log/auth.log
sudo grep "authentication failure" /var/log/auth.log
```

## Journalctl Investigation Commands

```bash
sudo journalctl --since "1 hour ago"
sudo journalctl -u ssh --since "today"
sudo journalctl -p warning..alert
```

### Analyst Interpretation

These commands help identify failed authentication, successful access, privilege escalation attempts and unusual service activity. In a SOC workflow these logs support initial triage, timeline construction and containment decisions.

# 4. Windows Security Log Hunting
## High-Value Windows Event IDs

| Event ID | Meaning | SOC Use Case |
|---:|---|---|
| 4624 | Successful logon | Validate access and logon type |
| 4625 | Failed logon | Detect brute force and password spraying |
| 4634 | Logoff | Session timeline analysis |
| 4672 | Special privileges assigned | Identify privileged access |
| 4720 | User account created | Detect suspicious account creation |
| 4726 | User account deleted | Detect account tampering |
| 4732 | User added to a local group | Detect privilege escalation |
| 4740 | Account locked out | Detect the outcome of brute force |
| 4688 | Process creation | Detect suspicious execution, if enabled |

## PowerShell: Detect Failed Logons

```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 20 | Select-Object TimeCreated, Id, ProviderName, Message
```

## PowerShell: Detect Successful Logons

```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} -MaxEvents 20 | Select-Object TimeCreated, Id, ProviderName, Message
```

## PowerShell: Detect Privileged Logons

```powershell
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4672} -MaxEvents 20 | Select-Object TimeCreated, Id, Message
```

### Analyst Interpretation

Not every failed logon event is malicious. Correlate repeated failures, the source IP address, the account name, the logon type, the time of day and whether a successful logon occurred shortly after the failures.

# 5. PowerShell Threat Hunting
## Important PowerShell Event IDs

| Event ID | Meaning | Detection value |
|---:|---|---|
| 4103 | Module logging | Captures command invocation details |
| 4104 | Script block logging | Captures script content and suspicious commands |
| 400 | Engine start | PowerShell started |
| 403 | Engine stop | PowerShell stopped |
| 600 | Provider lifecycle | Provider activity |

## Detect PowerShell script block logs

```
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object {$_.Id -eq 4104} | Select-Object TimeCreated, Id, Message -First 20
```

## Hunt for encoded commands

```
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object {$_.Message -match "EncodedCommand|FromBase64String|IEX|Invoke-Expression"} | Select-Object TimeCreated, Id, Message
```

## Hunt for download activity

```
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object {$_.Message -match "Invoke-WebRequest|curl|wget|DownloadString|WebClient"} | Select-Object TimeCreated, Id, Message
```

## Hunt for local user enumeration

```
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object {$_.Message -match "Get-LocalUser|net user|whoami|Get-ADUser"} | Select-Object TimeCreated, Id, Message
```

### Analyst interpretation

PowerShell is trusted, built into Windows and extremely powerful for administration. SOC analysts should focus on suspicious intent and the surrounding context rather than on the tool itself.

# 6. Network-Based Attack Detection with UFW
## Enable UFW and logging

```
sudo apt update
sudo apt install ufw -y
sudo ufw enable
sudo ufw logging on
sudo ufw logging high
sudo ufw status verbose
```

## Deny traffic from the lab attacker IP

Replace `ATTACKER-IP` with the IP address of your authorised lab machine.

```
sudo ufw deny from ATTACKER-IP to any port 80 proto tcp
sudo ufw reload
```

## Monitor the UFW log

```
sudo tail -f /var/log/ufw.log
```

## Filter blocked traffic

```
sudo grep "UFW BLOCK" /var/log/ufw.log
```

## Identify the targeted destination ports

```
sudo grep "UFW BLOCK" /var/log/ufw.log | grep -o "DPT=[0-9]*" | sort | uniq -c | sort -nr
```

## Identify the source IPs

```
sudo grep "UFW BLOCK" /var/log/ufw.log | grep -o "SRC=[0-9.]*" | sort | uniq -c | sort -nr
```

## Safe, authorised Nmap test

Run this only against your own Ubuntu target VM:

```
nmap -p80 TARGET-IP
```

### Analyst interpretation

A single blocked connection can be normal. Repeated blocked connections from the same source across multiple ports may indicate reconnaissance in progress.

# 7. SSH Brute-Force Detection
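The grep/awk pipelines in section 3 and in this section each answer one question about `/var/log/auth.log`. The Python below, an added example that is not code from the CyberNova lab, parses the sshd lines once and answers all of them: failures per IP and per user (handling both the plain and the `invalid user` line forms), one source trying many usernames, and the strongest signal named in this section, a successful login shortly after failures from the same IP. The log lines, hostnames, IP addresses and thresholds are assumptions constructed for the example.

```python
"""Parse sshd lines from /var/log/auth.log and apply the SSH brute-force
checks: failures per IP and per user, one source trying many usernames, and
a successful login shortly after failures. Added example, not code from the
CyberNova lab; the log lines are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Covers "Failed password for alice from IP", "Failed password for invalid
# user bob from IP" and "Accepted password|publickey for alice from IP".
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

SAMPLE_AUTH_LOG = """\
Mar 10 09:14:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 09:14:03 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 09:14:05 web01 sshd[2214]: Failed password for cecilia from 203.0.113.7 port 51138 ssh2
Mar 10 09:14:08 web01 sshd[2216]: Failed password for invalid user oracle from 203.0.113.7 port 51144 ssh2
Mar 10 09:14:20 web01 sshd[2220]: Accepted password for cecilia from 203.0.113.7 port 51160 ssh2
Mar 10 09:14:20 web01 sshd[2220]: pam_unix(sshd:session): session opened for user cecilia by (uid=0)
Mar 10 09:30:00 web01 sshd[2300]: Accepted publickey for deploy from 192.0.2.10 port 40001 ssh2
Mar 10 09:31:00 web01 sshd[2302]: Failed password for deploy from 198.51.100.3 port 40100 ssh2
"""


def parse_auth_log(text, year=2024):
    """One event dict per sshd authentication result line; other lines are skipped.
    syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "method": m["method"], "user": m["user"], "ip": m["ip"],
                       "invalid_user": "invalid user" in line})
    return events


def failures_by_ip(events):
    """Same result as: grep "Failed password" | awk '{print $(NF-3)}' | sort | uniq -c."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def failures_by_user(events):
    """Failure count per username, whether or not the user exists."""
    return Counter(e["user"] for e in events if e["result"] == "Failed")


def brute_force_sources(events, threshold=3):
    """IPs with at least `threshold` failures (threshold is an assumption)."""
    return {ip: n for ip, n in failures_by_ip(events).items() if n >= threshold}


def spraying_sources(events, min_users=3):
    """IPs that failed against many distinct usernames (enumeration / spraying)."""
    users = defaultdict(set)
    for e in events:
        if e["result"] == "Failed":
            users[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}


def success_after_failures(events, window_minutes=10, min_failures=2):
    """Accepted logins preceded, within the window and from the same IP, by at
    least `min_failures` failures: the strongest signal in this section."""
    hits = []
    failed_at = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] == "Failed":
            failed_at[e["ip"]].append(e["ts"])
            continue
        recent = [t for t in failed_at[e["ip"]]
                  if (e["ts"] - t).total_seconds() <= window_minutes * 60]
        if len(recent) >= min_failures:
            hits.append({"ts": e["ts"].isoformat(), "host": e["host"], "ip": e["ip"],
                         "user": e["user"], "prior_failures": len(recent)})
    return hits


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    print("Failures by IP:", failures_by_ip(ev).most_common())
    print("Failures by user:", failures_by_user(ev).most_common())
    print("Brute-force sources:", brute_force_sources(ev))
    print("Spraying sources:", spraying_sources(ev))
    print("Success after failures:", success_after_failures(ev))
```

Feed it the output of `sudo zgrep sshd /var/log/auth.log*` to cover rotated logs as well; the `success_after_failures` hit is the one to escalate first, and the `invalid_user` flag tells you whether the attempted name even exists on the host.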
## Detect failed SSH attempts

```
sudo grep "Failed password" /var/log/auth.log
```

## Count attempts by username

```
# Prints the username for both "Failed password for alice" and "Failed password for invalid user bob"
sudo grep "Failed password" /var/log/auth.log | awk '{for(i=1;i<=NF;i++) if($i=="for") print ($(i+1)=="invalid" ? $(i+3) : $(i+1))}' | sort | uniq -c | sort -nr
```

## Count attempts by IP address

```
sudo grep "Failed password" /var/log/auth.log | grep -oE "from ([0-9]{1,3}\.){3}[0-9]{1,3}" | awk '{print $2}' | sort | uniq -c | sort -nr
```

## Detect a successful login after failures

```
sudo grep -E "Failed password|Accepted password|Accepted publickey" /var/log/auth.log
```

## Install Fail2Ban

```
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo fail2ban-client status
```

### Analyst interpretation

The strongest signal is repeated failures followed by a successful login, especially when it comes from an unusual IP address or targets a privileged account.

# 8. MITRE ATT&CK Mapping
| Lab activity | Likely MITRE technique | Explanation |
|---|---|---|
| Failed Windows logon attempts | T1110 - Brute Force | Repeated authentication attempts |
| Successful login after failures | T1078 - Valid Accounts | The attacker may have obtained valid credentials |
| PowerShell command execution | T1059.001 - PowerShell | Command and scripting interpreter abuse |
| User enumeration | T1087 - Account Discovery | Listing users after gaining access |
| Nmap port scan | T1046 - Network Service Discovery | Discovering exposed services |
| Scheduled task persistence | T1053.005 - Scheduled Task | Persistence via the Windows Task Scheduler |
| Firewall block events | Reconnaissance indicator | Shows probing or blocked connection attempts |

# 9. SIEM Detection Examples
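The Sentinel and Splunk queries in this section express the same threshold (five failed logons per account, host and source IP), but only the KQL version bins by time, and the bin boundary changes what gets caught. The Python below is an added example, not code from the CyberNova lab, that reproduces both counts over constructed 4625/4624 records using SecurityEvent-style field names so the difference is visible on sample data; account names, hosts, IPs and timestamps are assumptions constructed for the example.

```python
"""Python version of the lab's SIEM threshold logic for Event ID 4625: the
Sentinel query counts failures per Account, Computer and IpAddress inside
15-minute bins; the Splunk query counts them with no time bin. Added example,
not code from the CyberNova lab; the records are constructed."""
from collections import Counter
from datetime import datetime, timedelta


def _rec(ts, event_id, account, computer, ip, logon_type):
    return {"TimeGenerated": ts, "EventID": event_id, "Account": account,
            "Computer": computer, "IpAddress": ip, "LogonType": logon_type}


SAMPLE_SECURITY_EVENTS = (
    # six failures for a service account inside one 15-minute bin
    [_rec(f"2024-03-10T08:0{m}:00", 4625, "CORP\\svc_backup", "HOST-A", "10.0.0.5", 3)
     for m in (1, 2, 3, 5, 7, 9)]
    # three failures for a user spread over two bins (ordinary typo behaviour)
    + [_rec(t, 4625, "CORP\\jsmith", "HOST-B", "10.0.0.8", 2)
       for t in ("2024-03-10T08:05:00", "2024-03-10T08:12:00", "2024-03-10T08:20:00")]
    # six failures that straddle the 08:15 bin boundary, three on each side
    + [_rec(t, 4625, "CORP\\tlee", "HOST-C", "10.0.0.9", 3)
       for t in ("2024-03-10T08:13:00", "2024-03-10T08:13:30", "2024-03-10T08:14:00",
                 "2024-03-10T08:16:00", "2024-03-10T08:16:30", "2024-03-10T08:17:00")]
    # a successful logon (4624) that the 4625 filter must ignore
    + [_rec("2024-03-10T08:10:00", 4624, "CORP\\svc_backup", "HOST-A", "10.0.0.5", 3)]
)


def bin_start(ts_iso, minutes=15):
    """Floor an ISO timestamp to the start of its bin, like KQL bin(TimeGenerated, 15m)."""
    ts = datetime.fromisoformat(ts_iso)
    floored = ts - timedelta(minutes=ts.minute % minutes, seconds=ts.second,
                             microseconds=ts.microsecond)
    return floored.isoformat()


def failed_logon_bursts(events, threshold=5, bin_minutes=15):
    """Sentinel-style: {(Account, Computer, IpAddress, bin_start): count} at/above threshold."""
    counts = Counter()
    for e in events:
        if e["EventID"] != 4625:
            continue
        key = (e["Account"], e["Computer"], e["IpAddress"],
               bin_start(e["TimeGenerated"], bin_minutes))
        counts[key] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def failed_logon_totals(events, threshold=5):
    """Splunk-style: stats count by Account_Name, src_ip, host with no time bin."""
    counts = Counter((e["Account"], e["IpAddress"], e["Computer"])
                     for e in events if e["EventID"] == 4625)
    return {k: n for k, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("KQL-style 15m bins:", failed_logon_bursts(SAMPLE_SECURITY_EVENTS))
    print("SPL-style totals:", failed_logon_totals(SAMPLE_SECURITY_EVENTS))
```

On the sample, the binned count catches `svc_backup` (six failures inside 08:00-08:15) but misses `tlee`, whose six failures straddle the 08:15 boundary and land three per bin; the unbinned count flags both but, over a long search window, will also accumulate unrelated typos. A sliding window over the raw timestamps avoids the boundary effect at the cost of a more expensive query, and the `LogonType` field is worth adding to the group key so network (type 3) and interactive (type 2) failures are thresholded separately.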
## Microsoft Sentinel KQL: Windows failed logons

```
SecurityEvent
| where EventID == 4625
| summarize FailedAttempts=count() by Account, Computer, IpAddress, bin(TimeGenerated, 15m)
| where FailedAttempts >= 5
```

## Microsoft Sentinel KQL: PowerShell encoded commands

```
Event
| where Source == "Microsoft-Windows-PowerShell"
| where RenderedDescription has_any ("EncodedCommand", "FromBase64String", "Invoke-Expression", "IEX")
```

## Splunk SPL: Windows failed logons

```
index=windows sourcetype=WinEventLog:Security EventCode=4625
| stats count by Account_Name, src_ip, host
| where count >= 5
```

## Splunk SPL: Linux SSH brute force

```
index=linux "Failed password"
| rex "from (?<src_ip>\d+\.\d+\.\d+\.\d+)"
| stats count by src_ip, host
| where count >= 5
```

## Sigma rule: suspicious PowerShell encoded command

```
title: Suspicious PowerShell Encoded Command
id: cybernova-powershell-encoded-command
status: experimental
description: Detects PowerShell commands using encoded command patterns.
logsource:
  product: windows
  category: ps_script
detection:
  selection:
    ScriptBlockText|contains:
      - 'EncodedCommand'
      - 'FromBase64String'
      - 'Invoke-Expression'
      - 'IEX'
  condition: selection
level: high
```

# 10. Analyst Report Template
## Incident summary

| Field | Details |
|---|---|
| Alert name | |
| Date / time | |
| Analyst | |
| Affected host | |
| Affected user | |
| Source IP | |
| Severity | Low / Medium / High / Critical |
| MITRE technique | |

## Investigation notes

```
What happened?
Who was involved?
What evidence supports the finding?
Was the activity authorised?
Was containment required?
```

## Recommended response actions

- Confirm whether the user activity was authorised.
- Review the authentication history.
- Check for a successful login after repeated failures.
- Isolate the affected host if compromise is suspected.
- Reset credentials if account compromise is suspected.
- Block the malicious source IP once confirmed.
- Preserve logs and screenshots as evidence.

# CyberNova Linux + Windows Log Command SOC Cheat Sheet

## Advanced Authentication Investigation | Brute-Force Detection | Privilege Escalation | Threat Hunting
# Contents

1. Linux authentication log investigation
2. Viewing the authentication logs
3. Failed login attempts
4. Counting failed attempts by IP
5. Successful logins
6. Invalid user login attempts
7. SSH login activity
8. Failed sudo attempts
9. journalctl investigation
10. Login history
11. Filtering by username
12. Filtering by date and recent entries
13. Combined SOC filters
14. Rotated log investigation
15. Quick summary script
16. Defensive actions
17. Windows user enumeration
18. Windows privilege-escalation detection
19. Windows event log investigation
20. MITRE ATT&CK mapping

# Linux Authentication Log Investigation

To investigate brute-force attempts, authentication activity and general logs under `/var/log` on Linux, you will mainly work with system logs such as:

| Log source | Purpose |
|---|---|
| `/var/log/auth.log` | Authentication log on Ubuntu/Debian |
| `/var/log/secure` | Authentication log on RHEL/CentOS/Rocky/AlmaLinux |
| `/var/log/syslog` | General system activity |
| `journalctl` | systemd journal |
| `/var/log/faillog` | Failed login attempts |
| `/var/log/fail2ban.log` | IPs banned by Fail2Ban |

# 1. Viewing the authentication logs

## Ubuntu / Debian

```
sudo less /var/log/auth.log
```

## RHEL / CentOS / Rocky / AlmaLinux

```
sudo less /var/log/secure
```

# 2. Finding failed login attempts

## Debian / Ubuntu

```
sudo grep "Failed password" /var/log/auth.log
```

## RHEL / CentOS / Alma / Rocky

```
sudo grep "Failed password" /var/log/secure
```

## Alternative authentication-failure detection

```
sudo grep "authentication failure" /var/log/auth.log
```

# Failed login attempts showing only the IP address

```
sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}'
```

# 3. Counting failed attempts by IP

```
sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr
```

## What this shows

| Output | Meaning |
|---|---|
| Count | Number of failed attempts |
| IP address | Source of the failed login activity |

## SOC analyst use case

This is ideal for detecting:

- Brute-force attacks
- Password spraying
- Credential stuffing
- Repeated attacker activity from a single IP

# 4. Successful logins

## Debian / Ubuntu

```
sudo grep "Accepted password" /var/log/auth.log
```

## RHEL-based systems

```
sudo grep "Accepted password" /var/log/secure
```

## Session opened events

```
sudo grep "session opened" /var/log/auth.log
```

# 5. Invalid user login attempts

```
sudo grep "Invalid user" /var/log/auth.log
```

## Why this matters

Invalid-user attempts usually indicate:

- Username enumeration
- Bot scanning
- Brute-force preparation
- Credential stuffing
- Attacker reconnaissance

# 6. All SSH login activity

```
sudo grep "sshd" /var/log/auth.log
```

## SSH failed password activity

```
sudo grep "sshd" /var/log/auth.log | grep "Failed password"
```

# 7. Failed sudo attempts

```
sudo grep "authentication failure" /var/log/auth.log
```

## Security insight

Failed sudo attempts may indicate:

- Privilege-escalation attempts
- Insider misuse
- A compromised low-privilege account
- An attacker trying to obtain root access

# 8. Using journalctl on systemd systems

## Failed SSH logins

```
sudo journalctl -u ssh | grep "Failed password"
```

## On some systems

```
sudo journalctl -u sshd | grep "Failed password"
```

## Successful SSH logins

```
sudo journalctl -u ssh | grep "Accepted password"
```

## The last hour

```
sudo journalctl --since "1 hour ago"
```

## Live log

```
sudo journalctl -f
```

# 9. Login history

## Successful login history

```
last
```

## Failed login history

```
sudo lastb
```

## Reboot history

```
last reboot
```

# 10. Filtering by username

```
sudo grep "Failed password for username" /var/log/auth.log
```

## Example

```
sudo grep "Failed password for cecilia" /var/log/auth.log
```

# 11. Filtering by date or recent entries

## Last 50 lines of the authentication log

```
sudo tail -50 /var/log/auth.log
```

## Follow login attempts live

```
sudo tail -f /var/log/auth.log
```

## Today's failed logins

```
sudo grep "$(date '+%b %e')" /var/log/auth.log | grep "Failed password"
```

# 12. Useful combined filters

## Failed + invalid + accepted logins

```
sudo egrep "Failed password|Invalid user|Accepted password" /var/log/auth.log
```

## Show only the usernames from failed attempts

```
# Prints the username for both "Failed password for alice" and "Failed password for invalid user bob"
sudo grep "Failed password" /var/log/auth.log | awk '{for(i=1;i<=NF;i++) if($i=="for") print ($(i+1)=="invalid" ? $(i+3) : $(i+1))}'
```

## Show source IP and username

```
sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3), $(NF-5)}'
```

# 13. If the logs have been rotated

## Search old compressed Ubuntu/Debian logs

```
sudo zgrep "Failed password" /var/log/auth.log*
```

## Search old compressed RHEL-based logs

```
sudo zgrep "Failed password" /var/log/secure*
```

# 14. Quick summary script

```
sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | head
```

## What it does

It shows the IPs responsible for the most failed logins.

## SOC value

Use it for:

- Rapid triage
- Brute-force investigation
- Incident response
- SSH attack detection

# Exploring all logs in /var/log

```
ls -lh /var/log
```

## Common important logs

| Log | Purpose |
|---|---|
| `auth.log` | Authentication |
| `syslog` | General system log |
| `kern.log` | Kernel log |
| `dmesg` | Boot messages |
| `fail2ban.log` | Banned IPs, if Fail2Ban is installed |

# Searching all logs for suspicious activity

```
sudo grep -i "fail" /var/log/*
```

## Recursive search

```
sudo grep -Ri "failed password" /var/log/
```

# What to look for

| Indicator | Possible meaning |
|---|---|
| Repeated failures from the same IP | Brute force |
| Multiple usernames attempted | Credential stuffing |
| Root login attempts | Targeting of a high-risk account |
| Logins at unusual hours | Suspicious access |
| Success after multiple failures | Possible compromise |
| Unknown foreign IP | Suspicious remote access |

# Defensive actions

If brute force is detected:

## Install Fail2Ban

```
sudo apt install fail2ban
```

## Enable Fail2Ban

```
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
```

## Check Fail2Ban status

```
sudo systemctl status fail2ban
```

## Block an IP manually with UFW

Replace `ATTACKER-IP` with the address you want to block.

```
sudo ufw deny from ATTACKER-IP
```

# Windows User Enumeration and Account Investigation

Windows user and permission commands are essential for:

- Account investigation
- Privilege-escalation detection
- Insider-threat investigation
- Compromised-account response
- Persistence detection

# 1. User enumeration commands

| Command | Explanation | Cybersecurity use |
|---|---|---|
| `net user` | Lists all local users | Enumeration |
| `net user username` | Shows user details | Account investigation |
| `net user username password` | Changes the password | Admin reset / attacker action |
| `net user username /add` | Creates a new user | Persistence |
| `net user username /delete` | Deletes a user | Cleanup / defence |
| `net user username /active:no` | Disables the account | Lock a compromised account |
| `net user username /active:yes` | Enables the account | Restore access |
| `net user username *` | Prompts for the password | Secure password entry |

# Windows user command examples

## List all local users

```
net user
```

## Investigate a specific user

```
net user username
```

## Create a new user

```
net user analyst Password123! /add
```

## Delete a user

```
net user analyst /delete
```

## Disable a compromised account

```
net user analyst /active:no
```

## Enable an account

```
net user analyst /active:yes
```

## Secure password prompt

```
net user analyst *
```

# 2. Privilege-escalation detection

| Command | Explanation | Threat use |
|---|---|---|
| `net localgroup administrators` | Lists administrators | Identify privileged users |
| `net localgroup administrators username /add` | Adds a user to the Administrators group | Privilege escalation |
| `net localgroup administrators username /delete` | Removes administrator rights | Defence |

# Windows permission command examples

## List local administrators

```
net localgroup administrators
```

## Add a user to local administrators

```
net localgroup administrators username /add
```

## Remove a user from local administrators

```
net localgroup administrators username /delete
```

# Windows SOC investigation commands

## View recent security events

```
Get-WinEvent -LogName Security -MaxEvents 50
```

## Failed logons - Event ID 4625

```
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625}
```

## Successful logons - Event ID 4624

```
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624}
```

## Privileged logons - Event ID 4672

```
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4672}
```

## User added to a local group - Event ID 4732

```
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4732}
```

# Blue team detection tips

Always investigate:

- New users that appear unexpectedly
- Disabled accounts
- Re-enabled accounts
- New administrator accounts
- Changes to administrator group membership
- Failed logons followed by a successful logon
- Administrator activity outside business hours

# MITRE ATT&CK Mapping

| Activity | MITRE technique | Meaning |
|---|---|---|
| Failed login attempts | T1110 Brute Force | Password guessing |
| Multiple usernames attempted | T1110.003 Password Spraying | Credential attack |
| Successful login after failures | T1078 Valid Accounts | Possible account compromise |
| New local user created | T1136 Create Account | Persistence |
| User added to the administrators group | T1068 / T1078 | Privilege escalation / valid accounts |
| SSH scanning | T1046 Network Service Discovery | Reconnaissance |
| Sudo abuse | T1548 Abuse Elevation Control Mechanism | Privilege escalation |

# CyberNova Pro Tip

This is why:

# Identity = the New Perimeter

# Final SOC Summary

- Linux authentication logs help detect brute force and SSH abuse.
- `journalctl` provides powerful systemd-based event visibility.
- `last` and `lastb` quickly reveal login history.
- Windows `net user` commands are powerful for account investigation.
- Windows local group commands reveal privilege escalation.
- Event IDs 4624, 4625, 4672 and 4732 are critical for SOC investigations.
- Always correlate failed login activity with successful logins.
- Context beats alerts.
- Investigation beats assumption.
# 11. Final Checklist

| Task | Done |
|---|---|
| Reviewed Linux log locations | ☐ |
| Practised `journalctl` and `/var/log/auth.log` analysis | ☐ |
| Generated Windows Security Event ID 4625 | ☐ |
| Reviewed PowerShell Event IDs 4103 and 4104 | ☐ |
| Simulated a safe Nmap scan in an authorised lab | ☐ |
| Enabled UFW logging | ☐ |
| Captured evidence screenshots | ☐ |
| Mapped events to MITRE ATT&CK | ☐ |
| Wrote the analyst report | ☐ |
| Added the lab evidence to the portfolio | ☐ |

# Final Professional Summary

Logs are the evidence layer of cybersecurity operations. For SOC analysts, Windows administrators, Linux administrators and threat hunters, log analysis turns raw events into security intelligence. This lab builds the practical foundation needed to detect authentication attacks, PowerShell abuse, network reconnaissance, SSH brute-force activity and early indicators of compromise.