Saturday, June 20, 2015

More artifacts through PowerShell - Part 1

Identify currently logged in user.

If the requirement is to get only the logged in user along with the time of login then use "whoami' or "quser".

To see the privileges assigned for the currently logged in user.

whoami /priv /fo csv | convertfrom-csv | ft -auto -wrap

To identify the user profiles created.

User profiles can be checked by looking at the below registry location using Get-ItemProperty CmdLet.

Get-ItemProperty hklm:'\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' |Select-Object PSChildName, ProfileImagePath | ft -auto -wrap

To identify users and processes that were started.

There are multiple commands that can be used but the builtin command 'qprocess' is the optimal one. It is similar to tasklist, but produces better output. It shows username, session id, pid, and image name.

Another useful command is 'qwinsta'. This builtin command shows RDP sessions as well.

'quser' is another useful command; this shows the logged in users, session name, time, etc. This command is extremely useful in a server environment.

To see if the user is part of administrator group.

net localgroup administrators .This command will show all the users that are part of the group 'administrators'.

No comments: