Investigate Windows

Windos Version

winver

Welcher Benutzer hat sich zuletzt angemeldet?

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI

Wer hat lokale Adminrechte

net localgroup Administrators

Export Sheduled Tasks

schtasks /query /fo list /v > export-tasks.txt

Export Security Logs

wevtutil qe Security /f:text > slogs.txt

Check Hostfile

type C:\Windows\System32\drivers\etc\hosts

Beliebte Posts aus diesem Blog

Shutdown / Lastlogon Analyse

Wer hat das System heruntergefahren: Get-EventLog - LogName system - Source user32 - Newest 1 | fl * Logons der letzten 7 Tage: $filter = @ {     LogName       = 'System'     ProviderName = 'Microsoft-Windows-Winlogon'     StartTime     = ( Get-Date ). AddDays ( -7 ) } $logs = Get-WinEvent - FilterHashtable $filter $res = @ () ForEach ( $log in $logs ) {     if ( $log . Id -eq 7001 ) { $type = "Logon" }     elseif ( $log . Id -eq 7002 ) { $type = "Logoff" }     else { Continue }     # Check if Properties[1] exists before accessing     if ( $log . Properties . Count -gt 1 ) {         try {             $user = ( New-Object System.Security.Principal.SecurityIdentifier $log . Properties [ 1 ]. Value ). Translate ([ System.Security.Principal.NTAccount ])         } catch { ...
Mehr anzeigen