A comprehensive overview of Windows Command Line and PowerShell commands, including their syntax, usage, and examples. It covers a wide range of topics, from basic commands to advanced scripting techniques, and is particularly useful for students and professionals who need to learn about Windows system administration and scripting.
net localgroup: Windows Command Line command that allows you to add, display, and modify local groups.
net user: Windows Command Line command that allows administrators to manage user accounts.
wmic useraccount list brief: Windows Management Instrumentation command-line command that lists user accounts on the local machine.
tasklist /v: Windows Command Line command that displays a list of currently running processes on either a local or remote machine. (Displays verbose task information.)
wmic process list brief: Windows Management Instrumentation command-line command that lists processes available for management.
sc queryex: Windows Command Line utility and subsequent command to query extended statuses for services.
tasklist /svc: Windows Command Line command to display services hosted in each process.
wmic service list brief: Windows Management Instrumentation command-line command for service application management.
ipconfig /all: Windows Command Line command to display all network configuration information.
wmic nicconfig list full: Windows Management Instrumentation command-line command to view all network adapter management information.
arp -a: Windows Command Line command to display Layer 2 information about hosts on the local network.
netstat -anbo: Windows Command Line command to display current TCP/IP network connections, ports, executables involved, owning process IDs, and IP addresses.
systeminfo: Windows Command Line tool to display operating system configuration information for a local or remote machine.
wmic computersystem list brief: Windows Management Instrumentation command-line command to display all computer system management information.
wmic ntdomain: Windows Management Instrumentation command-line command to display NT domain management information.
wmic environment list brief: Windows Management Instrumentation command-line command to display system environment settings.
set: Windows Command Line command to view all current environment variables.
where: Windows Command Line command to find executables within the PATH environment variable.
echo: Windows Command Line command to echo input to stdout.
dir: Windows Command Line command to view the contents of a directory.
type: Windows Command Line command to output the contents of a file to stdout.
findstr: Windows Command Line command to find a specific string within a specific path or file.
class: A general term for grouped objects.
CIM: Common Information Model for Windows. Cross-platform, cross-compatible.
WMIC: Windows Management Instrumentation Command-Line (Windows specific).
multi-threading: A technique that allows a single set of code to be used by several processors at different stages of execution.
namespace: Windows Management Instrumentation is organized into namespaces (folders that correlate products/technology).
format-table or format-list: PowerShell cmdlets to override default cmdlet output. Usually you pipe cmdlet output into these cmdlets.
psinfo: SysInternals tool to show basic system info for a local or remote Windows NT/2000 system.
pslist: SysInternals tool to list processes on a local or remote Windows NT/2000 system.
procmon: SysInternals GUI-based tool to view, monitor, and filter processes running on a machine.
autoruns: SysInternals tool to show what programs are configured to run during system bootup or login.
handle: SysInternals utility to display information about open handles for any process in the system. (See which programs have a file open, or see the object types and names of all the handles of a program.)
logonsessions: SysInternals tool to list the currently active logon sessions.
psloggedon: SysInternals tool that displays the locally logged on users and users logged on via resources for either the local computer or a remote one.
tcpview: A Windows program that will show detailed listings of all TCP and UDP endpoints on the system.
script: Allows for completion of repetitive tasks by the command line.
dir /ah: Windows Command Line command to show hidden files in a directory.
net use: Windows Command Line tool to map a remote drive.
get-help
LSASS (Local Security Authority Subsystem Service): Responsible for enforcing the security policy on the system. Verifies users logging on, handles password changes, and creates access tokens. Writes to the Windows Security Log.
Userinit.exe: Loads the user profile, runs startup programs, starts explorer.exe.
VBR (Volume Boot Record): In Windows 7+, loaded by the MBR; is a boot loader that starts the bootmgr.
bootmgr: Replaces NTLDR, reads Boot Configuration Data and displays the operating system choice screen. Calls winload.exe for a fresh boot or winresume.exe if waking from hibernation.
winload.exe: Loads NTOSKRNL.exe, loads dependencies, loads device drivers; occurs after the bootmgr on a fresh restart/boot.
EFI/UEFI (Extensible/Unified Extensible Firmware Interface): Software interface between the operating system and platform firmware. Replaces the Basic Input/Output System (BIOS) firmware.
HAL.dll (Hardware Abstraction Layer): Provides services primarily to the Windows executive and kernel and to kernel-mode device drivers. Device drivers for devices in kernel mode directly call routines in the HAL to access I/O ports and registers for their devices.
Service Control Manager (SCM): Starts, stops, and interacts with Windows service processes. Started at system boot, it maintains the database of installed services, enumerates installed services, and allows remote procedure call (RPC) so that service configuration and service control programs can manipulate services on remote machines.
wininit.exe: Starts the Service Control Manager (SCM), Local Security Authority Subsystem (LSASS), and Local Session Manager (LSM).
Local Security Authority (LSA): Applications can use this service to authenticate and log users on to the local system.
Security Account Manager (SAM): Authenticates locally on Windows for local logon.
Domain Controller (DC): Authenticates domain logon for users.
new/created process: Process state in which initial execution of the process and its threads begins.
running process: Process state in which the process is currently being executed.
ready process: Process state in which the process is ready to execute when given the opportunity.
waiting process: Process state in which the process can't continue execution until some event occurs (like an I/O read/write).
terminated/exit process: Process state in which the process is being terminated due to a halt or abort.
page: A distinct chunk of memory allocated to a process.
overcommitted: Occurs on an operating system when processes/threads attempt to use more physical memory than is available.
page fault: Occurs when a thread references an invalid page in the page table.
thread: Basic unit to which the OS allocates processor time.
handle: Pointer to an object representing a system resource such as a file or thread. Tracked in the Object Manager; allows each process to access the resource these objects represent. Allows Windows to track access control lists (ACLs) for resources.
trojan: Malware hidden within another legitimate program.
malicious mobile code: Transmitted from a remote host to the local host and executed without user instruction.
blended attack: Multiple infection/transmission methods used together.
backdoor: Malicious program that allows illegitimate access to a machine.
remote access tool (RAT): Malicious program that provides remote command and control of a machine.
rootkit: Malicious program designed to hide and remain persistent on a remote machine.
keylogger: Records keyboard usage of a machine.
botnet client: Application that allows an attacker remote administration/command and control of a botnet.
spyware: Monitors the behavior of a user.
adware: Paid-for ads that infect users as they visit a website.
ransomware: Blocks access to local machine resources, usually encrypts files, and demands payment from the victim.
bot herder: Person in control of a botnet.
botnet: A network of infected machines.
zombie: Individual machine within a botnet.
static analysis: Examining malware without executing it.
dynamic analysis: Examining malware while it is running.
situational awareness: A method of gaining an understanding of the current operating environment on the target machine.
situational awareness targets: Running Processes, Active Users, Network Configuration, Network Communications, Logging, Scheduled Jobs, Aliases.
registry: Hierarchical database of critical system configuration. Configuration and control mechanism for the Windows operating system. Contains system-wide and per-user settings.
registry hive: A group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data.
HKEY_CURRENT_USER (HKCU): Hive key that contains the current user's settings.
HKEY_USERS (HKU): Hive key that contains all accounts on a machine; the root key contains the ntuser.dat hives for ALL users.
HKEY_CLASSES_ROOT (HKCR): Hive key that contains file association and COM object, backwards compatibility, and file extension information.
firewall: Blocks network traffic based on an established set of rules.
wf.msc: GUI control panel utility to modify Windows Firewall settings.
netsh advfirewall: Windows Command Line command to configure Windows Firewall settings.
Get-NetFirewallRule / Set-NetFirewallRule: PowerShell cmdlets to get/set Windows Firewall settings.
mpssvc.dll: Windows Firewall .dll hosted in HKLM\SYSTEM\CurrentControlSet\services\MpsSvc.
Windows Firewall Components: Private, Public, Work/Domain.
Components of an NTFS File: Each file in this format contains Security Identifiers (SIDs), a Discretionary Access Control List (DACL), and a System Access Control List (SACL).
icacls: Windows Command Line command to view and configure access control lists (ACLs) for a file.
Get-Acl: PowerShell cmdlet to get the access control list (ACL) information for a file.
accesschk: SysInternals tool to check an access control list (ACL) for a file.
Windows Resource Protection: Previously Windows File Protection (WFP); protects system files and resources. Protected resources can only be modified by the Windows Modules Installer service (trustedinstaller.exe).
User Account Control (UAC): Limits the privileges of user-run applications to prevent the modification of system files, resources, or settings. Requesting elevated privileges requires explicit acknowledgment from the user.
Information Assurance (IA): Includes the protection of the integrity, availability, authenticity, non-repudiation, and confidentiality of user data.
host-based security product: Security product that runs on the local machine; OS dependent, version dependent. Includes system firewalls, process monitoring, kernel call monitoring, directory monitoring, application whitelisting, etc.
network security products: Monitor network traffic; can be inline or passive. Intrusion Detection Systems, Intrusion Prevention Systems, Web/Application Proxy.
signature-based detection: Detection based on a database of previously identified attack signatures.
heuristic-based detection: Detection based on developing a baseline of the system and then looking for anomalous activity; has the potential to catch 0-day attacks.
Security Reference Monitor: Receives the system audit policy from LSASS. This monitor generates auditing messages when an object is accessed and sends the messages to LSASS. LSASS logs these transactions in the Event Logger.
application event log: Event log that contains events logged by applications.
security event log: Event log that contains events such as valid and invalid logon attempts, as well as events related to resource use such as creating, opening, or deleting files or other objects.
system event log: Event log that contains events logged by system components, such as the failure of a driver or other system component to load during startup.
arp: Windows Command Line command to view MAC addressing info.
netstat: Windows Command Line command to view network statistics.
socket: One endpoint of a two-way communication link between two programs running on a network.
endpoint: Consists of an IP address and a port number.
stream socket: Uses TCP; provides a bidirectional, reliable, sequenced, and unduplicated flow of data with no record boundaries.
datagram socket: Socket that uses UDP.
raw socket: Socket that has access to the underlying transport provider. No protocol, just raw communication; poses a security threat.
host name resolution: 1. Name on localhost?
active directory logical structure: domains, organizational units, trees and forest.
active directory physical structure: sites, domain controllers, member servers.
gpresult: Displays the Resultant Set of Policy (RSoP) information for a remote user and computer.
DS Tools: A set of command line tools that began shipping natively with Windows Server 2003 to manage Group Policy Objects.
DSADD: Add specific types of objects to the directory.
DSGET: Display the selected properties of a specific object in the directory.
DSMOD: Modify existing objects in the directory.
DSQUERY: Query the directory according to specific criteria.
P.I.C.I.E.R.: 1. Preparation
Disk and other Storage Media: 4th in the order of volatility.
Remote Logging and Monitoring Data that is Relevant to the System in Question: 5th in the order of volatility.
Physical Configuration, Network Topology: 6th in the order of volatility.
Archival Media: 7th in the order of volatility.
enumeration: Acquiring forensically relevant information about a local machine. Used in the process of baselining.
baseline: Establishing what is considered normal on a local machine. Enumeration can accomplish this.
Operational Notes: Highly detailed notes that will feed into your report, depending on whether the report is an executive summary or a technical summary. Includes time stamps, programs/tools used, and outputs.
Executive Summary: High-level summary of the report.
Body: The report itself. Introduction, Methods, Findings, Conclusion.
Technical Summary: Low-level summary of all technical intricacies in a report.
MDMP Process: Receipt of Mission, Mission Analysis, COA Development, COA Analysis, COA Comparison, COA Approval, Conduct Mission, AAR/Lessons Learned.
userinit.exe: Parent process to explorer.exe.
POST: Ensures the hardware is operational.
Bootmgr: Reads the BCD and calls winload.exe/winresume.exe or .efi.
Security Accounts Manager (SAM): Validates local logon.
explorer.exe: Last phase in the boot process.
Hypervisor: Component that creates and runs virtual machines.
Potential data at rest issues in Cloud environments.
A potential risk of virtualization.
schtasks: Windows Command Line command that will display scheduled tasks.
sigcheck: SysInternals tool that shows file version, timestamp, manifest, and digital signature details.
SACL: Defines which secure object interactions will be audited and logged.
mailslot: One-way interprocess communication using SMB over UDP 138.
SMB Version 3 (introduced with Server 2012): This version of SMB uses AES for encryption.