www.codecademy.com
URL: https://www.codecademy.com/article/important-powershell-commands-for-cybersecurity-analysts
Submission: On December 17 via manual from AR — Scanned from DE
IMPORTANT POWERSHELL COMMANDS FOR CYBERSECURITY ANALYSTS
Codecademy Team

The basics of PowerShell commands useful for any Cybersecurity professional.

WHAT YOU'LL BE LEARNING
PowerShell is a command-line interface and scripting language for task automation and configuration management. In this article, you will learn the basics of PowerShell along with the commands useful for any Cybersecurity professional.

TABLE OF CONTENTS
* Basic PowerShell commands and uses
* Files in PowerShell
* Commands to manipulate files
* Commands to import and remove modules in PowerShell
* Commands for daily security tasks
* Remote PowerShell commands
* Conclusion

BASIC POWERSHELL COMMANDS AND USES
Let's begin by reviewing some fundamental PowerShell commands and use cases. These commands are the building blocks for scripts that will help automate and review security-related tasks.

GET-HELP
To get help or more details for a particular command, use the Get-Help cmdlet followed by the command you need help with. For example, running

    Get-Help Get-Process

returns additional help on that specific command. You can view a list of all available help topics by typing Get-Help.

CMDLETS
We just mentioned cmdlets, but what are they? Cmdlets are small, lightweight PowerShell modules designed to run tasks in place of traditional commands. Cmdlets return their output as an object (or an array of objects), which also allows you to pass this data to other cmdlets using pipes.
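The point that cmdlets emit objects rather than text is what makes pipelines useful for analysis work. As an added example (not code from the Codecademy article), the script below pipes Get-Process output through sorting and property-based filtering before anything is written to disk, and looks up the aliases the article discusses with Get-Alias. The C:\PS folder is the one the article uses; the file names and the filter are assumptions for illustration.

```powershell
# Added example, not part of the original article. Run in PowerShell on Windows.
# The output folder is the one the article uses; it is created if missing.
$reportDir = 'C:\PS'
if (-not (Test-Path -Path $reportDir)) {
    New-Item -Path $reportDir -ItemType Directory | Out-Null
}

# Each pipeline stage receives System.Diagnostics.Process objects, not text,
# so later stages can sort and filter on named properties.
Get-Process |
    Sort-Object -Property CPU -Descending |
    Select-Object -First 10 -Property Name, Id, CPU, Path |
    Out-File -FilePath (Join-Path $reportDir 'top-cpu.txt')

# The same objects, filtered on a property: processes whose executable lives
# outside the Windows directory. Export-Csv writes one column per property,
# which is easier to attach to a ticket than formatted text.
Get-Process |
    Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\*" } |
    Select-Object -Property Name, Id, Path |
    Export-Csv -Path (Join-Path $reportDir 'non-windows-processes.csv') -NoTypeInformation

# Get-Member shows the properties and methods of whatever object comes down the pipe
Get-Process | Get-Member -MemberType Property | Select-Object -First 5 -Property Name

# Aliases resolve to cmdlets; look them up in either direction
Get-Alias -Name ls, cd, cat
Get-Alias -Definition Get-ChildItem

# Get-Help with -Examples is the quickest way to learn a cmdlet's parameters
Get-Help -Name Get-Process -Examples
```

Filtering on Path rather than on the process name is deliberate: a name is trivial to reuse, while the location of the executable is a property the analyst can check against the expected install paths.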
Cmdlets always contain a verb and a noun separated by a dash (for example, Get-DnsServer or Remove-ADGroup). Examples of verbs you might see are:
* Get: get something
* Set: define something
* Start: run something
* Stop: stop something
* New: create something

PIPE
A pipe character | is used to pass data from one cmdlet to another. For example, pipes can be used to sort the output of one cmdlet and redirect that output to a file. Multiple pipes can be used in tandem to build more complex actions! For example, to create a list of running processes on your machine and save it to a file, we would use the command below:

    Get-Process | Out-File c:\PS\powershell.txt

Learn more in the Out-File docs.

USING POWERSHELL TO TRAVERSE DIRECTORIES
Commands for changing directories and viewing directory listings are the same as in the Linux command line and the Windows command prompt. Commands such as cd, dir, mkdir, ls, type, etc. will still work. Learn more in the Managing Current Location docs.

ALIASES
Aliases in PowerShell provide an alternative name for running a cmdlet. There are several shorthand aliases built in. For example, the ls command will generate the same results as Get-ChildItem.

    PS C:\Users\U1D256> ls

        Directory: C:\Users\U1D256

    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    d-----         11/5/2021  10:37 AM                .vscode
    d-r---        11/16/2021   8:00 AM                .Documents
    d-r---        12/17/2021  10:02 AM                .Downloads

    PS C:\Users\U1D256> Get-ChildItem

        Directory: C:\Users\U1D256

    Mode                 LastWriteTime         Length Name
    ----                 -------------         ------ ----
    d-----         11/5/2021  10:37 AM                .vscode
    d-r---        11/16/2021   8:00 AM                .Documents
    d-r---        12/17/2021  10:02 AM                .Downloads

All aliases can be viewed by running the alias command, and specific aliases can be viewed by specifying them; for example, alias cd. In the output below we see that the alias for cd is Set-Location.
    PS C:\Users\U1D256> alias cd

    CommandType     Name                     Version    Source
    -----------     ----                     -------    ------
    Alias           cd -> Set-Location

FILES IN POWERSHELL
In this section, we will learn how to:
* Read a file using the Get-Content command.
* Create a new file using the Set-Content command.

READING FROM A FILE
Similar to the cat command in Linux, we can use the Get-Content cmdlet in PowerShell to read the contents of a file. When Get-Content is run, the contents of the file are read, and the result can be stored in a variable for later use or displayed on the screen. For example, we can use the command Get-Content /PS/Names.txt to read the file Names.txt, which is saved on the local C drive in a folder named PS.

    PS C:\> Get-Content /PS/Names.txt
    Liam Johnson
    Olivia Pope
    Noah Clark
    Emma Michaelson
    Oliver Washington
    Ava Miller
    Elijah Williams
    Charlotte Smith
    Mohammed White
    Jaris Rodriguez

Note: By adding the -TotalCount argument, we can specify how many lines we would like PowerShell to read from the top.

    Get-Content <PATH> -TotalCount 5

Adding -TotalCount 5 shows the top five items in the Names.txt file.

    PS C:\> Get-Content -TotalCount 5 /PS/Names.txt
    Liam Johnson
    Olivia Pope
    Noah Clark
    Emma Michaelson
    Oliver Washington

The -Tail argument does the same but reads from the bottom of the file.

WRITING CONTENT TO A FILE
In addition to reading files, it is possible to write data to files, either by using the Set-Content command to create and overwrite files or the Add-Content command to append content to an existing file. Note that Set-Content replaces whatever the file held before: after the command below, Names.txt contains only the single new line.

    PS C:\> Set-Content -Value "Rachel Rose" -Path /PS/Names.txt
    PS C:\> Get-Content /PS/Names.txt
    Rachel Rose
    PS C:\>

COMMANDS TO MANIPULATE FILES
In this section, you will learn how to use PowerShell to manipulate files.

CONVERT-TO
Structured data can be converted into different formats using PowerShell cmdlets; for example, from .txt to .csv.
Some common ConvertTo commands in PowerShell are:
* ConvertTo-Csv
* ConvertTo-Html
* ConvertTo-Json
* ConvertTo-Xml

See the Microsoft documentation for additional reading on the Convert commands.

CONVERT-FROM
Conversely, the ConvertFrom commands create objects from different formats, using the variable-length strings generated by the ConvertTo cmdlets. Some common ConvertFrom commands in PowerShell are:
* ConvertFrom-Csv
* ConvertFrom-Json
* ConvertFrom-Markdown
* ConvertFrom-StringData

For example, the ConvertTo-Json cmdlet converts an object into a JSON-formatted string. The properties are converted to field names, the field values are converted to property values, and the methods are removed.

    PS C:\Users> Get-Date
    Thursday, December 30, 2021, 8:16:10 AM

    PS C:\Users> Get-Date | ConvertTo-Json
    {
      "value": "\/Date(1640870187485)\/",
      "DisplayHint": 2,
      "DateTime": "Thursday, December 30, 2021, 8:16:27 AM"
    }

    PS C:\Users> Get-Date | ConvertTo-Json | ConvertFrom-Json

    value                 DisplayHint DateTime
    -----                 ----------- --------
    12/30/2021 1:16:41 PM           2 Thursday, December 30, 2021, 8:16:41 AM

CREATING FILES AND FOLDERS
We create items in PowerShell using the New-Item command.

Example: This command creates the new folder C:\temp\Test Folder.

    New-Item -Path 'C:\temp\Test Folder' -ItemType Directory

Example: This command creates the new empty file C:\temp\Test Folder\file.txt.

    New-Item -Path 'C:\temp\Test Folder\file.txt' -ItemType File

COMMANDS TO IMPORT AND REMOVE MODULES IN POWERSHELL
In this section, you will learn how to use PowerShell modules. Modules provide the capability to group related functions together. There are a number of built-in modules, and additional modules can be installed or will appear on top of other modules. In PowerShell, a module is considered a package that contains various functions, workflows, and variables that can operate as a small program.
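The file, conversion, New-Item and module sections above fit together in one workflow: record the state of a session to a file, change the session, and compare. As an added example (not code from the article), the script below snapshots the loaded modules as JSON with ConvertTo-Json, imports the PKI module that the article uses as its example, reads the snapshot back with ConvertFrom-Json, and reports what changed. The folder C:\temp\Test Folder is the article's; the file names are assumptions.

```powershell
# Added example, not from the original article. Snapshot loaded modules to JSON,
# change the session, then diff the live state against the snapshot.
$snapshotDir  = 'C:\temp\Test Folder'                  # folder used in the article
$snapshotFile = Join-Path $snapshotDir 'modules.json'  # file name is an assumption

# New-Item with -Force succeeds even if the folder already exists
New-Item -Path $snapshotDir -ItemType Directory -Force | Out-Null

# Objects -> JSON string -> file. ConvertTo-Json turns each property into a field.
Get-Module |
    Select-Object -Property Name, Version, Path |
    ConvertTo-Json -Depth 2 |
    Set-Content -Path $snapshotFile

# Import the PKI module, then confirm what it added to the session
Import-Module -Name PKI
Get-Command -Module PKI | Select-Object -First 5 -Property Name, CommandType

# JSON string -> objects again. -Raw reads the whole file as one string, which
# ConvertFrom-Json needs; without it each line would arrive as a separate string.
$baseline = Get-Content -Path $snapshotFile -Raw | ConvertFrom-Json
$current  = Get-Module | Select-Object -Property Name, Version, Path

# @() guards the single-module case, where the JSON held one object rather than an array.
# Compare-Object marks modules present now but absent from the baseline with =>.
Compare-Object -ReferenceObject @($baseline) -DifferenceObject @($current) -Property Name |
    Where-Object { $_.SideIndicator -eq '=>' } |
    ForEach-Object { "New module since snapshot: $($_.Name)" }

# Append a dated note to a log rather than overwriting it, then show the last entries
$logFile = Join-Path $snapshotDir 'module-log.txt'
Add-Content -Path $logFile -Value "$(Get-Date -Format o) snapshot compared"
Get-Content -Path $logFile -Tail 3

# Unload the module again; its commands leave the session with it
Remove-Module -Name PKI
Get-Module -Name PKI
```

The same snapshot-and-compare pattern works for any object list PowerShell can produce (services, scheduled tasks, listening ports), which is why keeping the data as JSON rather than formatted text pays off: the baseline comes back as objects with the same property names.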
For additional information, check out the Microsoft documentation on modules.

POWERSHELL GALLERY
The PowerShell Gallery is a repository for sharing useful PowerShell scripts and modules; some items are created by Microsoft and some by the PowerShell community. Browse the PowerShell Gallery for modules you'll want to install.

VIEWING MODULES
The Get-Module cmdlet lists the modules currently loaded on a computer. Adding the -ListAvailable option also lets you view all modules that are available for use but not yet imported on the computer. The -ListAvailable option can also be used with a specific module name to list all the available functions for that module.

IMPORTING MODULES
Modules need to be imported into your local PowerShell session before the cmdlets and functions from that module can be used. Modules can be loaded into the current PowerShell session by using the Import-Module cmdlet and specifying the module either by name or by the path to its module file (both are accepted by the -Name parameter).

Example: If you needed to import the PKI PowerShell module, which is used to manage digital certificates and protect sensitive public key infrastructure data, you would use this command:

    Import-Module -Name PKI

INSTALLING MODULES
If a module is not listed as available, it can be installed from a repository, such as the PowerShell Gallery, or from another repository using the Install-Module cmdlet.

REMOVING MODULES
When you remove a module, the commands that the module added are deleted from the session. This is useful when creating your own modules, as you may need to remove and re-import a module after you make changes to it.
Example: We would remove the PKI module using the command:

    Remove-Module -Name PKI

COMMANDS FOR DAILY SECURITY TASKS
In this section, you will learn some of the most common PowerShell security commands used by Cybersecurity professionals today. You should be familiar with these common commands, which are used for troubleshooting well-known cyberattacks in the industry today.

GET-EXECUTIONPOLICY AND SET-EXECUTIONPOLICY
You can create and execute PowerShell scripts; however, Microsoft has disabled scripting by default in an effort to prevent malicious code from executing in a PowerShell environment. You can use Get-ExecutionPolicy to check which execution policy is enforced prior to running a script, and then use the Set-ExecutionPolicy command to change the level of security if needed. There are four levels of security associated with the Set-ExecutionPolicy command:
* Unrestricted: This removes all restrictions from the execution policy.
* Restricted: This is the default execution policy and only allows commands to be entered interactively. PowerShell scripts are not allowed to run.
* AllSigned: If the execution policy is set to AllSigned, scripts will be allowed to run only if they are signed by a trusted publisher.
* RemoteSigned: If the execution policy is set to RemoteSigned, PowerShell scripts that have been created locally will be allowed to run. Scripts created remotely will be allowed to run only if they are signed by a trusted publisher.

GET-SERVICE
This command provides a list of every service that is currently installed on your system. If you suspect a particular service is worth checking out for security reasons, append the -Name argument to see the state of that service on the machine.
    PS C:\Users\U1D256> Get-Service

    Status   Name               Display Name
    ------   ----               ------------
    Running  BFE                Base Filtering System
    Stopped  BITS               Background Intelligent Transfer Ser...
    Running  camsvc             Capability Access Manager Service
    ...

GET-PROCESS
Unlike the Get-Service command, which displays a list of the different system services, the Get-Process command displays a list of every process the system is currently running. This command can also be used to query processes running on a remote machine or server.

    PS C:\Users\U1D256> Get-Process

    Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
    -------  ------    -----      -----     ------     --  -- -----------
       3071     138   359840     354688             25248   0 A180AG
       1001      52    52820      65824   1,557.13   8732   1 A180RS
    ...

STOP-PROCESS
This is the complementary command to Get-Process. If you suspect that a malicious or unwanted process is running on your local machine or a remote server, running Stop-Process -Name <name> or Stop-Process -Id <id> will terminate the running process. For example, if you wanted to find the owner of a running process on a machine before stopping it, try this:

    PS C:\Users\U1D256> Get-Process pwsh -IncludeUserName

    Handles      WS(K)   CPU(s)     Id UserName            ProcessName
    -------      -----   ------     -- --------            -----------
        782     132080     2.08   2188 DOMAIN01\user01     pwsh

GET-EVENTLOG
Being able to read logs from the local machine is important. Event logs are an important part of fault diagnosis and incident response. PowerShell can be used to parse your computer's event logs using the Get-EventLog command. By default, it queries the local machine; however, it can also be used to query logs over remote connections. For additional reading, check out the Microsoft documentation on Get-EventLog.

GET-ADUSER
The Get-ADUser cmdlet gets a specified user object or performs a search to get multiple user objects. This cmdlet retrieves a default set of user object properties.
To retrieve additional properties, use the -Properties parameter. Security teams such as Identity Access Management teams and Identity Governance teams heavily leverage this command.

Example: This command gets all of the properties of the user with the SAM account name NicoleScott.

    PS C:\Users\U1D256> Get-ADUser -Identity NicoleScott -Properties *

    Surname           : Scott
    Name              : Nicole Scott
    UserPrincipalName :
    GivenName         : Nicole
    Enabled           : False
    SamAccountName    : NicoleScott
    ObjectClass       : user
    SID               : S-1-5-21-2889043008-4136710315-2444824263-3544
    ObjectGUID        : e1418d64-096c-4cb0-b903-ebb66562d99d
    DistinguishedName : CN=Nicole Scott,OU=NorthAmerica,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM

DNS LOOKUPS
DNS attacks remain one of the top attacks that Cybersecurity professionals have to troubleshoot today; the DNS service is a well-known attack vector. We can look up the DNS entry for a host using the command:

    Resolve-DnsName -Name "Hostname"

By appending the -Server switch followed by a DNS server's IP address, we can perform a DNS resolution request against a specific server to verify that resolution is working properly. The Get-DnsClient cmdlet lets you check the DNS client information for a device. It indicates which DNS servers the device uses to perform address resolution, as configured on each adapter. The Set-DnsClientServerAddress cmdlet allows specified DNS servers to be added to the network configuration. Microsoft's documentation lists additional DNS PowerShell commands.

PING DEVICES LOCALLY OR REMOTELY
The Test-NetConnection cmdlet allows us to test network connectivity on the LAN and WAN. For example, the command Test-NetConnection -ComputerName "Hostname or IP" performs a ping, which determines whether network connectivity exists between the local device and the target computer or domain. This is a useful command for a security professional responding to a DDoS attack.
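The cmdlets in this "daily security tasks" section are most useful when combined into a repeatable triage routine. The script below is an added example, not code from the Codecademy article: it checks the execution policy, lists automatic services that are not running, records owner, path and signature for a named process before any Stop-Process decision, summarises failed logons from the Security log with Get-EventLog, reports the resolvers in use, tests resolution and a TCP port for a host, and (when the ActiveDirectory module is present) lists enabled accounts that have not logged on recently with Get-ADUser. The host name, DNS server, process name and service names are assumptions; the AD search base is the OU from the article's Get-ADUser output, and the ReplacementStrings index used for event 4625 is an assumption taken from that event's schema.

```powershell
# Added example, not from the original article: a small triage script built from
# the cmdlets in this section. Run it in an elevated Windows PowerShell 5.1 console
# (Get-EventLog is not available in PowerShell 7). Hostnames, the DNS server and the
# process name are assumptions; the AD search base is the OU from the article's output.

# 1. Execution policy per scope; the Group Policy scopes win when they are set.
function Get-PolicyReport {
    Get-ExecutionPolicy -List
    "Effective policy: $(Get-ExecutionPolicy)"
}

# 2. Services that should be running but are not, plus any services asked for by name
function Get-ServiceReport {
    param([string[]]$Name = @())
    Get-Service | Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' } |
        Select-Object -Property Name, DisplayName, Status
    foreach ($n in $Name) {
        Get-Service -Name $n -ErrorAction SilentlyContinue | Select-Object -Property Name, Status
    }
}

# 3. Owner, path and signature of a process: the facts to record before deciding
#    whether Stop-Process is warranted (Stop-Process -WhatIf shows the effect without acting)
function Get-ProcessReport {
    param([Parameter(Mandatory)][string]$ProcessName)
    Get-Process -Name $ProcessName -IncludeUserName -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = if ($_.Path) { (Get-AuthenticodeSignature -FilePath $_.Path).Status } else { 'unknown' }
        [PSCustomObject]@{
            Id        = $_.Id
            Name      = $_.Name
            User      = $_.UserName
            Path      = $_.Path
            Signature = $sig
        }
    }
}

# 4. Failed logons (Security event 4625) grouped by target account, which makes
#    password spraying stand out. Index 5 of ReplacementStrings holds TargetUserName
#    (assumption taken from the 4625 event schema).
function Get-FailedLogonSummary {
    param([int]$Newest = 200)
    Get-EventLog -LogName Security -InstanceId 4625 -Newest $Newest -ErrorAction SilentlyContinue |
        Group-Object -Property { $_.ReplacementStrings[5] } |
        Sort-Object -Property Count -Descending |
        Select-Object -First 10 -Property Count, Name
}

# 5. Resolve a host through a chosen DNS server, then test one TCP port on it
function Test-HostReachability {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string]$DnsServer = '8.8.8.8'   # assumption: substitute your own resolver
    )
    $dns = Resolve-DnsName -Name $HostName -Type A -Server $DnsServer -ErrorAction SilentlyContinue
    $tcp = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    [PSCustomObject]@{
        Host       = $HostName
        ResolvedTo = ($dns | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress) -join ','
        Pingable   = $tcp.PingSucceeded
        PortOpen   = $tcp.TcpTestSucceeded
    }
}

# 6. Which resolvers the machine is actually using; an unexpected entry is a
#    classic sign of DNS hijacking.
function Get-ResolverReport {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object -Property InterfaceAlias, ServerAddresses
}

# 7. Enabled AD accounts that have not logged on for a while (needs the ActiveDirectory module)
function Get-StaleAccountReport {
    param([int]$Days = 90)
    if (-not (Get-Module -Name ActiveDirectory -ListAvailable)) {
        Write-Warning 'ActiveDirectory module is not installed'
        return
    }
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } -Properties LastLogonDate `
        -SearchBase 'OU=UserAccounts,DC=FABRIKAM,DC=COM' |
        Select-Object -Property SamAccountName, LastLogonDate |
        Sort-Object -Property LastLogonDate
}

Get-PolicyReport
Get-ServiceReport -Name 'BITS', 'WinRM'
Get-ProcessReport -ProcessName 'pwsh' | Format-Table -AutoSize
Get-FailedLogonSummary
Get-ResolverReport
Test-HostReachability -HostName 'www.example.com' -Port 443
Get-StaleAccountReport -Days 90
```

Each step returns objects rather than printing text, so any of the reports can be piped to Export-Csv or ConvertTo-Json for a ticket, and the process report is deliberately read-only: terminating a process is a separate decision taken after the owner and signature are known.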
GET-NETIPCONFIGURATION
The Get-NetIPConfiguration cmdlet gets network configurations, including usable interfaces, IP addresses, and DNS servers. This is helpful for any cybersecurity professional who needs to troubleshoot and identify rogue IP addresses on the network.

TESTING NETWORK CONNECTION
The Test-NetConnection cmdlet shows diagnostic information for a connection. It supports ping tests, TCP tests, route tracing, and route selection diagnostics. Depending on the parameters, the output can include the DNS lookup results, a list of IP interfaces, IPsec rules, route/source address selection results, and/or confirmation of connection establishment. Port security attacks are very prevalent today. If we want to verify whether a port is open on our machine or server, we could run this command:

    Test-NetConnection -ComputerName 127.0.0.1 -Port 4000

REMOTE POWERSHELL COMMANDS
Windows PowerShell remoting lets you run any Windows PowerShell command on one or more remote computers. You can establish persistent connections, start interactive sessions, and run scripts on remote computers. The remote computer must be configured for remote management. Read more about remote PowerShell commands in the Microsoft documentation.

START A SESSION
To start an interactive session with a single remote computer, use the Enter-PSSession cmdlet. For example, to start an interactive session with the Server01 remote computer, use the following command:

    Enter-PSSession Server01

To end the interactive session, use the following command:

    Exit-PSSession

RUN A SCRIPT
To run a script on remote computers, use the -FilePath parameter of the Invoke-Command cmdlet. The script must be accessible from your local computer. The results are returned to your local computer.

Example: The following command runs the GetActiveAccounts.ps1 script on the remote computers Server11 and Server12.
    Invoke-Command -ComputerName Server11, Server12 -FilePath c:\Scripts\GetActiveAccounts.ps1

CONCLUSION
In this article, we reviewed some of the most important PowerShell commands and applicable use cases. Creating PowerShell scripts and running commands is a powerful way to automate daily security analyst tasks. You should continue to research and practice working with PowerShell to improve your skill set.

AUTHOR
Codecademy Team
'The Codecademy Team, composed of experienced educators and tech experts, is dedicated to making tech skills accessible to all. We empower learners worldwide with expert-reviewed content that develops and enhances the technical skills needed to advance and succeed in their careers.'
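Returning to the "Remote PowerShell commands" section: the Invoke-Command example above runs a script file, but the same cmdlet with -ScriptBlock is how most day-to-day checks are fanned out to several hosts. The script below is an added example, not code from the article. It uses the article's server names (Server11, Server12), assumes WinRM is already enabled on them, and shows three things the one-liner does not: how results from different hosts are told apart (PSComputerName), how a host that could not be reached is surfaced instead of silently dropped, and how a persistent session avoids reconnecting for every command.

```powershell
# Added example, not from the original article. Server names follow the article;
# the remote computers must already be configured for remote management.
$servers = 'Server11', 'Server12'

# The script block runs on every server; each returned object is stamped with
# PSComputerName so rows from different hosts are not mixed up.
$results = Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-Service -Name BITS, WinRM -ErrorAction SilentlyContinue | Select-Object -Property Name, Status
} -ErrorAction SilentlyContinue -ErrorVariable remoteErrors

$results | Select-Object -Property PSComputerName, Name, Status | Sort-Object -Property PSComputerName, Name

# A host that could not be reached is a finding in itself, not something to drop quietly
foreach ($err in $remoteErrors) {
    Write-Warning "Remote failure: $($err.Exception.Message)"
}

# Remote code cannot see local variables; values are passed explicitly with -ArgumentList
$serviceName = 'WinRM'
Invoke-Command -ComputerName $servers -ScriptBlock {
    param($svc)
    (Get-Service -Name $svc).Status
} -ArgumentList $serviceName

# The article's form, a local script file run remotely (path as in the article):
# Invoke-Command -ComputerName $servers -FilePath c:\Scripts\GetActiveAccounts.ps1

# For a series of commands against one host, keep a persistent session and close it afterwards
$session = New-PSSession -ComputerName 'Server11'
Invoke-Command -Session $session -ScriptBlock {
    Get-NetIPConfiguration | Select-Object -Property InterfaceAlias, IPv4Address
}
Remove-PSSession -Session $session
```

Collecting into $results before displaying is intentional: the objects can then be exported or compared across hosts, which is the usual reason for querying several servers at once.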