PowerShell Sécurité - Référence Complète
Table des matières
1. Introduction
Vérifier la version de PowerShell
$PSVersionTable.PSVersionPolitique d'exécution
La politique d'exécution détermine quels scripts peuvent être exécutés sur le système.
# Vérifier la politique actuelle
Get-ExecutionPolicy
Get-ExecutionPolicy -List
# Définir la politique (nécessite droits administrateur)
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
# Exécuter un script en contournant temporairement la politique
powershell -ExecutionPolicy Bypass -File script.ps1Obtenir de l'aide
# Aide sur une commande
Get-Help Get-Process -Full
# Mettre à jour l'aide
Update-Help -Force
# Rechercher des commandes
Get-Command *EventLog*
Get-Command -Module ActiveDirectoryExécuter en tant qu'administrateur
# Vérifier si on est administrateur
([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
# Relancer en tant qu'administrateur
Start-Process powershell -Verb RunAs2. Gestion des logs et événements
Get-EventLog (journaux classiques)
# Lister les journaux disponibles
Get-EventLog -List
# Derniers événements du journal Sécurité
Get-EventLog -LogName Security -Newest 50
# Filtrer par EventID
Get-EventLog -LogName Security -InstanceId 4625 -Newest 100
# Filtrer par date
Get-EventLog -LogName System -After (Get-Date).AddDays(-7)
# Filtrer par source
Get-EventLog -LogName Application -Source "MSSQLSERVER" -Newest 20Get-WinEvent (journaux modernes - recommandé)
# Derniers événements de sécurité
Get-WinEvent -LogName Security -MaxEvents 50
# Filtrer avec FilterHashtable (plus performant)
Get-WinEvent -FilterHashtable @{
LogName = 'Security'
Id = 4625
StartTime = (Get-Date).AddDays(-1)
} | Select-Object TimeCreated, Message
# Filtrer par niveau (1=Critical, 2=Error, 3=Warning, 4=Information)
Get-WinEvent -FilterHashtable @{
LogName = 'System'
Level = 1,2
StartTime = (Get-Date).AddHours(-24)
}
# Recherche par mot-clé avec FilterXPath
Get-WinEvent -LogName Security -FilterXPath "*[EventData[Data[@Name='TargetUserName']='administrateur']]" -MaxEvents 20Event IDs critiques pour la sécurité
4624 - Connexion réussie
# Toutes les connexions réussies des dernières 24h
Get-WinEvent -FilterHashtable @{
LogName = 'Security'
Id = 4624
StartTime = (Get-Date).AddHours(-24)
} | ForEach-Object {
$xml = [xml]$_.ToXml()
[PSCustomObject]@{
Time = $_.TimeCreated
User = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
LogonType = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'LogonType'} | Select-Object -ExpandProperty '#text'
Source = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'IpAddress'} | Select-Object -ExpandProperty '#text'
}
} | Format-Table -AutoSize4625 - Échec de connexion
# Échecs de connexion (tentatives de brute force)
Get-WinEvent -FilterHashtable @{
LogName = 'Security'
Id = 4625
StartTime = (Get-Date).AddHours(-24)
} | ForEach-Object {
$xml = [xml]$_.ToXml()
[PSCustomObject]@{
Time = $_.TimeCreated
User = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
Source = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'IpAddress'} | Select-Object -ExpandProperty '#text'
Reason = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'FailureReason'} | Select-Object -ExpandProperty '#text'
}
} | Group-Object User | Sort-Object Count -Descending | Format-Table Count, Name4648 - Connexion avec identifiants explicites
Get-WinEvent -FilterHashtable @{
LogName = 'Security'
Id = 4648
StartTime = (Get-Date).AddDays(-7)
} | Select-Object TimeCreated, Message | Format-List4672 - Privilèges spéciaux attribués
Get-WinEvent -FilterHashtable @{
LogName = 'Security'
Id = 4672
StartTime = (Get-Date).AddDays(-1)
} | Select-Object TimeCreated, @{N='User';E={
([xml]$_.ToXml()).Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
}} | Format-Table -AutoSize4720 - Création de compte utilisateur
Get-WinEvent -FilterHashtable @{
LogName = 'Security'
Id = 4720
StartTime = (Get-Date).AddDays(-30)
} | Select-Object TimeCreated, Message4732 - Membre ajouté à un groupe local
Get-WinEvent -FilterHashtable @{
LogName = 'Security'
Id = 4732
StartTime = (Get-Date).AddDays(-30)
} | Select-Object TimeCreated, Message1102 - Journal d'audit effacé
# CRITIQUE : quelqu'un a effacé les logs
Get-WinEvent -FilterHashtable @{
LogName = 'Security'
Id = 1102
} | Select-Object TimeCreated, Message4688 - Création de processus
Get-WinEvent -FilterHashtable @{
LogName = 'Security'
Id = 4688
StartTime = (Get-Date).AddHours(-1)
} | ForEach-Object {
$xml = [xml]$_.ToXml()
[PSCustomObject]@{
Time = $_.TimeCreated
Process = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'NewProcessName'} | Select-Object -ExpandProperty '#text'
CommandLine = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'CommandLine'} | Select-Object -ExpandProperty '#text'
User = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
}
} | Format-Table -AutoSize -Wrap7045 - Service installé
Get-WinEvent -FilterHashtable @{
LogName = 'System'
Id = 7045
} | Select-Object TimeCreated, @{N='ServiceName';E={
([xml]$_.ToXml()).Event.EventData.Data | Where-Object {$_.Name -eq 'ServiceName'} | Select-Object -ExpandProperty '#text'
}}, @{N='ImagePath';E={
([xml]$_.ToXml()).Event.EventData.Data | Where-Object {$_.Name -eq 'ImagePath'} | Select-Object -ExpandProperty '#text'
}} | Format-Table -AutoSize -Wrap3. Analyse des processus et services
Lister les processus
# Tous les processus avec détails
Get-Process | Sort-Object CPU -Descending | Select-Object -First 20 Id, ProcessName, CPU, WorkingSet, Path
# Processus avec ligne de commande complète
Get-CimInstance Win32_Process | Select-Object ProcessId, Name, CommandLine, ParentProcessId | Format-Table -AutoSize -Wrap
# Processus par nom
Get-Process -Name "powershell" | Select-Object Id, ProcessName, StartTime, PathDétection de processus suspects
# Processus lancés depuis des répertoires temporaires
Get-CimInstance Win32_Process | Where-Object {
$_.ExecutablePath -match '(\\Temp\\|\\tmp\\|\\AppData\\Local\\Temp\\)'
} | Select-Object ProcessId, Name, ExecutablePath, CommandLine
# Processus lancés depuis des emplacements inhabituels
Get-CimInstance Win32_Process | Where-Object {
$_.ExecutablePath -and
$_.ExecutablePath -notmatch '(C:\\Windows|C:\\Program Files|C:\\Program Files \(x86\))'
} | Select-Object ProcessId, Name, ExecutablePath
# Processus PowerShell encodés (souvent utilisé par les malwares)
Get-CimInstance Win32_Process | Where-Object {
$_.CommandLine -match '(-enc|-EncodedCommand|-e )'
} | Select-Object ProcessId, Name, CommandLine
# Processus sans fichier exécutable sur le disque
Get-Process | Where-Object {
$_.Path -and !(Test-Path $_.Path)
} | Select-Object Id, ProcessName, PathAnalyse des services
# Tous les services en cours d'exécution
Get-Service | Where-Object {$_.Status -eq 'Running'} | Sort-Object DisplayName
# Services en démarrage automatique
Get-CimInstance Win32_Service | Where-Object {$_.StartMode -eq 'Auto'} |
Select-Object Name, DisplayName, State, PathName | Format-Table -AutoSize -Wrap
# Services avec des chemins non standard
Get-CimInstance Win32_Service | Where-Object {
$_.PathName -and
$_.PathName -notmatch '(C:\\Windows|C:\\Program Files)'
} | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize -Wrap
# Services non signés
Get-CimInstance Win32_Service | Where-Object {$_.PathName} | ForEach-Object {
$path = $_.PathName -replace '"', '' -replace ' /.*$| -.*$', ''
if (Test-Path $path) {
$sig = Get-AuthenticodeSignature $path
if ($sig.Status -ne 'Valid') {
[PSCustomObject]@{
Name = $_.Name
Path = $path
SignatureStatus = $sig.Status
}
}
}
} | Format-Table -AutoSizeArbre de processus parent-enfant
# Voir les processus enfants d'un processus spécifique
$parentPid = (Get-Process -Name "explorer").Id
Get-CimInstance Win32_Process | Where-Object {$_.ParentProcessId -eq $parentPid} |
Select-Object ProcessId, Name, CommandLine4. Analyse réseau
Connexions TCP actives
# Toutes les connexions TCP établies
Get-NetTCPConnection -State Established |
Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
@{N='Process';E={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}} |
Sort-Object RemoteAddress | Format-Table -AutoSize
# Connexions sur des ports distants inhabituels
Get-NetTCPConnection -State Established | Where-Object {
$_.RemotePort -notin @(80, 443, 53, 22, 25, 587, 993, 995, 3389) -and
$_.RemoteAddress -notmatch '(127\.0\.0\.1|::1|0\.0\.0\.0)'
} | Select-Object LocalPort, RemoteAddress, RemotePort,
@{N='Process';E={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}} |
Format-Table -AutoSizeConnexions en écoute
# Ports en écoute
Get-NetTCPConnection -State Listen |
Select-Object LocalAddress, LocalPort,
@{N='Process';E={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}} |
Sort-Object LocalPort | Format-Table -AutoSizePoints d'écoute UDP
Get-NetUDPEndpoint |
Select-Object LocalAddress, LocalPort,
@{N='Process';E={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}} |
Sort-Object LocalPort | Format-Table -AutoSizeTest de connectivité
# Tester la connexion à un hôte et un port
Test-NetConnection -ComputerName 192.168.1.1 -Port 443
# Tester avec traceroute
Test-NetConnection -ComputerName 8.8.8.8 -TraceRoute
# Résolution DNS
Resolve-DnsName exemple.com
Resolve-DnsName exemple.com -Type MX
Resolve-DnsName exemple.com -Type TXT
Resolve-DnsName exemple.com -Server 8.8.8.8Cache DNS local
# Afficher le cache DNS
Get-DnsClientCache | Select-Object Entry, RecordName, Data |
Sort-Object Entry | Format-Table -AutoSize
# Vider le cache DNS
Clear-DnsClientCacheÉquivalents netstat
# Toutes les connexions avec PID
Get-NetTCPConnection | Select-Object State, LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
Format-Table -AutoSize
# Résumé par état
Get-NetTCPConnection | Group-Object State | Select-Object Count, Name | Sort-Object Count -DescendingDétection de connexions suspectes
# Connexions vers des adresses IP publiques non habituelles
Get-NetTCPConnection -State Established | Where-Object {
$_.RemoteAddress -notmatch '(^10\.|^172\.(1[6-9]|2[0-9]|3[01])\.|^192\.168\.|^127\.|^::1|^0\.)'
} | Select-Object RemoteAddress, RemotePort,
@{N='Process';E={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}},
@{N='DNS';E={
try { [System.Net.Dns]::GetHostEntry($_.RemoteAddress).HostName } catch { 'N/A' }
}} | Format-Table -AutoSize -Wrap5. Analyse du système de fichiers
Rechercher des fichiers récents
# Fichiers modifiés dans les dernières 24 heures
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue |
Where-Object {$_.LastWriteTime -gt (Get-Date).AddHours(-24)} |
Select-Object FullName, LastWriteTime, Length |
Sort-Object LastWriteTime -Descending | Select-Object -First 50
# Exécutables récents dans les dossiers utilisateurs
Get-ChildItem -Path C:\Users -Include *.exe,*.dll,*.ps1,*.bat,*.vbs,*.cmd -Recurse -ErrorAction SilentlyContinue |
Where-Object {$_.CreationTime -gt (Get-Date).AddDays(-7)} |
Select-Object FullName, CreationTime, LengthFichiers cachés et système
# Fichiers cachés
Get-ChildItem -Path C:\Users -Hidden -Recurse -ErrorAction SilentlyContinue |
Where-Object {!$_.PSIsContainer} |
Select-Object FullName, Attributes, LastWriteTime | Select-Object -First 50
# Fichiers système dans des emplacements inhabituels
Get-ChildItem -Path C:\Users -System -Recurse -ErrorAction SilentlyContinue |
Select-Object FullName, Attributes, LastWriteTimeAlternate Data Streams (ADS)
# Détecter les flux alternatifs (technique de dissimulation)
Get-ChildItem -Path C:\Users -Recurse -ErrorAction SilentlyContinue |
ForEach-Object { Get-Item $_.FullName -Stream * -ErrorAction SilentlyContinue } |
Where-Object {$_.Stream -ne ':$DATA'} |
Select-Object FileName, Stream, Length
# Lire le contenu d'un ADS
Get-Content -Path "C:\fichier.txt" -Stream "hidden_stream"Hachage de fichiers
# Hash SHA256
Get-FileHash -Path C:\suspect.exe -Algorithm SHA256
# Hash MD5
Get-FileHash -Path C:\suspect.exe -Algorithm MD5
# Hasher tous les exécutables d'un dossier
Get-ChildItem -Path C:\Temp -Include *.exe,*.dll -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
[PSCustomObject]@{
File = $_.FullName
SHA256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
Size = $_.Length
}
} | Format-Table -AutoSize -WrapPermissions et signatures
# Vérifier les ACL d'un fichier ou dossier
Get-Acl C:\Windows\System32\config | Format-List
# Vérifier la signature numérique d'un exécutable
Get-AuthenticodeSignature C:\Windows\System32\cmd.exe
# Trouver les exécutables non signés dans un dossier
Get-ChildItem -Path C:\Program Files -Include *.exe,*.dll -Recurse -ErrorAction SilentlyContinue |
Where-Object {
(Get-AuthenticodeSignature $_.FullName).Status -ne 'Valid'
} | Select-Object FullName, @{N='SigStatus';E={(Get-AuthenticodeSignature $_.FullName).Status}}6. Active Directory
Nécessite le module RSAT Active Directory. Installation :
# Windows 10/11
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
# Windows Server
Install-WindowsFeature RSAT-AD-PowerShell
# Vérifier le module
Get-Module -ListAvailable ActiveDirectory
Import-Module ActiveDirectoryRecherche d'utilisateurs
# Tous les utilisateurs activés
Get-ADUser -Filter {Enabled -eq $true} -Properties LastLogonDate, PasswordLastSet |
Select-Object Name, SamAccountName, LastLogonDate, PasswordLastSet |
Sort-Object LastLogonDate | Format-Table -AutoSize
# Comptes désactivés
Get-ADUser -Filter {Enabled -eq $false} |
Select-Object Name, SamAccountName, DistinguishedName
# Comptes qui ne se sont jamais connectés
Get-ADUser -Filter {LastLogonDate -notlike "*"} -Properties LastLogonDate |
Select-Object Name, SamAccountName, Created
# Mots de passe expirés
Get-ADUser -Filter {Enabled -eq $true -and PasswordExpired -eq $true} -Properties PasswordExpired |
Select-Object Name, SamAccountName
# Mots de passe n'expirant jamais
Get-ADUser -Filter {PasswordNeverExpires -eq $true -and Enabled -eq $true} -Properties PasswordNeverExpires |
Select-Object Name, SamAccountNameGroupes privilégiés
# Membres du groupe Domain Admins
Get-ADGroupMember -Identity "Domain Admins" -Recursive |
Select-Object Name, SamAccountName, ObjectClass
# Membres du groupe Enterprise Admins
Get-ADGroupMember -Identity "Enterprise Admins" -Recursive |
Select-Object Name, SamAccountName
# Membres du groupe Schema Admins
Get-ADGroupMember -Identity "Schema Admins" -Recursive |
Select-Object Name, SamAccountName
# Tous les groupes privilégiés et leurs membres
@("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators", "Account Operators", "Backup Operators") | ForEach-Object {
$group = $_
Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue | ForEach-Object {
[PSCustomObject]@{
Group = $group
Member = $_.Name
Type = $_.ObjectClass
}
}
} | Format-Table -AutoSizeOrdinateurs du domaine
# Tous les ordinateurs
Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate |
Select-Object Name, OperatingSystem, LastLogonDate |
Sort-Object LastLogonDate -Descending | Format-Table -AutoSize
# Ordinateurs inactifs (plus de 90 jours)
$threshold = (Get-Date).AddDays(-90)
Get-ADComputer -Filter {LastLogonDate -lt $threshold} -Properties LastLogonDate |
Select-Object Name, LastLogonDateChangements récents
# Utilisateurs créés récemment
Get-ADUser -Filter {Created -gt $((Get-Date).AddDays(-30))} -Properties Created |
Select-Object Name, SamAccountName, Created | Sort-Object Created -Descending
# Métadonnées de réplication d'un objet
Get-ADReplicationMetadata -Object "CN=Administrateur,CN=Users,DC=domaine,DC=local" -Server DC01 |
Select-Object AttributeName, LastOriginatingChangeTime | Sort-Object LastOriginatingChangeTime -Descending7. Investigation malware
Tâches planifiées
# Toutes les tâches planifiées
Get-ScheduledTask | Where-Object {$_.State -ne 'Disabled'} |
Select-Object TaskName, TaskPath, State |
Format-Table -AutoSize
# Détails des actions des tâches (chercher des commandes suspectes)
Get-ScheduledTask | Where-Object {$_.State -ne 'Disabled'} | ForEach-Object {
$task = $_
$task.Actions | ForEach-Object {
[PSCustomObject]@{
TaskName = $task.TaskName
Execute = $_.Execute
Arguments = $_.Arguments
}
}
} | Format-Table -AutoSize -Wrap
# Tâches créées récemment
Get-ScheduledTask | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue |
Where-Object {$_.NextRunTime -or $_.LastRunTime -gt (Get-Date).AddDays(-7)} |
Select-Object TaskName, LastRunTime, NextRunTimeÉléments de démarrage
# Programmes au démarrage (WMI)
Get-CimInstance Win32_StartupCommand |
Select-Object Name, Command, Location, User |
Format-Table -AutoSize -WrapClés de registre Run
# HKLM Run
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
# HKLM RunOnce
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" -ErrorAction SilentlyContinue
# HKCU Run
Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
# HKCU RunOnce
Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" -ErrorAction SilentlyContinue
# Run 32 bits sur système 64 bits
Get-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
# Toutes les clés Run en une commande
$runKeys = @(
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
"HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
)
foreach ($key in $runKeys) {
Write-Output "--- $key ---"
Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
Select-Object * -ExcludeProperty PS* | Format-List
}Abonnements WMI (persistence avancée)
# Vérifier les Event Filters WMI
Get-CimInstance -Namespace root\subscription -ClassName __EventFilter |
Select-Object Name, Query | Format-List
# Vérifier les Event Consumers
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer |
Select-Object Name, CommandLineTemplate | Format-List
Get-CimInstance -Namespace root\subscription -ClassName ActiveScriptEventConsumer |
Select-Object Name, ScriptText | Format-List
# Vérifier les liaisons Filter-Consumer
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding |
Select-Object Filter, Consumer | Format-ListVérification des services (binPath)
# Services avec des chemins suspects
Get-CimInstance Win32_Service | Where-Object {
$_.PathName -match '(cmd\.exe|powershell|\\Temp\\|\\AppData\\|\.bat|\.vbs|\.js)'
} | Select-Object Name, DisplayName, State, PathName | Format-Table -AutoSize -Wrap
# Services dont le chemin contient des espaces non quotés (vulnérabilité unquoted service path)
Get-CimInstance Win32_Service | Where-Object {
$_.PathName -and
$_.PathName -notmatch '^"' -and
$_.PathName -match '.* .*\.exe'
} | Select-Object Name, PathName | Format-Table -AutoSize -WrapIndicateurs de DLL Hijacking
# DLL récentes dans les dossiers système
Get-ChildItem -Path C:\Windows\System32 -Filter *.dll -ErrorAction SilentlyContinue |
Where-Object {$_.CreationTime -gt (Get-Date).AddDays(-7)} |
Select-Object FullName, CreationTime, @{N='Signed';E={
(Get-AuthenticodeSignature $_.FullName).Status
}}
# DLL dans les répertoires PATH des utilisateurs
$env:PATH -split ';' | Where-Object {$_ -match 'Users'} | ForEach-Object {
Get-ChildItem -Path $_ -Filter *.dll -ErrorAction SilentlyContinue
} | Select-Object FullName, CreationTime, Length8. Hardening et audit
Partages réseau
# Lister tous les partages
Get-SmbShare | Select-Object Name, Path, Description | Format-Table -AutoSize
# Permissions des partages
Get-SmbShare | ForEach-Object {
$share = $_.Name
Get-SmbShareAccess -Name $share | ForEach-Object {
[PSCustomObject]@{
Share = $share
Account = $_.AccountName
AccessRight = $_.AccessRight
AccessControlType = $_.AccessControlType
}
}
} | Format-Table -AutoSize
# Sessions SMB actives
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, NumOpens | Format-Table -AutoSizeStratégies de groupe (GPO)
# Lister toutes les GPO du domaine
Get-GPO -All | Select-Object DisplayName, GpoStatus, CreationTime, ModificationTime |
Sort-Object ModificationTime -Descending | Format-Table -AutoSize
# Rapport d'une GPO spécifique en HTML
Get-GPOReport -Name "Default Domain Policy" -ReportType Html -Path C:\Temp\gpo_report.html
# Résultat des stratégies appliquées (RSoP)
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Temp\rsop.htmlWindows Defender
# Statut de Windows Defender
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
AntivirusSignatureLastUpdated, FullScanEndTime, QuickScanEndTime
# Menaces détectées
Get-MpThreatDetection | Select-Object ThreatID, @{N='Threat';E={
(Get-MpThreat -ThreatID $_.ThreatID).ThreatName
}}, InitialDetectionTime, ProcessName, Resources | Format-Table -AutoSize -Wrap
# Historique des menaces
Get-MpThreat | Select-Object ThreatName, SeverityID, IsActive, DidThreatExecute |
Format-Table -AutoSize
# Exclusions configurées (vérifier qu'elles sont légitimes)
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess
Get-MpPreference | Select-Object -ExpandProperty ExclusionExtension
# Lancer un scan rapide
Start-MpScan -ScanType QuickScan
# Mettre à jour les signatures
Update-MpSignatureBitLocker
# Statut BitLocker de tous les volumes
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
EncryptionMethod, EncryptionPercentage | Format-Table -AutoSize
# Détails d'un volume spécifique
Get-BitLockerVolume -MountPoint "C:" | Select-Object *Pare-feu Windows
# Profils du pare-feu
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
# Règles actives en entrée
Get-NetFirewallRule -Direction Inbound -Enabled True |
Select-Object DisplayName, Action, Protocol,
@{N='LocalPort';E={($_ | Get-NetFirewallPortFilter).LocalPort}} |
Sort-Object DisplayName | Format-Table -AutoSize
# Règles autorisant tout le trafic entrant (potentiellement dangereux)
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
Where-Object {($_ | Get-NetFirewallPortFilter).LocalPort -eq 'Any'} |
Select-Object DisplayName, Profile | Format-Table -AutoSize
# Règles ajoutées récemment
Get-NetFirewallRule | Where-Object {
$_.CreationClassName -and $_.Status -eq 'The rule was parsed successfully from the store.'
} | Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize9. Scripts utiles complets
Script de vérification rapide de la sécurité
# === QUICK SECURITY HEALTH CHECK ===
Write-Host "=== SECURITY HEALTH CHECK ===" -ForegroundColor Cyan
Write-Host "Date : $(Get-Date)" -ForegroundColor Cyan
Write-Host "Machine : $env:COMPUTERNAME" -ForegroundColor Cyan
Write-Host ""
# 1. Vérifier Windows Defender
Write-Host "[+] Windows Defender" -ForegroundColor Yellow
$defender = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($defender) {
Write-Host " Antivirus actif : $($defender.AntivirusEnabled)"
Write-Host " Protection temps réel: $($defender.RealTimeProtectionEnabled)"
Write-Host " Signatures à jour : $($defender.AntivirusSignatureLastUpdated)"
} else {
Write-Host " Windows Defender non disponible" -ForegroundColor Red
}
Write-Host ""
# 2. Vérifier le pare-feu
Write-Host "[+] Pare-feu Windows" -ForegroundColor Yellow
Get-NetFirewallProfile | ForEach-Object {
Write-Host " $($_.Name) : Enabled=$($_.Enabled) InBound=$($_.DefaultInboundAction)"
}
Write-Host ""
# 3. Vérifier BitLocker
Write-Host "[+] BitLocker" -ForegroundColor Yellow
Get-BitLockerVolume -ErrorAction SilentlyContinue | ForEach-Object {
Write-Host " $($_.MountPoint) : $($_.ProtectionStatus) ($($_.VolumeStatus))"
}
Write-Host ""
# 4. Échecs de connexion récents
Write-Host "[+] Échecs de connexion (24h)" -ForegroundColor Yellow
$fails = Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625;StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
Write-Host " Nombre d'échecs : $($fails.Count)"
Write-Host ""
# 5. Comptes administrateurs locaux
Write-Host "[+] Administrateurs locaux" -ForegroundColor Yellow
Get-LocalGroupMember -Group "Administrateurs" -ErrorAction SilentlyContinue | ForEach-Object {
Write-Host " $($_.Name) ($($_.ObjectClass))"
}
Write-Host ""
# 6. Ports en écoute
Write-Host "[+] Ports en écoute" -ForegroundColor Yellow
Get-NetTCPConnection -State Listen | Select-Object LocalPort,
@{N='Process';E={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}} |
Sort-Object LocalPort -Unique | ForEach-Object {
Write-Host " Port $($_.LocalPort) - $($_.Process)"
}
Write-Host ""
# 7. Services suspects
Write-Host "[+] Services non signés en exécution" -ForegroundColor Yellow
Get-CimInstance Win32_Service | Where-Object {$_.State -eq 'Running' -and $_.PathName} | ForEach-Object {
$path = $_.PathName -replace '"', '' -replace ' /.*$| -.*$', '' -replace ' $', ''
if ((Test-Path $path) -and (Get-AuthenticodeSignature $path -ErrorAction SilentlyContinue).Status -ne 'Valid') {
Write-Host " $($_.Name) : $path" -ForegroundColor Red
}
} 2>$null
Write-Host ""
# 8. Logs effaces
Write-Host "[+] Vérification effacement de logs" -ForegroundColor Yellow
$cleared = Get-WinEvent -FilterHashtable @{LogName='Security';Id=1102} -ErrorAction SilentlyContinue
if ($cleared) {
Write-Host " ALERTE : Logs effaces $($cleared.Count) fois !" -ForegroundColor Red
$cleared | Select-Object TimeCreated | ForEach-Object { Write-Host " $($_.TimeCreated)" }
} else {
Write-Host " Aucun effacement détecté" -ForegroundColor Green
}
Write-Host ""
Write-Host "=== FIN DU CHECK ===" -ForegroundColor CyanScript de collecte de données pour réponse à incident
# === INCIDENT RESPONSE DATA COLLECTION ===
$outputDir = "C:\IR_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
New-Item -ItemType Directory -Path $outputDir -Force | Out-Null
Write-Host "Collecte IR dans : $outputDir" -ForegroundColor Cyan
# Informations système
Write-Host "[1/10] Informations système..." -ForegroundColor Yellow
Get-ComputerInfo | Out-File "$outputDir\system_info.txt"
# Processus en cours
Write-Host "[2/10] Processus..." -ForegroundColor Yellow
Get-CimInstance Win32_Process |
Select-Object ProcessId, Name, ParentProcessId, ExecutablePath, CommandLine, CreationDate |
Export-Csv "$outputDir\processes.csv" -NoTypeInformation
# Connexions réseau
Write-Host "[3/10] Connexions réseau..." -ForegroundColor Yellow
Get-NetTCPConnection |
Select-Object State, LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
@{N='Process';E={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}} |
Export-Csv "$outputDir\network_connections.csv" -NoTypeInformation
# Services
Write-Host "[4/10] Services..." -ForegroundColor Yellow
Get-CimInstance Win32_Service |
Select-Object Name, DisplayName, State, StartMode, PathName |
Export-Csv "$outputDir\services.csv" -NoTypeInformation
# Tâches planifiées
Write-Host "[5/10] Tâches planifiées..." -ForegroundColor Yellow
Get-ScheduledTask | ForEach-Object {
$task = $_
[PSCustomObject]@{
Name = $task.TaskName
Path = $task.TaskPath
State = $task.State
Actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
}
} | Export-Csv "$outputDir\scheduled_tasks.csv" -NoTypeInformation
# Clés de registre Run
Write-Host "[6/10] Clés de registre Run..." -ForegroundColor Yellow
$runKeys = @(
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
)
$runEntries = foreach ($key in $runKeys) {
$props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($props) {
$props.PSObject.Properties | Where-Object {$_.Name -notmatch '^PS'} | ForEach-Object {
[PSCustomObject]@{Key=$key; Name=$_.Name; Value=$_.Value}
}
}
}
$runEntries | Export-Csv "$outputDir\run_keys.csv" -NoTypeInformation
# Événements de sécurité critiques (24h)
Write-Host "[7/10] Événements de sécurité (24h)..." -ForegroundColor Yellow
$criticalIds = @(4624, 4625, 4648, 4672, 4720, 4732, 1102, 4688, 7045)
foreach ($id in $criticalIds) {
Get-WinEvent -FilterHashtable @{LogName='Security';Id=$id;StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
Select-Object TimeCreated, Id, Message |
Out-File "$outputDir\events_$id.txt" -Append
}
# Utilisateurs locaux
Write-Host "[8/10] Utilisateurs locaux..." -ForegroundColor Yellow
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, PasswordRequired |
Export-Csv "$outputDir\local_users.csv" -NoTypeInformation
# Abonnements WMI
Write-Host "[9/10] Abonnements WMI..." -ForegroundColor Yellow
Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -ErrorAction SilentlyContinue |
Select-Object Name, Query | Out-File "$outputDir\wmi_filters.txt"
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
Select-Object Name, CommandLineTemplate | Out-File "$outputDir\wmi_consumers.txt"
# Cache DNS
Write-Host "[10/10] Cache DNS..." -ForegroundColor Yellow
Get-DnsClientCache | Export-Csv "$outputDir\dns_cache.csv" -NoTypeInformation
Write-Host ""
Write-Host "Collecte terminée. Données dans : $outputDir" -ForegroundColor Green
Write-Host "Fichiers créés :" -ForegroundColor Green
Get-ChildItem $outputDir | ForEach-Object { Write-Host " $($_.Name) ($([math]::Round($_.Length/1KB, 1)) KB)" }Script d'audit d'activité utilisateur
# === USER ACTIVITY AUDIT ===
param(
[string]$Username = $env:USERNAME,
[int]$DaysBack = 7
)
$startDate = (Get-Date).AddDays(-$DaysBack)
Write-Host "=== AUDIT ACTIVITE UTILISATEUR ===" -ForegroundColor Cyan
Write-Host "Utilisateur : $Username" -ForegroundColor Cyan
Write-Host "Période : $DaysBack derniers jours" -ForegroundColor Cyan
Write-Host ""
# 1. Connexions réussies
Write-Host "[+] Connexions réussies" -ForegroundColor Yellow
Get-WinEvent -FilterHashtable @{
LogName = 'Security'
Id = 4624
StartTime = $startDate
} -ErrorAction SilentlyContinue | ForEach-Object {
$xml = [xml]$_.ToXml()
$user = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
if ($user -eq $Username) {
[PSCustomObject]@{
Time = $_.TimeCreated
LogonType = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'LogonType'} | Select-Object -ExpandProperty '#text'
Source = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'IpAddress'} | Select-Object -ExpandProperty '#text'
}
}
} | Format-Table -AutoSize
Write-Host ""
# 2. Échecs de connexion
Write-Host "[+] Échecs de connexion" -ForegroundColor Yellow
$failures = Get-WinEvent -FilterHashtable @{
LogName = 'Security'
Id = 4625
StartTime = $startDate
} -ErrorAction SilentlyContinue | ForEach-Object {
$xml = [xml]$_.ToXml()
$user = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
if ($user -eq $Username) { $_ }
}
Write-Host " Nombre d'échecs : $($failures.Count)"
Write-Host ""
# 3. Processus lancés par l'utilisateur
Write-Host "[+] Processus actifs" -ForegroundColor Yellow
Get-CimInstance Win32_Process | Where-Object {
$owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
$owner.User -eq $Username
} | Select-Object ProcessId, Name, CreationDate, CommandLine |
Format-Table -AutoSize -Wrap
Write-Host ""
# 4. Fichiers récemment modifiés par l'utilisateur
Write-Host "[+] Fichiers récemment modifiés (profil utilisateur)" -ForegroundColor Yellow
$userProfile = "C:\Users\$Username"
if (Test-Path $userProfile) {
Get-ChildItem -Path $userProfile -Recurse -ErrorAction SilentlyContinue |
Where-Object {!$_.PSIsContainer -and $_.LastWriteTime -gt $startDate} |
Sort-Object LastWriteTime -Descending |
Select-Object FullName, LastWriteTime, Length -First 30 |
Format-Table -AutoSize
}
Write-Host ""
# 5. Historique PowerShell
Write-Host "[+] Historique PowerShell" -ForegroundColor Yellow
$historyPath = "C:\Users\$Username\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
if (Test-Path $historyPath) {
Write-Host " Dernières commandes :"
Get-Content $historyPath -Tail 30 | ForEach-Object { Write-Host " $_" }
} else {
Write-Host " Fichier historique non trouvé"
}
Write-Host ""
# 6. Connexions réseau de l'utilisateur
Write-Host "[+] Connexions réseau actives (processus utilisateur)" -ForegroundColor Yellow
$userProcesses = Get-CimInstance Win32_Process | Where-Object {
$owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
$owner.User -eq $Username
} | Select-Object -ExpandProperty ProcessId
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | Where-Object {
$_.OwningProcess -in $userProcesses
} | Select-Object RemoteAddress, RemotePort,
@{N='Process';E={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}} |
Format-Table -AutoSize
Write-Host "=== FIN DE L'AUDIT ===" -ForegroundColor Cyan