Lab Notes
Field notes from security operations. Practical guides, investigation techniques, and lessons learned from real incidents.
Recent Notes
Securing Your Services Part 1: A Practical Guide to Deploying CrowdSec on Dokploy
A Practical Guide to Deploying CrowdSec on Dokploy
Phishing Response Playbook: A Blue Team Guide
A practical walkthrough for handling phishing incidents, from initial report to lessons learned.
Quick Reference
Essential PowerShell Commands
PS C:\> # Get recent security events (successful and failed logons in the last 24 hours)
PS C:\> Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625; StartTime=(Get-Date).AddHours(-24)}
PS C:\> # Find processes with network connections
PS C:\> Get-NetTCPConnection | Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort, State | Sort-Object OwningProcess
PS C:\> # Check for suspicious scheduled tasks (ready-to-run tasks outside the built-in Microsoft task paths)
PS C:\> Get-ScheduledTask | Where-Object {$_.State -eq 'Ready' -and $_.TaskPath -notlike '\Microsoft\*'}
Useful Event IDs
| Event ID | Description |
|---|---|
| 4624 | Successful logon |
| 4625 | Failed logon |
| 4688 | Process creation (requires auditing) |
| 4689 | Process termination |
| 4672 | Special privileges assigned |
| 7045 | Service installed (System log) |
| 4104 | PowerShell script block logging |