Triage Analysis and Response Using WMIC and PowerShell

Making sure your IP$,$ Mask, and gateway are already on the Windows$10$ VM note page. Using

this DNS number $(172\mathrm{.}28\mathrm{.}102\mathrm{.}11)$

$-$ Setup your Win$10$ VM network as follows and answer the questions as you go:

From the search bar, type View Network Connection and click on it:

Right Click on the Ethernet$0$ and choose properties:

Step$1$: start PowerShell$-$ in the search bar, type PowerShell, right click, and run it as admin, click yes

Part$1$: PowerShell

Q$1(2$p$)$: Display and list all aliases. :

Q$2(3$p$)$: Display and list only inbound Windows Firewall rules. You can use the same cmdlet, but

you$$ll need to read its help to discover the necessary parameter and its allowable values. Include

your screenshot here $($one page is enough$)$: $($Hint: Get$-$NetFirewallRule $-$Direction Inbound$)$

Q$3(4$p$)$: Create a new directory called C:$\backslash$mcyLab$2-1$ and inside this directory create a file with

the name mytest$1.$txt $.($Hint: New$-$Item$)$

Q$4(8$p$)$: Display and list all of the $25$ newest entries from the Security event log $($you can use a different

log$,$ such as System or Application, if your Security log is empty$).$

Sort the list with the oldest entries appearing first, and with entries made at the same time

sorted by their index.

Display the index, time, and source for each entry.

Put this information into a text file $($a plain$-$text file$).$

You may be tempted to use Select$-$Object and its $-$first or $-$last parameters to achieve this; don$$t$.$

There$$s a better way.

Also, avoid using Get$-$WinEvent, cmdlet is available for this particular task.

Q$5(3$p$)$: Display and list a six$-$column$-$wide list of all directories in the root of the C: drive.

Q$6(6$p$)$: Display and list all dll files under C:$\backslash$Windows$\backslash$System$32$ that are larger than $9$ MB$.$ Include your

Q$7(10$p$)$: Make a one$-$to$-$one connection with a remote computer $($or with localhost if you have

only one computer$).$ Launch Notepad.exe. What happens?

Q$8(8$p$)$: Using Invoke$-$Command, retrieve a list of services that aren$$t started from one or two

remote computers $($it$$s OK to use localhost twice if you have only one computer$).$ Format the

results as a wide list.

Part$2$: Accessing WMI$/$MI$/$CIM with PowerShell

Q$1(5$p$)$: Using CIM cmdlets, create a table that shows a computer name, operating system build

number, operating system description $($caption$),$ and BIOS serial number.

Q$2(5$p$)$: Query a list of hotfixes using cmdlet. $($Microsoft formally refers to these as quick$-$fix

engineering.$)$ Is the list different from that returned by the WMI?

Q$3(5$p$)$: Create a CSV file that contains all services, including only the service name and status.

Have running services listed before stopped services.

Q$4(3$p$)$: list of all executable files $*.$exe on your computer. Start in the C:$\backslash$ folder.

Q$5(3$p$)$: Run a command that will display the users$$ folder permissions on C:$\backslash$users$.$