Lab) CMD and PowerShell Solution Flashcards
Q1
Question 1 - Processes) To export a list of running processes from a Command Prompt into a text file, open a cmd session on the Desktop (or move into the desktop using “cd Desktop”) and run “tasklist > tasklist.txt”. Open this in Sublime Text and use the Find feature on the top menu to look for instances of cmd.exe. How many are there in total?
After moving the CMD session to our Desktop (cd Desktop) and running the stated command (tasklist > tasklist.txt) we right-click the created text file, choose Open With, and select Sublime Text.
Using CTRL+F and searching for "cmd.exe" shows 4 results. One of these is the cmd.exe hosting our own session (the one we used to run tasklist), so either 3 or 4 is accepted as a correct answer.
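The same export and count can be done without leaving the shell. The block below is an added example, not part of the lab solution: it writes the same tasklist.txt to the Desktop, counts the cmd.exe lines, and then uses the parent PID of the current shell to tell which cmd.exe is ours. It assumes it is run from a PowerShell prompt started inside a cmd.exe window; the file name is the lab's, everything else is illustrative.

```powershell
# Added example: export the process list and count cmd.exe entries without Sublime Text.
$out = Join-Path $env:USERPROFILE 'Desktop\tasklist.txt'
tasklist | Out-File -FilePath $out -Encoding ascii      # same export as the lab (plain tasklist, no /v)

# Equivalent of CTRL+F "cmd.exe": -SimpleMatch so the '.' is literal, not a regex wildcard
$hits = Select-String -Path $out -Pattern 'cmd.exe' -SimpleMatch
"cmd.exe lines in tasklist.txt: $($hits.Count)"

# Which of those is the shell we are typing into? Walk one step up the process tree.
$me     = Get-CimInstance Win32_Process -Filter "ProcessId = $PID"
$parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($me.ParentProcessId)"
if ($parent.Name -eq 'cmd.exe') {
    "PID $($parent.ProcessId) is the cmd.exe hosting this session; $($hits.Count - 1) other cmd.exe remain"
}

# Parent and command line of every cmd.exe, so the remaining ones can be attributed
Get-CimInstance Win32_Process -Filter "Name = 'cmd.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine |
    Format-Table -AutoSize
```

The last command is the check a responder actually wants: a cmd.exe whose parent is explorer.exe is an interactive user, while one parented by a service host, an Office binary or a scheduled-task engine deserves a closer look.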
Q2
Question 2 - Users) How many accounts in total are present on the system?
Using the command net user (net users is accepted as an abbreviation) we get a list of all local accounts on the system, including disabled built-ins such as Guest and DefaultAccount, which count towards the total.
Q3
Question 3 - Users) How many of these accounts are in the administrators localgroup?
Using the net localgroup administrators command we list the members of the local Administrators group, i.e. the accounts with administrative privileges on this host.
Q4
Question 4 - Users) What is the name of the suspicious administrator account?
In the output of the previous command there is an account named 'ServiceeAccount' (note the doubled 'e'), a name chosen to blend in with a legitimate-looking service account that could plausibly exist on the system.
Q5
Question 5 - Users) What are the names of the local accounts that are able to connect to the system using RDP? (List them in alphabetical order)
Using the net localgroup "Remote Desktop Users" command we see that only one account is in the group: the suspicious account from the previous question. Keep in mind that members of the Administrators group can also connect over RDP by default, so when assessing real exposure check both groups; the question here is only about Remote Desktop Users membership.
Q6
Question 6 - PowerShell Users) Run the command to get detailed information about the suspicious account identified earlier. When was it last logged in?
Using the command Get-LocalUser -Name ServiceeAccount | Select * we retrieve all properties of this local account. The LastLogon property holds the last login timestamp; PasswordLastSet and Enabled are worth reading at the same time.
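Questions 2 to 6 are really one triage step: list the local accounts, see who is privileged, who can RDP, and which names look like impersonation. The block below is an added example rather than the lab's own commands; it combines Get-LocalUser and Get-LocalGroupMember into one table and flags names that are one inserted character away from a baseline name. The baseline list, including 'ServiceAccount' as the legitimate name that 'ServiceeAccount' imitates, is an assumption for this example.

```powershell
# Added example: one-pass local account triage (counts, group membership, last logon, lookalike names).
$users  = Get-LocalUser
$admins = Get-LocalGroupMember -Group 'Administrators'        | Where-Object ObjectClass -eq 'User'
$rdp    = Get-LocalGroupMember -Group 'Remote Desktop Users'  | Where-Object ObjectClass -eq 'User'

"Total local accounts:      $($users.Count)"
"In Administrators:         $($admins.Count)"
"In Remote Desktop Users:   $($rdp.Count)"

# Group members come back as COMPUTER\name; strip the prefix so they match Get-LocalUser names
$adminNames = @($admins.Name | ForEach-Object { $_.Split('\')[-1] })
$rdpNames   = @($rdp.Name    | ForEach-Object { $_.Split('\')[-1] })

# Assumed baseline of expected account names for this host (hypothetical for the example)
$baseline = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount', 'ServiceAccount')

function Test-Lookalike {
    # True when $Name equals a known name with exactly one extra character inserted,
    # e.g. ServiceeAccount vs ServiceAccount. String -eq is case-insensitive in PowerShell.
    param([string]$Name, [string[]]$Known)
    foreach ($k in $Known) {
        if ($Name -eq $k) { return $false }
        if ($Name.Length -eq $k.Length + 1) {
            for ($i = 0; $i -lt $Name.Length; $i++) {
                if ($Name.Remove($i, 1) -eq $k) { return $true }
            }
        }
    }
    return $false
}

$report = $users | Select-Object Name, Enabled, LastLogon, PasswordLastSet,
    @{ n = 'IsAdmin';   e = { $_.Name -in $adminNames } },
    @{ n = 'CanRDP';    e = { ($_.Name -in $rdpNames) -or ($_.Name -in $adminNames) } },
    @{ n = 'Lookalike'; e = { Test-Lookalike -Name $_.Name -Known $baseline } }

$report | Sort-Object Name | Format-Table -AutoSize

# Detailed view of anything flagged (what Q6 asks for, without retyping the name)
$report | Where-Object { $_.Lookalike -or ($_.IsAdmin -and $_.Name -notin $baseline) } |
    ForEach-Object { Get-LocalUser -Name $_.Name | Select-Object * }
```

CanRDP deliberately includes administrators, since RDP access is granted to both groups by default; the lookalike check is a cheap heuristic for the homoglyph and extra-letter tricks seen in this lab, not a substitute for comparing against a known-good baseline of the host.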
Q7
Question 7 - PowerShell Services) Run the command to list services on the system. What is the display name of the service starting with “Amazon”?
Running the command Get-Service | Where Status -eq "Running" | Out-GridView opens a new window with the Status, Name and DisplayName columns. Because Get-Service returns services sorted by Name, the "Amazon" service sits near the top of the list. If the service were stopped, the Running filter would hide it, so drop the Where-Object clause if it does not appear.
Q8
Question 8 - PowerShell Scheduled Tasks) Get a list of all Scheduled Tasks. What is the TaskName of the entry beginning with ‘P’ that is in a Ready state?
Using the command Get-ScheduledTask | Where State -eq "Ready" we see only the Scheduled Tasks that are in the Ready state. The first item shown whose TaskName begins with 'P' is the task we are looking for.
Q9
Question 9 - PowerShell Scheduled Tasks) Run the command “Get-ScheduledTask -TaskName ‘TaskNameFromLastQuestionHere’ | Select *”. Look at the Triggers property, what is it?
Running the provided command we can see that the Triggers property contains a logon trigger (the CIM class MSFT_TaskLogonTrigger), meaning the task runs when a user logs into the system. Select * only shows the trigger's class name; to see its details (which user, whether it is enabled) the Triggers objects have to be expanded separately.
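For Questions 7 to 9 the useful trick is expanding the nested CIM objects that Select * only summarises. The block below is an added example, not the lab's commands: it filters services by DisplayName, lists Ready tasks whose name starts with 'P', and prints each task's trigger type and action so a logon-triggered persistence entry can be read in one line. No task or service names beyond those patterns are assumed.

```powershell
# Added example: services by display name, Ready tasks starting with P, and their trigger/action details.

# Q7: match on DisplayName rather than Name, since the question asks for the display name
Get-Service | Where-Object DisplayName -like 'Amazon*' |
    Select-Object Name, DisplayName, Status, StartType |
    Sort-Object DisplayName | Format-Table -AutoSize

# Q8: Ready tasks whose TaskName begins with P
$ready = Get-ScheduledTask | Where-Object { $_.State -eq 'Ready' -and $_.TaskName -like 'P*' }
$ready | Select-Object TaskName, TaskPath, State | Format-Table -AutoSize

# Q9: expand Triggers and Actions. Triggers are CIM instances, so the class name
# (MSFT_TaskLogonTrigger, MSFT_TaskTimeTrigger, MSFT_TaskBootTrigger, ...) tells you the trigger type.
foreach ($t in $ready) {
    foreach ($trig in $t.Triggers) {
        [pscustomobject]@{
            TaskName = $t.TaskName
            Trigger  = $trig.CimClass.CimClassName     # MSFT_TaskLogonTrigger = runs at user logon
            UserId   = $trig.UserId                    # logon triggers only: null means any user
            Enabled  = $trig.Enabled
            RunAs    = $t.Principal.UserId
            Action   = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
} | Format-Table -AutoSize
```

Reading Trigger, RunAs and Action together is what turns "a task starting with P" into a finding: a logon trigger that launches something from a user-writable path under an elevated principal is the classic scheduled-task persistence pattern.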