Windows PowerShell Remoting: Host Based Investigation and Containment Techniques

In this blog post I will detail how to perform various incident response techniques using native Windows PowerShell functionality. Each method I explain can be executed remotely, allowing efficient investigation and containment of an individual host. For PowerShell response at scale, I recommend familiarising yourself with the Kansa framework.

If you follow my GitHub, you may also notice that many of the techniques listed below are built into my remote PowerShell triage tool, B2Response, which lets you perform these actions with ease. Please give it a go and provide feedback!

The techniques which I will cover include:
1) Issuing remote commands/shell
2) Retrieving/downloading files
3) Checking for running processes
4) Querying registry keys
5) PCAP collection
6) Blocking a domain
7) Blocking an IP
8) Quarantining a host


All of the techniques listed below utilise PowerShell to remotely manage computers within your IT environment. In order for these techniques to work, your environment must be configured to permit PowerShell remoting, and you must run the commands as a user who has privileges to execute remote PowerShell commands. For more information on how to set this up, please read this article.

Let's get started!

Initial Setup - Establish a Remote Session!

Throughout this blog post, I will be describing how to execute various PowerShell remoting commands. Whilst it is possible to issue these commands individually, I prefer to establish a PowerShell session first, and then refer to this session in subsequent commands.

The reason I prefer to establish a session first is that I use the -NoMachineProfile session option, which prevents creation of a user profile on the remote host. By establishing this session once and then referring to it for each subsequent command, I reduce the chance of forgetting to include this session option and exposing myself on the target machine.
Why would I need to prevent profile creation on the remote host?
Preventing creation of your user profile on the remote host will save you lots of potential headache when investigating alerts in a corporate environment. Imagine that you have to investigate a senior executive for suspicious activity. If that senior executive then sees your user profile on his PC, he may think you were snooping on his computer. Save yourself the hassle and set up your session with stealth!

To establish the initial session on the remote host, use the following command (replacing 'remotehost' with the remote host computer name):

$s1 = New-PSSession -ComputerName remotehost -SessionOption (New-PSSessionOption -NoMachineProfile) -ErrorAction Stop

We can now refer to the $s1 variable for subsequent commands and they will be executed through this session.

1) Issuing Remote Commands & Remote Shell

When researching security products, I found it quite surprising that very few products supported remote command execution on the host. When I asked vendors about it, most vendors stated that it was coming very soon on their feature road map, as it was a highly requested feature.

Remote command execution can be very useful for enumerating the current state of the host, and can be achieved very easily with PowerShell. Many commands throughout this blog post are simply applications of the following remote command execution techniques.

PowerShell Prompt
To access the PowerShell session and enter manual commands on the remote host, enter the following command.
Enter-PSSession -Session $s1

Individual PowerShell Command
To execute a single PowerShell command (or command block) on a remote host, enter the following command.
Invoke-Command -ScriptBlock {Get-Process} -Session $s1

PowerShell Script Execution
To execute a PowerShell script on a remote host, enter the following command.
Invoke-Command -FilePath file.ps1 -Session $s1

2) Downloading Files

Sometimes we may want to download a file from a remote host to our local machine in order to perform further analysis. To download a file, execute the following command (the -FromSession and -ToSession parameters of Copy-Item require PowerShell 5.0 or later on the machine you run the command from):

Copy-Item -Path "C:\Users\bob\Downloads\maliciousdoc.docx" -Destination "D:\triage_files" -FromSession $s1

In this command we are copying the file "C:\Users\bob\Downloads\maliciousdoc.docx" on the remote host to our local D:\triage_files folder.

A limitation of this method is that you will not be able to download files which are locked by the operating system (such as registry hives). In order to download these files, you will need to use a third-party tool such as RawCopy, which can be remotely executed with ease using B2Response.

3) Check Running Processes

To check running processes, we can remotely execute Get-Process using the following command:
Invoke-Command -ScriptBlock {Get-Process} -Session $s1
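As an added example (not code from the original post or from B2Response), the following function ties together the session setup, remote command execution and process check from the sections above into a single triage step. It establishes a -NoMachineProfile session, collects each process with its command line, parent PID, owner and image hash via Win32_Process (details Get-Process alone does not show), saves the full list to a local CSV and returns the processes whose image lives outside the Windows and Program Files trees for a first look. The output folder name and the host name are assumptions; the session is always removed afterwards.

```powershell
# Added example: remote process snapshot through a -NoMachineProfile session.
# Assumes PowerShell remoting is enabled and the caller has admin rights on the
# remote host. 'D:\triage_files' is an assumed local output folder.
function Get-RemoteProcessSnapshot {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$OutputFolder = 'D:\triage_files'   # assumed local folder
    )

    $opt = New-PSSessionOption -NoMachineProfile
    $s = New-PSSession -ComputerName $ComputerName -SessionOption $opt -ErrorAction Stop
    try {
        $procs = Invoke-Command -Session $s -ScriptBlock {
            # Win32_Process exposes the command line and parent PID, which
            # Get-Process alone does not show; both help spot odd parent/child
            # pairs or suspicious arguments.
            Get-CimInstance Win32_Process | ForEach-Object {
                $owner = $_ | Invoke-CimMethod -MethodName GetOwner -ErrorAction SilentlyContinue
                $ownerName = $null
                if ($owner -and $owner.User) { $ownerName = "$($owner.Domain)\$($owner.User)" }
                $hash = $null
                if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
                    $hash = (Get-FileHash -LiteralPath $_.ExecutablePath -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                }
                [pscustomobject]@{
                    Name            = $_.Name
                    ProcessId       = $_.ProcessId
                    ParentProcessId = $_.ParentProcessId
                    Owner           = $ownerName
                    Path            = $_.ExecutablePath
                    SHA256          = $hash
                    CommandLine     = $_.CommandLine
                    CreationDate    = $_.CreationDate
                }
            }
        }

        New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        $csv = Join-Path $OutputFolder "$ComputerName-processes-$stamp.csv"
        $procs | Export-Csv -Path $csv -NoTypeInformation
        # Return processes whose image lives outside the usual Windows and
        # Program Files trees as a first cut for review; the full list is in the CSV.
        $procs | Where-Object { $_.Path -and $_.Path -notmatch '^C:\\(Windows|Program Files)' } |
            Select-Object Name, ProcessId, ParentProcessId, Owner, Path, SHA256
    }
    finally {
        Remove-PSSession -Session $s
    }
}

# Usage: Get-RemoteProcessSnapshot -ComputerName remotehost | Format-Table -AutoSize
```

The SHA256 column lets you compare running images against your threat intelligence without pulling every binary back, and the CSV gives you a timestamped record of the host state at the time of triage.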

4) Query Registry Keys

Querying registry keys can be a useful way to identify the presence of malware on a system. One common registry key I will use as an example is the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key.

What is HKLM\Software\Microsoft\Windows\CurrentVersion\Run ?
This registry key contains a list of programs and their arguments which get executed every time Windows boots. As a result, much malware adds an entry to this registry key so that it runs on each boot.
To view the contents of this registry key on our remote host, use the following command:

Invoke-Command -ScriptBlock {Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run} -Session $s1

This is useful if you know which key you need to look in; however, there are many other registry keys malware may use to persist on a system. As a good starting point, I would recommend running autorunsc to check multiple locations. B2Response can execute this tool remotely using PowerShell with ease.
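As an added example (not from the original post), the function below goes a step beyond the single Run key shown above: it checks the Run and RunOnce keys under HKLM (including the WOW6432Node variants) and under every loaded user hive in HKEY_USERS, and returns one object per value so the output can be sorted or exported. It assumes an existing session created with -NoMachineProfile; the $s1 name follows the post.

```powershell
# Added example: enumerate common Run/RunOnce autostart locations on a remote host.
# Assumes a session such as $s1 from the post. Values whose names begin with
# "PS" are dropped because Get-ItemProperty adds PSPath/PSChildName bookkeeping.
function Get-RemoteRunKeys {
    param([Parameter(Mandatory)][System.Management.Automation.Runspaces.PSSession]$Session)

    Invoke-Command -Session $Session -ScriptBlock {
        # Relative key paths checked under HKLM and under HKU\<SID> for each loaded user hive.
        $subKeys = @(
            'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
        )
        $roots = @('Registry::HKEY_LOCAL_MACHINE')

        # Loaded user hives live under HKEY_USERS; keep domain/local user SIDs
        # and skip the matching *_Classes hives.
        $sids = Get-ChildItem 'Registry::HKEY_USERS' |
            Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
            Select-Object -ExpandProperty PSChildName
        foreach ($sid in $sids) { $roots += "Registry::HKEY_USERS\$sid" }

        foreach ($root in $roots) {
            foreach ($sub in $subKeys) {
                $key = "$root\$sub"
                if (-not (Test-Path -LiteralPath $key)) { continue }
                $props = Get-ItemProperty -LiteralPath $key
                $props.PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' } |
                    ForEach-Object {
                        [pscustomobject]@{
                            Key   = $key -replace '^Registry::', ''
                            Name  = $_.Name
                            Value = $_.Value
                        }
                    }
            }
        }
    }
}

# Usage: Get-RemoteRunKeys -Session $s1 | Format-Table -AutoSize -Wrap
```

This still covers only a fraction of the autostart locations autorunsc knows about (services, scheduled tasks, Winlogon, shell extensions and so on), but it is a quick, dependency-free first pass over the keys most commonly abused.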

5) Packet Capture

Thanks to some fantastic work by nospaceships, it is incredibly easy to capture network traffic into a Wireshark-compatible PCAP file with PowerShell. This capture method works by using raw sockets to capture IP packets on a specified network interface.
What are raw sockets?
A raw socket is a type of socket which provides access to the underlying transport provider. In this scenario, it provides access to the specific network interface, which allows us to capture the network traffic to a .pcap file.
Implementing this packet capture method requires two stages.

Stage 1) Identify the network interface to capture on
Executing the following command will list the available network interfaces.

Invoke-Command -ScriptBlock {ipconfig} -Session $s1

In this example, we will be capturing on the wireless interface, which was listed in the output of the ipconfig command.

We need to note down the IPv4 address for stage 2, which in this case is

Stage 2) Run the pcap script
The following script will download nospaceships' raw-socket-sniffer script, execute it and save the capture to 'capture.cap' in the current working directory of the remote host.

Ensure that you replace the -InterfaceIp parameter with the IP address identified in stage 1, or your pcap may be empty.

Invoke-Command -ScriptBlock {
    $url = ""
    Invoke-WebRequest -Uri $url `
        -OutFile "raw-socket-sniffer.ps1"
    PowerShell.exe -ExecutionPolicy bypass .\raw-socket-sniffer.ps1 `
        -InterfaceIp "" `
        -CaptureFile "capture.cap"
} -Session $s1

Because we ran the session with the -NoMachineProfile option, the raw-socket-sniffer.ps1 and capture.cap should be located under C:\Windows\System32.

You can now use the 'Downloading Files' instructions from section 2 of this blog post to download capture.cap to your local system for analysis in Wireshark.
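As an added example (not from the original post or from the raw-socket-sniffer project), the functions below package the two stages with a few practitioner safeguards: the interface list comes from Get-NetIPAddress instead of parsing ipconfig output, the sniffer script is copied to the host from a local copy whose SHA256 you have already checked (so a possibly compromised host does not need to reach the internet, and the tool you run is the one you reviewed), the capture runs for a fixed number of seconds in a known working folder, and the file is pulled back with a host-tagged name. It assumes an existing session such as $s1, PowerShell 5.0 or later on your machine for Copy-Item -ToSession/-FromSession, and that raw-socket-sniffer.ps1 accepts the -InterfaceIp and -CaptureFile parameters shown in the post and captures until its process is stopped. The local tool path, output folder and expected hash are placeholders.

```powershell
# Added example: stage a verified sniffer copy, capture for a bounded time, retrieve the file.
# Assumptions: session $Session exists; PowerShell 5+ locally; the sniffer script
# captures until stopped. Paths and the expected hash below are placeholders.
function Get-RemoteInterfaceIPs {
    param([Parameter(Mandatory)][System.Management.Automation.Runspaces.PSSession]$Session)
    # Stage 1 without parsing text: one row per IPv4 address, loopback excluded.
    Invoke-Command -Session $Session -ScriptBlock {
        Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
            Select-Object InterfaceAlias, IPAddress, PrefixOrigin
    }
}

function Invoke-RemoteCapture {
    param(
        [Parameter(Mandatory)][System.Management.Automation.Runspaces.PSSession]$Session,
        [Parameter(Mandatory)][string]$InterfaceIp,
        [int]$Seconds = 60,
        [string]$SnifferPath = 'D:\tools\raw-socket-sniffer.ps1',   # local copy, already obtained
        [string]$ExpectedSha256 = '<SHA256-OF-YOUR-VETTED-COPY>',    # placeholder
        [string]$LocalFolder = 'D:\triage_files'
    )

    # 1. Refuse to run a copy that differs from the one that was reviewed.
    $actual = (Get-FileHash -LiteralPath $SnifferPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) { throw "Hash mismatch for $SnifferPath : $actual" }

    # 2. Use a fixed working folder rather than the session's default location.
    $remoteDir = 'C:\Windows\Temp\ir_capture'
    Invoke-Command -Session $Session -ScriptBlock {
        param($dir) New-Item -ItemType Directory -Path $dir -Force | Out-Null
    } -ArgumentList $remoteDir
    Copy-Item -Path $SnifferPath -Destination $remoteDir -ToSession $Session

    # 3. Start the sniffer as a separate process (its PID comes back), wait, stop it.
    $sniffPid = Invoke-Command -Session $Session -ScriptBlock {
        param($dir, $ip)
        $argLine = '-ExecutionPolicy Bypass -File "{0}\raw-socket-sniffer.ps1" -InterfaceIp {1} -CaptureFile "{0}\capture.cap"' -f $dir, $ip
        (Start-Process powershell.exe -ArgumentList $argLine -WorkingDirectory $dir -PassThru -WindowStyle Hidden).Id
    } -ArgumentList $remoteDir, $InterfaceIp
    Start-Sleep -Seconds $Seconds
    Invoke-Command -Session $Session -ScriptBlock {
        param($p) Stop-Process -Id $p -Force -ErrorAction SilentlyContinue
    } -ArgumentList $sniffPid

    # 4. Retrieve the capture and record its hash for the case notes.
    New-Item -ItemType Directory -Path $LocalFolder -Force | Out-Null
    $dest = Join-Path $LocalFolder "$($Session.ComputerName)-capture.cap"
    Copy-Item -Path "$remoteDir\capture.cap" -Destination $dest -FromSession $Session
    Get-FileHash -LiteralPath $dest -Algorithm SHA256
}

# Usage:
# Get-RemoteInterfaceIPs -Session $s1
# Invoke-RemoteCapture -Session $s1 -InterfaceIp 10.0.0.5 -Seconds 120   # 10.0.0.5 is a constructed address
```

Copying the tool in from your own machine also keeps the capture workflow usable after the host has been quarantined (section 8), when it can no longer download anything itself.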

6) Blocking a Domain

In this example we will be redirecting malicious traffic destined for to the localhost, which effectively blocks network connections to this domain. To do this we will edit the Windows hosts file.
What is the Windows hosts file?
The Windows hosts file is located at C:\Windows\System32\drivers\etc\hosts on Win 7+ and Server 2003+ systems and contains mappings of IP addresses to host names. We can use this to redirect traffic destined for a specific domain to a specific IP address. The file has no extension, but is a normal text file that can be edited with notepad.
What is localhost?
Localhost is a networking term which refers to the current computer. In this scenario, we will be redirecting malicious traffic to localhost, where it will fail to be received, as there is no service listening for the traffic (unless you are running a web server).
Shouldn't we be blocking/sinkholing on the network layer?
Absolutely. Automated domain sinkholing at the network layer is a fantastic control. There are, however, many scenarios where network sinkholing may not reach all devices in your environment. I've seen many environments where remote devices aren't configured for a full tunnel back to on-premises firewalls, so the host goes straight out to the internet (bypassing a firewall sinkhole).
So let's open C:\Windows\System32\drivers\etc\hosts in your favourite text editor (I will use Notepad++) as Administrator and append the following line:

Save the file.

Now when we visit in a browser we cannot reach this location, because traffic is being redirected to the localhost, which isn't hosting a web server.

Let's automate this with PowerShell. Copy the following code into Notepad++ and save it as blockdomains.ps1:

Add-Content C:\Windows\System32\drivers\etc\hosts "`n127.0.0.1"

Note: The `n adds a new line to the file.

Once this script is executed on a host, it will perform the same modification that we manually made to the hosts file. To block multiple domains, simply add additional Add-Content commands to the blockdomains.ps1.

To execute this script on our remote PC, use the script execution command we learnt earlier:
Invoke-Command -FilePath blockdomains.ps1 -Session $s1
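As an added example (not the post's blockdomains.ps1), here is a version of the script that takes a list of domains, backs up the hosts file first, skips names that are already mapped so repeated runs do not pile up duplicate lines, and flushes the DNS client cache so the new entries take effect immediately rather than after the cached answer expires. It is run the same way, with Invoke-Command -FilePath. The domain names are constructed placeholders.

```powershell
# Added example: idempotent hosts-file sinkholing script for Invoke-Command -FilePath.
# The domains below are constructed placeholders; pass your own with -Domains.
param(
    [string[]]$Domains = @('malicious.example', 'www.malicious.example'),
    [string]$SinkholeIp = '127.0.0.1'
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Keep a copy so the change can be reverted exactly.
Copy-Item -LiteralPath $hostsPath -Destination "$hostsPath.$stamp.bak"

$existing = Get-Content -LiteralPath $hostsPath
$added = @()
foreach ($d in $Domains) {
    # An uncommented line already mapping this exact name (to any IP) means we skip it.
    $pattern = '^\s*\S+\s+' + [regex]::Escape($d) + '(\s|$)'
    if ($existing -match $pattern) { continue }
    # Leading `n guards against a file that does not end with a newline; the
    # trailing comment makes IR entries easy to find and remove later.
    Add-Content -LiteralPath $hostsPath -Value "`n$SinkholeIp`t$d`t# blocked by IR $stamp" -Encoding Ascii
    $added += $d
}

# Cached answers would otherwise be used until they expire.
ipconfig /flushdns | Out-Null

[pscustomobject]@{
    Host    = $env:COMPUTERNAME
    Added   = $added
    Skipped = @($Domains | Where-Object { $added -notcontains $_ })
    Backup  = "$hostsPath.$stamp.bak"
}
```

The returned object tells you which names were actually written and where the backup went, which is what you want in your case notes when the change is rolled back later.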

7) Blocking an IP

For reasons unknown to me, the Windows firewall is often overlooked as an effective host-based firewall.
What is a host based firewall?
A host based firewall is a software firewall that runs on an individual computer which defines what inbound and outbound network connections are allowed to/from that computer.
If you have identified connections to a malicious IP on a host, you can use the Windows firewall to block connections to this IP.

In order to block connections to a specific IP address ( in this example) on a remote host, use the following command:
Invoke-Command -ScriptBlock {New-NetFirewallRule -DisplayName "Block_Malicious_IP" -Direction Outbound -LocalPort Any -Protocol TCP -Action Block -RemoteAddress} -Session $s1

To unblock this IP address, run the following command:
Invoke-Command -ScriptBlock {Remove-NetFirewallRule -DisplayName "Block_Malicious_IP"} -Session $s1

8) Quarantining a Host

Expanding on the Windows firewall's ability to block individual network connections, we can also apply firewall rules to block all outbound network connections, effectively quarantining the infected PC.
What does it mean to quarantine a PC, and why would we do it?
Quarantining a PC is the act of segregating the device at the network level, so as to limit the ability of the compromise on that device to spread to, or access, other computing resources within the IT environment.
We can use the following PowerShell command to create a new Windows firewall rule called 'InfoSec_Quarantine' on a remote PC which we would like to quarantine.

Apply Quarantine:
Invoke-Command -ScriptBlock {New-NetFirewallRule -DisplayName InfoSec_Quarantine -Direction Outbound -Enabled True -LocalPort Any -RemoteAddress Any -Action Block} -Session $s1

Once applied, this computer will not be able to initiate any outbound connections to either internal or external (including internet) resources. Don't be surprised if you don't receive feedback from this command, or further commands, as the PC cannot send traffic outbound anymore!

If you would like to roll back this quarantine action, you can simply issue this command to the same device to remove the quarantine firewall rule. This should work, as the host can still receive inbound connections and process the command.

Remove Quarantine:
Invoke-Command -ScriptBlock {Remove-NetFirewallRule -DisplayName InfoSec_Quarantine} -Session $s1
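As an added example (not from the original post) covering both sections 7 and 8, the two functions below wrap the IP block and quarantine rules with the checks an operator wants when running them against a remote host: the IP block accepts a list of addresses and merges into an existing rule instead of creating duplicates, the quarantine is only created once, and both return the rule state actually in effect (via Get-NetFirewallRule and Get-NetFirewallAddressFilter) so you can confirm the change or the rollback. Two caveats worth knowing: the post's example rule specifies -Protocol TCP, so UDP and ICMP to that address remain allowed, and the functions below omit the protocol filter to cover all of them; and in the Windows firewall an explicit Block rule takes precedence over Allow rules, which is why a single outbound Block rule with -RemoteAddress Any is enough to quarantine the host. The rule names and the sample addresses are constructed; the session name $s1 follows the post.

```powershell
# Added example: block a list of IPs, and apply/remove quarantine, with verification.
# Assumes a session such as $s1 from the post. Rule names are placeholders.
function Block-RemoteIPs {
    param(
        [Parameter(Mandatory)][System.Management.Automation.Runspaces.PSSession]$Session,
        [Parameter(Mandatory)][string[]]$Addresses,
        [string]$RuleName = 'IR_Block_Malicious_IP'
    )
    Invoke-Command -Session $Session -ScriptBlock {
        param($name, $ips)
        $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if ($existing) {
            # Merge with the addresses already on the rule rather than creating a duplicate.
            $current = ($existing | Get-NetFirewallAddressFilter).RemoteAddress
            $merged = (@($current) + $ips) | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique
            $existing | Set-NetFirewallRule -RemoteAddress $merged
        } else {
            # No -Protocol filter: cover TCP, UDP and ICMP to these addresses.
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -RemoteAddress $ips -Enabled True | Out-Null
        }
        # Return what is actually in effect so the operator can confirm.
        Get-NetFirewallRule -DisplayName $name | Get-NetFirewallAddressFilter |
            Select-Object -ExpandProperty RemoteAddress
    } -ArgumentList $RuleName, $Addresses
}

function Set-RemoteQuarantine {
    param(
        [Parameter(Mandatory)][System.Management.Automation.Runspaces.PSSession]$Session,
        [switch]$Remove,
        [string]$RuleName = 'InfoSec_Quarantine'
    )
    Invoke-Command -Session $Session -ScriptBlock {
        param($name, $remove)
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if ($remove) {
            if ($rule) { $rule | Remove-NetFirewallRule }
        } elseif (-not $rule) {
            # One explicit outbound Block rule overrides any outbound Allow rules.
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -RemoteAddress Any -LocalPort Any -Profile Any -Enabled True | Out-Null
        }
        # Report state; an empty result after -Remove confirms the rule is gone.
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
            Select-Object DisplayName, Enabled, Direction, Action, Profile
    } -ArgumentList $RuleName, $Remove.IsPresent
}

# Usage (constructed addresses):
# Block-RemoteIPs -Session $s1 -Addresses '198.51.100.23', '203.0.113.7'
# Set-RemoteQuarantine -Session $s1
# Set-RemoteQuarantine -Session $s1 -Remove
```

Because the WinRM session is an inbound connection from your machine, the host can still receive and answer these commands after the quarantine rule is in place, which is what makes the -Remove rollback possible, as the post notes.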


I hope this post has helped some of you get started with PowerShell incident response techniques. If you have additional tasks you would like to perform with PowerShell, give them a go, and feel free to email me at if you would like some help, or if you would like me to cover other topics in a future blog post.

