Free Tool

PowerShell for Security Operations

The commands defenders use during investigations and triage. Organized by ATT&CK tactic.

25+ PowerShell commands across 9 ATT&CK tactics — discovery, persistence, credential access, execution, lateral movement, collection, defense evasion, exfiltration, and containment. Every command includes the full syntax, what it reveals, and what to look for during an investigation.

For the full investigation methodology using PowerShell in incident response — remote triage, evidence collection, timeline reconstruction, and containment scripting — see Practical Incident Response and Incident Triage. For endpoint-specific PowerShell workflows — Defender configuration, Intune policy, and device management — see Endpoint Security Engineering.