
PowerShell security scripts collection for Windows hardening

BugBounty_Leo 6/17/2025 USER

Sharing some PowerShell scripts I use regularly for Windows security auditing:

Find accounts with password never expires

Get-ADUser -Filter {PasswordNeverExpires -eq $true} -Properties PasswordNeverExpires |
Select-Object Name, SamAccountName, PasswordNeverExpires

Find admin accounts that logged in recently

# In event 4624, Properties[5] is TargetUserName; index 8 is LogonType
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624} -MaxEvents 1000 |
Where-Object { $_.Properties[5].Value -match 'admin' } |
Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}

Check SMB signing status

Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature

Audit local admin group across domain computers

$computers = Get-ADComputer -Filter {OperatingSystem -like "*Windows*"} | Select -ExpandProperty Name
foreach ($pc in $computers) {
    try {
        $admins = Invoke-Command -ComputerName $pc -ScriptBlock {
            Get-LocalGroupMember -Group "Administrators"
        } -ErrorAction Stop
        Write-Host "$pc : $($admins.Name -join ', ')"
    } catch { Write-Host "$pc : UNREACHABLE" -ForegroundColor Red }
}

Feel free to add yours below!

CISO_Michelle 6/18/2025

Great collection. Here's one for finding services running as domain accounts:

Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartName -like "*\*" -and $_.StartName -notlike "NT AUTHORITY\*" -and $_.StartName -notlike "NT SERVICE\*" } | Select Name, StartName, State

Services running as domain users are often over-privileged and a prime target.

ICS_Security_Tom 6/19/2025

For LAPS (Local Admin Password Solution) audit:

Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime | Where-Object { $null -eq $_."ms-Mcs-AdmPwd" } | Select Name

Shows computers where LAPS isn't deployed yet.

MDR_Analyst_Chris 6/20/2025

Don't forget to check your PowerShell execution policy and logging. If Constrained Language Mode and Script Block Logging aren't enabled, attackers can use PowerShell against you freely.
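
One way to run the checks from the post above on the local machine, as an added example that is not part of any post in this thread. The function name Get-PSHardeningStatus is hypothetical; the registry path is the Group Policy location for Script Block Logging.

```powershell
# Added example. Get-PSHardeningStatus is a hypothetical name, not a built-in cmdlet.
function Get-PSHardeningStatus {
    [CmdletBinding()]
    param()

    # Execution policy: the effective value plus every scope. Scopes set by
    # Group Policy (MachinePolicy, UserPolicy) override the local ones.
    $effective = Get-ExecutionPolicy
    $byScope   = (Get-ExecutionPolicy -List |
        ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '

    # Language mode is a property of the session that runs this check, so run
    # it as the user and on the host you want to audit.
    $languageMode = $ExecutionContext.SessionState.LanguageMode

    # Script Block Logging is switched on through this policy value (1 = on).
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $sblEnabled = ($null -ne $sbl) -and ($sbl.EnableScriptBlockLogging -eq 1)

    # Collect the gaps the post warns about.
    $findings = @()
    if ("$effective" -in 'Unrestricted', 'Bypass') {
        $findings += "Execution policy is $effective"
    }
    if ("$languageMode" -ne 'ConstrainedLanguage') {
        $findings += "Language mode is $languageMode, not ConstrainedLanguage"
    }
    if (-not $sblEnabled) {
        $findings += 'Script Block Logging policy is not enabled'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EffectivePolicy    = "$effective"
        PolicyByScope      = $byScope
        LanguageMode       = "$languageMode"
        ScriptBlockLogging = $sblEnabled
        Findings           = $findings
    }
}

Get-PSHardeningStatus | Format-List
```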
