A great starting point for anyone analyzing a system is the list of running processes. Taking the time to retrieve not only each process's command line but also its parent process will let you spot outliers. Taking it a step further, retrieving the hash of each process's binary expands your aperture substantially, especially when you can group and stack those hashes against the ones collected from other machines. With that in mind, I’ve written a simple little script that will get the hashes of all running processes.
foreach ($proc in Get-Process)
{
    try
    {
        # -ErrorAction Stop turns a missing path or an access-denied error into a
        # terminating error so the catch block below sees it
        Get-FileHash $proc.Path -Algorithm SHA1 -ErrorAction Stop
    }
    catch
    {
        # error handling... log contains names of processes where there was no path listed or we lack the rights
        $proc.Name | Out-File c:\proc_hash_error.log -Append
    }
}
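The paragraph above also recommends capturing each process's command line and parent, and stacking the hashes across machines. The following is an added example that goes beyond the author's script (it is not code from the original post): it pulls command line, parent PID and executable path from Win32_Process, hashes each image with SHA256, writes a CSV that can be concatenated with the same output from other hosts, and then groups by hash so that images seen only once float to the top. The output paths and the choice of SHA256 are assumptions; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run elevated so that most processes' paths and command lines are readable.

```powershell
# Added example, not the original post's script.
# Assumed output locations (change to suit the host).
$ErrorLog = 'C:\proc_hash_error.log'
$Report   = 'C:\proc_inventory.csv'

# Win32_Process exposes CommandLine, ParentProcessId and ExecutablePath in one query.
$all   = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }   # PID -> process, for parent lookup

$inventory = foreach ($p in $all) {
    $path = $p.ExecutablePath
    $hash = $null
    if ([string]::IsNullOrEmpty($path)) {
        # Kernel-side images (System, Registry, protected processes) report no path.
        "$($p.Name) (PID $($p.ProcessId)): no executable path" | Out-File $ErrorLog -Append
    }
    else {
        try {
            # -LiteralPath avoids wildcard expansion on odd file names; Stop makes
            # access-denied a terminating error so the catch block records it.
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop).Hash
        }
        catch {
            "$($p.Name) (PID $($p.ProcessId)): $($_.Exception.Message)" | Out-File $ErrorLog -Append
        }
    }

    # A parent that has already exited leaves a dangling ParentProcessId.
    $parent = $byPid[[int]$p.ParentProcessId]

    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Name        = $p.Name
        PID         = $p.ProcessId
        ParentPID   = $p.ParentProcessId
        ParentName  = if ($parent) { $parent.Name } else { '<exited or unknown>' }
        Path        = $path
        CommandLine = $p.CommandLine
        SHA256      = $hash
    }
}

# One CSV per host; concatenate them from several hosts and run the same stacking below.
$inventory | Export-Csv -Path $Report -NoTypeInformation

# Stack by hash: low counts (and hashes whose image name varies) are where to start looking.
$inventory |
    Where-Object { $_.SHA256 } |
    Group-Object -Property SHA256 |
    Sort-Object -Property Count |
    Select-Object Count,
        @{ Name = 'Names';  Expression = { ($_.Group.Name | Sort-Object -Unique) -join ',' } },
        @{ Name = 'SHA256'; Expression = { $_.Name } } |
    Format-Table -AutoSize
```

Run it on each host, then import the CSVs together (`Get-ChildItem *.csv | Import-Csv`) and pipe that combined set through the same `Group-Object SHA256` stack; a hash that appears on one host out of fifty, or an image name that maps to several different hashes, is the outlier the paragraph above is after. The error log keeps the same role as in the author's script: it records which processes could not be hashed so that gaps in the inventory are visible rather than silent.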