Powering up on PowerShell
Fernando Tomlinson (@Wired_Pulse)
Powering up on PowerShell
Fernando Tomlinson (@Wired_Pulse)
Wireless:
SSID: PoSh or PoSH-5g
Pass: powershell
PoSh-Hunter:
HTTP://192.168.0.100
In the VM:
1. Type “resmon”
2. Checkmark “wlms.exe”
3. Right-click & Suspend
Get-ADUser -Filter {Name -eq "Fernando Tomlinson"}
• 17 years of forensics, incident response, and information
technology experience with the Department of Defense
• Adjunct Digital Forensics Professor at a local college
• PowerShell enthusiast; developing and coding in PowerShell for
4 years
• Co-developer of Under the Wire (UnderTheWire.tech)
• Developer of PoSh Hunter (Posh-Hunter.com)
• Other sites:
• cyberfibers.com
• github.com/wiredpulse
Powering up on power shell   avengercon - 2018
Demos
• The demos used in this presentation can be found at the link below:
  https://drive.google.com/file/d/1eNGTq5V7HqMCldqcjDiHR_HFmySShfzF/view?usp=sharing
Agenda
• Overview
• Moving around
• Hashing
• Data Storage
• Custom Event Logs
• WinRM Logging
• Port Scanning
• Persistence through Profiles
• Questions
What is this PowerShell?
• Introduced in 2006
• Implemented as an engine that can be embedded in a GUI
or used directly as a CLI
• Interactive command shell (like CMD)
• Scripting language (simplified C#)
• Remote management framework
• Built on top of .NET Framework
• Piping of full objects, not text
• Functionality provided by commands:
• Cmdlets (pronounced “command-lets”)
• Functions
• Scripts
• Native commands
How does it Work?
(Diagram: a host application exposes a host interface and a runspace interface; cmdlets, scripts and functions run inside the runspace, and their output is handed back to the host, which is what you see at the PS C:\> _ prompt.)
Is this language really used?
Elevator Speech about PowerShell
• Installed by default as part of OS
• Can access and manage most OS components
• Can access registry, files, WMI, change settings etc.
• Antivirus struggles (but has gotten better) with detection
• Can reflectively inject code
• Doesn’t touch disk most of the time
• Leaves barely any forensics evidence
• Encrypted network traffic
• Provides remote shell capability
• Full .NET Framework access
• Win32 API and native code access
Versions
OS               Default PowerShell version
Windows 7        v2
Server 2008R2    v2
Windows 8        v3
Windows 8.1      v4
Server 2012      v3
Server 2012R2    v4
Windows 10       v5
Server 2016      v5
Server 2019      v5
• A decent number of organizations are still running Windows 7 with v2 installed!
• The OS versions above can all be upgraded to v5
  – Requires Windows Management Framework
  – Requires .NET Framework 4.5
• PowerShell v5.1 (Windows specific) and PowerShell Core 6.2 (cross-platform)
Quick Primer (Jimmy Johns)
• Get-Help – Help docs on cmdlets and examples
• Get-Command – Lists all commands installed, including cmdlets, aliases, functions, filters, scripts, and apps
• Get-Host – Lists the version of PowerShell
• Get-PSDrive – Alias, Variables, Functions, HKCU, HKLM
• Set-Location – Changes the present working directory
• Get-ChildItem – Directory listing
• Get-Content – Reads the contents of a file
• Get-ItemProperty – Metadata / registry values
• Flow control – If, For, Foreach, While
Hashes
• National Software Reference Library
  https://www.nist.gov/software-quality-group/national-software-reference-library-nsrl
• Identifying known-bad or unknown hashes
• Could be streamlined with whitelisting
• Disk hashing == resource intensive
• Recommend hashing running processes or a tailored approach
Walkthrough: Tailored file and process hashing.
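The "tailored approach" the slide recommends, as an added example that is not part of the deck: instead of hashing the whole disk, hash only the executable behind each running process and report what is not already vouched for. The known-good table is a constructed placeholder; in practice you would load it from the NSRL data set or your own allowlist export.

```powershell
# Added example (not from the slides): hash the executable behind every running
# process and flag the ones not on a known-good list.
# ASSUMPTION: $KnownGood is a constructed placeholder; load real hashes from the
# NSRL data set or your own application-allowlist export.
$KnownGood = @{
    'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855' = 'placeholder (SHA256 of an empty file)'
}

function Get-ProcessHashReport {
    param([hashtable]$Known = $KnownGood)

    # Group by executable path so each binary is hashed once, not once per process.
    # Processes with no Path (System, Idle, protected processes) are skipped.
    Get-Process | Where-Object Path | Group-Object Path | ForEach-Object {
        $path = $_.Name
        try {
            $hash = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction Stop).Hash
        } catch {
            $hash = $null   # access denied or file already gone; still report it
        }
        [pscustomobject]@{
            Path    = $path
            Count   = $_.Count
            SHA256  = $hash
            Status  = if (-not $hash) { 'Unreadable' }
                      elseif ($Known.ContainsKey($hash)) { 'Known' }
                      else { 'Unknown' }
            # Authenticode status is a cheap second opinion on an unknown hash
            Signed  = if ($hash) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        }
    }
}

# Review only what the allowlist does not already cover
Get-ProcessHashReport | Where-Object Status -ne 'Known' |
    Sort-Object Status, Path | Format-Table -AutoSize
```

Unsigned binaries with an unknown hash are the ones to triage first; a signed, unknown binary is usually just something missing from the allowlist.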
Storing Data
• Data -> Bytes -> Base64 -> Storage
• Fileless approach
• Anywhere that can be written to
• Registry
• Active Directory
• Event Logs
• Alternate Data Streams
• There when we need it
• Less likely to be found
Active Directory
• Over 50 properties to use
• Has size limitations
• Requires applicable rights to alter
• Readable by Domain Users
Registry
• Regedit allows the registry to be viewed like the file system
  • Keys are folders
  • Values are files
  • Value data are the properties
• PowerShell views it the same way
(Figure: keys shown as folders, values as files, value data as properties)
Walkthrough: Storing and executing data from the Registry and Active Directory.
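The Data -> Bytes -> Base64 -> Storage path from the "Storing Data" slide, followed by the check a defender wants: a walk over a registry hive that reports string values which look like long Base64 blobs and decodes them for review. This is an added example, not code from the deck; the key name and the sample text are constructed for the demo and the key is removed at the end.

```powershell
# Added example (not from the slides). Part 1 stores a constructed text as a
# Base64 registry value; part 2 hunts a hive for values that look like that.
# ASSUMPTION: the key name and sample text are constructed for this demo.
$DemoKey = 'HKCU:\Software\PoshDemoConstructed'
$Sample  = 'constructed sample text, not a payload'

# 1. Store: text -> bytes -> Base64 -> REG_SZ value
New-Item -Path $DemoKey -Force | Out-Null
$b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Sample))
Set-ItemProperty -Path $DemoKey -Name 'Blob' -Value $b64

# 2. Hunt: report string values that match the shape of a long Base64 blob
function Find-Base64RegistryValue {
    param(
        [string]$Root = 'HKCU:\Software',
        [int]$MinLength = 64        # short Base64 strings are mostly legitimate settings
    )
    $pattern = '^[A-Za-z0-9+/]{' + $MinLength + ',}={0,2}$'
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $value = $key.GetValue($name)
            if ($value -is [string] -and $value -match $pattern) {
                # Decode so an analyst can see what was stashed: UTF-16 if the
                # byte count is even, otherwise UTF-8 (heuristic, good enough for triage)
                try {
                    $bytes = [Convert]::FromBase64String($value)
                    $text  = if ($bytes.Length % 2 -eq 0) { [Text.Encoding]::Unicode.GetString($bytes) }
                             else { [Text.Encoding]::UTF8.GetString($bytes) }
                } catch {
                    $bytes = @(); $text = '<not valid Base64>'
                }
                [pscustomobject]@{
                    Key     = $key.PSPath -replace '^.*::', ''
                    Value   = $name
                    Length  = $value.Length
                    Bytes   = $bytes.Length
                    Preview = $text.Substring(0, [Math]::Min(80, $text.Length))
                }
            }
        }
    }
}

Find-Base64RegistryValue -Root 'HKCU:\Software' | Format-Table -AutoSize

# Clean up the constructed key
Remove-Item -Path $DemoKey -Recurse -Force
```

Expect some legitimate hits (application settings, cached tokens); the decoded Preview column is what separates a serialized setting from a script or a binary that someone parked in the hive.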
Choices, choices…
• Get-WinEvent
• Classic logs and Event Tracing for Windows (ETW)
• Search local or remote event logs
• Filtering performed at the remote server, not locally
• Can query archived log files off-line (*.evtx files)
• Supports the XPath query language:
• Very flexible and precise query syntax
• Build your XPath query in Event Viewer
• Lots of XPath tutorials on the Internet
• Get-EventLog
• Classic logs only
• Search local or remote event logs
• Filtering performed locally
Eventlogs
You said the data wasn't logging!
• Custom logging
  • Create your own custom logs
  • Could be used to log activity that otherwise had no way of being logged
Walkthrough: Formatting the event log message field and developing custom event logs and messages.
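The custom-log idea from the slide, as an added example that is not code from the deck: create a log and source, write messages whose body is key=value lines (so the message field stays machine-parseable), and read them back with Get-WinEvent so the filtering happens inside the event log service. The log name, source name and the two events are constructed; creating the log with New-EventLog needs an elevated session the first time.

```powershell
# Added example (not from the slides): a custom event log with structured messages.
# ASSUMPTIONS: log 'PoshDemo' and source 'PoshDemoSource' are constructed names;
# New-EventLog requires administrator rights the first time it is run.
$LogName = 'PoshDemo'
$Source  = 'PoshDemoSource'

if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

function Write-DemoEvent {
    # One key=value pair per line keeps the message field trivially parseable later
    param(
        [Parameter(Mandatory)][string]$Activity,
        [hashtable]$Fields = @{},
        [int]$EventId = 1000,
        [ValidateSet('Information','Warning','Error')][string]$Type = 'Information'
    )
    $body = @("Activity=$Activity", "User=$env:USERNAME", "Host=$env:COMPUTERNAME")
    foreach ($kv in $Fields.GetEnumerator()) { $body += "$($kv.Key)=$($kv.Value)" }
    Write-EventLog -LogName $LogName -Source $Source -EventId $EventId `
                   -EntryType $Type -Message ($body -join "`n")
}

# Two constructed events, the kind a script that otherwise leaves no trace could emit
Write-DemoEvent -Activity 'ScriptStart' -Fields @{ Script = 'audit.ps1' }
Write-DemoEvent -Activity 'ScriptEnd'   -Fields @{ Script = 'audit.ps1'; ExitCode = 0 } -EventId 1001

# Read back: the hashtable filter is evaluated by the event log service, not by PowerShell
$since = (Get-Date).AddMinutes(-5)
Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source; StartTime = $since } |
    ForEach-Object {
        # Turn the key=value lines back into an object for filtering or export
        $props = [ordered]@{ TimeCreated = $_.TimeCreated; Id = $_.Id }
        foreach ($line in ($_.Message -split "`n")) {
            $k, $v = $line -split '=', 2
            $props[$k] = $v
        }
        [pscustomobject]$props
    } | Format-Table -AutoSize
```

Because each event is written under a registered source, the same log can be forwarded with standard Windows Event Forwarding like any other channel.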
Windows Remote Management (WinRM)
• Protocol is Web Services – Management (WS-MAN), using HTTP (by default) or HTTPS
• Implemented by the Windows Remote Management (WinRM) service
• Enabled by default on Windows Server 2012 and newer; available on any computer running PowerShell 2.0 or newer
• Must be enabled on any computer that will receive incoming connections
Enabling Remoting… what does it do?
The Enable-PSRemoting cmdlet performs the following operations:
• Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:
  • Starts the WinRM service
  • Sets the startup type on the WinRM service to Automatic
  • Creates a listener to accept requests on any IP address
  • Enables a firewall exception for WS-Management communications
• Registers the Microsoft.PowerShell and Microsoft.PowerShell.Workflow session configurations, if they are not already registered
• Registers the Microsoft.PowerShell32 session configuration on 64-bit computers, if it is not already registered
• Enables all session configurations
• Changes the security descriptor of all session configurations to allow remote access
• Restarts the WinRM service to make the preceding changes effective
Security
• Channel-level encryption provided only with HTTPS connections
• Application-level encryption provided with all connections
• Credentials transmitted in clear-text only with the Basic authentication protocol when HTTPS is not in use
• Operational
• On by default
• Analytics and Debug
• Off by default and provide very little
(Not so useful) logging
Getting visibility
• Get-PSSession
  • Only returns information about the connections you have
• Get-WSManInstance
  • Returns information about all connections to the system
  • IP, ID, user, idle time, and more
Walkthrough: WinRM logging.
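The two visibility sources from the slides, as an added example that is not the deck's own code: Get-WSManInstance enumerating every live shell on the host (not only the sessions you own), and the WinRM Operational log, which is on by default, read through Get-WinEvent. Both need local administrator rights; the one-hour window is an assumption.

```powershell
# Added example (not from the slides): who is connected over WinRM right now, and
# what the WinRM Operational log recorded recently.
# ASSUMPTIONS: run elevated on a host with WinRM enabled; $Minutes is arbitrary.

function Get-WinRMSessionReport {
    # Enumerates every WS-Man shell open against this machine, whoever created it
    Get-WSManInstance -ResourceURI shell -Enumerate |
        Select-Object Owner, ClientIP, ProcessId, ShellId, State,
                      ShellRunTime,
                      @{ n = 'IdleTime'; e = { $_.ShellInactivity } }   # idle time of the shell
}

function Get-WinRMOperationalEvents {
    param([int]$Minutes = 60)
    # Operational channel is on by default; Analytic/Debug are not (see slide above).
    # To turn the Analytic log on for a short investigation (very verbose):
    #   wevtutil sl Microsoft-Windows-WinRM/Analytic /e:true
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WinRM/Operational'
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
                      @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-WinRMSessionReport        | Format-Table -AutoSize
Get-WinRMOperationalEvents -Minutes 60 | Format-Table -AutoSize
```

Comparing the shell list against Get-PSSession on the same host is a quick way to spot connections that are not yours.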
Port Scanning
• Test-NetConnection
  • v5+
  • Full connect scan with auto close
  • Auto-pings the target
• System.Net.Sockets.TcpClient
  • v2+ (.NET 3.5+)
  • Full connect scan without auto close
Walkthrough: Configure listening ports and port scanning.
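Both halves of the walkthrough in one runnable piece, added here and not taken from the deck: a TcpListener bound to loopback on a constructed port, then a connect test written against System.Net.Sockets.TcpClient with a timeout and an explicit Close() in a finally block, which is the "without auto close" caveat the slide is pointing at. The port number is an assumption; pick a free one.

```powershell
# Added example (not from the slides): local listener + TcpClient connect test that
# times out and always closes its socket. Runs on PowerShell v2+ with .NET 3.5+.
# ASSUMPTION: port 50123 is free on this host.
$ListenPort = 50123
$listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Loopback, $ListenPort)
$listener.Start()

function Test-TcpPort {
    param(
        [string]$ComputerName,
        [int[]]$Port,
        [int]$TimeoutMs = 500
    )
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open   = $false
        try {
            # BeginConnect + wait handle gives us a timeout; Connect() alone can block for seconds
            $ar   = $client.BeginConnect($ComputerName, $p, $null, $null)
            $open = $ar.AsyncWaitHandle.WaitOne($TimeoutMs)
            if ($open) { $client.EndConnect($ar) }    # turns "connection refused" into an exception
        } catch {
            $open = $false
        } finally {
            $client.Close()                           # explicit close: TcpClient does not do it for us
        }
        New-Object PSObject -Property @{ Host = $ComputerName; Port = $p; Open = [bool]$open }
    }
}

try {
    # One port we know is listening, one we know is not
    Test-TcpPort -ComputerName '127.0.0.1' -Port $ListenPort, ($ListenPort + 1) |
        Sort-Object Port | Format-Table Host, Port, Open -AutoSize
} finally {
    $listener.Stop()
}
# On v5+, Test-NetConnection -ComputerName 127.0.0.1 -Port $ListenPort does the same
# check and closes the socket for you, at the cost of an ICMP ping first.
```

Leaving Close() out is what produces the half-open connections and "too many open sockets" failures people hit when they loop the raw .NET version over a large range.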
Command Execution Search Order
• Search order:
  1. Aliases
  2. Functions
  3. Cmdlets
  4. Native commands
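The security consequence of that order is that an alias or function wins over an executable of the same name. The check below is an added example, not from the deck: for a list of commonly typed native tools it asks PowerShell what would actually run and reports any name that no longer resolves to an Application. The alias created for the demonstration is constructed and removed afterwards.

```powershell
# Added example (not from the slides): find names that resolve to an alias or
# function ahead of the native executable an operator expects.
function Find-ShadowedCommand {
    param([string[]]$Name = @('ping','ipconfig','netstat','tasklist','whoami','net'))
    foreach ($n in $Name) {
        # Without -All, Get-Command returns exactly what would run for this name
        $winner = Get-Command -Name $n -ErrorAction SilentlyContinue
        if (-not $winner) { continue }
        if ($winner.CommandType -ne 'Application') {
            $exe = Get-Command -Name $n -CommandType Application -ErrorAction SilentlyContinue |
                   Select-Object -First 1
            [pscustomobject]@{
                Name        = $n
                ResolvesTo  = $winner.CommandType
                # Alias: target name; Function: first line of its body
                Definition  = ($winner.Definition -split "`n")[0].Trim()
                ShadowedExe = if ($exe) { $exe.Source } else { '<none on PATH>' }
            }
        }
    }
}

# Constructed demonstration of the slide's point: an alias takes precedence over ping.exe
New-Alias -Name ping -Value notepad -Scope Global -Force
Find-ShadowedCommand | Format-Table -AutoSize
Remove-Item -Path Alias:\ping

# After cleanup nothing should be reported for the default list
Find-ShadowedCommand | Format-Table -AutoSize
```

Run it at the start of an investigative session, or from a profile you control, since anything defined earlier in the session (including by another profile) is exactly what it is meant to catch.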
Profile Scripts
• Each host application defines the script files it will load and the order in which it loads them
• The console and ISE host applications share certain profile scripts (CurrentUserAllHosts & AllUsersAllHosts) and define other scripts that are unique to each (AllUsersCurrentHost & CurrentUserCurrentHost)
• Six total: two shared (Console and ISE), two for Console, and two for ISE
• List profiles
• Even though a path is listed, profiles aren't created by default
Walkthrough: Persistence through profiles.
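An audit of all six profile locations the slide describes, added here as an example that is not part of the deck. $PROFILE only knows the host you are in, so the ISE and console file names are built explicitly; the pattern used to flag "interesting" lines is a constructed heuristic, not a rule from the talk.

```powershell
# Added example (not from the slides): report every profile path for both hosts,
# whether it exists, when it last changed, its hash, and how many lines match a
# constructed heuristic for command redefinition or hidden execution.
# ASSUMPTION: Windows PowerShell 5.1 layout ($PSHOME for AllUsers,
# Documents\WindowsPowerShell for CurrentUser).
function Get-ProfileAudit {
    $userDir = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'WindowsPowerShell'
    $candidates = @(
        $PROFILE.AllUsersAllHosts                                    # $PSHOME\profile.ps1
        $PROFILE.AllUsersCurrentHost
        $PROFILE.CurrentUserAllHosts                                 # <Documents>\WindowsPowerShell\profile.ps1
        $PROFILE.CurrentUserCurrentHost
        Join-Path $PSHOME 'Microsoft.PowerShell_profile.ps1'         # console, all users
        Join-Path $PSHOME 'Microsoft.PowerShellISE_profile.ps1'      # ISE, all users
        Join-Path $userDir 'Microsoft.PowerShell_profile.ps1'        # console, current user
        Join-Path $userDir 'Microsoft.PowerShellISE_profile.ps1'     # ISE, current user
    ) | Select-Object -Unique

    # Heuristic: lines that redefine commands or run decoded/unseen code
    $flag = 'Set-Alias|New-Alias|^\s*function\s|Invoke-Expression|FromBase64String'

    foreach ($path in $candidates) {
        $exists = Test-Path -Path $path
        [pscustomobject]@{
            Path       = $path
            Exists     = $exists
            LastWrite  = if ($exists) { (Get-Item $path).LastWriteTime } else { $null }
            SHA256     = if ($exists) { (Get-FileHash $path -Algorithm SHA256).Hash } else { $null }
            Flagged    = if ($exists) { @(Select-String -Path $path -Pattern $flag).Count } else { 0 }
        }
    }
}

Get-ProfileAudit | Format-Table Path, Exists, LastWrite, Flagged -AutoSize
```

Recording the SHA256 column once and diffing it later is the cheapest way to notice a profile that appeared or changed on a machine where nobody is supposed to have edited one.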
How can YOU learn more PowerShell?
• ABC (Always Be Coding)
• ISE -> Get-Command -> Get-Help -> <tab>
• Interactive challenge-based learning
  • Under the Wire (http://UnderTheWire.tech)
  • Posh-Hunter (https://Posh-Hunter.com)

Editor's Notes

  • #6:
    - Local instance of Posh-Hunter.com
    - Over 90 challenges
    - Demos and a cheatsheet are on the site
      # Sysinternals
      gci hkcu:\software\sysinternals
  • #8: http://www.insomniacsecurity.com/2017/08/27/phant0m.html
  • #9:
    - Previously called Monad
    - cmdlets == compiled .NET
    - functions == reusable chunks of code
  • #10:
    - PowerShell sits directly on the Microsoft .NET Framework; System.Management.Automation.dll is the DLL enabling all the magic.
    - PowerShell runs via a hosting application.
    - A runspace is created via the .NET Framework for our specific application.
    - Within the runspace we can run cmdlets, scripts, and/or functions.
    - Our output is then passed to the hosting application's interface, which brings us to what we see.
  • #15:
    https://www.thewindowsclub.com/difference-powershell-powershell-core
    - Microsoft Windows 7 SP1 and Windows Server 2008 R2 were the first versions of the operating system to include PowerShell (version 2.0) installed by default.
    - Versions of PowerShell have been included in every subsequent release of Windows, through PowerShell 5.0 on Windows Server 2016 and on Windows 10.
    https://redmondmag.com/articles/2017/07/17/windows-powershell-6.0-and-powershell-core.aspx
    https://4sysops.com/wiki/differences-between-powershell-versions/
  • #25:
    - Query local or remote systems. Output of the queries can then be filtered, searched, consolidated and perhaps saved to a CSV file or HTML report.
    - Filtering with Get-WinEvent is performed at the target computer, not locally, which is much faster than downloading an entire (possibly multi-gigabyte) log and filtering it locally afterwards. We want to push the query filtering work out to the remote computer whenever possible.
    - XPath queries: queries with Get-WinEvent can be defined using a simple hashtable, an XPath query, or an XML definition of one or more XPath queries performed simultaneously. The XPath query syntax is complex, but we can use the graphical Event Viewer application to build these queries for us. Once Event Viewer constructs the XML for the query, that XML string can simply be pasted into our scripts.
    DEMO:
      # To see a list of all local event logs:
      Get-WinEvent -ListLog *
      # To see a list of logs that begin with "s" on the remote computer named "server47":
      Get-WinEvent -ListLog s* -ComputerName "server47"
      # To see the details of just the Security log:
      Get-WinEvent -ListLog Security | Format-List *
      # To show the last 20 events from the System log:
      Get-WinEvent -LogName System -MaxEvents 20
      # To get the last 20 events from each of the three classic logs:
      $events = Get-WinEvent -LogName System -MaxEvents 20
      $events += Get-WinEvent -LogName Application -MaxEvents 20
      $events += Get-WinEvent -LogName Security -MaxEvents 20
      $events | Sort-Object -Property TimeCreated | Format-Table TimeCreated,ID,Level,Message -AutoSize
    - A hash table is an array of paired items in the form "<property> = <value>", with each pairing separated from the other pairs with a semicolon. One way to filter query results is to give the target computer a hash table of filters, such that only the events which match the properties and values in the filters will be returned. Here is an example.
      # To only show events with ID number 4624 from the Security log:
      Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4624}
    - Note: You cannot use wildcards in -FilterHashtable query values, with the exceptions of log names and provider names. Sorry.
    - How would you know which properties can be used in a hash table filter? Unfortunately, not every property of an event entry displayed by Get-Member can be used in a hash table filter (unlike filtering with Where-Object). The help for Get-WinEvent gives the ugly details, but these are the properties you will most likely wish to use in filters (they are not case sensitive): LogName, ProviderName, ID, Level, StartTime, EndTime.
    - The "StartTime" and "EndTime" properties will take datetime objects, like those created by the Get-Date cmdlet. Here is an example.
      # To only show Security log events between five and three days ago:
      $Day5Ago = (Get-Date).AddDays(-5)
      $Day3Ago = (Get-Date).AddDays(-3)
      Get-WinEvent -FilterHashtable @{LogName="Security"; StartTime=$Day5Ago; EndTime=$Day3Ago}
      # To only show Warning events from the Application log:
      Get-WinEvent -FilterHashtable @{LogName="Application"; Level=3}
      # To only show 10 recent Critical, Error and Warning events from the System log on a remote computer named "server47.testing.local":
      Get-WinEvent -FilterHashtable @{LogName="System"; Level=@(1,2,3)} -MaxEvents 10 -ComputerName "server47.testing.local"
      # To list the last 10 user accounts created (notice the "+=" in the second command):
      $events = Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4720} -ErrorAction SilentlyContinue
      $events += Get-WinEvent -FilterHashtable @{LogName="Security"; ID=624} -ErrorAction SilentlyContinue
      $events | Select-Object -Last 10
    - SilentlyContinue is used to suppress the error that is raised when nothing is returned.
    - Other EventLog cmdlets: Clear-EventLog, Write-EventLog, Limit-EventLog, Show-EventLog, New-EventLog, Remove-EventLog
      # To clear the System and Application logs on a remote computer named Server57:
      Clear-EventLog -LogName System,Application -ComputerName Server57
    - The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).
  • #26: # Writing EventLogs https://blogs.technet.microsoft.com/heyscriptingguy/2013/06/20/how-to-use-powershell-to-write-to-event-logs/
  • #28: # Writing EventLogs https://blogs.technet.microsoft.com/heyscriptingguy/2013/06/20/how-to-use-powershell-to-write-to-event-logs/
  • #30: Enable-PSRemoting -Force suppresses the user prompts. Session configurations specify what is actually available to the user; you can restrict cmdlets and commands.
  • #31: (for example, to a nondomain computer on TrustedHosts list)
  • #32: # Writing EventLogs https://blogs.technet.microsoft.com/heyscriptingguy/2013/06/20/how-to-use-powershell-to-write-to-event-logs/
  • #34: # Writing EventLogs https://blogs.technet.microsoft.com/heyscriptingguy/2013/06/20/how-to-use-powershell-to-write-to-event-logs/
  • #36: https://sid-500.com/2017/08/01/powershell-check-open-ports-with-test-netconnection/ https://docs.microsoft.com/en-us/dotnet/api/system.net.sockets.tcplistener?view=netframework-4.7.2 https://stackoverflow.com/questions/12148666/send-and-receive-data-via-udp-in-powershell
  • #38: When you execute a command without a full path to it, PowerShell searches for that command's name by trying to match it to one of these types of items, in this order: aliases, functions, cmdlets, native commands. If two commands of the same type with the same name exist, such as two functions both named "tasklist", whichever was added most recently is what is executed because the earlier one was replaced.
    https://www.computerperformance.co.uk/powershell/functions/
    DEMO:
      # Add a ping alias
      PS:\> ping                             # Returns the correct menu for ping
      PS:\> New-Alias ping notepad
      PS:\> ping                             # Spawns notepad
      PS:\> c:\windows\system32\ping.exe     # Works as it should
  • #39: Change the "CurrentUser" profile path: https://stackoverflow.com/questions/5095509/is-it-possible-to-change-the-default-value-of-profile-to-a-new-value
    - If you are accessing the $profile variable from within the Windows PowerShell console, the AllUsersCurrentHost and the CurrentUserCurrentHost note properties refer to the Windows PowerShell console. If you access the $profile variable from within the Windows PowerShell ISE, the AllUsersCurrentHost and the CurrentUserCurrentHost note properties refer to the Windows PowerShell ISE profiles.
    - CurrentUserCurrentHost = the user logged in, on the PowerShell host they are using (Console or ISE).
    - Profiles are loaded in the order shown, so the most authoritative one is the user's AllUsersAllHosts profile (microsoft.powershell[ise]_profile.ps1):
      AllUsersAllHosts
      AllUsersCurrentHost
      CurrentUserAllHosts
      CurrentUserCurrentHost
    DEMO:
      # Test to see if the profile script exists
      if (!(Test-Path -Path $PROFILE)) { New-Item -Type File -Path $PROFILE }