This document provides an agenda and slides for a PowerShell presentation. The agenda covers PowerShell basics, file systems, users and access control, event logs, and system management. The slides introduce PowerShell, discuss cmdlets and modules, and demonstrate various administrative tasks like managing files, users, services, and the firewall using PowerShell. The presentation aims to show how PowerShell can be used for both system administration and security/blue team tasks.
4. About me
• System Analyst at a non-profit religious organization
• Founder of Michigan PowerShell User Group
• Moderator on Hey! Scripting Guys forums and judge for
Microsoft’s Scripting Games.
• Member of #misec
• Avid Gamer and huge sports fan
• Father to a future hacker (kid0) and husband to a
wonderful wife.
5. Disclaimer
• I am not an “expert”, so let's just pretend for the next little bit that I am.
• There is a TON of sysadmin stuff in here, however it
doubles as security / blue team.
• This talk doesn't in any way reflect the stance of my employer or Microsoft.
• I think I am funny and sometimes talk too fast. If you
have a problem, get over it.
8. What is PowerShell?
• In case you haven’t heard….
– It is a task automation framework, command-line shell
and a scripting language that uses and is built upon the
.NET Framework
• Installed in every Microsoft Operating System from
Windows 7 / 2008 R2 and beyond.
• Current Version is 3.0
9. Tons of support
• Integration is deep within Microsoft Product line
• Other vendors support it as well
10. What is a cmdlet?
• A cmdlet is a “lightweight command that is used in
the Windows PowerShell environment.”
• Basically it is the commands built into the
language.
• Examples:
– Get-Help
– Write-Host
– Register-ObjectEvent
11. Some basic language information
• Naming Convention
– Verb-Noun
• Get-Mailbox
• New-ADComputer
– Verbs are Defined by Microsoft (98 Total)
• Aliases Help
– Get-ChildItem (ls, dir, gci)
– But, you shouldn’t use them in your scripts.
– See them all? Get-Alias
• Get-Help also “helps”
– Get-Help is your new best friend
12. Aliases for the *nix Guys
PowerShell       PowerShell Alias    *nix
Get-ChildItem    ls, gci, dir        ls
Copy-Item        cp, copy            cp
Get-Help         man, help           man
Get-Content      cat, type           cat
13. Get-ExecutionPolicy
• From about_execution_policies
– Windows PowerShell execution policies let you determine the
conditions under which Windows PowerShell loads
configuration files and runs scripts.
– Instead, the execution policy helps users to set basic rules
and prevents them from violating them unintentionally.
• Can set system-wide or on user basis and via Group
Policy
• Can bypass easily so this is not a security measure!!!!
14. Making Tools
• One of the best things about PowerShell.
• You can easily make tools
(functions, scripts, modules, etc…) and repackage
them and share them.
• Tons of resources on how to share and where to
share are out there.
15. Modules
• A module is a set of related Windows PowerShell functionalities that can be dynamic or that can persist on disk. Modules that persist on disk are referenced, loaded, and persisted as script modules, binary modules, or manifest modules. Unlike snap-ins, the members of these modules can include cmdlets, providers, functions, variables, aliases, and much more.
16. Modules Cont…
• What are modules good for?
– Repackaging tools
– Sharing Scripts
• Some very cool modules out there
– PSCX
– Office 365
– NTFS Security
17. Recording your session
• PowerShell has built in logging.
• Log your commands, the output and whole kitten
kaboodle
• Start-Transcript
• Stop-Transcript
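As an added example (not from the slides), a function that starts a transcript under a per-user folder with one file per host, user and start time, so it can be dropped into $PROFILE and every session gets recorded. The folder and file-name pattern are my own choices:

```powershell
# Added example: start a transcript for the current session. Call it from $PROFILE
# so recording happens automatically; the folder below is an assumption.
function Start-SessionTranscript {
    param([string]$LogDir = (Join-Path $env:USERPROFILE 'PSTranscripts'))
    if (-not (Test-Path -Path $LogDir)) {
        New-Item -ItemType Directory -Path $LogDir | Out-Null
    }
    # Host, user and start time in the name keep concurrent sessions from clobbering each other
    $name = '{0}_{1}_{2}.txt' -f $env:COMPUTERNAME, $env:USERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss')
    # -Append keeps earlier content if the same name is ever reused
    Start-Transcript -Path (Join-Path $LogDir $name) -Append
}

Start-SessionTranscript
# ... everything typed from here on, plus its output, lands in the transcript ...

# Stop-Transcript closes the file; ending the session does the same.
Stop-Transcript
```

Note that the transcript is written by the session being recorded, so it is a record for the operator, not tamper-proof evidence; forward the folder somewhere the session cannot modify if it has to serve that purpose.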
18. A few last minute notes
• Objects!
– Everything is an object unless you decide to make it text.
• Pipeline!
– Things being objects makes everything much more fun.
• Variables!
– Prefixed with $
• Special Variables!
– Some special ones including
• $_
• $true
21. File Permissions
• By far not my favorite thing to do
• A complete pain if you have to set permissions on a lot of files
• xcacls and cacls.exe are nice, but we can use PowerShell
22. File Permissions
• Built in commands for doing ACLS
– Get-ACL, Set-ACL
• However…. These cmdlets are difficult at best to use. Actually, painful is a better word.
24. That sucks…. Kind of
• Easily put into a function, especially if the files you are setting permissions on all need the same permissions.
• Requires time spent in the MSDN documentation to actually get setting permissions right.
• There is some help though: the File System Security PowerShell Module 2.1 by Raimund Andrée.
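The "put it in a function" idea from the slide, as an added example that is not from the talk or from the module it mentions: Get-Acl / Set-Acl wrapped so that granting one identity the same rights on many paths is a one-liner, plus a helper that lists only the explicit (hand-set) entries for auditing. Function names, the sample identity and the sample paths are my own.

```powershell
# Added example: wrap Get-Acl / Set-Acl in a reusable function. Names and paths are assumed.
function Grant-PathAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Identity,   # e.g. 'CONTOSO\auditors' or 'BUILTIN\Users'
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute',
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    # Folders should pass the entry down to children; files must not carry inheritance flags
    # at all (Set-Acl rejects them), which is one of the places this gets painful by hand.
    if (Test-Path -Path $Path -PathType Container) {
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    }
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, $propagate, $Type)

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Audit helper: entries that are NOT inherited were set directly on this object,
# so they are the ones to review when looking for permission drift.
function Get-ExplicitAce {
    param([Parameter(Mandatory = $true)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference, FileSystemRights, AccessControlType
}

# Usage (assumed paths):
# Get-ChildItem C:\Shares\Reports -Recurse | ForEach-Object { Grant-PathAccess -Path $_.FullName -Identity 'CONTOSO\auditors' }
# Get-ChildItem C:\Shares -Recurse -Directory | ForEach-Object { Get-ExplicitAce -Path $_.FullName }
```

Get-ExplicitAce is the one to run first: if a tree is clean, every entry below the top folder is inherited and the output is empty, which makes any stray hand-set entry stand out.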
26. Monitor File System Changes
• With a few lines of code, you can monitor for changes in a directory.
• However, the watcher goes away with the PowerShell session.
• Can email, write to host, log to file or event logs.
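The "few lines of code" from the slide, written out as an added example (not the talk's own script): a FileSystemWatcher whose Created/Changed/Deleted/Renamed events are subscribed with Register-ObjectEvent and appended to a log file. The watched folder and log path are assumptions.

```powershell
# Added example: log every change under a folder to a file. Paths are assumed.
$watchPath = 'C:\Temp\watched'
$logFile   = 'C:\Temp\fswatch.log'

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $watchPath
$watcher.Filter = '*.*'
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, DirectoryName, LastWrite, Security'
$watcher.EnableRaisingEvents = $true

# The -Action block runs in its own scope, so the log path is handed over with -MessageData
# and read back as $Event.MessageData instead of relying on an outer variable.
$action = {
    $e = $Event.SourceEventArgs
    $detail = $e.FullPath
    if ($e.ChangeType -eq 'Renamed') { $detail = "$($e.OldFullPath) -> $($e.FullPath)" }
    $line = '{0} {1,-8} {2}' -f $Event.TimeGenerated.ToString('o'), $e.ChangeType, $detail
    Add-Content -Path $Event.MessageData -Value $line
}

$subscriptions = foreach ($name in 'Created', 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name `
        -SourceIdentifier "FSWatch.$name" -MessageData $logFile -Action $action
}

# Cleanup when done. The subscriptions disappear with the session anyway, which is
# exactly the limitation the slide points out; a persistent monitor needs a service or scheduled task.
# $subscriptions | ForEach-Object { Unregister-Event -SourceIdentifier $_.Name }
# $watcher.Dispose()
```

Swapping Add-Content for Write-EventLog or Send-MailMessage inside the action block gives the other outputs the slide lists.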
29. Show-Users
• This section will be a lot of auditing commands /
scripts / functions.
• Creating users is done everywhere.
• Let's see what info we can gather
30. Local Users?
• Local Users are a pain… Let's view them all!
$computer = $env:COMPUTERNAME
$adsi = [ADSI]("WinNT://$computer,computer")
$users = $adsi.psbase.children | Where {$_.psbase.schemaclassname -eq "User"} | Select Name
foreach ($user in $users) {
    $user.name
}
31. Local Groups?
• Local Groups are a pain… Let's view them all!
$computer = $env:COMPUTERNAME
$adsi = [ADSI]("WinNT://$computer,computer")
$groups = $adsi.psbase.children | Where {$_.psbase.schemaclassname -eq "Group"} | Select Name
foreach ($group in $groups) {
    $group.name
}
32. Local Admins?
• Get local admins on a machine. Better yet, scan all the machines!
function Get-LocalAdministrators {
    param (
        [string]$computer = $env:computername
    )
    $admins = Get-WMIObject -class win32_groupuser -computer $computer
    $admins = $admins | where {$_.groupcomponent -like '*"Administrators"'}
    $admins | Foreach {
        # -match fills $matches; discard the boolean it returns
        $_.partcomponent -match '.+Domain=(.+),Name=(.+)$' > $null
        # output as DOMAIN\Name
        $matches[1].trim('"') + "\" + $matches[2].trim('"')
    }
}
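Taking the "scan all the machines" idea one step further, as an added example that is not from the talk: the Administrators group is enumerated through the same WinNT ADSI provider the earlier slides use, and every member is checked against an approved baseline so that only the unexpected ones need a human. Function names and the sample approved list are my own; computers.txt is the host list the slides use.

```powershell
# Added example: local-admin baseline check across a host list. Names are assumed.
function Get-LocalGroupMember {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$GroupName = 'Administrators'
    )
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members come back as raw COM objects; ADsPath looks like WinNT://CONTOSO/jdoe
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        ($adsPath -replace '^WinNT://', '') -replace '/', '\'   # -> CONTOSO\jdoe
    }
}

function Test-LocalAdminBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [Parameter(Mandatory = $true)][string[]]$Approved   # e.g. 'CONTOSO\Domain Admins'
    )
    foreach ($computer in $ComputerName) {
        try {
            $members = Get-LocalGroupMember -ComputerName $computer -ErrorAction Stop
        } catch {
            # Offline host, access denied, etc.: report and keep scanning the rest
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                ComputerName = $computer
                Member       = $m
                Approved     = ($Approved -contains $m)   # case-insensitive compare
            }
        }
    }
}

# Usage: everything with Approved = False deserves a look
Test-LocalAdminBaseline -ComputerName (Get-Content computers.txt) `
    -Approved 'CONTOSO\Domain Admins', 'CONTOSO\helpdesk' |
    Where-Object { -not $_.Approved }
```

Exporting the full (unfiltered) output to CSV on each run also gives a cheap diff between scans, which is often how a quietly added local admin gets noticed.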
33. Services and Users
• One of the biggest pains I find is people using
accounts for services.
• Quick way to check tons of computers using
Confirm-ServiceAccounts
Get-Content computers.txt | Confirm-ServiceAccounts | Select SystemName, DisplayName, StartName
34. SIDS….
• Easily get SIDs while doing forensics.
$objUser = New-Object System.Security.Principal.NTAccount($domain, $user)
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
35. Lets track some users…..
• Let's see who logged on and logged off on a computer.
Get-WinEvent -FilterHashTable @{LogName='Security'; StartTime='6/27/2012 12:00:00am'; ID=@(4624,4625,4634,4647,4648)} | Select TimeCreated, Id
36. Across the entire network.
$eventhashtable = @{LogName='Security'; StartTime='6/27/2012 12:00:00am'; ID=@(4624,4625,4634,4647,4648)}
Get-Content computers.txt | Foreach {
    Write "Retrieving logs for $_ at $(Get-Date)"
    # -ComputerName points the query at the host from the list rather than the local machine
    Get-WinEvent -ComputerName $_ -FilterHashTable $eventhashtable | Select TimeCreated, Id
}
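TimeCreated and Id alone don't say who logged on from where. As an added example (not the talk's script), the same Get-WinEvent query is extended to pull the account, logon type and source address out of each 4624/4625 event's XML payload, and the results across the host list are summarized by failed-logon source. The function name and the one-day window are my own choices; computers.txt is the slides' host list.

```powershell
# Added example: parse logon events into objects and summarize failures. Names assumed.
function Get-LogonEvent {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; ID = @(4624, 4625); StartTime = $StartTime }
    try {
        # Get-WinEvent throws when nothing matches; treat that (and unreachable hosts) as a warning
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        Write-Warning "$ComputerName : $($_.Exception.Message)"
        return
    }
    foreach ($e in $events) {
        # The useful fields are in the XML payload, not in the Message text
        $xml = [xml]$e.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            ComputerName = $ComputerName
            TimeCreated  = $e.TimeCreated
            Id           = $e.Id
            Account      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType    = $data['LogonType']   # 2 interactive, 3 network, 10 remote interactive
            IpAddress    = $data['IpAddress']
        }
    }
}

# Failed logons (4625) across the host list, most frequent source/account pairs first
Get-Content computers.txt |
    ForEach-Object { Get-LogonEvent -ComputerName $_ } |
    Where-Object { $_.Id -eq 4625 } |
    Group-Object IpAddress, Account |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Dropping the Where-Object and grouping successful 4624 events by LogonType instead is the quick way to see which accounts are landing interactively on machines they have no business on.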
37. User have profile on PC?
• A very rudimentary way to check whether someone has logged on to a PC.
Get-WmiObject -Class Win32_UserProfile | Select SID, LastUseTime, LocalPath
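Win32_UserProfile only gives a SID, so this added example (not from the talk) joins the profile slide with the SID slide in the other direction: each profile's SID is translated back to an account name, orphaned SIDs whose account no longer exists are reported rather than breaking the loop, and the DMTF timestamp is turned into a real DateTime. The function name is my own.

```powershell
# Added example: list profiles with their resolved owner. Name assumed.
function Get-ProfileOwner {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-WmiObject -Class Win32_UserProfile -ComputerName $ComputerName | ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.SID)
        try {
            # Reverse of the NTAccount -> SecurityIdentifier translation on the SIDs slide
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Deleted account with a profile left behind (IdentityNotMappedException)
            $account = '<unresolved SID>'
        }
        $lastUse = $null
        if ($_.LastUseTime) {
            # WMI hands back DMTF strings like 20120627120000.000000-240; convert them
            $lastUse = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.LastUseTime)
        }
        [pscustomobject]@{
            ComputerName = $ComputerName
            SID          = $_.SID
            Account      = $account
            LocalPath    = $_.LocalPath
            LastUse      = $lastUse
            Special      = $_.Special   # $true for the built-in service profiles
        }
    }
}

# Usage: profiles whose owner no longer resolves, or that have not been used in 90 days
Get-ProfileOwner | Where-Object { $_.Account -eq '<unresolved SID>' -or $_.LastUse -lt (Get-Date).AddDays(-90) }
```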
39. Host Files…..
• Editing hosts files is always fun.
• Merged some functions into a module that does
host file manipulation.
• REMEMBER TO RUN AS ADMINISTRATOR…..
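Reading the hosts file is the part that does not need admin rights, and it is the part a blue teamer checks most often, because an entry pointing a familiar name at an unexpected address is a classic tampering sign. As an added example (not the module from the slide), a small parser that turns the file into objects so the entries can be filtered like anything else in the pipeline; the function name is my own.

```powershell
# Added example: parse the hosts file into objects. Name assumed.
function Get-HostsEntry {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'))
    $lineNumber = 0
    foreach ($line in Get-Content -Path $Path) {
        $lineNumber++
        $text = ($line -split '#', 2)[0].Trim()   # strip trailing and full-line comments
        if (-not $text) { continue }               # blank or comment-only line
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }      # an address with no name is not an entry
        [pscustomobject]@{
            Line      = $lineNumber
            Address   = $fields[0]
            Hostnames = @($fields | Select-Object -Skip 1)
        }
    }
}

# On a typical workstation anything that is not loopback deserves a look
Get-HostsEntry | Where-Object { $_.Address -notin '127.0.0.1', '::1' }
```

Comparing the output against a known-good copy (or an empty list, on hosts that should have none) is a cheap check to fold into the auditing scripts from the earlier slides.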
41. Firewall fun (V3)
• You can manage the Windows Firewall using PowerShell in Windows 7. It can be done, but it takes a little getting used to.
• Microsoft added Firewall Commands in Windows 8
/ Windows 2012.
• There is a new module called NetworkSecurity
42. Basic Firewall Administration
• The following command is pretty straightforward. It allows telnet to be accessible on the local subnet.
New-NetFirewallRule -DisplayName "Allow Inbound Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow
43. Where it gets cool….
• This rule BLOCKS telnet. However, this stores the
firewall rule in a GPO so you can deploy it from the
PowerShell window.
New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -LocalPort 23 -Action Block -PolicyStore domain.contoso.com\gpo_name
44. Even cooler…..
• You can manage a Windows Firewall Remotely!
• You must be admin on the remote computer. Well
hopefully you are.
• Note: A CIM session is a client-side object
representing a connection to a local or remote
computer.
$Session = New-CimSession -ComputerName Host
Remove-NetFirewallRule -DisplayName "AllowTelnet" -CimSession $Session
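Creating and removing rules is half the job; the other half is knowing what is already open. As an added example (not from the talk), the Windows 8 / 2012 firewall cmdlets from the last three slides are combined into a function that lists every enabled inbound Allow rule with the port, program and remote-address scope attached to it, locally or through the CIM session from the previous slide. The function name is my own.

```powershell
# Added example: inventory of enabled inbound Allow rules. Name assumed.
function Get-InboundAllowRule {
    [CmdletBinding()]
    param($CimSession)   # optional: a session from New-CimSession for a remote host
    $ruleParams = @{ Direction = 'Inbound'; Action = 'Allow'; Enabled = 'True' }
    if ($CimSession) { $ruleParams.CimSession = $CimSession }
    foreach ($rule in (Get-NetFirewallRule @ruleParams)) {
        # Port, address and program live in separate filter objects linked to the rule
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            DisplayName   = $rule.DisplayName
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort
            Program       = $app.Program
            RemoteAddress = $addr.RemoteAddress      # 'Any', 'LocalSubnet', a list of addresses, ...
            PolicyStore   = $rule.PolicyStoreSourceType   # Local vs. GroupPolicy, as on the GPO slide
        }
    }
}

# Rules reachable from any remote address are the ones to review first; the
# same check runs against a remote host with the session from the previous slide.
Get-InboundAllowRule | Where-Object { $_.RemoteAddress -eq 'Any' }
# Get-InboundAllowRule -CimSession $Session | Where-Object { $_.RemoteAddress -eq 'Any' }
```

The telnet rule from slide 42 shows up here with RemoteAddress = LocalSubnet, which is exactly the scope that keeps it out of the "Any" list.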
46. PoshSec.com
• A project to help better utilize PowerShell in the Infosec
Space.
• Started by myself and Will Steele (@pen_test).
• Looking for guest bloggers. If you want to write an
article, let us know. team@poshsec.com
47. PowerShell Saturday in Michigan?
• I am looking to bring PowerShell Saturday to
Michigan.
• PowerShell Saturday is a day long conference on
PowerShell.
• Want to speak? Let me know. Can be anything
PowerShell related.
48. Special Thanks!
• Thank you for proofing my slides and providing valuable feedback!
• Will (@pen_test)
• Wolfgang (@jwgoerlich)
• Scott (@sukotto_san)
• Matt (@mattifestation)
49. Contact & Downloads
• Contact:
– mwjcomputing@gmail.com
– @mwjcomputing
– http://www.mwjcomputing.com/
– http://www.michiganpowershell.com/
• Downloads related to talk
– http://www.mwjcomputing.com/resources/grrcon-2012
• Slides, Code Samples and links to scripts used in this talk.
• Note: Code isn’t completely done. I need to add help and clean
it up a tad. It does however all work. So expect updates within a
week.