
Scripts: the big concern
* Execution policy
* Script signing
* Profiles (and back doors)
* Security feature: the path rule

VBScript, for comparison: the only requirement is the filename extension. Create a test.vbs file on the desktop, edit it to contain wscript.echo "Hello", and double click to run it. Problems: no integrity, no identity, command hijacking.

PowerShell's answers: Set-ExecutionPolicy, digital signatures, and the path rule (a script runs only when it is called by its path).

Execution policy:
* Restricted: no script will run (default)
* AllSigned (production): every script must carry a signature
* RemoteSigned (test): local scripts run without a signature, remote (downloaded) scripts must be signed
* Unrestricted: all scripts run (avoid)

Digital signature: a CA issues a certificate, and the certificate signs the script. If a signed script turns out to be malicious, the certificate information tells us who wrote (signed) it, and we can act accordingly.

Profile: when you open PowerShell for the first time it places you in the administrator's folder. My Documents > WindowsPowerShell > profile.ps1: whatever you add to profile.ps1 is executed every time PowerShell starts (which is also why a profile makes a good back door).

Command hijacking: say you have test.ps1 at C:\demo\test.ps1. If you are at C:\demo> and type test, the script won't run. To run it you need to give the full path of the script, or, in this case, ./test will execute it.
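An added example (not part of the original notes) that audits the three controls above on the local machine: the execution policy at every scope, the profile scripts that run at start-up, and the Authenticode signature of each script in a folder. It assumes Windows PowerShell 5.1; C:\demo is the folder used in the notes and is an assumption.

```powershell
# Added example (not from the notes): audit execution policy, profiles and script
# signatures on this machine. Assumes Windows PowerShell 5.1; C:\demo is an assumed path.
function Get-ScriptSecurityReport {
    param([string]$ScriptFolder = 'C:\demo')

    # 1. Execution policy. Get-ExecutionPolicy -List shows every scope; the effective
    #    policy is the first scope from the top of that list that is not Undefined.
    $policyByScope = Get-ExecutionPolicy -List
    $effective     = Get-ExecutionPolicy

    # 2. Profiles. Anything in these files runs every time PowerShell starts, so a
    #    profile nobody remembers writing deserves a look.
    $profiles = foreach ($p in @($PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost,
                                 $PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost)) {
        $exists = Test-Path -LiteralPath $p
        [pscustomobject]@{
            Path   = $p
            Exists = $exists
            Lines  = if ($exists) { @(Get-Content -LiteralPath $p).Count } else { 0 }
        }
    }

    # 3. Signatures. Status is Valid, NotSigned, HashMismatch (edited after signing),
    #    NotTrusted (signer not trusted on this machine) or UnknownError.
    $signatures = Get-ChildItem -Path $ScriptFolder -Filter *.ps1 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Script = $_.Name
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            }
        }

    [pscustomobject]@{
        EffectivePolicy = $effective
        PolicyByScope   = $policyByScope
        Profiles        = $profiles
        Signatures      = $signatures
    }
}

$report = Get-ScriptSecurityReport
"Effective execution policy: $($report.EffectivePolicy)"
$report.PolicyByScope | Format-Table Scope, ExecutionPolicy -AutoSize
$report.Profiles      | Format-Table Path, Exists, Lines -AutoSize
$report.Signatures    | Format-Table Script, Status, Signer -AutoSize
```

Under AllSigned, only scripts whose Status comes back as Valid will run; HashMismatch is the interesting value for a reviewer, because it means the file was changed after it was signed.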

Using the shell for file and folder management:
C:
cd \
cd
dir
cd HKCU:
dir \ (ls, dir and get-childitem are the same command)
ipconfig
ping
dir -recurse -filter "*.dll"
cp test.ps1 tst.ps1
command >> a (append the command's output to file a)
cd ..
cd "program files"

Command line tricks, tips and gotchas:
* F7 lists all commands executed earlier.
* Quotes and escape sequences: cd program files fails; cd "program files" or cd 'program files' works. Tab completion puts the quotation marks in for you.
* Escaping: space is a special character.
* Wildcards ? and * work because these are not legal characters in a file name.
* Transcript: start-transcript trance.txt ... stop-transcript records the whole session to the file.

Cmdlets, snap-ins, aliases & help
Aliases & cmdlets:
dir = get-childitem
get-childitem -recurse -filter "*.dll"
get-eventlog security -newest 20
get-command
get-command *service*
gcm -noun service
gcm -verb new
help dir
help dir -example
help dir -detailed
help dir -full
help
PowerShell snap-ins (extend the functionality of the shell):
get-pssnapin
add-pssnapin quest.activeroles.admanagement

Basic cmdlets for processes, services and event logs
Processes:
help *process*
get-command *process*
help stop-process
get-process
kill 568 -whatif
kill -name svchost -whatif
(take calc as an example)
Services:
get-command *service*
gcm -noun service
You can start, stop, suspend, set & new services.
get-service = gsv
gsv -include "b*"
get-credential
Event logs:
get-command -noun *event*
gel system -newest 10 (gel = get-eventlog)
What are the common parameters? (need to find out)
gsv | format-list *
gel | format-list *

What PowerShell can and can't do:
Cmdlets: non-remoting (remoting is not allowed), easy to understand, built-in help.
WMI: remoting, complicated, no built-in help.
.NET Framework: its own architecture.

Retrieving management information from remote computers
Desktop Management Task Force (DMTF): Common Information Model (CIM v2); Web-based enterprise management (IIS v5); Windows Management Instrumentation (WMI). WMI Explorer (wmiexplorer.exe) from www.scriptinganswers.com.
help gwmi
gwmi win32_service
gwmi win32_service | format-list
gwmi win32_service -filter "name like 'b%'"
gwmi win32_operatingsystem
gwmi win32_operatingsystem -comp "nydc2k8","localhost"
gwmi win32_operatingsystem -comp (type c:\temp\servers.txt)
WMI security: MMC > Add/Remove Snap-in > WMI Control (local) > right click > Properties > Security. Only Administrators have permission to execute remote commands.
gwmi win32_service -comp localhost -cred "administrator"
WMI filtering:
gwmi win32_process -filter "name like 's%'"
gwmi win32_service -filter "name='bits'"
gwmi win32_operatingsystem -filter "buildnumber>6000"

Introduction to WMI: exploring WMI, WMI from the local machine, remote WMI, alternate credentials, filtering WMI objects.

Diagram: WMI sits on top of CIM. CIM classes cover things like disk drives, CPUs, the operating system, DNS A records and IIS web sites; providers add more (an Exchange provider, a SQL Server instance provider).
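An added example (not part of the original notes) that puts the remote WMI pieces above together: computer names read from a file, a WQL -filter, alternate credentials, and a result per host even when one of them fails. It assumes Windows PowerShell 5.1 (Get-WmiObject; Get-CimInstance is the newer equivalent) and that the account used is in the remote machines' Administrators group, which WMI requires by default. The list path and the build threshold are assumptions.

```powershell
# Added example (not from the notes): inventory Win32_OperatingSystem across the
# computers listed in a file. Assumes Windows PowerShell 5.1; c:\temp\servers.txt
# and the 6000 build threshold are assumptions taken from the notes' examples.
function Get-RemoteOsInventory {
    param(
        [string]$ComputerListPath = 'c:\temp\servers.txt',
        [pscredential]$Credential,       # from Get-Credential; omit to use the current account
        [int]$MinimumBuild = 6000        # builds below this are flagged as old
    )
    $computers = Get-Content -Path $ComputerListPath | Where-Object { $_.Trim() -ne '' }

    foreach ($computer in $computers) {
        $params = @{
            Class        = 'Win32_OperatingSystem'
            ComputerName = $computer
            Filter       = 'Primary = TRUE'    # WQL; a name match would be "Name LIKE 'b%'"
            ErrorAction  = 'Stop'              # make the try/catch see RPC and access-denied errors
        }
        # Alternate credentials are accepted for remote hosts only, never for the local machine.
        if ($Credential -and $computer -notin @('localhost', '.', $env:COMPUTERNAME)) {
            $params.Credential = $Credential
        }
        try {
            $os = Get-WmiObject @params
            [pscustomobject]@{
                ComputerName = $computer
                Caption      = $os.Caption
                BuildNumber  = [int]$os.BuildNumber
                OldBuild     = ([int]$os.BuildNumber -lt $MinimumBuild)
                LastBoot     = $os.ConvertToDateTime($os.LastBootUpTime)
                Error        = $null
            }
        } catch {
            # One unreachable or refusing host must not stop the whole inventory.
            [pscustomobject]@{
                ComputerName = $computer
                Caption      = $null
                BuildNumber  = $null
                OldBuild     = $null
                LastBoot     = $null
                Error        = $_.Exception.Message
            }
        }
    }
}

# Usage:
# $cred = Get-Credential
# Get-RemoteOsInventory -Credential $cred | Format-Table -AutoSize
```

Every host produces one object with the same properties, so the output can go straight to Format-Table or Export-Csv, and the Error column shows which hosts did not answer (wrong credentials, firewall, DCOM not reachable) without hiding the ones that did.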

Using variables, objects & members
What variables are; creating, populating and displaying them:
new-variable -name var -value 5
$var2 = 10
$var2, $age, $year, $counter
$counter = $counter + 10
$name = "Nugget2" or $name = 'nugget2'

Introducing objects (a simple object):
$object = "hello"
$object.length
$object.toupper()
$number = 100
$number.length
$number.toupper()   (fails: an integer has no ToUpper method)
[string]$var = "Hello"
$var.toupper()
$var = 5
$var.toupper()   (works: $var is constrained to string, so 5 is stored as "5")

Three data types: $s string, $i = 5, $d = get-date
[string]$s = "hello"
[int]$i = 5
[datetime]$d = get-date

Viewing object members:
$d | get-member
$d.day
$d.year
$d.toshortdatestring()
$d.tolongdatestring()
$d.addmonths(2)
$s | get-member
$s.length
$s.tolower()
$s.replace("i","o")
gwmi win32_operatingsystem | gm

Objects in variables:
$procs = get-process
$procs[0], $procs[1]
$procs[-1]   (the last process)
$procs[0] | gm
$procs[0].kill()

Removing variables.

Example: credential storage
get-credential
$cred = get-credential
gwmi win32_operatingsystem -comp nugget5 -cred $cred

Understanding the pipeline
Why the pipeline; visualizing the pipeline.
Services in the pipeline:
get-service
get-service | where-object { $_.status -eq "running" }
get-service | where-object { $_.status -eq "stopped" } | set-service -startuptype Disabled -whatif
get-service | where-object { $_.status -eq "stopped" } | start-service -whatif
Processes in the pipeline:
get-process | stop-process -whatif
Piping to a file or printer:
get-service | out-file C:\services.txt
ps | out-printer hplaserjet4
Write-Output vs Write-Host:
write-output "hello"
write-host "Hello"
write-host "Hello" -fore yellow
write-output "Hello" | where-object { $_.length -gt 100 }   (nothing is shown: "Hello" went down the pipeline and the filter dropped it)
write-host "Hello" | where-object { $_.length -gt 100 }   (Hello is still shown: Write-Host writes to the screen, not to the pipeline)
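An added example (not part of the original notes) of a function that takes its place in the pipeline after Get-Service, the way Set-Service and Start-Service do above, and supports -WhatIf so a review run changes nothing. It assumes Windows PowerShell 5.1 and local administrator rights for the real run; the default $Exclude names are an assumption.

```powershell
# Added example (not from the notes): a pipeline-aware function with -WhatIf support.
# Assumes Windows PowerShell 5.1; the $Exclude defaults are an assumption.
function Disable-StoppedService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # One or more service objects, usually piped in from Get-Service.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.ServiceProcess.ServiceController[]]$Service,

        # Services that must never be disabled even when they happen to be stopped.
        [string[]]$Exclude = @('wuauserv', 'BITS')
    )
    process {
        foreach ($svc in $Service) {
            # Filter inside the function instead of relying on the caller's Where-Object.
            if ($svc.Status -ne 'Stopped') { continue }
            if ($Exclude -contains $svc.Name) {
                Write-Verbose "Skipping excluded service $($svc.Name)"
                continue
            }
            # ShouldProcess is what turns -WhatIf into a dry run and -Confirm into a prompt.
            if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Set startup type to Disabled')) {
                Set-Service -Name $svc.Name -StartupType Disabled
            }
            # Write-Output (or just the bare object) goes down the pipeline to the next
            # stage; Write-Host would only reach the screen and be lost to Out-File.
            Write-Output $svc
        }
    }
}

# Dry run: nothing is changed, and each "What if:" line comes from ShouldProcess.
Get-Service | Disable-StoppedService -WhatIf

# Real run, keeping a record of what was touched:
# Get-Service | Disable-StoppedService -Verbose | Out-File C:\services-disabled.txt
```

Because the function emits the service objects it acted on, the same pipeline that does the work also produces the audit trail; that is the property Write-Host would lose.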

Mathematical & comparison operators
Basic math: 5+5; 10-1; 10*10; 100/10
Advanced math: 5 + (5*10); 100 % 10; 5 * (5*5)
Basic and advanced comparison: 5 -eq 5; 10 -eq 5; $var = 5; 10 -gt 5; 10 -gt $var; 10 -lt $var; "Hello" -eq "Hello"
(10 -gt $var) -and (10 -lt $var2)
(10 -gt $var) -or (10 -lt $var2)
(10 -gt $var) -and -not (10 -lt $var2)
-not (10 -gt $var) -and -not (10 -lt $var2)
Case sensitivity: "Hello" -ceq "Hello"; "Hello" -ceq "HELLO"; "Hello" -ne "HELLO"
Parsing mode (command mode vs expression mode):
write-host 5+5   (prints 5+5: in command mode the argument is text)
write-host (5+5)   (prints 10: parentheses force expression mode)
write-host (5+5) -fore green
write-host ($var -eq 10) -fore red
write-host $var -eq 10 -fore red   (prints "5 -eq 10": the comparison is never evaluated)

Sorting, measuring, selecting & filtering objects in the pipeline
Sorting:
ps | sort-object vm
ps | sort-object vm -descending
ps | sort name
gsv | sort status
Measuring:
gsv | measure-object
ps | measure-object
ps | measure-object -property pm -sum -min -max -average
gsv | select -expand displayname | measure-object -line -word -character
Selecting properties:
gsv | select-object displayname,dependentservices
ps | select vm
ps | select vm, name
Selecting a subset:
ps | select -last 10
ps | sort vm -desc | select -first 10 | out-file C:\tip.txt
Filtering:
gsv | where-object { $_.status -eq "running" } | sort displayname
gsv | where-object { $_.status -eq "running" } | sort displayname | select -first 10
ps | where { $_.vm -gt 100 }
ps | where { $_.vm -gt 100MB }
PowerShell workflow (build the pipeline one stage at a time and check each result):
ps
ps | sort pm
ps | sort pm -desc | select -first 10

= is the assignment operator.

Working with collections of objects in the pipeline
In PowerShell everything is an object, with properties and methods.
Object collections:
ps   (a collection of process objects)
gsv
Working with a group of services:
gsv | where { $_.status -eq "stopped" }
gsv | where { $_.status -eq "stopped" } | start-service -whatif
dir *.mp3 -recurse | del
Working with individual objects, e.g. foreach-object & WMI:
gc computers.txt | foreach-object { gwmi win32_operatingsystem -comp $_ }
gc computers.txt | foreach-object { gwmi win32_operatingsystem -comp $_ | foreach { $_.Reboot() } }
gc computers.txt | % { gwmi win32_service -comp $_ -filter "name='MSSQLSERVER'" | % { $_.Change($null,$null,$null,$null,$null,$null,$null,"P@ssw0rd") } }
(Change takes eleven positional arguments and StartPassword is the eighth; the seven before it are passed as $null so they stay unchanged.)
Diagram: Get-Content reads Server 1, Server 2 and Server 3 from the file; each name is handed to WMI, which logs the machine off.

Understanding and using the formatting subsystem
How an object becomes text in the console window: the formatting subsystem (out-default) picks a default view for the object type.
gsv | out-default
Format-Wide:
gsv | fw
gsv | fw displayname
gsv | fw name -col 4
Format-List:
gsv | fl status,displayname,name
gsv | fl *
gsv | fl name,displayname,status -groupby status
gsv | sort status | fl name,displayname,status -groupby status
Format-Table:
gsv | ft name,status
gsv | ft name,status -auto
gsv | ft *
gsv | ft * -auto
gsv | ft * -auto -wrap
gsv | sort status | ft displayname -groupby status
ps | ft name,id,vm,pm
ps | sort vm -desc | ft name,id,vm,pm -auto
Custom columns in tables:
gwmi win32_logicaldisk
gwmi win32_logicaldisk -filter "drivetype=3"
gwmi win32_logicaldisk -filter "drivetype=3" | select deviceid,freespace,size
gwmi win32_logicaldisk -filter "drivetype=3" | ft deviceid,freespace,size -auto
gwmi win32_logicaldisk -filter "drivetype=3" | ft deviceid, @{Label="size(G)"; Expression={$_.size / 1gb}}, @{Label="freespace(M)"; Expression={$_.freespace / 1mb}}
gwmi win32_logicaldisk -filter "drivetype=3" | ft deviceid, @{Label="size(G)"; Expression={($_.size / 1gb) -as [int]}}, @{Label="freespace(M)"; Expression={($_.freespace / 1mb) -as [int]}}
gwmi win32_logicaldisk -filter "drivetype=3" | ft deviceid, @{Label="size(G)"; Expression={($_.size / 1gb) -as [int]}}, @{Label="freespace(M)"; Expression={($_.freespace / 1mb) -as [int]}} -auto
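An added example (not part of the original notes) that builds the calculated disk columns above once with Select-Object, so the same objects can be shown with Format-Table and also written to CSV. The point it adds is the ordering rule: Format-* cmdlets emit formatting objects rather than the disks, so they have to be the last stage of a pipeline. It assumes Windows PowerShell 5.1; the 10 % threshold and the CSV path under $env:TEMP are assumptions.

```powershell
# Added example (not from the notes): calculated properties via Select-Object, then
# Format-Table for the screen and Export-Csv for records. Assumes Windows PowerShell 5.1;
# the warning threshold and the output path are assumptions.
function Get-DiskReport {
    param([int]$WarnBelowPercent = 10)
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' |      # 3 = local fixed disk
        Select-Object DeviceID,
            @{ Name = 'SizeGB';  Expression = { [math]::Round($_.Size / 1GB, 1) } },
            @{ Name = 'FreeGB';  Expression = { [math]::Round($_.FreeSpace / 1GB, 1) } },
            @{ Name = 'FreePct'; Expression = { if ($_.Size -gt 0) { [int](100 * $_.FreeSpace / $_.Size) } else { 0 } } },
            @{ Name = 'Low';     Expression = { ($_.Size -gt 0) -and ((100 * $_.FreeSpace / $_.Size) -lt $WarnBelowPercent) } }
}

$report = Get-DiskReport
$report | Format-Table -AutoSize                                              # for the screen
$report | Export-Csv -Path (Join-Path $env:TEMP 'disks.csv') -NoTypeInformation   # for records
$report | Where-Object Low | Format-Table DeviceID, FreeGB, FreePct -AutoSize     # only the warnings

# Wrong order: the CSV would contain Format-Table's internal formatting objects, not disks.
# Get-DiskReport | Format-Table | Export-Csv (Join-Path $env:TEMP 'wrong.csv')
```

Select-Object returns real objects with real properties, so the Low flag can be filtered on, sorted by, or exported; a Format-Table calculated column only exists in the text on the screen.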

Exporting, importing, comparing & converting objects
Exporting to CSV:
ps | export-csv C:\proc.txt
Importing from CSV (say we have a CSV file at c:\provision1.csv):
$imported = import-csv c:\provision1.csv
$imported
$imported | ft
$imported[0].country
$imported[0].'first name'
$imported[0].fax
$imported | foreach-object { $_.'first name'.toupper() }
CliXML import/export:
gsv | select -first 2 | export-clixml c:\services.xml
import-clixml c:\services.xml
ps | export-clixml c:\baseline.xml
import-clixml c:\baseline.xml | sort vm -desc | select -first 10 | fl name,id
Comparing collections:
diff (ps) (import-clixml c:\baseline.xml) -property name
gsv | export-clixml c:\services.xml
diff (gsv) (import-clixml c:\services.xml) -property status
gel security -newest 20 | export-clixml c:\eventlogs.xml
$event = import-clixml c:\eventlogs.xml
$event
$event | ft source,timewritten,index
Converting to HTML:
get-wmiobject win32_service | where { $_.startmode -eq "auto" -and $_.state -ne "running" }
get-wmiobject win32_service | where { $_.startmode -eq "auto" -and $_.state -ne "running" } | convertto-html | out-file c:\badservice.html
get-wmiobject win32_service | where { $_.startmode -eq "auto" -and $_.state -ne "running" } | select startmode,state,name | convertto-html | out-file c:\badservice.html
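An added example (not part of the original notes) that turns the export-clixml / diff idea above into a reusable service baseline: save a reviewed snapshot of the services on a machine, then compare the live list against it and report new, removed and changed services, plus the "automatic but not running" HTML report as a function. It assumes Windows PowerShell 5.1; the paths under $env:TEMP are assumptions.

```powershell
# Added example (not from the notes): service baseline and comparison with
# Export-Clixml / Import-Clixml / Compare-Object. Assumes Windows PowerShell 5.1;
# the file paths are assumptions.
$BaselinePath = Join-Path $env:TEMP 'services-baseline.xml'

function Get-ServiceSnapshot {
    # The properties that matter for a change review: what runs, from where, as whom, and how it starts.
    Get-WmiObject -Class Win32_Service |
        Select-Object Name, DisplayName, PathName, StartMode, State, StartName
}

function Save-ServiceBaseline {
    param([string]$Path = $BaselinePath)
    Get-ServiceSnapshot | Export-Clixml -Path $Path    # CliXML keeps property types across a round trip
    Get-Item -Path $Path
}

function Compare-ServiceBaseline {
    param([string]$Path = $BaselinePath)
    $baseline      = Import-Clixml -Path $Path
    $current       = Get-ServiceSnapshot
    $baselineNames = $baseline | ForEach-Object Name
    $currentNames  = $current  | ForEach-Object Name

    # diff (Compare-Object) over several properties: '=>' marks a combination found only
    # in the current snapshot, '<=' one found only in the baseline.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
                   -Property Name, PathName, StartMode, StartName |
        ForEach-Object {
            if ($_.SideIndicator -eq '=>') {
                $change = if ($baselineNames -contains $_.Name) { 'Changed' } else { 'New' }
            } elseif ($currentNames -contains $_.Name) {
                return      # the '<=' half of a changed service; its '=>' row is reported instead
            } else {
                $change = 'Removed'
            }
            [pscustomobject]@{
                Change    = $change
                Name      = $_.Name
                PathName  = $_.PathName
                StartMode = $_.StartMode
                StartName = $_.StartName
            }
        }
}

function Export-BadServiceReport {
    param([string]$Path = (Join-Path $env:TEMP 'badservice.html'))
    # Same rule as the notes' where-object, but evaluated in WQL on the provider side.
    Get-WmiObject -Class Win32_Service -Filter "StartMode = 'Auto' AND State <> 'Running'" |
        Select-Object Name, DisplayName, StartMode, State, PathName |
        ConvertTo-Html -Title 'Automatic services that are not running' |
        Out-File -FilePath $Path
    Get-Item -Path $Path
}

# Usage: run Save-ServiceBaseline once on a known-good machine, then later:
# Compare-ServiceBaseline | Format-Table -AutoSize
# Export-BadServiceReport
```

A service that appears as New, or as Changed with a different PathName or StartName, is exactly what a persistence review is looking for; State is deliberately left out of the comparison so that a service merely stopping or starting does not show up as a change.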

Windows PowerShell scripts
for ($i = 0; $i -lt 100; $i++) { write-host $i }

A basic script:
$computer = "localhost"
$result = get-wmiobject -query "select * from win32_pingstatus WHERE Address = '$computer'"
if ($result.statuscode -eq 0) { write-host "$computer is pingable" } else { "$computer is not pingable" }

Parameterized script:
param ( $computer = "localhost" )
$result = get-wmiobject -query "select * from win32_pingstatus WHERE Address = '$computer'"
if ($result.statuscode -eq 0) { write-host "$computer is pingable" } else { "$computer is not pingable" }

Script and ad hoc are the same! Script security review; a basic script; parameterizing a script.
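An added example (not part of the original notes) that carries the parameterized ping script above through a script security review. The notes' version interpolates $computer straight into a WQL query, so a name containing a quote breaks the query; the version below validates the parameter, escapes it anyway, accepts pipeline input, and returns objects instead of mixing Write-Host with output. It assumes Windows PowerShell 5.1; the host names in the usage line are assumptions.

```powershell
# Added example (not from the notes): the ping check as an advanced function.
# Assumes Windows PowerShell 5.1; host names used in the usage line are assumptions.
function Test-HostReachable {
    [CmdletBinding()]
    param(
        # One or more names, from the parameter or from the pipeline.
        [Parameter(ValueFromPipeline = $true)]
        [ValidatePattern('^[A-Za-z0-9.\-]+$')]      # host names and IPv4 literals only
        [string[]]$ComputerName = 'localhost',

        [int]$TimeoutMs = 1000
    )
    process {
        foreach ($computer in $ComputerName) {
            # The name ends up inside a WQL string literal. ValidatePattern already rejects
            # quotes and backslashes; escaping them as well keeps the query well-formed even
            # if the pattern is relaxed later. WQL escapes with a backslash.
            $escaped = $computer -replace '\\', '\\' -replace "'", "\'"
            $query   = "SELECT StatusCode, ResponseTime FROM Win32_PingStatus " +
                       "WHERE Address = '$escaped' AND Timeout = $TimeoutMs"
            $result  = Get-WmiObject -Query $query

            $ok = ($null -ne $result) -and ($result.StatusCode -eq 0)
            # One object per host, so the caller decides how to show or store it.
            [pscustomobject]@{
                ComputerName = $computer
                Reachable    = $ok
                ResponseMs   = if ($ok) { $result.ResponseTime } else { $null }
            }
        }
    }
}

# Usage:
# 'localhost', 'nugget5' | Test-HostReachable | Format-Table -AutoSize
# Get-Content c:\temp\servers.txt | Test-HostReachable | Where-Object { -not $_.Reachable }
```

Returning an object rather than printing "is pingable" is what lets the unreachable hosts be filtered out, exported, or fed to the next stage of a pipeline; Write-Host output would only ever reach the screen.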

Windows PowerShell scripting language

Modularization: script blocks and functions

Creating functions that work in the pipeline

Creating functions that produce custom objects

Introduction to regular expressions

The purpose of debugging

Creating a practical administrative tool in Windows PowerShell
