I recommend reading the PowerShell Commands for Incident Response article first to get a better understanding of the commands discussed below. Check which PowerShell version you are running, since some of the commands below differ between Windows PowerShell 5.1 and PowerShell 7:
$PSVersionTable
Calculated properties can be used with Select-Object. A calculated property is a hashtable with a Name (or Label) key and an Expression key: the Name key is the name of the output property, and the Expression key is a script block that is executed for each object Select-Object receives.
@{ Name = ''; Expression = {}}
Using E/Expression (the short forms of Name/Expression are N/E), we calculate the MD5 and SHA256 of each file returned by Get-ChildItem, as shown below in the file hash collection section.
Make sure you are running PowerShell with administrative privileges; otherwise some of the cmdlets will not work properly (for example, Get-Process returns an empty Path for processes owned by other users when it is not elevated).
Get all processes with the standard columns
Get-Process
Get Id, ProcessName, Path, Company and StartTime with the Select-Object cmdlet (replace ProcName with the process name you are looking for)
Get-Process ProcName | Select-Object Id, ProcessName, Path, Company, StartTime | Format-Table
In Windows PowerShell 5.1 the Get-Process cmdlet does not expose the process command line, so use Get-WmiObject instead
Get-WmiObject -Class Win32_Process -Filter "name='process.exe'" | Select-Object ProcessId, ProcessName, CommandLine
Get-WmiObject is deprecated and no longer available in PowerShell 7, so use Get-CimInstance there (it also works in Windows PowerShell 3.0 and later)
Get-CimInstance -Class Win32_Process | Format-Table -Property ProcessId, ProcessName, CommandLine -Autosize
Update: in PowerShell 7 the objects returned by Get-Process carry a CommandLine property, so the following works directly (not in Windows PowerShell 5.1)
Get-Process ProcName | Select-Object Id, ProcessName, CommandLine, Path
Terminate a process (add -Force if the process refuses to close)
Get-Process ProcName | Stop-Process
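The process commands above as one triage pass, written for this page as an added example (it is not code from the original post). It joins each process to its parent, hashes the executable on disk and flags binaries running from user-writable locations such as the AppData paths NanoCore uses above; the regex of "suspicious" directories and the output file name are assumptions. It runs unchanged in Windows PowerShell 5.1 and PowerShell 7 because it uses Get-CimInstance rather than Get-WmiObject or the PowerShell 7 only CommandLine property.

```powershell
# Added example, not from the original post. Run elevated: without that, ExecutablePath
# and CommandLine are empty for processes owned by other users.

# Regex on the executable path marking user-writable locations (assumed list, extend it
# for your environment)
$userWritable = '\\(AppData|Temp|ProgramData|Public|Downloads)\\'

$procs = Get-CimInstance -ClassName Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }   # PID -> process, for the parent lookup

$report = foreach ($p in $procs) {
    $path   = $p.ExecutablePath
    $parent = $byId[[int]$p.ParentProcessId]
    $hash   = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path -ErrorAction SilentlyContinue).Hash
    }
    [pscustomobject]@{
        ProcessId   = $p.ProcessId
        Name        = $p.Name
        ParentId    = $p.ParentProcessId
        # a parent that already exited (or whose PID was reused since) shows as <none>
        ParentName  = if ($parent) { $parent.Name } else { '<none>' }
        Started     = $p.CreationDate
        Path        = $path
        CommandLine = $p.CommandLine
        SHA256      = $hash
        Suspicious  = [bool]($path -and $path -match $userWritable)
    }
}

# Everything flagged, with its lineage and hash, ready for the IoC list
$report | Where-Object Suspicious |
    Format-Table ProcessId, Name, ParentName, Started, Path, SHA256 -AutoSize

# Full snapshot including command lines, for the case notes
$report | Export-Csv -NoTypeInformation -Path ProcessSnapshot.csv

# Stop the flagged processes only after the binaries and hashes have been collected:
# $report | Where-Object Suspicious | ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
```

The parent name is looked up from the same snapshot, so a parent that exited before the snapshot, or a PID that has since been reused, cannot be resolved reliably; treat ParentName as a hint and confirm it from process creation logs where they exist.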
The Get-ItemProperty cmdlet can be used to list registry values, for example a single value under the current user's Run key
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'IMAP Service'
Remove-ItemProperty removes a registry value, which is how you delete the persistence entries created by malware. This example is from NanoCore RAT, which registers itself under the 'IMAP Service' value of the current user's Run key.
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' | Remove-ItemProperty -Name 'IMAP Service'
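The same lookup generalised to the usual autostart locations, added here as an example that is not part of the original post. It walks the Run and RunOnce keys for the current user and the machine, lists every value, resolves the executable the command points at and hashes it; NanoCore's 'IMAP Service' value from the HKCU Run key above would appear with the SHA256 of imapsv.exe. The key list is an assumption: it covers the common Run keys only, not every persistence mechanism.

```powershell
# Added example, not from the original post.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Properties Get-ItemProperty adds to every result; they are not registry values
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Extract the executable from a Run value such as
#   "C:\Users\admin\AppData\Roaming\...\IMAP Service\imapsv.exe" -silent   or   C:\tools\x.exe /q
# Unquoted paths containing spaces are returned whole and will show as not found.
function Get-ExeFromCommand {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')     { return $Matches[1] }
    if ($Command -match '^\s*(\S+?\.exe)\b') { return $Matches[1] }
    return $Command.Trim()
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExeFromCommand -Command ([string]$prop.Value)))
        # bare names like rundll32.exe are resolved through PATH, as the loader would
        if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
            $resolved = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1
            if ($resolved) { $exe = $resolved.Source }
        }
        $hash = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
            (Get-FileHash -Algorithm SHA256 -LiteralPath $exe).Hash
        } else {
            '<file not found>'   # dangling entry, or a path the current user cannot resolve
        }
        [pscustomobject]@{
            Key     = $key
            Name    = $prop.Name
            Command = $prop.Value
            Exe     = $exe
            SHA256  = $hash
        }
    }
}

$entries | Format-Table Key, Name, Exe, SHA256 -AutoSize

# Once a value is confirmed malicious, remove just that value (the key itself stays):
# Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'IMAP Service'
```

Record the command and hash before removing the value: the registry entry is itself an indicator, and once it is gone the only evidence of the original command line is your notes.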
The Get-ChildItem cmdlet lists a directory, like the dir command. It works on a file system directory, a registry hive or a certificate store.
-Recurse – lists all sub-directories recursively
-Filter – filters on the name and supports the * and ? wildcards, e.g. *.dat, *.exe
Get-ChildItem -Path $Env:APPDATA -Force -Recurse -Filter run.dat
-Force – includes hidden and system files. Some malware sets the hidden attribute on its files, so always use this parameter.
Instead of Get-ChildItem, we can use Test-Path to check whether a directory or file exists (wildcards are allowed in the path)
Test-Path -Path $Env:APPDATA\*\run.dat
Create a new directory for the collected artefacts
New-Item -ItemType Directory -Path C:\Users\admin\IoCs
Copy the malware directory recursively into the evidence folder
Copy-Item C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\ -Destination C:\Users\admin\IoCs\ -Recurse
Delete the whole directory recursively (only after the copy above has been taken and its hashes recorded, so the evidence is preserved)
Remove-Item -Path $env:APPDATA\0319B08F-2B65-4192-B2D2-1E2F62087064\ -Recurse -Force
Remove the copy of the NanoCore malware
Remove-Item -Path $env:TEMP\RAVBg64.exe -Force
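The search, copy, verify and remove steps above combined into one function, added here as an example that is not part of the original post. It looks for an IoC file name under every user profile (not just the current user's APPDATA), copies each hit into an evidence folder, compares the SHA256 of source and copy so the copy is provably identical, and deletes the original only when -Remove is given and the copy verified. The evidence root, the log file name and the search roots are assumptions.

```powershell
# Added example, not from the original post.
function Invoke-IocTriage {
    param(
        [Parameter(Mandatory)] [string]$FileName,     # e.g. 'run.dat' or 'imapsv.exe'; wildcards allowed
        [string]$EvidenceRoot = 'C:\IoCs',
        # every user profile; narrow to $env:APPDATA for a quick check of the current user
        [string[]]$SearchRoots = (Get-ChildItem -Path 'C:\Users' -Directory).FullName,
        [switch]$Remove
    )
    New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null
    $log = Join-Path $EvidenceRoot 'collection.csv'

    $hits = foreach ($root in $SearchRoots) {
        if (Test-Path -LiteralPath $root) {
            # -Force so hidden/system files are included; -File so directories are skipped
            Get-ChildItem -Path $root -Filter $FileName -Recurse -Force -File -ErrorAction SilentlyContinue
        }
    }
    if (-not $hits) { Write-Host "No file named $FileName found under $($SearchRoots -join ', ')"; return }

    $records = foreach ($hit in $hits) {
        $srcHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $hit.FullName).Hash
        # one sub-folder per hit, named after the hash prefix and the source directory
        $dest = Join-Path $EvidenceRoot ($srcHash.Substring(0, 12) + '_' + $hit.Directory.Name)
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Copy-Item -LiteralPath $hit.FullName -Destination $dest -Force
        $copyPath = Join-Path $dest $hit.Name
        $copyHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $copyPath).Hash
        $verified = ($srcHash -eq $copyHash)
        $removed  = $false
        if ($Remove -and $verified) {
            Remove-Item -LiteralPath $hit.FullName -Force
            $removed = $true
        }
        [pscustomobject]@{
            Source   = $hit.FullName
            Copy     = $copyPath
            SHA256   = $srcHash
            Size     = $hit.Length
            Modified = $hit.LastWriteTimeUtc
            Verified = $verified
            Removed  = $removed
        }
    }
    # append so repeated runs build one collection log
    $records | Export-Csv -Path $log -NoTypeInformation -Append
    $records
}

# Invoke-IocTriage -FileName 'run.dat'            # find and preserve only
# Invoke-IocTriage -FileName 'run.dat' -Remove    # also delete the originals once each copy is verified
```

Copy-Item preserves the file content but not the NTFS timestamps or alternate data streams of the original, which is why the function records the source hash, size and last-write time before anything is removed.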
The Get-FileHash cmdlet computes a file hash with the algorithm you choose, e.g. MD5, SHA1 or SHA256. By default it uses SHA256; SHA1, SHA256, SHA384, SHA512 and MD5 are supported in both Windows PowerShell 5.1 and PowerShell 7.
SHA256
Get-FileHash -Path 'C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\IMAP Service\imapsv.exe'
MD5
Get-FileHash -Algorithm MD5 -Path 'C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\IMAP Service\imapsv.exe'
The following pipeline collects the MD5 and SHA256 hashes, Name and FullName of every file in the directory and writes the result to a file with Export-Csv. The calculated properties (Name/Expression, abbreviated N/E) compute the two hashes for each file returned by Get-ChildItem; the file's FullName is passed explicitly so the path is unambiguous in both Windows PowerShell 5.1 and PowerShell 7.
Get-ChildItem -Path C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\ -Force -Recurse -File |
Select-Object @{Name='MD5';E={(Get-FileHash -Algorithm MD5 -LiteralPath $_.FullName).Hash}},
@{N='SHA256';E={(Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash}}, Name, FullName |
Export-Csv -NoTypeInformation -Path FileHashes.csv
-NoTypeInformation removes the "#TYPE Selected.System.IO.FileInfo" header line from the CSV. In PowerShell 6 and later this is already the default; the switch is still accepted, so the command works unchanged in both versions.
These functions can be added to your PowerShell profile (see $PROFILE; e.g. Profile.ps1) so they are available in every session. They accept one or more paths, with wildcards, through $args and pass the file's FullName to Get-FileHash explicitly for the same reason as above.
# Get MD5, SHA256 and file name; input supports multiple strings with wildcards
function hashes {
    Get-ChildItem -Path $args -Force -Recurse -File |
        Select-Object @{Name='MD5';E={(Get-FileHash -Algorithm MD5 -LiteralPath $_.FullName).Hash}},
                      @{N='SHA256';E={(Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash}}, Name
}
# MD5 only
function md5 {
    Get-ChildItem -Path $args -Force -Recurse -File |
        Select-Object @{Name='MD5';E={(Get-FileHash -Algorithm MD5 -LiteralPath $_.FullName).Hash}}, Name
}
# SHA256 only
function sha256 {
    Get-ChildItem -Path $args -Force -Recurse -File |
        Select-Object @{Name='SHA256';E={(Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash}}, Name
}
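Hashing the files is half the job; the other half is comparing them with what is already known. The following function, added here as an example that is not part of the original post, scans one or more directories and reports every file whose MD5 or SHA256 appears in a lookup table of known-bad hashes, such as the ones in a vendor report or in a FileHashes.csv exported earlier from an infected machine. The hash in $knownBad is the SHA256 of an empty file, used as a constructed placeholder so the match path can be exercised; it is not a NanoCore indicator.

```powershell
# Added example, not from the original post.
function Find-KnownBadFile {
    param(
        [Parameter(Mandatory)] [string[]]$Path,
        [Parameter(Mandatory)] [hashtable]$KnownHashes,   # hash -> label; MD5 and SHA256 may be mixed
        [string[]]$Algorithm = @('MD5', 'SHA256')
    )
    # Normalise the table once: Get-FileHash returns upper-case hex
    $lookup = @{}
    foreach ($k in $KnownHashes.Keys) { $lookup[$k.Trim().ToUpperInvariant()] = $KnownHashes[$k] }

    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            foreach ($alg in $Algorithm) {
                $h = (Get-FileHash -Algorithm $alg -LiteralPath $file.FullName -ErrorAction SilentlyContinue).Hash
                if ($h -and $lookup.ContainsKey($h)) {
                    [pscustomobject]@{
                        Algorithm = $alg
                        Hash      = $h
                        Label     = $lookup[$h]
                        FullName  = $file.FullName
                        Size      = $file.Length
                        Modified  = $file.LastWriteTimeUtc
                    }
                }
            }
        }
}

# Constructed placeholder table: SHA256 of a zero-byte file, so any empty file matches
$knownBad = @{
    'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' = 'empty file (placeholder)'
}

# Or build the table from a CSV exported with the hashes pipeline above (columns MD5, SHA256, Name):
# $knownBad = @{}
# Import-Csv -Path FileHashes.csv | ForEach-Object { $knownBad[$_.SHA256] = $_.Name; $knownBad[$_.MD5] = $_.Name }

$hits = Find-KnownBadFile -Path $env:APPDATA, $env:TEMP -KnownHashes $knownBad
$hits | Format-Table Algorithm, Label, FullName -AutoSize
$hits | Export-Csv -NoTypeInformation -Path KnownBadHits.csv
```

MD5 is included only because many published indicators still list it; a match on MD5 alone should be confirmed with SHA256 before it drives a containment decision, and a hash list will never catch a sample that has been recompiled or packed, so pair this with the path and persistence checks above.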
- PowerShell Basic Cheat Sheet & PowerShell Cheat Sheet by @ramblingcookiemonster
- Cheat Sheet by @pcgeek86