I am a PowerShell noobie and know beyond next to nothing on PowerShell usage.
Not that I’m not trying to get up to speed.
- PowerShell Learning Grinds On - GSD Blog
- PowerShell Reference Post: The Train Cometh Near… - GSD blog
However it’s a slow climb up that learning mountain with my time being so tight at the moment.
In typical fashion, that hasn’t stopped my brain from chewing on the potential applications for PowerShell once I get more accomplished.
It struck me last week that PowerShell might be a useful tool (in some circumstances with knowledge aforethought of the impact using PowerShell on that system might have) for ForSec and Incident Response efforts. Having the “power” of PowerShell at our disposal once our enterprise goes Win7 on the desktops might allow expanded options where some third-party tools might be a challenge deploying.
So I hit the Google and here is what I found that looked worthy of investigation and additional reading and study.
Note: there were a number of additional websites I found that seemed -- in title at least -- to be applicable. However, I chose not to include them at this time as they seemed pretty new and the material on the (for now) didn’t seem to be that useful. If they mature and grow, then I will add them in at a later time.
Live Response Using PowerShell - PDF link - SANS Institute Reading Room paper written by Sajeev Nair - August 2013.
Incident Management with PowerShell - video ~45 min - YouTube - Presentation by Matt Johnson & J. Wolfgang Goerlich of MWJ Computing - March 2013
The Power of PowerShell Remoting - SANS Computer Forensics and Incident Response blog - Mike Pilkington
Weekend Scripter: Using PowerShell to Aid in Security Forensics - Hey, Scripting Guy! Blog - Will Steele guest blogger
Use PowerShell to Aid in Security Forensics - Hey, Scripting Guy! Blog
toolsmith: Security Investigations with PowerShell - HolisticInfoSec blog post by Russ McRee
How to find running processes and their port number - Shay Levy - (added to post 09/15/2013) - Embedded in Russ McRee’s post above was a quick reference to this post which has some juicy material for you network guys.
Script Get-NetworkStatistics - netstat -ano with filtering - (added to post 09/15/2013) - Embedded in the comments of Shay Levy’s post was a link to this one as well offered by rambling cookie monster. Whew!
The rambling cookie monster’s site is darn sharp and has these tasty crumbs we can pick up and enjoy:
Tools to Grab Locked Files - Journey Into Incident Response - Corey Harrell - Post mentions “Invoke-NinjaCopy” which is a PowerShell script. More detailed info here: Using PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACL’s / DACL’s / File Locks - clymb3r
Powershell: Forensic Onliners - ldap389 blog. (added to post 09/15/2013) The post itself is great, but there is a reference to other PowerShell material near the top that you might overlook. Hit the whitepaper link below and browse to the section.
You can find a cool onliner that retrieves the events of the Account logon category in this Windows Logon Forensics whitepaper (chapter 6.4. Querying Events). The onliner fetchs the following events which occurred during the past five days:
- A Kerberos authentication ticket (TGT) was requested.
- The computer attempted to validate the credentials for an account.
Live forensics: prefetch and powershell - 8bits blog
Parsing Windows Eventlogs in Powershell - ISC Diary
- PoshSec Main Repository - GitHub - PoshSec Wiki - per that page:
- Account Monitoring
- Inventory of Authorized and Unauthorized Devices
- Network Baseline
- accounts that do not expire
- accounts that expire
- list all accounts
- disabled accounts
- locked out accounts
- passwords over expired date
- disabled account access
- DNS Logging Status
- open ports
- Publish a PowerShell module to aid people in the use of PowerShell in regards to security.
- Provide some guidance on how to use PowerShell in the information security space, on both the offensive and defensive side with blog posts and articles.
- Be a location to obtain links to others using PowerShell in the information security space.
- Getting Started with PoshSec - PoshSec Wiki.
Current Release Features
This initial project release was based on SANS CSIS 20 Controls to assist an organization securing itself against digital attacks. The purpose of this release is to "baseline" an environment given the stated controls in the CSIS. The release is focused on the following controls:
Inventory of Authorized and Unauthorized Devices
This project started by Will Steele (@pen_test) and Matt Johnson (@mwjcomputing) has several goals:
Digital Forensic Case Leads : Flame On! The most sophisticated malware since...the last one, Higher Ed data breach and PowerShell forensics - SANS Computer Forensics and Incident Response blog - (added to post 09/15/2013) - buried near the bottom are these PS gems under the “Good Reads” section:
- PowerShell to do evil: PowerSploit - A PowerShell Post-Exploitation Framework
- PowerShell to find evil:
I suspect that just because there isn’t that much (yet) material in this area, doesn’t mean that PowerShell isn’t a worthwhile supplemental tool in these areas. Powershell is primarily used for system administration tools and tasks, but I bet that with time and development, some clever out-of-the-box thinkers can expand on how it can be leveraged. Particularly if it involves collecting and parsing out registry, activity logs, and file-system data remotely from live systems.
As the Hey, Scripting Guy! Ed Wilson posted in one of the aforementioned links:
RM, the key thing to remember, whether you are doing security forensics, Exchange Server administration, Office automation, or anything between, is that Windows PowerShell is Windows PowerShell is Windows PowerShell. This means that all of the Windows PowerShell best practices still apply. One of those Windows PowerShell best practices is to preserve the object. The object-oriented nature of Windows PowerShell is one of the revolutionary features of the language, and it is a major contributor to its ease-of-use.
Note When doing any type of computer forensics, a major principle is to avoid making any changes to the system. Therefore, as a crucial first step, you should use a tool such as the Windows Sysinternals utility tool, Disk2vhd, so you can be assured of not changing things like file access times on the original system.
Therefore, in keeping with the object-oriented nature of Windows PowerShell, you want to use techniques that preserve the object for as long as possible.
So my question is this, do any of the ForSec/Incident Response readers of this blog know of any other recommended resources that would be useful to me and others in using PowerShell in these applications?
If you do, please drop a tip/recommendation or even a “sanitized to protect the guilty” case-study example in the comments.