Category: PowerShell

Powershell Filter Operators

Once you get used to PowerShell, you will want to do more and more with it. One of the keys to leveraging the power of PowerShell is filters. PowerShell cmdlets all support filters (well, most of them anyway). This means you can drill down to resulting data subsets. If you run into cmdlets that don't …

PowerShell: Parse a Large Multi-Line Text Field Based on String Value & Extract Text

Parsing a large multi-line text field (variable) for a specific string and extracting text from it: $EventMessage = @" An account was successfully logged on. Subject: Security ID: SYSTEM Account Name: METCORPWKS201$ Account Domain: METCORP Logon ID: 0x2b5 Logon Type: 10 New Logon: Security ID: METCORP\Administrator Account Name: Administrator Account Domain: METCORPWKS201 Logon ID: 0bc123d Logon …

PowerShell v5 Preview

PowerShell Magazine notes that the September 2014 preview of Windows Management Framework 5.0 (PowerShell v5) is available for download here. Here is the list of changes noted in the PowerShell Magazine article. Some of these changes are: Generate Windows PowerShell cmdlets based on an OData endpoint; Manage .ZIP files with new cmdlets; DSC Authoring …

Investigating PowerShell Attacks

PowerShell is a compelling method for attackers (and pentesters) since code runs in memory and there is no need to touch disk (unlike executables, batch files, and VBScripts). Projects like PowerSploit and POSHSec show that PowerShell is the future of attacks. PowerShell Magazine has a great article on Investigating PowerShell Attacks: Prior articles by …

Hacking with PowerShell

Chinese hackers, aka "Deep Panda", leverage PowerShell while compromising US think-tank computer systems. Recently, we detected breaches of these networks via the use of PowerShell scripts deployed by the adversary as scheduled tasks on Windows machines. The scripts are passed to the PowerShell interpreter through the command line to avoid placement of extraneous files on …

PowerShell: Using Active Directory .Net methods in PowerShell Part 2

PowerShell has the incredible ability to run some .NET methods natively. Some of this data can also be gathered using AD cmdlets. Read Part 1 for others. Here are a few of my favorites.

Get a Computer's Site:
[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()

Get a User's Domain:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

Get a Computer's Domain:
[System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name

List Active Directory FSMOs: …

PowerShell Parameters

One of the most useful features in PowerShell is parameters. Microsoft has some excellent documentation on PowerShell parameters. Some of my favorites:

Default Parameter
[Switch]$Enabled = $True

Mandatory Parameter
[parameter(Mandatory=$true)]
[String]$Name

Validate Parameter Options in a set
[ValidateSet("TCP", "UDP")]
[string]$NewPortType

Validate Parameter Options in a range (case INsensitive)
[ValidateRange(1,65535)]
[string]$NewPortNumber

Add Parameter Aliases
[alias("PortScope","Scope")]
[string] …

PowerShell: Drop (remove) the last character from a string

Drop (remove) the last character from a string:

$ComputerName = 'DCCOMP01$'
$ComputerName = $ComputerName.Substring(0,$ComputerName.Length-1)
$ComputerName

Result is "DCCOMP01". This works especially well when the last character is a special PowerShell reserved one like "$".

PowerShell: One-liners to Get You Started

Some of the scenarios covered in the blog post: The server rebooted recently – who did it and when exactly? Is there an easy way to see if KB2862152 is installed? I need to back up all of the GPOs in the domain every day. What are the IP settings on my system(s)? What are the …

PowerShell: Get all Active Directory Sites based on Domain

Get all Active Directory Sites based on Domain.

$DomainSiteFilter = "DomainA"
Write-Output "Get AD Site List `r"
$ADSites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites
[int]$ADSitesCount = $ADSites.Count
Write-Output "There are $ADSitesCount AD Sites in the forest `r"
$DomainADSites = $ADSites | where {$_.Domains -like "*$DomainSiteFilter*"} | sort-object name
[int]$DomainADSitesCount = $DomainADSites.Count
Write-Output "There are $DomainADSitesCount AD Sites matching …
