Chinese hackers, aka “Deep Panda”, leverage PowerShell while compromising US think-tank computer systems. Recently, we detected breaches of these networks via the use of powershell scripts deployed by the adversary as scheduled tasks on Windows machines. The scripts are passed to the powershell interpreter through the command line to avoid placement of extraneous files on …
Category: PowerShell
Sep 02 2014
PowerShell: Using Active Directory .Net methods in PowerShell Part 2
Powershell has the incredible ability to run some .Net methods natively. Some of this data can also be gathered using AD commandlets. Read Part 1 for others. Here are a few of my favorites. Get a Computer’s Site: [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite() Get a User’s Domain: [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name Get a Computer’s Domain: [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name List Active Directory FSMOs: …
Sep 01 2014
PowerShell Parameters
One of the most useful features in Powershell is Parameters. Microsoft has some excellent documentation on Powershell Parameters Some of my favorites: Default Parameter [Switch]$Enabled = $True Mandatory Parameter [parameter(Mandatory=$true)] [String]$Name Validate Parameter Options in a set [ValidateSet(“TCP”, “UDP”)] [string]$NewPortType Validate Parameter Options in a range (case INsensitive) [ValidateRange(1,65535)] [string]$NewPortNumber Add Parameter Aliases [alias(“PortScope”,”Scope”)] [string] …
Aug 30 2014
PowerShell: Drop (remove) the last character from a string
Drop (remove) the last character from a string: $ComputerName = ‘DCCOMP01$’ $ComputerName = $ComputerName.Substring(0,$ComputerName.Length-1) $ComputerName Result is “DCCOMP01″. This works especially well when the last character is a special PowerShell reserved one like “$”.
Aug 06 2014
PowerShell: One-liners to Get You Started
Some of the scenarios covered in the blog post: The server rebooted recently – who did it and when exactly? Is there an easy way to see if KB2862152 is installed? I need to backup all of the GPOs in the domain every day What are the IP settings on my system(s)? What are the …
Jul 23 2014
PowerShell: Get all Active Directory Sites based on Domain
Get all Active Directory Sites based on Domain. $DomainSiteFilter = “DomainA” Write-Output “Get AD Site List `r” $ADSites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites [int]$ADSitesCount = $ADSites.Count Write-Output “There are $ADSitesCount AD Sites in the forest `r” $DomainADSites = $ADSites | where {$_.Domains -like “*$DomainSiteFilter*”} | sort-object name [int]$DomainADSitesCount = $DomainADSites.Count Write-Output “There are $DomainADSitesCount AD Sites matching …
Jul 16 2014
PowerShell: Determine PowerShell Version
$PSVersionTable.PSVersion If the variable doesn’t exist, then the system is running version 1.0.
Jul 02 2014
PowerShell: Get the Dates When the Active Directory Schema Was Updated
The Microsoft Scripting Guys blog has a great article on determining when schema updates were performed along with some information about the schema changes – at least enough to see if it was an Exchange update. ########################### # Get Schema Update Dates # ########################### # Code from: http://blogs.technet.com/b/heyscriptingguy/archive/2012/01/05/how-to-find-active-directory-schema-update-history-by-using-powershell.aspx write-output “Reading all schema data… …
Jun 26 2014
PowerShell: Get Active Directory Instantiation Date
The Scripting Guys blog posted a very useful script on how to determine when the Active Directory Forest was stood up. ############################# # Get AD Instantiation Date # ############################# # Code from: http://blogs.technet.com/b/heyscriptingguy/archive/2012/01/05/how-to-find-active-directory-schema-update-history-by-using-powershell.aspx write-output “Checking Active Directory Creation Date… ” `r write-output “Displaying AD partition creation information ” `r Import-Module ActiveDirectory Get-ADObject -SearchBase …
Recent Comments