Tag: PowerShell

Sep 07

Investigating PowerShell Attacks

PowerShell is a compelling method for attackers (and pentesters) since code is run in memory and there is no reason to touch disk (unlike executables, batch files, and vbscripts). Projects like PowerSploit and POSHSec prove that PowerShell is the future of attacks. PowerShell Magazine has a great article on Investigating PowerShell Attacks: Prior articles by …

Continue reading

Sep 02

PowerShell: Using Active Directory .Net methods in PowerShell Part 2

Powershell has the incredible ability to run some .Net methods natively.  Some of this data can also be gathered using AD commandlets. Read Part 1 for others. Here are a few of my favorites. Get a Computer’s Site: [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()   Get a User’s Domain: [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name   Get a Computer’s Domain:  [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name List Active Directory FSMOs: …

Continue reading

Sep 01

PowerShell Parameters

One of the most useful features in Powershell is Parameters. Microsoft has some excellent documentation on Powershell Parameters Some of my favorites: Default Parameter [Switch]$Enabled = $True Mandatory Parameter [parameter(Mandatory=$true)] [String]$Name Validate Parameter Options in  a set [ValidateSet(“TCP”, “UDP”)] [string]$NewPortType Validate Parameter Options in a range (case INsensitive) [ValidateRange(1,65535)] [string]$NewPortNumber Add Parameter Aliases [alias(“PortScope”,”Scope”)] [string] …

Continue reading

Aug 15

Removing an Orphan (inactive) Active Directory Domain

Removing an Orphan (inactive) Active Directory Domain One of my customers has a forest with several domains, one of which hasn’t been used in a while (call it domain “RedShirt”). The 2 Domain Controllers in the domain, “RedShirt” both tombstoned. Yes, I know, how does that happen? ALWAYS monitor your environment. Since the domain hasn’t …

Continue reading

Aug 06

PowerShell: One-liners to Get You Started

Some of the scenarios covered in the blog post: The server rebooted recently – who did it and when exactly? Is there an easy way to see if KB2862152 is installed? I need to backup all of the GPOs in the domain every day What are the IP settings on my system(s)? What are the …

Continue reading

Jul 23

PowerShell: Get all Active Directory Sites based on Domain

Get all Active Directory Sites based on Domain.   $DomainSiteFilter = “DomainA” Write-Output “Get AD Site List `r” $ADSites = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites [int]$ADSitesCount = $ADSites.Count Write-Output “There are $ADSitesCount AD Sites in the forest `r” $DomainADSites = $ADSites | where {$_.Domains -like “*$DomainSiteFilter*”} | sort-object name [int]$DomainADSitesCount = $DomainADSites.Count Write-Output “There are $DomainADSitesCount AD Sites matching …

Continue reading

Jul 16

PowerShell: Determine PowerShell Version

$PSVersionTable.PSVersion If the variable doesn’t exist, then the system is running version 1.0.

Jul 09

PowerShell: Using Active Directory .Net methods in PowerShell Part 1

There are times you don’t have access to the Active Directory PowerShell cmdlets. One of the great things about PowerShell is the ability to use .Net in PowerShell scripts. For more, check out Part 2. Here are some alternatives to using Get-ADForest & Get-Domain:   # Get Active Directory Forest Information $ADForestInfo = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() $ADForestInfo.Name …

Continue reading

Jun 24

PowerShell: Using a HashTable to Identify Active Directory Schema & Exchange Version

It’s easy to get the Active Directory schema version as well as the installed Exchange (schema) version by using the Active Directory PowerShell cmdlet, Get-ADObject. This script leverages a built-out HashTable to perform a lookup against the version numbers. ################################### # Create Schema Version Hashtable # 20140606-14 ################################### Write-Verbose “Create Schema Version HashTable `r ” …

Continue reading

Jun 20

PowerShell: Identifying Cloned Computers by CMID or SID

Here’s the PowerShell command for identifying the computer SID by finding local accounts: Get-WmiObject -class Win32_UserAccount This command shows the Information for the first account in the list which should be local: (Get-WmiObject -class Win32_UserAccount)[0] Here’s a PowerShell command to run on each of the servers. If the result is the same, they have the …

Continue reading