Skip to main content

Simple PowerShell One-Liners

In this post, I want to go over some basic recon-style commands in PowerShell, which complements a talk I gave recently at the DefCon 416 meetup. A good chunk of my demonstration consisted of various ways to accomplish simple recon and post-exploitation tasks by leveraging what is already installed throughout Windows environments.
I'm going to keep things very basic and simple just in case PowerShell is brand new to you. These "one-liners" are meant to show things you can incorporate into a script that, when placed onto a targeted machine, executed in memory, can spit the output into a file or send it back to a C2 server.

Let's begin :)

I am using a Windows 7 virtual machine running PowerShell v2, but feel free to use Win8 or higher.
Open up a PowerShell prompt (no need to run as an admin, but may be required later).


I create a folder on the desktop called "hello" with a single text file called "hello.txt" inside. Feel free to do the same and use whatever names you like.


A couple of super basic PowerShell examples. First, it's ok if you've come from the Linux world or never played with anything besides cmd.exe. PowerShell has 'aliases' for a lot of commands that you are probably familiar with. Take a look at the screenshot below:


The commands ls, dir and Get-ChildItem all return the same output. The first two (ls and dir) are actually aliases to Get-ChildItem (which is actually a PowerShell cmdlet). If you type Get-Alias, you will see the full list of current aliases known to PowerShell (and yes you can add your own!).


Another neat thing you can do from the PowerShell prompt is quickly accessing (and iterating through) environment variables. If you enter $env: at the prompt and then continue to hit the tab key, you'd notice that it cycles through all the different environment variables. By the way, a lot of PowerShell commands let you tab through available items!


We're getting closer to the point of this post. Going back to aliases for a moment: the command ps (to list processes) is an alias to the PowerShell cmdlet Get-Process. Go ahead and type either (I'm using ps).


You may notice I've highlighted the property ProcessName. Because PowerShell treats everything as an object, we can pivot on most things we see from the output. In this example I want to display the values (the processes) from that property. Just pipe the first command to another cmdlet called Select-Object and define the property.


Cool! Now for a little curve ball :)

Within PowerShell, we can also play with WMI. Remember how the command ps is just an alias to the cmdlet Get-Process? Well there's a cmdlet called Get-WmiObject (take a guess what that does :)) that we can leverage to get the same data.


All I'm demonstrating is the flexibility of using PowerShell.

Now for offensive actions: a lot of these commands we'll get into are actually just administrative tasks performed with malicious intentions. There's no hack or exploits - just running regular commands. On a side note, this tutorial doesn't tell you how to get a shell or drop an agent on a target; they are beyond the scope of the current discussion. .

We're going to look at how to accomplish the following tasks with just the PowerShell prompt:
  • Learn about users - names, local admin group, and other currently logged-in users
  • Info on local systems - OS, architecture, drives, CPU count and services
Username:


Is the current user a local admin:
(just change the SID you're looking for)


Show logged-on sessions:
(more of a short script than a one-liner)


Show system OS and architecture:



List drives:


List CPU cores:


List services:


These simple and short commands can be easily incorporated into a script and run on the target. For example, this approach is useful when I need to identify certain things on a target and match them up with something else. The above commands can be used to automate some initial tasks:
  • Get the current user and see if they're a member of local admin group (bypassUAC?)
    • check if other logged-on users are part of the local admin group
  • List all processes, and step through them to look for known names of virtualization and defensive/analysis tools 
    • are we being analyzed in a VM right now?
  • Get the OS version specifics
    • match the info to known exploits
    • may affect agents and things you want to drop and run on targets
    • if Win8, pull down "evil_thing_for_win8".mal and run it
    • if x86, use 32-bit version of "evil thing"
  • Get drives and shares
    • copy self to writable drives and shares
Hope this post gives you some basic ideas on how to use PowerShell in your scripts or right from the console to do basic triage on targets.

Popular posts from this blog

Leveraging WEF and the HELK

In an effort to have some more content on this blog (wow life gets busy sometimes!) I thought I'd write up this post on how to configure Windows Event Forwarding and the awesome project, HELK.

On a bit of a side-note, this post coincides with an event we run up here in Toronto, Canada called the Canadian Collegiate Cyber Exercise (C3X). This year we are running the first real iteration (although we executed a pilot version last year which you can see here: https://www.youtube.com/watch?v=oycYKQzzHoU) and part of the design will be providing the students with HELK.
OK back on track. I'll admit that when I first learned about Windows Event Forwarding it seemed a little daunting. A few of the posts I first read seemed confusing and a lot of moving parts. To the newcomer, Windows Event Logs can also be fairly intimidating which is why projects such as HELK are so fantastic to be openly and freely distributed.
So why leverage WEF? Well, at a very basic level (and this whole post wi…

C3X2018 Genesis Review

What a year this has been. C3X2018 "Genesis" just wrapped up on October 24th and I couldn't be happier (and happy that it's over because I forgot what real sleep feels like).
For those of you who have no idea what I'm talking about, the Canadian Collegiate Cyber Exercise or C3X is an event that Ben Wells (@1StealthMove) and myself started working on in 2016, and brought  into reality in 2017 with a beta run of the event. You can watch the trailer from last year here:


So why did we create  C3X at all? Sadly, Canada doesn't have too many red vs. blue, cyber war game type events (at least to my knowledge) and as far as RedBlack is concerned, that's a shame. We have a lot of CTF's and the like, but there's no shortage of those already. We've also come to learn that many students do not get the required and needed exposure of  learning about defending Windows environments, ActiveDirectory and being able to put what they've learned in school to th…

We Break So We Can Build Better

Hello again friends!

Today I'm writing this post to shed a little preview light on how our team that builds C3X (Canadian Collegiate Cyber Exercise) will be approaching the design for the 2019 competition.

We are doing a lot of different and fun things this year which means all of us are very excited and at the same time have a beast of a project ahead of us.

I'm also going to discuss areas where you can help out and be a part of this wonderful event.

C3X Overview Entering its third year, the C3X is a competition that puts student teams from various Canadian colleges and universities who are enrolled in cyber security programs a chance to defend a controlled environment against a team of offensive security professionals. That's the short and sweet version but there is so much more.
Ben Wells (@1StealthMove) and I created this in 2016 and saw the first event happen in 2017. Why did we do this? Canada isn't exactly overflowing with combative challenges. Sure we have plen…