Powershell


PowerShell is a powerful tool from Microsoft designed for task automation and configuration management. It combines a command-line interface and a scripting language built on the .NET framework.
Unlike older text-based command-line tools, PowerShell is object-oriented, which means it can handle structured data types and interact with system components directly. Initially exclusive to Windows, PowerShell has since expanded to support macOS and Linux, making it a versatile option for IT professionals across different operating systems.

History#

  • In the early 2000s, Windows enterprise infrastructure outgrew the capabilities of legacy automation tools like cmd.exe and batch scripts. Microsoft required a modern administrative solution capable of interacting natively with advanced Windows APIs.
  • Microsoft engineer Jeffrey Snover recognized a fundamental architectural divergence between operating systems: Unix relies on unstructured text files, whereas Windows relies on structured data and complex APIs. This friction made standard Unix tool-porting impractical.
  • Snover designed PowerShell to leverage an object-oriented approach built on top of the .NET framework. Released in 2006, it allowed administrators to manipulate structured objects directly rather than parsing text streams, providing unparalleled Windows integration.
  • To adapt to modern, heterogeneous cloud and enterprise data centers, Microsoft released PowerShell Core in 2016. This shift transformed the utility into an open-source, cross-platform engine capable of running uniformly across Windows, macOS, and Linux environments.

The traditional Command Prompt's commands are text-based, meaning they process and output data as plain text. By contrast, when a cmdlet (pronounced command-let) is run in PowerShell, it returns objects that retain their properties and methods. This allows for more powerful and flexible data manipulation, since these objects do not require additional parsing of text.

PS Syntax#

PowerShell commands are known as cmdlets. They are much more powerful than the traditional Windows commands and allow for more advanced data manipulation.
Cmdlets follow a consistent Verb-Noun naming convention. This structure makes it easy to understand what each cmdlet does. The Verb describes the action, and the Noun specifies the object on which action is performed.
For example:

  • Get-Content: Retrieves (gets) the content of a file and displays it in the console.
  • Set-Location: Changes (sets) the current working directory.

Basic Cmdlets#

  • To list all available cmdlets, functions, aliases, and scripts that can be executed in the current PowerShell session, we can use Get-Command. It’s an essential tool for discovering what commands one can use.
  • For each CommandInfo object retrieved by the cmdlet, a few essential properties (CommandType, Name, Version, Source) are displayed on the console. The list can be filtered on those properties. For example, to display only the commands of type "function", use Get-Command -CommandType Function.
  • Get-Help: provides detailed information about cmdlets, including usage, parameters, and examples.
  • PowerShell includes aliases —which are shortcuts or alternative names for cmdlets— for many traditional Windows commands. Indispensable for users already familiar with other command-line tools, Get-Alias lists all aliases available. For example, dir is an alias for Get-ChildItem, and cd is an alias for Set-Location.
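The discovery cmdlets above, worked through as an added example that is not part of the original page. It assumes a Windows session for the dir alias (PowerShell 7 on Linux and macOS does not define dir or ls as aliases, so those lines simply return nothing there).

```powershell
# Added example (not from the page): command discovery with Get-Command, Get-Help and Get-Alias.

# All functions loaded in this session, first five by name, with the module they come from
Get-Command -CommandType Function | Sort-Object Name | Select-Object -First 5 Name, Source

# Search by noun: which commands deal with file hashes?
Get-Command -Noun FileHash

# Help for one cmdlet: the full page, then just the examples
# (run Update-Help once as an administrator if the examples are missing)
Get-Help Get-FileHash
Get-Help Get-FileHash -Examples

# Resolve an alias to the cmdlet it runs, and list every alias that points at a cmdlet
Get-Alias dir                               # Windows only
Get-Alias -Definition Get-ChildItem

# Aliases are session state, so a profile script (or anyone who can write to it)
# can redefine a familiar short name. Check that it still points where you expect
# before relying on it in a script.
(Get-Alias -Name cd).Definition             # expected: Set-Location
```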

Find and Download Cmdlets#

  • Another powerful feature of PowerShell is the possibility of extending its functionality by downloading additional cmdlets from online repositories.
  • To search for modules (collections of cmdlets) in online repositories like the PowerShell Gallery, we can use Find-Module. If we don't know the exact name of the module, we can search for modules with a similar name by filtering on the Name parameter and appending a wildcard (*) to the partial name, using the standard PowerShell pattern syntax: Find-Module -Name "pattern*".
  • Once identified, a module can be downloaded and installed from the repository with Install-Module, making the cmdlets it contains available for use. Note that Install-Module fetches and loads code written by a third party, so review the module's author, version and project page (all shown by Find-Module) before installing it.
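The search-review-install sequence above, as an added example that is not part of the original page. PSScriptAnalyzer is a real module published by Microsoft and is used here only as the search target; the review step is the part a practitioner would not want to skip.

```powershell
# Added example (not from the page): find a module by partial name, review it, install a pinned version.

# 1. Search the PowerShell Gallery by a partial name with a wildcard
Find-Module -Name "PSScriptAnalyzer*"

# 2. Review before installing. Install-Module downloads and loads third-party code,
#    so check who published it, when, and where the source lives.
$found = Find-Module -Name PSScriptAnalyzer
$found | Select-Object Name, Version, Author, CompanyName, PublishedDate, ProjectUri

# 3. Install exactly the version you reviewed, for the current user only (no admin rights needed)
Install-Module -Name $found.Name -RequiredVersion $found.Version -Scope CurrentUser

# 4. Confirm what was installed and from which repository, then see which cmdlets arrived
Get-InstalledModule -Name PSScriptAnalyzer | Select-Object Name, Version, Repository
Get-Command -Module PSScriptAnalyzer
```

Pinning with -RequiredVersion means a later run of the same script installs the version that was reviewed, not whatever the gallery serves that day.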

File Management#

  • Get-ChildItem lists the files and directories in a location specified with the -Path parameter, similar to the dir command in Command Prompt (or ls in Unix-like systems). It can be used to explore directories and view their contents. If no -Path is specified, the cmdlet displays the contents of the current working directory.
  • To navigate to a different directory, we can use the Set-Location cmdlet. It changes the current directory, bringing us to the specified path, akin to the cd command in Command Prompt.
  • To create an item in PowerShell, we can use New-Item. We will need to specify the path of the item (-Path) and its type (-ItemType ["File"/"Directory"]).
    • While the traditional Windows CLI uses separate commands to create and manage different items like directories and files, PowerShell simplifies this process by providing a single set of cmdlets to handle the creation and management of both files and directories.
  • Similarly, the Remove-Item cmdlet removes both directories and files, whereas in Windows CLI we have separate commands rmdir and del.
  • To read and display the contents of a file, we can use the Get-Content cmdlet, which works similarly to the type command in Command Prompt (or cat in Unix-like systems).
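The file-management cmdlets above, chained into one round trip as an added example that is not part of the original page. The scratch directory and the log lines are constructed for the demo.

```powershell
# Added example (not from the page): create, inspect and remove files and directories
# with a single set of cmdlets. $work is an assumed scratch path under the temp directory.
$work = Join-Path ([IO.Path]::GetTempPath()) "ps-file-demo"

New-Item -Path $work -ItemType Directory -Force | Out-Null
Set-Location -Path $work

# Create a file and give it some constructed content
New-Item -Path "app.log" -ItemType File -Force | Out-Null
Set-Content -Path "app.log" -Value @(
    "2024-05-01 10:00:01 INFO  service start",
    "2024-05-01 10:00:05 WARN  disk space low",
    "2024-05-01 10:00:09 INFO  service stop"
)

Get-ChildItem                         # the directory listing, like dir / ls
Get-Content -Path "app.log"           # the whole file, like type / cat
Get-Content -Path "app.log" -Tail 1   # only the last line, useful on large logs

# Leave the directory, then remove it and everything in it.
# -WhatIf shows what would be deleted without touching anything; drop it to act.
Set-Location -Path ..
Remove-Item -Path $work -Recurse -WhatIf
Remove-Item -Path $work -Recurse -Force
```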

Piping#

Piping is a technique used in command-line environments that allows the output of one command to be used as the input for another. This creates a sequence of operations where the data flows from one command to the next. Represented by the | symbol, piping is widely used in the Windows CLI, as introduced earlier in this module, as well as in Unix-based shells.
In PowerShell, piping is even more powerful because it passes objects rather than just text. These objects carry not only the data but also the properties and methods that describe and interact with the data.

  • Sort-Object cmdlet is used to sort objects based on specified properties.
    To get a list of files in a directory and then sort them by size : Get-ChildItem | Sort-Object Length

  • Where-Object cmdlet is used to filter objects based on specified conditions, returning only those that meet the criteria
    To list only .txt files in a directory : Get-ChildItem | Where-Object -Property "Extension" -eq ".txt"
    Comparison Operators

    • -eq: "equal to". This operator can be used to include objects from the results based on specified criteria.
    • -ne: “not equal”. This operator can be used to exclude objects from the results based on specified criteria.
    • -gt: “greater than”. This operator will filter only objects which exceed a specified value. It is important to note that this is a strict comparison, meaning that objects that are equal to the specified value will be excluded from the results.
    • -ge: “greater than or equal to”. This is the non-strict version of the previous operator. A combination of -gt and -eq.
    • -lt: “less than”. Like its counterpart, “greater than”, this is a strict operator. It will include only objects which are strictly below a certain value.
    • -le: “less than or equal to”. Just like its counterpart -ge, this is the non-strict version of the previous operator. A combination of -lt and -eq.
    • -like: Objects can also be filtered by selecting properties that match a specified pattern: eg:Where-Object -Property "Name" -like "ship*"
  • Select-Object, is used to select specific properties from objects or limit the number of objects returned. It’s useful for refining the output to show only the details one needs.
    Get-ChildItem | Select-Object Name,Length

  • Select-String, cmdlet searches for text patterns within files, similar to grep in Unix-based systems or findstr in Windows Command Prompt. It’s commonly used for finding specific content within log files or documents.
    Select-String -Path ".\captain-hat.txt" -Pattern "hat"

    • The Select-String cmdlet fully supports the use of regular expressions (regex). This advanced feature allows for complex pattern matching within files, making it a powerful tool for searching and analysing text data.
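The pipeline cmdlets above put to work on a triage task, as an added example that is not part of the original page. It first filters, sorts and projects file objects, then uses Select-String with a regex capture group over a few constructed log lines; $root and the log file path are assumptions.

```powershell
# Added example (not from the page): object pipelines for triage.
$root = [IO.Path]::GetTempPath()      # assumed starting directory; point it at a real tree

# 1. Largest five .exe/.dll files changed in the last 30 days, with size in MB.
#    Where-Object filters on object properties, Sort-Object orders, Select-Object projects.
Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Extension -in @(".exe", ".dll")) -and $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    Sort-Object Length -Descending |
    Select-Object -First 5 Name, LastWriteTime,
        @{ Name = "MB"; Expression = { [math]::Round($_.Length / 1MB, 2) } }

# 2. Select-String with a regex: failed logons grouped by source address.
#    The log lines are constructed for this example.
$sample = Join-Path $root "auth-sample.log"
@(
    "2024-05-01 10:00:01 LOGON OK   user=alice src=10.0.0.5",
    "2024-05-01 10:00:07 LOGON FAIL user=admin src=203.0.113.9",
    "2024-05-01 10:00:09 LOGON FAIL user=admin src=203.0.113.9",
    "2024-05-01 10:00:12 LOGON FAIL user=bob   src=198.51.100.4"
) | Set-Content -Path $sample

Select-String -Path $sample -Pattern 'LOGON FAIL .* src=(\d{1,3}(\.\d{1,3}){3})' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |   # capture group 1 is the address
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name                              # 203.0.113.9 appears twice

Remove-Item -Path $sample
```

Because each stage receives objects, the size calculation in step 1 reads the Length property directly and the grouping in step 2 works on the captured strings; no text re-parsing happens between stages.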

System Information#

  • The Get-ComputerInfo cmdlet retrieves comprehensive system information, including operating system information, hardware specifications, BIOS details, and more. It provides a snapshot of the entire system configuration in a single command. Its traditional counterpart systeminfo retrieves only a small set of the same details.

  • Get-LocalUser lists all the local user accounts on the system. The default output shows, for each account, its Name, whether it is Enabled, and its Description.

  • Get-NetIPConfiguration provides detailed information about the network interfaces on the system, including IP addresses, DNS servers, and gateway configurations.

  • Get-NetIPAddress cmdlet will show details for all IP addresses configured on the system, including those that are not currently active.

  • Get-Process provides a detailed view of all currently running processes, including CPU and memory usage, making it a powerful tool for monitoring and troubleshooting.

  • Get-Service allows the retrieval of information about the status of services on the machine, such as which services are running, stopped, or paused. It is used extensively in troubleshooting by system administrators, but also by forensics analysts hunting for anomalous services installed on the system.

  • To monitor active network connections, Get-NetTCPConnection displays current TCP connections, giving insights into both local and remote endpoints. This cmdlet is particularly handy during an incident response or malware analysis task, as it can uncover hidden backdoors or established connections towards an attacker-controlled server.

  • Get-FileHash is a useful cmdlet for generating file hashes, which is particularly valuable in incident response, threat hunting, and malware analysis, as it helps verify file integrity and detect potential tampering.

  •  To view the Alternate Data Streams (ADS) attached to a file through PowerShell: Get-Item -Path "filepath" -Stream *
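The system-information cmdlets above combined into a read-only host triage, as an added example that is not part of the original page. It adds Get-CimInstance for the service binary path (Get-Service does not expose it) and wraps the Windows-only networking and service parts so the script also runs on PowerShell 7 on Linux or macOS; the ADS target path is an assumption.

```powershell
# Added example (not from the page): quick host triage. Everything here is read-only.

# 1. Running processes with their on-disk path and SHA256, so unusual binaries can be
#    compared against known-bad hashes. Processes without a readable Path are skipped.
Get-Process |
    Where-Object { $_.Path } |
    Select-Object -Unique Path |
    ForEach-Object {
        $h = Get-FileHash -Path $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue
        [pscustomobject]@{ Path = $_.Path; SHA256 = $h.Hash }
    } | Format-Table -AutoSize

# 2. Established TCP connections joined to the owning process (Windows only)
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -State Established |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort,
            @{ Name = "Process"; Expression = {
                (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
        Format-Table -AutoSize
}

# 3. Running services whose binary lives outside the Windows directory (Windows only).
#    Win32_Service carries PathName; Get-Service does not.
if ($IsWindows -or $PSVersionTable.PSEdition -eq "Desktop") {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq "Running" -and $_.PathName -notlike "*\Windows\*" } |
        Select-Object Name, StartMode, PathName |
        Format-Table -AutoSize
}

# 4. Alternate Data Streams: every file has :$DATA; any other stream deserves a look.
$target = Join-Path $HOME "Downloads\example.exe"   # assumed path, change to a real file
if (Test-Path -Path $target) {
    Get-Item -Path $target -Stream * | Select-Object Stream, Length
}
```

The hashes from step 1 and the remote addresses from step 2 are the two lists most worth exporting (Export-Csv) for comparison against threat intelligence; the unquoted-path and non-standard-location checks in step 3 are where persistence via a rogue service usually shows up.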

Scripting#

Scripting is the process of writing and executing a series of commands contained in a text file, known as a script, to automate tasks that one would generally perform manually in a shell, like PowerShell.

Invoke-Command runs a script block or script file on one or more remote systems over PowerShell Remoting (WinRM by default on Windows, SSH on PowerShell 7), which makes it fundamental for system administrators, security engineers and penetration testers. Combined with scripting, it turns a one-off command into an action repeated uniformly across many machines. The same capability executes payloads or commands on target systems during an engagement, for penetration testers and attackers alike, so remoting should be enabled deliberately and its use monitored.
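A script block validated locally and then fanned out with Invoke-Command, as an added example that is not part of the original page. The host names are hypothetical, and the remote step assumes PowerShell Remoting is enabled on the targets and that the supplied credential has remote-logon rights there.

```powershell
# Added example (not from the page): one inventory script block, run locally then remotely.

# The script block is ordinary PowerShell; the local-accounts check is wrapped because the
# LocalAccounts module exists only on Windows.
$inventory = {
    [pscustomobject]@{
        Host      = [Environment]::MachineName
        OS        = [Environment]::OSVersion.VersionString
        PSVersion = $PSVersionTable.PSVersion.ToString()
        Admins    = if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
                        (Get-LocalGroupMember -Group Administrators | ForEach-Object Name) -join ", "
                    } else { "n/a" }
    }
}

# 1. Run it locally first to validate the logic
& $inventory

# 2. Fan out. Requires WinRM / PowerShell Remoting on the targets (Enable-PSRemoting)
#    and a credential permitted to log on remotely. Each result comes back as a
#    deserialized object carrying a PSComputerName property naming its source host.
$targets = "ws01", "ws02", "srv-file01"     # hypothetical host names
$cred    = Get-Credential

Invoke-Command -ComputerName $targets -Credential $cred -ScriptBlock $inventory -ErrorAction Continue |
    Select-Object PSComputerName, Host, OS, PSVersion, Admins |
    Format-Table -AutoSize
```

With -ErrorAction Continue an unreachable host produces an error record but does not stop the collection from the others. On the targets, the contents of $inventory are written to the PowerShell Operational event log (event ID 4104) when script block logging is enabled, which is why defenders turn that setting on: the same record captures commands an attacker pushes through the same cmdlet.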

https://nahil.xyz/vault/basics/powershell/
Author Nahil Rasheed
Published at May 22, 2026
Disclaimer This content is provided strictly for educational purposes only.