PowerShell Simplified — Part 2
In the first part, we discussed how to get started with Windows PowerShell. In this part, let’s move ahead with our simplification of PowerShell.
Invoke-WmiMethod is used to execute a WMI method. Let’s look at an example:
We will be using the ClearEventLog method of the class Win32_NTEventlogFile.
We used Get-WmiObject to get the log object and then called its ClearEventLog method to clear the log. An attacker may find this useful for clearing their tracks; note, however, that clearing a log is itself recorded by Windows (the Security log records its own clearing as event ID 1102), which is exactly what defenders monitor for.
Running scripts-
Signing scripts-
Any trusted Certificate Authority can be used: download the certificate and install it.
Variables in PowerShell-
Strings & Numbers:-
A string in PowerShell is nothing but an object.
Arrays in PowerShell:-
While executing a PS script, if we want step-by-step information, use the verbose and debug switches.
PowerShell scripting-
In the above command, what if we want to execute the same command and only change the computer name? Let’s do this via a script.
Here, localhost is the default value of the parameter, so if you don’t specify a parameter when executing the script, localhost is used in the command; otherwise the parameter you specify is used.
Sessions:-
Instead of creating a remote connection that ends when the command finishes, we can create a session, which we can reuse again and again.
Implicit Remoting:-
Consider a scenario where you have a system on which you are not able, or not allowed, to run some PowerShell modules such as ActiveDirectory, for example Windows XP. In that case, we can use implicit remoting.
So what we can do is:
Create a session to the server that has the module -> import the module in that session -> import the session, which also imports the server’s module -> use the cmdlets of that module, which now run on the server whose session we created.
Let’s start with a simple ps file.
In this case, we need to write the result to a file, but this script returns multiple kinds of objects in its output.
In the above case, the output comes from 3 different places: Win32_OS, Win32_BIOS and Win32_LogicalDisk.
We need only one type of output, so let’s create a custom object, i.e. $obj.
Write-Output returns the object to the pipeline, where it can be used for further processing.
Switch in PowerShell:-
If constructs:-
Foreach:-
Other examples of functions (Advanced Functions):-
In the above example, we created an advanced function, which behaves like the commands built into PowerShell. We can use this script directly as the command Get-ComputerInfo on the PowerShell command line.
Breakpoints:-
Write-debug:-
The default debug preference ($DebugPreference) is SilentlyContinue, but for our own script we can set the debug preference we want.
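Bringing the pieces above together (the computer-name parameter with a localhost default, the single custom object built from Win32_OperatingSystem, Win32_BIOS and Win32_LogicalDisk, the advanced-function syntax, and the verbose/debug streams), here is an added example that is not from the article or the book it references. It uses Get-CimInstance, the supported replacement for Get-WmiObject, and is named Get-SystemSummary rather than Get-ComputerInfo because PowerShell 5.1 and later ship a built-in cmdlet of that name which a custom function would shadow; remote queries assume WinRM is enabled on the target.

```powershell
function Get-SystemSummary {
    <#
    .SYNOPSIS
    Returns one flat object per computer, combining OS, BIOS and system-drive data,
    so the result can be piped straight to Export-Csv or Format-Table.
    #>
    [CmdletBinding()]
    param(
        # Same idea as the article's script: defaults to the local machine
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = 'localhost'
    )
    process {
        foreach ($computer in $ComputerName) {
            Write-Verbose "Querying $computer"
            # Only pass -ComputerName for remote hosts; the local query then runs
            # in-process without needing a WinRM listener (hypothetical helper splat)
            $cim = @{}
            if ($computer -ne 'localhost') { $cim['ComputerName'] = $computer }

            $os   = Get-CimInstance -ClassName Win32_OperatingSystem @cim
            $bios = Get-CimInstance -ClassName Win32_BIOS @cim
            $disk = Get-CimInstance -ClassName Win32_LogicalDisk @cim -Filter "DeviceID='C:'"

            # Only visible when $DebugPreference (or -Debug) says so
            Write-Debug "OS build $($os.BuildNumber), BIOS serial $($bios.SerialNumber)"

            # One object shape for every computer, instead of three different WMI objects
            [PSCustomObject]@{
                ComputerName   = $computer
                OSVersion      = $os.Version
                OSBuild        = $os.BuildNumber
                BIOSSerial     = $bios.SerialNumber
                SysDriveFreeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
            }
        }
    }
}

# The article's point about preferences: the default is SilentlyContinue, so the
# Write-Debug line above prints nothing until the preference is changed for this script.
$DebugPreference = 'Continue'
Get-SystemSummary -Verbose | Format-Table -AutoSize

# Uniform objects export cleanly; constructed output path for illustration
'localhost' | Get-SystemSummary | Export-Csv -Path .\system-summary.csv -NoTypeInformation
```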
In short, PowerShell is a very powerful utility in Windows that can be used for both offensive and defensive purposes. It totally depends on the scripter!
Enjoy Powershelling!!
References:
Learn PowerShell Scripting in a Month of Lunches — Don Jones and Jeffery Hicks