Logo
RSS Feed

πŸ‘ˆπŸΌ Back to
πŸͺŸ Windows Artefacts

🏺 CMD and Powershell

Created: 02.06.2023

CMD

Batch script. Highly limited in functionality and caching all sorts of crap, including credentials.

PowerShell

Anatomy

Authentication cons:

  1. Traffic is encrypted
  2. Kerberos is used for authentication
  3. Credentials are not cached on the remote system (not AS).

PowerShell gives you the power of WMI, .NET and COM at once. It provides a unified interface to interact with data types such as the registry, file volumes, Active Directory etc.

❗️The output of most of the ps commands are not strings but objects that can be piped into other commands.

PowerShell has short commands. For example, Get-Command cmdlet can be shortened to gcm. Used along with wildcards, one can obfuscate a script a little: gcm 'i*e-e*' gets the list of commands satisfying this expression, which is only one: Invoke-Expression.

πŸ“š Further reading: https://devblogs.microsoft.com/scripting/weekend-scripter-using-powershell-to-aid-in-security-forensics/, https://www.ldap389.info/en/2013/06/17/powershell-forensic-onliners-regex-get-eventlog/, https://devblogs.microsoft.com/scripting/use-powershell-to-perform-offline-analysis-of-security-logs/, https://devblogs.microsoft.com/scripting/learn-the-easy-way-to-use-powershell-to-get-file-hashes/, https://devblogs.microsoft.com/scripting/use-powershell-to-compute-md5-hashes-and-find-changed-files/.

Remote

WinRM - Windows remote service for remote management. It is turned on by default on Windows Servers 2012+. The transfer protocol used is WSMAN (SOAP, HTTP and XML). Credentials are NOT cached on the remote system, which is good.

You may start a session on a remote system using Enter-PSSession (similar to SSH, but uses Kerberos for authentication).

When dealing with a large number of machines, retrieving data from each one of them using a WMI command can be time-consuming. A better option is to use Invoke-Command, which enables concurrent execution on multiple machines and moves the computation to the remote system. -AsJob option can also be used to move the process to the background if it takes too long to finish.

Logs

Windows PowerShell Event logs Operational Monitoring: %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Powershell%Operational.evtx, ID 4103, 4104 (if Windows considers it suspicious).

%SystemRoot%\System32\winevt\Logs\Microsoft-Windows-Powershell.evtx. ID 400, 800.

%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost - PowerShell history.

WSL

References

Expand… Something here