Windows PowerShell - Introduction

(Edwin Eekelaers) #1

Hello fellow community members. I'm sure some of you have heard of it and have actually used PowerShell on Windows-based machines, and some haven't heard of it yet. PowerShell is in essence a much more potent version of CMD.exe and batch coding.
With it being much more potent than batch coding, there are also some risks inherent in it.
One is that when you have sufficient rights on a machine you can pretty much destroy anything on that machine.
And something quite a few people do not know is that some ransomware & malware are actually using PowerShell code because it can interact with the machine on a much deeper level than old-fashioned batch coding…
Therefore it was my humble suggestion to the community leaders to open up a PowerShell section in this community where the security aspect of it can be discussed.
I still consider myself a newcomer to it since I only started learning it a year ago. In that single year I learned a lot of it from some people who actually are certified trainers.

Windows by default has a few execution policies in effect to try and protect your machine, but there are so many ways around them that I felt this is the right time to start talking about it here. By knowing this, and with some expert guidance from the community leaders, this could be really interesting to everybody.

As I said, since it's so potent it can be used for good intent but also for bad intent. If you have any questions about it, feel free to ask. Just try to keep it within the boundaries of what this community was founded for (to learn about security and the pitfalls of ransomware/malware and other things that may affect us).

Perhaps @will may want to add something.

Anyhow, I'm here to answer questions to the best of my abilities.


(Edwin Eekelaers) #2

As a mere example of the potency of PowerShell I'd like to add this small example.

get-childitem will retrieve all the objects lying under the starting path (it acts a bit like dir in cmd.exe).

So with get-childitem -path c:\* it'll show you a list of whatever is in the root folder of c:\

Modify that slightly to get-childitem -path c:\* -include *.* -recurse and it'll then show whatever is under c:\ and then recurse all the way down as far as there is…

Still quite innocent, isn't it? Now comes the funny & dangerous bit.

get-childitem -path c:\* -include *.* -recurse -force -erroraction silentlycontinue | remove-item

This will do a dir /s and immediately remove all items to which you have access with your credentials (or the credentials used), without any confirmation or any error being generated.

This in essence could be the base of malware. That is why I say it can be so dangerous.
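The following script is an added example, not code from the original post. It exercises the same Get-ChildItem | Remove-Item pipeline described above, but only against a scratch directory that the script itself creates under $env:TEMP (the directory name and all files in it are constructed here). It shows three things the post's one-liner hides: that -Force is what pulls hidden and read-only items into the listing, that -WhatIf lets you preview a destructive pipeline before running it, and that -ErrorAction SilentlyContinue only quiets the console, the suppressed failures are still recorded in the automatic $Error variable.

```powershell
# Added example (not from the original post): run the Get-ChildItem | Remove-Item
# pipeline safely against a scratch tree this script builds itself.
# Everything under $Scratch is constructed here; nothing outside it is touched.

$ErrorActionPreference = 'Stop'
$Scratch = Join-Path $env:TEMP ("gci-demo-" + [guid]::NewGuid().ToString('N'))

# 1. Build a small tree: nested folders, a hidden file and a read-only file.
New-Item -ItemType Directory -Path (Join-Path $Scratch 'a\b\c') -Force | Out-Null
Set-Content -Path (Join-Path $Scratch 'root.txt')        -Value 'root'
Set-Content -Path (Join-Path $Scratch 'a\one.txt')       -Value 'one'
Set-Content -Path (Join-Path $Scratch 'a\b\two.log')     -Value 'two'
Set-Content -Path (Join-Path $Scratch 'a\b\c\three.dat') -Value 'three'
$hidden = Join-Path $Scratch 'a\.secret'
Set-Content -Path $hidden -Value 'hidden'
(Get-Item $hidden).Attributes = 'Hidden'
$ro = Join-Path $Scratch 'a\b\locked.txt'
Set-Content -Path $ro -Value 'locked'
Set-ItemProperty -Path $ro -Name IsReadOnly -Value $true

# 2. The innocent part: enumerate. Without -Force, hidden items are skipped.
Write-Host "`n== Recursive listing without -Force (hidden file omitted) =="
Get-ChildItem -Path $Scratch -Recurse | Select-Object -ExpandProperty FullName

Write-Host "`n== Recursive listing with -Force (hidden file included) =="
Get-ChildItem -Path $Scratch -Recurse -Force | Select-Object -ExpandProperty FullName

# 3. The dangerous part, previewed: -WhatIf makes Remove-Item describe each
#    deletion instead of performing it. Always dry-run a pipeline like this first.
Write-Host "`n== Dry run of the delete pipeline (-WhatIf) =="
Get-ChildItem -Path $Scratch -Recurse -Force -ErrorAction SilentlyContinue |
    Remove-Item -Force -Recurse -WhatIf

# 4. What -ErrorAction SilentlyContinue really does: the console stays quiet,
#    but each failure is still appended to the automatic $Error variable, so an
#    operator (or a defender reading a transcript) can still see what was refused.
Write-Host "`n== Errors hidden from the console are still recorded in `$Error =="
$Error.Clear()
Get-ChildItem -Path (Join-Path $Scratch 'does-not-exist') -Recurse -ErrorAction SilentlyContinue | Out-Null
"Errors recorded: $($Error.Count)"
$Error | ForEach-Object { "  " + $_.Exception.Message }

# 5. Perform the deletion, scoped to the scratch tree only. -Force on Remove-Item
#    is what lets it take the hidden and read-only files; -Recurse avoids the
#    confirmation prompt for non-empty folders. Sorting by descending path makes
#    children go before their parents, so the pipeline never meets an already
#    deleted directory.
Write-Host "`n== Deleting the scratch tree for real =="
Get-ChildItem -Path $Scratch -Recurse -Force -ErrorAction SilentlyContinue |
    Sort-Object -Property FullName -Descending |
    Remove-Item -Force -Recurse -ErrorAction SilentlyContinue
Remove-Item -Path $Scratch -Force -Recurse

"Scratch tree removed: $(-not (Test-Path $Scratch))"
```

Run it from a normal (non-elevated) console; it only needs write access to $env:TEMP. The point of steps 3 and 4 is the operational one: -WhatIf and -Confirm are the guardrails PowerShell already gives you for any cmdlet that supports ShouldProcess, and silencing errors at the console does not erase them, which is exactly why a defender's script-block or transcript logging still sees what a quietly failing deletion loop tried to do.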