Monday, July 29, 2013

PowerShell Intro

Before covering how Incident Responders can leverage Windows PowerShell, I thought it would be appropriate to provide a small introduction for those who are not familiar with all the cool things that can be done through PowerShell.

What is PowerShell:
Windows PowerShell is Microsoft's answer to our cries for a better scripting environment and command shell.  Scripting in PowerShell is much more intuitive than batch, and although PowerShell does have some Microsoft-centric quirks, it more closely resembles other interpreted languages like Python.  Microsoft has made the entire .NET Framework available through PowerShell, which allows a great deal of flexibility to those who want to take on development.  Through PowerShell, Microsoft without a doubt opened many doors for Forensicators and Incident Responders.

PowerShell introduces two features which make scripting significantly easier.  The first feature is tab completion; readers familiar with Unix will understand how nice tab completion can be.  If you do not know the exact command syntax, all you have to do is press Tab and PowerShell will do the work for you.  The second, and in my opinion most important, feature is the object-oriented nature of PowerShell.  PowerShell commands (cmdlets) return .NET objects, which can be manipulated to display the desired results.  These two features alone make scripting in PowerShell easier and more logical than batch or VBScript.
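As an added example (not code from the original post), the following shows what the object pipeline buys you in practice: because Get-Process emits typed .NET objects rather than text, filtering, sorting, column selection and export all work on named properties, with no column counting or re-parsing. It assumes a Windows host with PowerShell 2.0 or later and writes two files to the current directory; the file names are arbitrary.

```powershell
# Added example, not from the original post: the object pipeline.
# Get-Process returns System.Diagnostics.Process objects, so every stage
# below operates on typed properties, not on lines of text.

# Processes using more than 100 MB of working set, busiest first.
# (Path is empty for protected processes when not running elevated.)
$big = Get-Process |
    Where-Object { $_.WorkingSet64 -gt 100MB } |
    Sort-Object -Property CPU -Descending |
    Select-Object -Property Name, Id, Path, WorkingSet64

# The same objects can be rendered several ways without re-parsing anything.
$big | Format-Table -AutoSize                                # on-screen table
$big | Export-Csv -Path .\big-procs.csv -NoTypeInformation   # spreadsheet hand-off
$big | Export-Clixml -Path .\big-procs.xml                   # keeps .NET types for Import-Clixml later

# Properties are addressed by name; no awk/cut-style field splitting.
$big | ForEach-Object { "{0} (PID {1}) working set {2:N0} bytes" -f $_.Name, $_.Id, $_.WorkingSet64 }
```

Export-Clixml is the one to reach for when the results will be examined later on another machine: Import-Clixml rebuilds the objects with their original property types, whereas CSV flattens everything to strings.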

PowerShell History:
To better understand Windows PowerShell's origins, refer to Jeffrey Snover's Monad Manifesto. The manifesto describes the Monad platform, one part of which was the Monad Shell.  The Monad Shell is the brainchild that would eventually morph into PowerShell.

PowerShell version 2.0 is available on Windows 7 and Windows Server 2008 by default.  Depending on your patching, you may have version 2.0 if you are running Windows XP SP3, Windows Vista SP1, or Windows Server 2003 SP2. If you have a pre-Windows 7 host that does not have PowerShell, you can find the appropriate patches here.  PowerShell version 3.0 is available on Windows 8 and Windows Server 2012, and version 4.0 will be introduced with Windows 8.1 Beta and Windows Server 2012 R2.  To learn more about the additions to PowerShell in versions 3.0 and 4.0, click the links embedded in their version numbers.


PowerShell provides users two main environments, the Command Line Interface (CLI) and the Integrated Scripting Environment (ISE).

Windows PowerShell (CLI)

Windows PowerShell ISE
The CLI is your go-to interface for PowerShell.  You can treat it exactly the same as the Windows Command Shell (in fact, if you enter a native Windows command, PowerShell will automatically spawn a Command Shell and execute the command for you).  The CLI's utility begins to run out when you want to introduce logic or use more than one line, which is why Microsoft gives us the ISE.  The ISE is enabled by default on Windows 7, but on Server 2008 you must install the Windows PowerShell Integrated Scripting Environment (ISE) feature.  The ISE provides, as the name implies, an environment that is fairly useful for writing, testing, and debugging scripts.  As seen in the picture above, the ISE has three panes.  The pane on the right is the script pane, where users can author scripts using some niceties like tab completion.  The bottom-left pane is the console pane, which is used practically identically to the Windows PowerShell CLI.  The top-left pane is the output pane, which is where output is written by default (PowerShell supports many different output formats, such as text, CSV, HTML, and XML).

Cmdlet Naming Convention:
All PowerShell cmdlets follow a standard naming convention which is called the verb-noun convention.  Each cmdlet name will consist of a verb followed by a dash (-) and a singular noun.  Some example cmdlet names are Get-Process, Stop-Service, Set-Variable, and New-Object.  MSDN has a list of each approved verb and its meaning.

3 Cmdlets to Rule them All:
There are three cmdlets that will enable new users to use every other cmdlet available in Windows PowerShell.

The first cmdlet every PowerSheller should know is Get-Command.  This cmdlet returns a list of every cmdlet available in the current shell.  Get-Command can be used alone, or, if you are looking for a specific type of cmdlet, you can use the -Verb parameter to look specifically for cmdlets that perform a certain action, and the -Noun parameter to show all cmdlets pertaining to a specific type of object.

The second important cmdlet is Get-Help, which is the equivalent of Linux's man command.  This cmdlet returns the help file, which contains syntax, parameter descriptions, and usage examples.
Once you have found the cmdlet you want to use and have determined the proper syntax, it is important to understand what output you will receive.

As mentioned earlier, PowerShell is object oriented, so each cmdlet will return an object with a series of properties and methods.  The cmdlet Get-Member accepts an object as input and returns the properties and methods of that object.  The most common syntax for Get-Member is Get-Process | Get-Member, which pipes the output of Get-Process to Get-Member as its input object.
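Here is the three-cmdlet workflow from this section carried through end to end, as an added example rather than code from the original post. It starts from a vague need ("I want to look at services") and ends at a working command whose property names were taken from Get-Member output; it assumes PowerShell 2.0 or later on Windows.

```powershell
# Added example, not from the original post: Get-Command, Get-Help and
# Get-Member used together to discover, learn and then use a cmdlet.

# 1. Which cmdlets exist for the thing I care about?
Get-Command -Noun Service                 # Get-Service, Stop-Service, Restart-Service, ...
Get-Command -Verb Get -Noun *Event*       # every Get-* cmdlet whose noun mentions events

# 2. How do I call the one I picked?
Get-Help Get-Service -Examples            # usage examples only
Get-Help Get-Service -Parameter Name      # one parameter's description
Get-Help Get-Service -Full                # everything, including input and output types

# 3. What does it return, and what can I do with that?
Get-Service | Get-Member                  # ServiceController objects: properties and methods
Get-Service | Get-Member -MemberType Property   # properties only, for picking columns

# 4. Put the answers to work. Status, Name and DisplayName come straight
#    from the Get-Member listing above.
Get-Service |
    Where-Object { $_.Status -eq 'Running' } |
    Sort-Object -Property DisplayName |
    Select-Object -Property Name, DisplayName, Status
```

The Get-Member step is the one new users skip most often, and it is the one that stops guesswork: the property names it prints are exactly the names Where-Object, Sort-Object and Select-Object accept.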

PS Drives:
One final feature readers should be aware of is how PowerShell deals with structured system data.  PowerShell has a feature known as PSDrives, through which it treats structured system data (e.g. the Windows Registry) as if it were the file system.  Additionally, PSDrives do not require single-letter names, so you can name your data drive "Data" instead of "D:\".

To enumerate all PSDrives on the system, use the cmdlet Get-PSDrive.  Below is some example output of the Get-PSDrive cmdlet.  As you can see, there are many PSDrives available in the current PowerShell session, such as the Local Machine and Current User registry hives, as well as shell variables and aliases.  PowerShell treats all data as items, and the PSDrive concept allows administrators to learn one method that will work for files, the registry, environment variables, etc.
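The "one method for everything" point is easiest to see by running the same item cmdlets against several drives in turn. The block below is an added example, not code from the original post; it assumes PowerShell 2.0 or later on Windows, and the custom drive name HKU is chosen here to show that a PSDrive name need not be a single letter.

```powershell
# Added example, not from the original post: the same item cmdlets work
# against the file system, the registry, environment variables and shell
# state, because each is exposed through a PSDrive.

Get-PSDrive                                # every drive in this session and its provider

# File system: nothing new here.
Get-ChildItem -Path C:\Windows\System32\drivers\etc

# Registry: HKLM: and HKCU: expose keys as containers and values as item
# properties. Get-ChildItem lists subkeys; Get-ItemProperty reads the values.
# Listing the machine-wide Run key is a routine autostart triage check.
Get-ChildItem   -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion
Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

# HKEY_USERS has no drive by default; map one with a multi-letter name.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
Get-ChildItem -Path HKU:\                  # one key per loaded user profile SID

# Environment variables, shell variables and aliases are drives too.
Get-ChildItem -Path Env:
Get-Item      -Path Env:\PATH
Get-ChildItem -Path Variable:
Get-ChildItem -Path Alias:

# Set-Location works in any drive, just like cd in a directory.
Set-Location HKCU:\Software
Get-ChildItem
Set-Location C:\
```

Because every provider answers to the same verbs (Get-ChildItem, Get-Item, Get-ItemProperty, Set-Location), a triage script written against the file system needs only a different -Path to walk a registry hive or the environment block.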

Further Reading:
For those interested in learning a little more in depth about PowerShell basics, there is an excellent book written by Don Jones called Learn Windows PowerShell 3 in a Month of Lunches. Don Jones is one of the most respected minds in regard to PowerShell, if not the most respected, and he does an excellent job introducing this application to readers through a series of one-hour lessons, or lunches (I read it over a weekend because I was in a hurry to learn as much as possible).

- Invoke-IR - By Jared Atkinson -