PowerShell Cheatsheet for Incident Response

During September we competed in PoSh-Hunter, a jeopardy-style CTF that tests your PowerShell skills in triage (and host enumeration). The flags were mostly the output of a command relating to one of the following 8 challenge categories:

  • Encryption\Cipher
  • Filesystem
  • Registry
  • Logs\Tasks
  • Enterprise Services
  • DNS
  • Data Manipulation
  • Q\A

Rules of engagement

  • Download the PoSh Hunter VM and log in using the credentials provided
  • Use the PoSh Hunter VM to answer the challenges (minus the Q/A general PowerShell knowledge questions)
  • The point value for questions varies based on difficulty

Disclaimer

We don’t want to spoil the CTF since it is still active, so we decided to make a (non-exhaustive) list of commands that were used during the game, and will definitely be useful in your infosec career. Blue teams take notice!

Enough chit-chat. Let’s jump straight to the cheatsheet!

PowerShell commands cheatsheet

One cool feature of PowerShell is that its commands are case-insensitive: it doesn’t matter whether you type Get-ChildItem, get-childitem or even get-childiTem.

Be sure to swap out any user_input_name with your actual input.

Each entry gives the action first, followed by the PowerShell command on the next line.

  • Find PowerShell version
    $PSVersionTable
  • Get PowerShell profile paths (the current one, or all four with Select-Object)
    $PROFILE | Select-Object *
  • Get hostname
    $env:COMPUTERNAME
  • Find BIOS info
    Get-WmiObject -Class Win32_BIOS
  • Check if a file exists
    Test-Path file1
  • Print the first column of a comma-separated file
    Get-Content file | ForEach-Object { $_.Split(',')[0] }
  • Find the 3356th and 6002nd word of a file (arrays are zero-based, hence the indices)
    ((Get-Content file -Raw).Trim() -split '\s+')[3355, 6001]
  • Display hidden files inside a directory
    Get-ChildItem -Force
  • List files with Alternate Data Streams on the C:\ drive [only for NTFS partitions]
    Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue | Get-Item -Stream * | Where-Object Stream -ne ':$DATA'
  • Check the contents of an ADS
    Get-Content -Path path\file_name -Stream stream_name
  • Search files based on their MD5 hash
    Get-ChildItem -Recurse -File | Get-FileHash -Algorithm MD5 | Where-Object Hash -eq MD5_hash_value
  • List running services
    Get-Service | Where-Object { $_.Status -eq 'Running' }
  • List scheduled tasks
    Get-ScheduledTask
  • More info on a specific task
    Get-ScheduledTaskInfo -TaskName task_name
  • List mounted drives
    Get-PSDrive
  • List connections along with their PID and ports (-b needs an elevated prompt)
    netstat -nabo
  • Find the file path of a process
    Get-Process process_name -FileVersionInfo
  • Find total number of Active Directory users
    Get-ADUser -Filter * | Measure-Object
  • Find disabled Active Directory accounts
    dsquery user -disabled
  • Find number of GPOs
    (Get-GPO -All).Count
  • Find certificates by issuer
    Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Issuer -like '*issuer_name*' } | Select-Object Subject, Issuer
  • Find anything that starts with ‘reserve’
    Get-Content file | Select-String -Pattern '^reserve'
  • Find the total number of expired certs
    Get-ChildItem Cert:\ -Recurse | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and $_.NotAfter -lt (Get-Date) } | Measure-Object
  • Find DNS sinkhole (list the forward lookup zones)
    (Get-DnsServerZone | Where-Object { $_.IsReverseLookupZone -eq $false }).ZoneName
  • Count SAM account names that end with s
    Get-ADUser -Filter 'SamAccountName -like "*s"' | Measure-Object
  • Find registered owner/organisation info
    Get-ItemProperty 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion' | Select-Object RegisteredOwner, RegisteredOrganization
  • Find startup execution (Run keys, machine and current user)
    Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Find installed programs
    Get-ItemProperty Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher
  • Compare the content of 2 files
    Compare-Object -ReferenceObject (Get-Content file1) -DifferenceObject (Get-Content file2)
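As an added example (not part of the original post or the PoSh-Hunter materials), the scheduled-task and Run-key entries above can be combined into a single persistence triage pass that hashes every launched executable, so the output can be compared against a known-good baseline. Get-AutostartReport and Get-CommandHash are names chosen here, and the script assumes Windows PowerShell 5.1 or later on Windows with the ScheduledTasks module available:

```powershell
function Get-CommandHash {
    # Pull the executable out of a command line (quoted path or first token),
    # expand %VARS% and hash it. Returns $null when the file is not on disk.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $exe = if ($CommandLine -match '^"([^"]+)"') { $Matches[1] } else { ($CommandLine -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        return (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    }
    return $null
}

function Get-AutostartReport {
    # Hypothetical helper (not from the post): Run/RunOnce keys plus scheduled-task actions in one list
    $noise   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $results = [System.Collections.Generic.List[object]]::new()
    $runKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
        "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $noise) { continue }   # provider metadata, not autostart values
            $results.Add([pscustomobject]@{
                Source = $key; Name = $p.Name; Command = $p.Value; Hash = Get-CommandHash $p.Value
            })
        }
    }
    # One row per exec action; COM-handler actions carry no Execute and are skipped
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $results.Add([pscustomobject]@{
                Source  = "Task:$($task.TaskPath)$($task.TaskName)"
                Name    = $task.Principal.UserId
                Command = "$($action.Execute) $($action.Arguments)".Trim()
                Hash    = Get-CommandHash $action.Execute
            })
        }
    }
    return $results
}

$report = Get-AutostartReport
$report | Sort-Object Source | Format-Table -AutoSize
# Entries whose executable could not be hashed (missing file, unusual path) deserve a closer look
$report | Where-Object { -not $_.Hash } | Format-Table Source, Command -AutoSize
```

Run it from an elevated prompt so that HKLM values and tasks belonging to other principals are readable.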

For the sake of completeness, here is a small list of the most common bash commands with their PowerShell equivalents (aliases first, then the cmdlet).

Bash     PowerShell
cd       cd or Set-Location
ls       ls or Get-ChildItem
pwd      pwd or Get-Location
cat      cat or Get-Content
man      man or Get-Help
grep     Select-String
cp       cp or Copy-Item
rm       rm or Remove-Item
wget     Invoke-WebRequest
ping     Test-Connection
wc       Measure-Object

Verdict:

Emerging victors

When first visiting the PoSh-Hunter site you are greeted by the following message:
Are Your PowerShell Skills Strong Enough to Survive?
Well, PoSh-Hunter team, we salute you!

Ranking

We completed ALL challenges and made it to the top. Although we weren’t the first team to submit all flags (we started later than other teams), we ranked 6th out of the 152 teams that competed. Only the first 9 teams managed to get all flags and beat the game.

Takeaways

Overall it’s a great CTF to hone your PowerShell skills, whether you are a seasoned Incident Responder or have just started your infosec journey. Of course you don’t have to be a scripting master or know all commands by heart. Most of the commands’ names are self-explanatory and human readable (but sometimes too long).
If you don’t have enough experience with the command line, you might find it challenging to combine pipes to filter your results. Don’t worry, Google (or DuckDuckGo if you wear a tinfoil hat) is your friend.
If you have trouble with Active Directory, you can use the built-in management tools that come with a GUI. The big picture of playing such CTFs is to become better at finding evil inside a system. How you decide to use your tool arsenal is your choice.


november "Remember if you can't find a way, make your own!"