PoSh Cheatsheet
PowerShell Cheatsheet for Incident Response
During September we competed in PoSh-Hunter, a jeopardy style CTF to test our PowerShell skills in triage (and host enumeration). The flags were mostly the output of a command relating to one of the following 8 challenges:
- Encryption\Cipher
- Filesystem
- Registry
- Logs\ Tasks
- Enterprise Services
- DNS
- Data Manipulation
- Q\A
Rules of engagement
- Download the PoSh Hunter VM and log in using the credentials provided
- Use the PoSh Hunter VM to answer the challenges (minus the Q/A general PowerShell knowledge questions)
- The point value for questions varies based on difficulty
Disclaimer
We don’t want to spoil the CTF since it is still active, so we decided to make a (non-exhaustive) list of commands that were used during the game, and will definitely be useful in your infosec career. Blue teams take notice!
Enough chit-chat. Let’s jump straight to the cheatsheet!
PowerShell commands cheetsheet
One cool feature of PowerShell is that its commands are case insensitive. It doesn’t matter if you type Get-ChildItem
or get-childitem
or even get-childiTem
Be sure to swap out any user_input_name
with your actual input.
Action | PowerShell |
---|---|
Find PowerShell version | $psversiontable |
Get ps profile list | $PROFILE |
Get hostname | $env:computername |
Find Bios info | Get-WmiObject -Class Win32_BIOS |
Check if a file exists | Test-Path file1 |
Print the first column of a file | Get-Content file | %{ $_.Split(‘,’)[1 ]; } |
Find 3356th and 6002nd word of a file | (Get-Content file ).split()[3356,6002] |
Display hidden files inside a directory | Get-ChildItem -force |
List files with Alternate Data Streams on C:\ drive. [only for NTFS partitions] | Get-Item -path C:\ -Stream * |
Check the contents of ADS | Get-Content -path path/file_name -Stream stream_name |
Search files based on their MD5 hash | Get-ChildItem | Get-FileHash -a md5 | Where-Object hash -eq MD5_hash_value |
List running services | Get-Service | Where-Object {$_.Status -eq “Running”} |
List scheduled tasks | Get-ScheduledTask |
More info on specific task | Get-ScheduledTaskInfo task_name |
List mounted drives | Get-PSDrive |
List connections along with their PID, and ports | netstat -nabo |
Find file path of a process | Get-Process proccess_name -FileVersionInfo |
Find total Active Directory users | Get-ADUser -filter * | MeasureObject |
Find disabled Active Directory accounts | dsquery user -disabled |
Find number of GPOs | (Get-GPO -All).count |
Find certificate issuer | Get-ChildItem -path cert: -Recurse | Select-String “issuer_name” | Select-String “Issuer” |
Find anything that starts with ‘reserve’ | Select-String -Pattern ‘^reserve’ |
Find the total number of expired certs | Get-ChildItem cert:\ -Recurse | Where-Object {$_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and $_.NotAfter -lt (Get-Date)} | Measure-Object |
Find DNS sinkhole | Get-DnsServerZone | Where-Object { $_.IsReverseLookupZone -eq $false }).ZoneName |
Count SAM account names that end with s | Get-ADUSer -Filter ‘SamAccountName -like “*s”’ |
Find registered (user) info | Get-ItemProperty Registry::HKEY_LOCAL_MACHINE |
Find startup execution from shell | Get-ItemProperty Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall |
Find installed programs | Get-ItemProperty Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall |
Compare the content of 2 files | Compare-Object -ReferenceObject (Get-Content file1 ) -DifferenceObject(Get-Content file2 ) |
For the sake of completeness, here is a small list of the most common bash commands with their PowerShell equivalents.
Bash | PowerShell |
---|---|
cd | cd or Set-Location |
ls | ls or Get-ChildItem |
pwd | pwd or Get-Location |
cat | cat or Get-Content |
man | man or Get-Help |
grep | Select-String |
cp | cp |
rm | Remove-Item |
wget | Invoke-WebRequest |
ping | Test-Connection |
wc | Measure-Object |
Verdict:
Emerging victors
When first visiting the PoSh-Hunter site you are greeted by the following message:Are Your PowerShell Skills Strong Enough to Survive?
Well PoSh-Hunter Team we salute you!
We completed ALL challenges and made it to the top. Although we weren’t the first team to submit all flags (we started later that other teams) , we ranked 6th out of 152 teams that competed. Only the first 9 teams managed to get all flags and beat the game.
Takeaways
Overall it’s a great CTF to hone your skills in PowerShell whether you are a seasoned Incident Responder, or just started your infosec
journey. Of course you don’t have to be a scripting master or know all commands by heart. Most of the commands’ names are self-explanatory and human readable (but sometimes too long).
If you don’t have enough experience with the command line, you might find challenging combining pipes to filter your results. Don’t worry, Google (or DuckDuckGo if you are use a tinfoil) is your friend.
If you have trouble with Active Directory, you can use the built-in management tools that come with GUI. The big picture of playing such CTFs is to become better at finding evil inside a system. How you decide to use your tool arsenal, is your choice.
november
"Remember if you can't find a way, make your own!"