{"id":8306,"date":"2017-07-11T08:10:08","date_gmt":"2017-07-11T16:10:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/11\/news-2080\/"},"modified":"2017-07-11T08:10:08","modified_gmt":"2017-07-11T16:10:08","slug":"news-2080","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/07\/11\/news-2080\/","title":{"rendered":"Learning PowerShell: The basics"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Tue, 11 Jul 2017 15:00:15 +0000<\/strong><\/p>\n

I bet I went about learning PowerShell the wrong way, so I may need your help, readers of this blog. If only to organize my knowledge and use it for the fight against malware and not just to figure out how it was used in malware.<\/p>\n

The first serious look I had at PowerShell<\/a> was when I was trying to figure out what some piece of malware was doing. But the most important lessons I learned back then was that PowerShell is very versatile and that its execution policy is hardly stopping anyone from performing malicious acts on an infected computer.<\/p>\n

Both of these properties make it a powerful weapon in the hands of hackers, pen testers, and malware authors. Given the current tendency to use legitimate tools and programs in an attack, I want to learn more about it and see how we can use it to our advantage. Sort of as white hat hackers would.<\/p>\n

Bypassing the execution policy<\/h3>\n

The PowerShell execution policy is what controls how much PowerShell can do on the system at hand. The possible settings can be found in this Technet article about Using the Set-ExecutionPolicy Cmdlet<\/a>, where \u201cRestricted\u201d is the default setting.<\/p>\n

\"Restricted?\"<\/p>\n

But one of the first things I noticed was how trivial it is to bypass this restriction. The easiest way to run your PowerShell program is to \u201cpipe\u201d it and add a -executionpolicy bypass<\/strong> switch. This will ensure the command will run without taking the current execution policy into consideration. If the script is too complex to pipe, you can encode the entire script (base64) and use the switch –EncodedCommand<\/strong>. For malware authors, this has the added benefit that it will take the average user a lot longer to figure out what was done.<\/p>\n

Basics<\/strong><\/h3>\n

Cmdlets<\/h4>\n

But let\u2019s start with the basics first. PowerShell uses so-called cmdlets<\/em>. These cmdlets<\/em> typically perform a task and return a .NET object that can be piped to the next command. They are NOT standalone executables like some of the commands that we used in the command prompt, but rather .NET framework classes.<\/p>\n

Naming convention<\/h4>\n

Windows PowerShell uses a verb-noun pair for the names of cmdlets<\/em> and their derived classes. This makes it easy to understand what to expect. For example, if we look at the cmdlet<\/em>\u00a0ConvertTo-Xml <\/strong>it\u00a0<\/strong>should be clear enough to figure out what will happen when you use it. And for cmdlets<\/em> that aren\u2019t so clear, or when\u00a0you\u2019d like to know more about the cmdlet<\/em> or its syntax you can use the Get-Help <\/strong>cmdlet.<\/p>\n

\"Get-Help\"<\/p>\n

Aliases<\/h4>\n

Another important thing to know about in this context, however, especially when reverse engineering a script, are aliases. A lot of cmdlets<\/em> have an alias that triggers the cmdlet<\/em>, but that doesn\u2019t use the naming convention for them. For example, the alias del<\/strong> is in use for the cmdlet<\/em> Remove-Item<\/strong>. An overview of the basic cmdlets<\/em>, aliases, and functions can be obtained by running Get-Command <\/strong>which will show you an extensive list.<\/p>\n

\"Get-Command\"<\/p>\n

This was a quick summary of the working knowledge I have together with some de-obfuscation techniques and a lot of \u201clooking stuff up\u201d, it has been enough to serve my purpose of being able to figure out what others were doing. But I feel it\u2019s time to learn some more, and since I learn best using the hands-on method, in the next post we will be doing some basic programming.<\/p>\n

See you then!<\/p>\n

The post Learning PowerShell: The basics<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Pieter Arntz| Date: Tue, 11 Jul 2017 15:00:15 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Get acquainted with some of the basic principles of Powershell and get prepared for some basic usage of this versatile tool that is available on all modern Windows systems.<\/p>\n

Categories: <\/p>\n