{"id":8526,"date":"2017-08-01T08:10:01","date_gmt":"2017-08-01T16:10:01","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/01\/news-2300\/"},"modified":"2017-08-01T08:10:01","modified_gmt":"2017-08-01T16:10:01","slug":"news-2300","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/08\/01\/news-2300\/","title":{"rendered":"Learning PowerShell: some basic commands"},"content":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Tue, 01 Aug 2017 15:00:12 +0000<\/strong><\/p>\n<h3>My first PowerShell script<\/h3>\n<p>The first PowerShell script I wrote (see below) was a quick fix to remove certificates from the \u201cUntrusted\u201d registry key after a <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2015\/11\/vonteera-adware-uses-certificates-to-disable-anti-malware\/\" target=\"_blank\" rel=\"noopener\">Vonteera<\/a> infection. After some initial commands, this script basically loops back for every certificate that doesn\u2019t belong under a certain key.<br \/> <code><br \/> $path = \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates\\C1437F2BC6F11...\"<br \/> $acl = Get-Acl $path<br \/> $rule = New-Object System.Security.AccessControl.RegistryAccessRule (\"Everyone\",\"FullControl\",\"Allow\")<br \/> $acl.SetAccessRule($rule)<br \/> $acl | Set-Acl -Path $path<br \/> Remove-Item -Path $path<br \/> <\/code><br \/> What it does is:<\/p>\n<ul>\n<li>Define the path to the key<\/li>\n<li>Set the permissions for that key<\/li>\n<li>Remove the key<\/li>\n<\/ul>\n<h3>Current challenge<\/h3>\n<p>The problem I have been faced with is finding the hexadecimal values that were the registry keys of the certificates. I have had to take registry snapshots before and after the infection to find out which ones were added. Getting an overview of the certificates that are present before the infection is not that difficult. 
Deciding what information to keep and how to store it is less trivial.<\/p>\n<p>I ended up with this command, which I will explain in detail as this is a learning experience:<br \/> <code><br \/> Get-ChildItem -Path cert:\\currentuser\\disallowed -Recurse | select Thumbprint, FriendlyName, Subject | ConvertTo-Html | Set-Content c:\\users\\public\\desktop\\certificates.html<br \/> <\/code><br \/> The <em>cert:<\/em> drive is provided by the Windows PowerShell Certificate Provider, and using the <em>Get-ChildItem<\/em> cmdlet lets you get certificate store locations, certificate stores, and certificates from it.<\/p>\n<p>They have chosen the \u201cdisallowed\u201d path as that is where some malware samples have been known to block the download and operation of certain security programs. But of course, you can change that to any of the other possibilities you might be interested in.<\/p>\n<p>The \u201cRecurse\u201d parameter allows me to search subdirectories of the \u201cpath\u201d.<\/p>\n<p>I want to see these properties of each certificate:<\/p>\n<ul>\n<li><em>Thumbprint<\/em>, because that is the name of the registry key<\/li>\n<li><em>FriendlyName<\/em>, because that shows the reason for the certificate not to be trusted (which is sometimes helpful)<\/li>\n<li><em>Subject<\/em>, because that is the one that holds the human-readable information we can see in the certmgr<\/li>\n<\/ul>\n<p>The last two bits of the command are necessary to prepare the output for export and to define the export location. I chose the public desktop so everybody can copy the command without having to change it to fit their own circumstances. And I have decided on HTML because that gives me a nice table.<\/p>\n<p>So, taking a snapshot is one thing. Now, we have to compare the sets of certificates before and after infection. 
Luckily, there is an obvious choice, which is the <em>compare-object<\/em> cmdlet.<\/p>\n<div id=\"attachment_19065\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/differences.png\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-19065 size-large\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/differences-600x236.png\" alt=\"differences\" width=\"600\" height=\"236\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/differences-600x236.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/differences-300x118.png 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">click to enlarge<\/p>\n<\/div>\n<p>To compare the new set of certificates with an older snapshot, I have changed the previous command a little bit, for practical reasons. Below is the command to export it to a text file:<br \/> <code><br \/> Get-ChildItem -Path cert:\\currentuser\\disallowed -Recurse | select Thumbprint, FriendlyName, Subject | Set-Content c:\\users\\public\\desktop\\certificates.txt<br \/> <\/code><br \/> I have made the change to avoid getting tables within tables when I do this comparison on text files. To have something to compare with, in this case, I have used the <a href=\"https:\/\/www.virustotal.com\/nl\/file\/88a8edb1c303cc24203939ecced33f899ed162c6d2498f56a8ef57bba98ed0c1\/analysis\/\" target=\"_blank\" rel=\"noopener\">certificate dropper section of a malware file we detect as Trojan.Wdfload<\/a>. 
<a href=\"https:\/\/forums.malwarebytes.com\/topic\/202565-removal-instructions-for-wdfload\/\" target=\"_blank\" rel=\"noopener\">Wdfload<\/a>\u00a0is an infection that combines a bitcoin miner with a module that disables the download and use of antimalware software by altering the hosts file and dropping certificates in the Untrusted category.\u00a0After running the command above, before and after the infection, I also renamed the corresponding files to add before and after to the filenames. And used this command to get yet another easy-to-read output file.<br \/> <code><br \/> compare-object (get-content c:\\users\\public\\desktop\\certificatesbefore.txt) (get-content c:\\users\\public\\desktop\\certificatesafter.txt) | ConvertTo-Html | Set-Content c:\\users\\public\\desktop\\comparison.html<br \/> <\/code><\/p>\n<p>Let&#8217;s look at the above image again. The SideIndicator column is added by the <em>compare-object<\/em> cmdlet. It shows on which side of the comparison the line was an extra compared to the other. In this case the arrows indicate whether a certificate was added ( =&gt; ) or whether it was removed ( &lt;= ).<\/p>\n<p>The certs dropper I used does not add any FriendlyName items, which is why that column shows up empty in the screenshot above.<\/p>\n<p>So far we have concentrated on creating some useful PowerShell commands. 
Next time I will attempt to write a Powershell script that uses my output (or a smaller version of it) to remove the certificates that were added by the certsdropper without me having to hardcode all the registry key names manually.<\/p>\n<p>Earlier in this series:<\/p>\n<ul>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/101\/how-tos\/2017\/07\/learning-powershell-the-basics\/\" target=\"_blank\" rel=\"noopener\">Learning PowerShell: The basics<\/a><\/li>\n<\/ul>\n<p>Your comments and constructive criticism are welcome.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/08\/learning-powershell-some-basic-commands\/\">Learning PowerShell: some basic commands<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/08\/learning-powershell-some-basic-commands\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Tue, 01 Aug 2017 15:00:12 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/101\/2017\/08\/learning-powershell-some-basic-commands\/' title='Learning PowerShell: some basic commands'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/Powershellhero.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>We are going to construct some basic Powershell commands and explain how they work just to show you how useful Powershell can be. 
For good and for bad.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/101\/\" rel=\"category tag\">101<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/101\/how-tos\/\" rel=\"category tag\">How-tos<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/certificates\/\" rel=\"tag\">certificates<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/commands\/\" rel=\"tag\">commands<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/pieter-arntz\/\" rel=\"tag\">Pieter Arntz<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/powershell\/\" rel=\"tag\">powershell<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/trojan\/\" rel=\"tag\">trojan<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/vonteera\/\" rel=\"tag\">Vonteera<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/101\/2017\/08\/learning-powershell-some-basic-commands\/' title='Learning PowerShell: some basic commands'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/08\/learning-powershell-some-basic-commands\/\">Learning PowerShell: some basic commands<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10519,13240,13241,11171,10523,11191,10833,10805],"class_list":["post-8526","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-10519","tag-certificates","tag-commands","tag-how-tos","tag-pieter-arntz","tag-powershell","tag-trojan","tag-vonteera"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8526","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8526"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8526\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8526"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8526"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}