#BSidesCLEVO PowerShell Copyright (C) 2014 ClevelandBSides. PowerShell: Drink the Kool-Aid
AGENDA
  SA Vs SA
  Why PowerShell
  PowerShell Overview
  Why you should care
  Brief description
  System Administration
  Incident Response
  Compliance
  Module
PS C:\>Get-Content -ne Presentation
  Not intended to make you a programmer
  Not a deep-dive
  Will not make you an expert
  We are not affiliated with any sweet rich vendors
PS C:\>Get-Content HardbitSolutions
  Wayne Pruitt (85% Mountain Dew, 15% Brain)
    The Lead Geek of the Hardbit Solutions team
    MCAD, MCSD, MCDBA, C|EH, E|CSA, C|HFI, E|CSP, E|DRP, E|CIH and E|CEI.
    Over the past 12 years he has held many jobs supporting a variety of roles within the Federal Government ranks, ranging from system administrator, security administrator and developer to several IT manager roles.
  Zack Wojton (87% Beer, 2% Crown Royal, 11% Hair)
    CTO of the Hardbit Solutions team
    Master of Science in Information Technology | Security; MCSA, ICND, G2700, C|EH, E|CSA and C|HFI certifications
    A night owl who believes in life-long learning. Has over a decade of IT security under his belt, has held more IT-related jobs than there are certifications for, and believes security is where it all comes together. Masters is so almost over.
PS C:\>SA-Vs-SA
  Sure we have things wrong with our industry (but that is why it rocks!)
  Secure Administrator
  Mentoring
  Crossing the streams
PS C:\>Why-PowerShell
  Scripting powers for all
  Make reusable tools
PS C:\>Get-Caring
  PowerShell is native
  PowerShell can save you time
  PowerShell can save you $
  PowerShell can do remote administration
  PowerShell can be controlled through policy
  Can be immediately effective
PS C:\>Get-Started
  No book necessary (there are some sweet ones)
  Verb-Noun
  Get-Help / man
  Get-Command
  Get-Help about_*
PS C:\> Get-Process

Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
                                           AcroRd
                                           AcroRd32
_________________________________

PS C:\> Get-Process | Sort-Object -Property VM -Descending

Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
                                           OUTLOOK
                                           powershell
_________________________________

PS C:\> Get-Process | Sort-Object -Property VM -Descending | Select-Object -First 10 -Property Company, Name, Id, Path | fl

Company : Microsoft Corporation
Name    : OUTLOOK
Id      : 8920
Path    : C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

DEMO
PS C:\>PowerShell Administrators
  Get-Hotfix
  Account Info / Management
  System Inventory / Management
  Log Review (Failed Logons)
PS C:\>PowerShell IR / Analysis
  Gather restore points
  Gather file information
  Gather NIC modes
  Gather file MRU list
PS C:\>PowerShell Compliance
  Is machine part of a domain?
  Gather server roles
  Gather local groups
  Gather members of local Admin group
  Answer "are security updates installed on a regular basis?"
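One way to answer the compliance questions on this slide and the failed-logon review from the Administrators slide in a single function. This is an added example written for these notes, not code from the Hardbit Solutions module; the function name Get-ComplianceSnapshot and its -Days parameter are my own choices, and it assumes Windows PowerShell 5.1+ in an elevated session.

```powershell
# Added example (not the Hardbit Solutions module): collect the evidence the
# Compliance and Administrators slides ask for into one object. Assumes Windows
# PowerShell 5.1+ and an elevated session (reading the Security log needs it).
function Get-ComplianceSnapshot {
    [CmdletBinding()]
    param(
        # Days back to look for security hotfixes and failed logons
        [int]$Days = 30
    )
    $since = (Get-Date).AddDays(-$Days)
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem

    # "Is machine part of a domain?" plus the domain or workgroup name
    $domain = [pscustomobject]@{
        PartOfDomain = $cs.PartOfDomain
        Name         = $cs.Domain
    }

    # Members of the local Administrators group and where they come from
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, PrincipalSource

    # "Are security updates installed on a regular basis?": any hotfix of
    # type Security Update installed inside the window, newest first
    $updates = Get-HotFix |
        Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn -ge $since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, InstalledOn

    # Failed logons (Security event 4625) in the window, counted per target
    # account (Properties[5] of 4625 is TargetUserName); SilentlyContinue
    # avoids a red error when no matching events exist
    $failed = Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = $since
        } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Properties[5].Value } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object Name, Count

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Domain              = $domain
        LocalAdministrators = $admins
        SecurityUpdates     = $updates
        UpdatedRegularly    = (@($updates).Count -gt 0)
        FailedLogonsByUser  = $failed
    }
}
Get-ComplianceSnapshot -Days 30 | Format-List
```

Pipe the result to Export-Clixml or ConvertTo-Json to keep a dated snapshot per host for audit evidence.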
PS C:\>PowerShell Module Sweetness
  Get-MachineInfo
  Get-Uptime
  Get-RebootTime
  Get-PageFile
  Get-PendingReboot
  Get-InstalledSoftware
  Get-USBDevice
PS C:\>Get-Questions
  Any questions?
CHEERS!
Resources:
  Hardbit Solutions:
  PowerShellCommunity.Org:
  Many excellent books:
    Manning Press book by PowerShell Dev Lead Bruce Payette: PowerShell in Action
    O'Reilly book by PowerShell Dev Lee Holmes: Windows PowerShell Cookbook