#BSidesCMH PowerShell Copyright (C) 2014 ColumbusBSides. PowerShell: Drink the Kool-Aid

#BSidesCMH PowerShell Copyright (C) 2014 ColumbusBSides. AGENDA Why PowerShell PowerShell Overview Why you should care Brief description Let’s get started / warm-up System Administration Incident Response Compliance

PS C:\>Get-Content –ne Presentation Not intended to make you a programmer Not a deep-dive Will Not make you an expert We are not affiliated with any sweet rich vendors

#BSidesCMH PowerShell Copyright (C) 2014 ColumbusBSides. PS C:\>Get-Content HardbitSolutions Wayne Pruitt 85%Mountaindew,15%Brain The Lead Geek of the Hardbit Solutions team MCAD, MCSD, MCDBA, C|EH, E|CSA, C|HFI, and E|CIH. Over the past 12 years he has held many jobs supporting a variety of roles within the Federal Government ranks; ranging from system administrator, security administrator, developer and several IT manager roles. Zack Wojton 87%Beer,2%CrownRoyal,11%Hair CTO of the Hardbit Solutions team Bachelors of Science in Information Technology (BSIT), MCSA, ICND, G2700, C|EH, E|CSA, and C|HFI certifications A night owl, that believes in life-long learning. Has over a decade of IT security under his belt, held more IT related jobs than they have certifications for, and believes security is where it all comes together.

PS C:\>Why-PowerShell Scripting powers for all Mentoring Crossing the streams Highly available

PS C:\>Get-Caring PowerShell is native PowerShell can save you time PowerShell can save you $ PowerShell can do remote administration PowerShell can be controlled through policy Can be immediately effective

PS C:\>Get-Started No book necessary (there are some sweet ones) Verb-Noun Get-Help / Man Get-Command Get-Help About_*

PS C:\>Help about_Windows_PowerShell Command-Line Shell Built on.NET framework CLR WMI cmdlets? We don’t need no stinking cmdlets! Modules - New tools for managing / configuring Windows Command aliases for *nix folks!

PS C:\> Get-Process Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName AcroRd AcroRd32 _________________________________ PS C:\> Get-Process | sort-object –property VM -descending Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName OUTLOOK powershell _________________________________ PS C:\> Get-Process | sort-object –property VM –descending | select- object –first 10 –property company, Name, ID, Path | fl Company : Microsoft Corporation Name : OUTLOOK Id : 8920 Path : C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE DEMO

PS C:\>PowerShell Administrators Get-Hotfix Account Info / Management System Inventory / Management Log Review (Failed Logons)

PS C:\>PowerShell IR / Analysis Gather restore points Gather File Information Gather NIC Modes Gather File MRU List

PS C:\>PowerShell Compliance Is machine part of a domain? Gather Server Roles Gather Local Groups Gather Members of Local Admin Group Answer “are security updates installed on a regular basis?”

PS C:\>Get-Hardbit PCAT2 Demo

CHEERS!

PS C:\>Get-Questions Any Questions? Steve is gay

Resources: Hardbit Solutions: PowerShellCommunity.Org: Many excellent books: Manning Press book by PowerShell Dev Lead Bruce Payette: PowerShell in Action O’Reilly book by PowerShell Dev Lee Holmes – Windows PowerShell Cookbook