1. #BSidesCMH PowerShell Copyright (C) 2014 ColumbusBSides. PowerShell: Drink the Kool-Aid

2. #BSidesCMH PowerShell Copyright (C) 2014 ColumbusBSides. AGENDA Why PowerShell PowerShell Overview Why you should care Brief description Let’s get started / warm-up System Administration Incident Response Compliance

3. PS C:\>Get-Content –ne Presentation Not intended to make you a programmer Not a deep-dive Will Not make you an expert We are not affiliated with any sweet rich vendors

4. #BSidesCMH PowerShell Copyright (C) 2014 ColumbusBSides. PS C:\>Get-Content HardbitSolutions Wayne Pruitt 85%Mountaindew,15%Brain The Lead Geek of the Hardbit Solutions team MCAD, MCSD, MCDBA, C|EH, E|CSA, C|HFI, and E|CIH. Over the past 12 years he has held many jobs supporting a variety of roles within the Federal Government ranks; ranging from system administrator, security administrator, developer and several IT manager roles. Zack Wojton 87%Beer,2%CrownRoyal,11%Hair CTO of the Hardbit Solutions team Bachelors of Science in Information Technology (BSIT), MCSA, ICND, G2700, C|EH, E|CSA, and C|HFI certifications A night owl, that believes in life-long learning. Has over a decade of IT security under his belt, held more IT related jobs than they have certifications for, and believes security is where it all comes together.

5. PS C:\>Why-PowerShell Scripting powers for all Mentoring Crossing the streams Highly available

6. PS C:\>Get-Caring PowerShell is native PowerShell can save you time PowerShell can save you $ PowerShell can do remote administration PowerShell can be controlled through policy Can be immediately effective

8. PS C:\>Get-Started No book necessary (there are some sweet ones) Verb-Noun Get-Help / Man Get-Command Get-Help About_*

9. PS C:\>Help about_Windows_PowerShell Command-Line Shell Built on.NET framework CLR WMI cmdlets? We don’t need no stinking cmdlets! Modules - New tools for managing / configuring Windows Command aliases for *nix folks!

10. PS C:\> Get-Process Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName ------- ------ ----- ----- ----- ------ -- ----------- 213 16 6644 15060 95 30.15 5140 AcroRd32 386 47 236592 257684 398 293.63 5476 AcroRd32 _________________________________ PS C:\> Get-Process | sort-object –property VM -descending Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName ------- ------ ----- ----- ----- ------ -- ----------- 3587 151 101740 156400 617 21.06 8920 OUTLOOK 583 23 85832 90608 577 4.88 8736 powershell _________________________________ PS C:\> Get-Process | sort-object –property VM –descending | select- object –first 10 –property company, Name, ID, Path | fl Company : Microsoft Corporation Name : OUTLOOK Id : 8920 Path : C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE DEMO

11. PS C:\>PowerShell Administrators Get-Hotfix Account Info / Management System Inventory / Management Log Review (Failed Logons)

12. PS C:\>PowerShell IR / Analysis Gather restore points Gather File Information Gather NIC Modes Gather File MRU List

13. PS C:\>PowerShell Compliance Is machine part of a domain? Gather Server Roles Gather Local Groups Gather Members of Local Admin Group Answer “are security updates installed on a regular basis?”

14. PS C:\>Get-Hardbit PCAT2 Demo

15. CHEERS!

16. PS C:\>Get-Questions Any Questions? Steve is gay

17. Resources: Hardbit Solutions: http:/www.HardbitSolutions.com PowerShellCommunity.Org: http://www.PowershellCommunity.Org Many excellent books: Manning Press book by PowerShell Dev Lead Bruce Payette: PowerShell in Action O’Reilly book by PowerShell Dev Lee Holmes – Windows PowerShell Cookbook