Tips and links.

This list will be regularly updated.

Threat hunting with event logs

https://www.sans.org/blog/working-with-event-log-part-2-threat-hunting-with-event-logs/
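As an added example (not from the original list and not code from the linked SANS post), the kind of query that page is about: pull the last 24 hours of process-creation events from the Security log (event ID 4688) and group them by parent/child executable so that rare pairs stand out. It assumes the "Audit Process Creation" policy is enabled (otherwise there are no 4688 events), that the shell is elevated (reading the Security log needs admin rights), and that the events carry the ParentProcessName field (Windows 10 / Server 2016 and later).

```powershell
# Added example: summarise recent process-creation events (Security log, ID 4688).
# Assumes process-creation auditing is enabled and the shell runs elevated.
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = $since }

# Get-WinEvent raises an error when nothing matches; treat that as an empty result
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the EventData fields by name from the event XML, not by position
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Parent  = $data['ParentProcessName']
        Child   = $data['NewProcessName']
        User    = $data['SubjectUserName']
        Command = $data['CommandLine']   # empty unless command-line auditing is also enabled
    }
}

# Rare parent/child pairs first: these are the ones worth a second look
$rows | Group-Object Parent, Child | Sort-Object Count |
    Select-Object Count, Name | Format-Table -AutoSize

# A classic hunt: processes spawned by Office applications
$rows | Where-Object { $_.Parent -match 'WINWORD|EXCEL|OUTLOOK' } |
    Format-Table Time, Parent, Child, User -AutoSize
```

Reading the fields by name from the XML is deliberate: the positional order of 4688 properties differs between Windows versions, so indexing `$e.Properties` directly is brittle.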

Equivalent of grep for a recursive search

$> ls -r *.txt | Select-String "ZIP"
$> ls -r | Select-String dummy | select line,path

Find which process is currently listening on a port

netstat -ano -p tcp | Select-String 8888

Find a service by name, and stop it by name

# Stop service
Get-Service | Where {$_.DisplayName  -like "*elnet*"} | Stop-Service
Get-Service -DisplayName "telnet" | Stop-Service

# Format display result
Get-Service -Name "telnet" | Format-List -Property Name, DependentServices

# Stop a service that has dependent services
Stop-Service -Name "telnet" -Force -Confirm -WhatIf
# Force : required to stop a service that has dependent services (they are stopped as well)
# Confirm : prompts for confirmation before the service and all its dependent services are stopped
# WhatIf : shows what would happen if the cmdlet were executed; the cmdlet is not executed

Stop-Service -Name "WebDev 19" -Force -Confirm -WhatIf
# Result is : What if: Performing the operation "Stop-Service" on target "Serveur d'Application WebDev 19 (PC SOFT) (WebDev 19)".

# Start service
Get-Service -DisplayName "telnet" | Start-Service

Find a process by name, and stop it by its id

Get-Service | Where {$_.DisplayName  -like "*w19*"}
# Alternative (-Pattern is a regular expression, so "wd19*" would also match "wd1") :
Get-WmiObject Win32_Process | select commandline | Select-String -Pattern "wd19"

Get-Process | Where {$_.ProcessName -Like "*wd19*"}

Get-Service -Name "WebDev 19"

# Get process IDs
Get-Process | Where {$_.ProcessName -Like "*svchost"} | select -expand id

# Stop one or more process
Stop-Process -Name "w190admin" -Force -WhatIf
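The two tips above (find the listener on a port, stop a process by its id) combined, as an added example that is not part of the original list: resolve the PID that owns a listening TCP port, show the process name and binary path, then stop it by id with a -WhatIf preview. The port number is a placeholder.

```powershell
# Added example: port -> owning PID -> process -> stop by id (previewed with -WhatIf).
# Port 8888 is a placeholder value for this example.
$port = 8888

# Get-NetTCPConnection avoids parsing netstat text; OwningProcess is the PID
$listeners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue

if (-not $listeners) {
    Write-Output "Nothing is listening on TCP port $port"
} else {
    foreach ($conn in ($listeners | Sort-Object OwningProcess -Unique)) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue

        # Look at where the binary lives before acting: a listener running from an
        # unexpected path is exactly what this check is meant to surface
        [pscustomobject]@{
            Port = $conn.LocalPort
            Pid  = $conn.OwningProcess
            Name = $proc.ProcessName
            Path = $proc.Path          # empty for some system processes
        } | Format-List

        # Stop by id; remove -WhatIf once the target is confirmed
        Stop-Process -Id $conn.OwningProcess -WhatIf
    }
}
```

`Get-NetTCPConnection -LocalPort` reports an error rather than an empty result when no connection matches, which is why the call uses `-ErrorAction SilentlyContinue` and the `if` test.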

Execute cmd file on a windows server from a linux server

Through SSH: install OpenSSH on the Windows server by following the instructions here: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell

Prerequisites:
  • A device running at least Windows Server 2019 or Windows 10 (build 1809).
  • PowerShell 5.1 or later.
  • An account that is a member of the built-in Administrators group.

# Check which OpenSSH capabilities are available and whether they are installed
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

# Start the sshd service
Start-Service sshd

# OPTIONAL but recommended:
Set-Service -Name sshd -StartupType 'Automatic'

# Confirm the Firewall rule is configured. It should be created automatically by setup. Run the following to verify
if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
    Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
    Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."
}

Now from a linux server:

ssh Administrator@172.30.XXX.XXX '"C:\nicotest\nicotest.cmd"'

REM Example of source code of nicotest.cmd
@echo off

set path_exe=C:\nicotest

cd %path_exe%
echo Nico test at %Date% %time% >> %path_exe%\nicotest.log

Delete files older than x days

$limit = (Get-Date).AddDays(-15)
Get-ChildItem -Path "C:\Oracle\diag" -Recurse -Force | Where-Object { !$_.PSIsContainer -and $_.LastWriteTime -lt $limit } | Remove-Item -Force

# FYI
# $_.PSIsContainer is $true for a directory and $false for a file,
# so !$_.PSIsContainer keeps only files

# or like this is equivalent :
Get-ChildItem  "C:\Oracle\diag" -Recurse -File | Where LastWriteTime -lt $limit | Remove-Item -Force

# Before you execute you can test which files will be deleted :
Get-ChildItem -Path "C:\Oracle\diag" -Recurse -Force | Where-Object { !$_.PSIsContainer -and $_.LastWriteTime -lt $limit } | Select-Object -Property FullName, CreationTime, LastWriteTime

# You can also filter on the file name with the condition $_.Name -like "*filenameSearched*"
Get-ChildItem -Path "C:\Oracle\diag" -Recurse -Force | Where-Object { !$_.PSIsContainer -and $_.LastWriteTime -lt $limit -and $_.Name -like "*.trm" } | Select-Object -Property FullName, CreationTime, LastWriteTime
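The same cleanup as a reusable function, added here as an example that is not part of the original list: it supports -WhatIf and -Confirm through ShouldProcess, restricts itself to files, and returns a record for each file it removed (or would remove), so the preview step and the real run are the same command. The path, age and filter values are placeholders.

```powershell
# Added example: delete files older than N days with a built-in dry run.
function Remove-OldFiles {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int]    $Days   = 15,
        [string] $Filter = '*'
    )
    $limit = (Get-Date).AddDays(-$Days)

    # -File keeps directories out of the pipeline; -Force includes hidden files
    $old = Get-ChildItem -Path $Path -Recurse -File -Force -Filter $Filter |
        Where-Object { $_.LastWriteTime -lt $limit }

    foreach ($f in $old) {
        # ShouldProcess honours -WhatIf (print only) and -Confirm (prompt per file)
        if ($PSCmdlet.ShouldProcess($f.FullName, "Remove file last written $($f.LastWriteTime)")) {
            # -LiteralPath: file names containing [ ] are not treated as wildcards
            Remove-Item -LiteralPath $f.FullName -Force
        }
        # Emit a record either way, so a -WhatIf run doubles as the preview
        [pscustomobject]@{
            FullName      = $f.FullName
            LastWriteTime = $f.LastWriteTime
            SizeMB        = [math]::Round($f.Length / 1MB, 2)
        }
    }
}

# Preview first (placeholder path and filter), then run for real
Remove-OldFiles -Path 'C:\Oracle\diag' -Days 15 -Filter '*.trm' -WhatIf | Format-Table -AutoSize
Remove-OldFiles -Path 'C:\Oracle\diag' -Days 15 -Filter '*.trm' | Measure-Object -Property SizeMB -Sum
```

Because the function declares SupportsShouldProcess, `-WhatIf` and `-Confirm` are added to it automatically; no extra parameters are needed.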

Execute all scripts inside a directory which is inside current dir

$target_dir = Join-Path -Path $PWD.Path -ChildPath "clean_logs"
# Only files ending in .ps1: a subdirectory or a data file inside target_dir would make "&" fail
Get-ChildItem -Path $target_dir -File -Filter "*.ps1" | ForEach-Object {
  # Execute each script inside target_dir with the call operator
  & $_.FullName
}
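A more defensive version of the loop above, added as an example that is not part of the original list: it runs only .ps1 files, refuses any script whose Authenticode signature is not valid, and records the outcome of each script instead of stopping at the first failure. The directory name and the signature requirement are assumptions for this example.

```powershell
# Added example: run every signed .ps1 in .\clean_logs and report per-script status.
$target_dir = Join-Path -Path $PWD.Path -ChildPath 'clean_logs'

if (-not (Test-Path -LiteralPath $target_dir -PathType Container)) {
    throw "Directory not found: $target_dir"
}

$results = Get-ChildItem -LiteralPath $target_dir -File -Filter '*.ps1' |
    Sort-Object Name | ForEach-Object {
        # Status is 'Valid' only for a trusted, intact signature; unsigned files are 'NotSigned'
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $status = if ($sig.Status -ne 'Valid') {
            "skipped (signature: $($sig.Status))"
        } else {
            try {
                # Same call operator as the original loop; a terminating error lands in catch
                & $_.FullName | Out-Null
                'ok'
            } catch {
                "failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Script = $_.Name
            Status = $status
            Signer = $sig.SignerCertificate.Subject
        }
    }

$results | Format-Table -AutoSize
```

Note that the execution policy still applies: under a Restricted or AllSigned policy the call operator will not run an unsigned script at all, which is why the signature check above is a useful preview of what would happen on a locked-down host.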