Category: Powershell

Don’t Forget about Domain Trusts

I was recently talking to an organization about their security posture, and almost everything I recommended to them they had already implemented, and then some. The audits I conducted for them confirmed what they were saying. I must say, I was thoroughly impressed. There was, however, one gray area that stood out to me, and that was Domain Trusts. In their eyes they didn’t have any, but the Domain Controller showed otherwise.

I’m sure everyone knows how to check via the GUI but did you also know it can be done through PowerShell? If not, let’s proceed.

From a Domain Controller, or from a system with Remote Server Administration Tools (RSAT) installed, we can use the Active Directory module, which contains the Get-ADTrust cmdlet. To view trusts, we can do the following:

From the above, we see the trust is with the Multiverse domain. We can also see that the direction is bi-directional, meaning it is a Two-Way Trust. It is also non-transitive, as indicated by the value 1 in the Trust Attributes property.

We can also get this same information using WMI, which we will use on the same server. To do so, we can do the following:

A simple script for this can be found HERE.

From the above, we see the Trust Attributes property again, along with a Trusted Domain property, which holds the name of the domain we have a trust with. In addition, we see the Trust Direction property with a value of three, which denotes two-way.

For future reference, the meanings of each possible value of Trust Attributes and Trust Direction are below.
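As an added example (not the post's own script), the following lists trusts both ways, with the AD module and with WMI, and decodes the Trust Direction and Trust Attributes values into readable names so the "1 = non-transitive" and "3 = two-way" readings above do not have to be done by hand. The flag values come from the Active Directory trustAttributes definition; the WMI class is assumed to be queried on a DC, where it lives in the root\MicrosoftActiveDirectory namespace.

```powershell
# Added example, not the post's own script. Lists domain trusts via the AD module and
# via WMI and decodes TrustDirection / TrustAttributes into names.
# Assumes: the first part runs on a DC or a host with the RSAT ActiveDirectory module;
# the WMI part runs on a DC (add -ComputerName <dc> to query one remotely).

# trustAttributes bit flags; more than one may be set on a single trust
$TrustAttributeFlags = @{
    0x0001 = 'NON_TRANSITIVE'
    0x0002 = 'UPLEVEL_ONLY'
    0x0004 = 'QUARANTINED_DOMAIN (SID filtering on)'
    0x0008 = 'FOREST_TRANSITIVE'
    0x0010 = 'CROSS_ORGANIZATION (selective authentication)'
    0x0020 = 'WITHIN_FOREST'
    0x0040 = 'TREAT_AS_EXTERNAL'
    0x0080 = 'USES_RC4_ENCRYPTION'
    0x0200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
    0x0400 = 'PIM_TRUST'
}
# trustDirection: 1 = inbound, 2 = outbound, 3 = both (the "three = two-way" of the post)
$TrustDirectionNames = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

function ConvertFrom-TrustAttributes {
    param([int]$Value)
    $names = foreach ($bit in ($TrustAttributeFlags.Keys | Sort-Object)) {
        if ($Value -band $bit) { $TrustAttributeFlags[$bit] }
    }
    if ($names) { $names -join ', ' } else { '(no flags set)' }
}

# 1) Active Directory module
Import-Module ActiveDirectory
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, TrustAttributes,
        @{ n = 'Decoded'; e = { ConvertFrom-TrustAttributes $_.TrustAttributes } } |
    Format-Table -AutoSize

# 2) WMI on the DC, which exposes the same data plus the trust health
Get-WmiObject -Namespace 'root\MicrosoftActiveDirectory' -Class Microsoft_DomainTrustStatus |
    Select-Object TrustedDomain,
        @{ n = 'Direction';  e = { $TrustDirectionNames[[int]$_.TrustDirection] } },
        @{ n = 'Attributes'; e = { ConvertFrom-TrustAttributes $_.TrustAttributes } },
        TrustIsOk, TrustStatus |
    Format-Table -AutoSize

# 3) Review list: for each trust, is SID filtering on and is selective auth in use?
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest,
        SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication |
    Format-Table -AutoSize
```

The third table is the one worth keeping in an audit: a trust that points outside the forest with SID filtering off and no selective authentication is exactly the kind of "we didn't know we had that" finding the post describes.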

Hunting Self-signed Certificates

Self-signed certificates can be indicative of malicious behavior on a system, and being able to identify them is a key task in responding to an incident. Having self-signed certificates in an environment isn’t always a bad thing, but not being able to identify them and their purpose is! Nonetheless, taking to PowerShell we can search for them, and the Certificate PSDrive (Cert:) will assist with our process. A key indication of a self-signed certificate is the issuer and subject being the same. It is also worth noting that a CA may issue a certificate to itself to support key rollover or changes in certificate policies.
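As an added example (not the script from the author's GitHub), the following walks the Cert: drive and reports every certificate whose Subject equals its Issuer. It also reads the Basic Constraints extension so that a genuine self-signed CA root can be told apart from a self-signed leaf certificate, which is the more interesting find on a workstation. It assumes an elevated session so the LocalMachine stores are readable.

```powershell
# Added example, not the post's own script. Hunts self-signed certificates on the Cert: drive.
# Assumes: elevated session (LocalMachine stores), Windows PowerShell 3 or later.

function Find-SelfSignedCertificate {
    param([string[]]$StoreRoot = @('Cert:\LocalMachine', 'Cert:\CurrentUser'))

    foreach ($root in $StoreRoot) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Subject -eq $_.Issuer } |
            ForEach-Object {
                # Basic Constraints (OID 2.5.29.19) says whether the cert is a CA
                $bc   = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
                $isCa = $false
                if ($bc -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
                    $isCa = $bc.CertificateAuthority
                }
                [pscustomobject]@{
                    Store         = ($_.PSParentPath -replace '^.*::', '')
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotBefore     = $_.NotBefore
                    NotAfter      = $_.NotAfter
                    IsCA          = $isCa
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

# Everything self-signed, newest first
$all = Find-SelfSignedCertificate | Sort-Object NotBefore -Descending
$all | Format-Table Store, Subject, Thumbprint, NotBefore, IsCA, HasPrivateKey -AutoSize

# The short list to explain: self-signed, not a CA, and the private key is present on this box
$all | Where-Object { -not $_.IsCA -and $_.HasPrivateKey } |
    Format-Table Store, Subject, Thumbprint, NotBefore -AutoSize
```

Self-signed roots in Cert:\LocalMachine\Root are expected (the trusted root store is full of them); a self-signed non-CA certificate with a private key in Cert:\LocalMachine\My or a user's store is the one to trace back to whoever or whatever created it.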

This and more PowerShell scripts can be found on my GitHub.

PowerShell Cheat Sheet

I recall when I started out in PowerShell, coming from Python. Some aspects of the language I was able to pick up rather quickly, while other aspects took some time. I found myself writing down notes until I was able to remember them on my own. Reminiscing on that inspired me to develop a cheat sheet for others who are aspiring to make the jump. The cheat sheet is not an all-encompassing list, but it touches on most of the important areas of the language to get a person started.

PS Cheat Sheet

Find Malicious Versions of CCleaner

In light of the recent discovery of the malicious versions of CCleaner and the millions affected, it felt like a great time to write some PowerShell scripts that enable a person to identify whether the malicious versions of CCleaner are on a system and, if so, provide a method to delete the software.

The below checks a local machine for the malicious versions of CCleaner.

Using PS Remoting, the below allows you to get a list of systems with the infected versions.

Using PS Remoting, the below allows you to remove CCleaner with the infected versions.

Using WMI, the below allows you to look for the infected versions. It also writes a log of infected and not infected machines along with deleting the software from the infected machines.
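As an added example that is not one of the post's scripts, the following combines the three tasks above into one remoting run: enumerate the installed CCleaner version on a list of hosts, compare it against a known-bad version list, write a log line per host, and run the product's own uninstaller on the hosts that match. The malicious version strings are placeholders to be filled from the vendor advisory; hosts.txt is a constructed input file; the silent uninstall switch and the log path are assumptions.

```powershell
# Added example, not the post's own scripts. Scans hosts over PS Remoting for a product
# whose installed version is on a known-bad list, logs the result, and removes matches.
# Assumes: PS Remoting enabled and admin rights on the targets; versions filled from the advisory.

$ProductName      = 'CCleaner'
$KnownBadVersions = @('<malicious-version-1>', '<malicious-version-2>')   # placeholders
$Computers        = Get-Content -Path .\hosts.txt                          # constructed: one hostname per line
$Log              = '.\ccleaner_scan.log'

$scanBlock = {
    param($Name, $BadVersions)
    # The Uninstall keys are fast and side-effect free; Win32_Product is slow and triggers repairs
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $found = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$Name*" }
    if (-not $found) {
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; DisplayVersion = $null; Infected = $false; UninstallString = $null }
        return
    }
    foreach ($f in $found) {
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            DisplayVersion  = $f.DisplayVersion
            Infected        = ($BadVersions -contains $f.DisplayVersion)
            UninstallString = $f.UninstallString
        }
    }
}

$results = Invoke-Command -ComputerName $Computers -ScriptBlock $scanBlock `
               -ArgumentList $ProductName, $KnownBadVersions -ErrorAction Continue

# One log line per host: timestamp, host, version (or "not installed"), verdict
foreach ($r in $results) {
    $verdict = if ($r.Infected) { 'INFECTED' } elseif ($r.DisplayVersion) { 'clean' } else { 'not installed' }
    "{0}`t{1}`t{2}`t{3}" -f (Get-Date -Format s), $r.Computer, $r.DisplayVersion, $verdict |
        Add-Content -Path $Log
}

# Removal on the infected hosts only, using the registered uninstaller (silent switch assumed)
foreach ($r in ($results | Where-Object { $_.Infected -and $_.UninstallString })) {
    Invoke-Command -ComputerName $r.Computer -ScriptBlock {
        param($cmd)
        Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$cmd`" /S" -Wait
    } -ArgumentList $r.UninstallString
}
```

Keep the log even for the clean hosts: during an incident the list of systems that were checked and found clean is as useful as the list that were not.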



Determining WinRM connections to a Machine

PSRemoting is an awesome feature in Microsoft Windows that serves as an SSH-like function. In Server 2012 and newer, it is enabled by default. You will, however, need to enable the feature on any client system you’d want to use it on. Some organizations feel that having the service enabled throughout the organization is more of a burden than something that will increase productivity. Most of those concerns stem from not knowing who is connecting or connected to systems. Luckily, there is a built-in cmdlet that should ease the worrying.

With suitable rights on a system, we can use the below to see who is connected to our system.

Below are the results.

To clean this up a little, we can do the following:

Our results are shown below and are a little easier to understand.

You could easily set this up on a recurring schedule and output it to a file for further analysis.
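As an added example rather than the commands from the post, the following wraps the WSMan shell enumeration in a function, trims the output to the fields that answer "who, from where, for how long", and appends a timestamped CSV so it can run from a scheduled task. It assumes an elevated session on the server being inspected and that the ProgramData path is acceptable for the log.

```powershell
# Added example, not the post's own commands. Lists active WinRM shells on this host.
# Assumes: elevated session on the server whose remote sessions you want to see.

function Get-WinRMSession {
    # Each open remoting session is a 'shell' instance under the WSMan provider
    Get-WSManInstance -ResourceURI 'shell' -Enumerate | ForEach-Object {
        [pscustomobject]@{
            Collected    = (Get-Date -Format s)
            Owner        = $_.Owner            # account that opened the session
            ClientIP     = $_.ClientIP         # where it came from
            ProcessId    = $_.ProcessId        # wsmprovhost.exe hosting the session
            State        = $_.State
            ShellRunTime = $_.ShellRunTime
            IdleTime     = $_.ShellInactivity
            ShellId      = $_.ShellId
        }
    }
}

# Interactive view
Get-WinRMSession | Format-Table Owner, ClientIP, ProcessId, State, ShellRunTime, IdleTime -AutoSize

# Scheduled-task view: append to a CSV and review later (path is an assumption)
Get-WinRMSession | Export-Csv -Path "$env:ProgramData\winrm_sessions.csv" -Append -NoTypeInformation
```

Reviewing the CSV for an Owner you do not expect, or a ClientIP outside the admin network, turns the "who is connected" worry into a concrete check.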

Base64 with PowerShell

All too often I find myself on a Windows system and need to either encode or decode base64. Rather than using an online service, installing a program, or going to a *nix based system, I took to PowerShell. In PowerShell, we can use .NET to accomplish this.


The result is this base64 encoded text:
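As an added example beyond the one-liners in the post, the following wraps the same .NET calls in a pair of functions with an explicit text encoding. The encoding matters more than it looks: powershell.exe -EncodedCommand expects UTF-16LE (the "Unicode" encoding in .NET), so decoding a captured command line with UTF-8 produces garbage; the decoder below guesses between the two when asked. The functions and the sample string are this example's own, not from the post.

```powershell
# Added example, not the post's own commands. Base64 encode/decode with explicit encodings.
# Assumes: Windows PowerShell 3 or later.

function ConvertTo-Base64 {
    param(
        [Parameter(Mandatory)][string]$Text,
        [ValidateSet('UTF8', 'Unicode')][string]$Encoding = 'UTF8'   # 'Unicode' = UTF-16LE
    )
    $bytes = [System.Text.Encoding]::$Encoding.GetBytes($Text)
    [Convert]::ToBase64String($bytes)
}

function ConvertFrom-Base64 {
    param(
        [Parameter(Mandatory)][string]$Base64,
        [ValidateSet('UTF8', 'Unicode', 'Auto')][string]$Encoding = 'Auto'
    )
    $bytes = [Convert]::FromBase64String($Base64)
    if ($Encoding -eq 'Auto') {
        # UTF-16LE text made of ASCII characters has a zero byte in every odd position
        $oddBytes = for ($i = 1; $i -lt $bytes.Length; $i += 2) { $bytes[$i] }
        $nonZero  = @($oddBytes | Where-Object { $_ -ne 0 }).Count
        $Encoding = if ($bytes.Length -ge 2 -and $nonZero -eq 0) { 'Unicode' } else { 'UTF8' }
    }
    [System.Text.Encoding]::$Encoding.GetString($bytes)
}

# Constructed sample: the same text encoded both ways
$plain = 'Get-Process | Select-Object -First 3'
$utf8  = ConvertTo-Base64 -Text $plain                    # for files, HTTP bodies, etc.
$u16   = ConvertTo-Base64 -Text $plain -Encoding Unicode  # what -EncodedCommand expects

"UTF8    : $utf8"
"Unicode : $u16"
"Decoded : $(ConvertFrom-Base64 -Base64 $u16)"   # Auto picks Unicode here
```

When triaging a suspicious "powershell -enc ..." entry in a log, the Auto path gets it right for ASCII payloads; for anything else pass -Encoding Unicode explicitly.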



Getting hashes with Microsoft’s File Checksum Integrity Verifier (FCIV)

Are you responding to an incident? Are you trying to hash particular portions of the disk for comparison with known-good hashes? Are you questioning whether or not to trust the binaries on the possibly compromised system disk in order to get said hashes? Well, have no fear: Microsoft has a portable program called File Checksum Integrity Verifier (FCIV) that can help, and it can be downloaded here. Since it comes from Microsoft, it will be signed by them as well.

The portable program can be executed from a CD/DVD, flash drive, or network share. With it, we can get MD5 and/or SHA1 hashes of files on a system, either printing them to the screen or writing them to a file or database. With this in mind, we can feel better about our capture source and method and easily save the day! We can accomplish this using the below.

Recursively capturing hashes from a specified directory.
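As an added example (the post's own command is not reproduced here), the following runs FCIV from your own media, writes the hashes to its XML database, verifies the tree against that database later, and converts the stored hashes to hex. That last step is the gotcha worth knowing: FCIV stores hashes base64-encoded in its XML, so a straight string comparison with hex output from another tool never matches. The drive letters, paths and the XML element names are assumptions to adjust to your setup.

```powershell
# Added example, not the post's own command. Wraps FCIV for an incident-response hash capture.
# Assumes: fciv.exe sits on your own trusted media at $FcivPath; you have read access to $Target.

$FcivPath = 'E:\tools\fciv.exe'                 # assumption: your read-only media
$Target   = 'C:\Windows\System32'
$Db       = 'E:\evidence\system32_hashes.xml'   # assumption: output on the same media

# 1) Confirm the tool is the one you think it is before trusting anything it prints
Get-AuthenticodeSignature -FilePath $FcivPath |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# 2) Capture: -add <dir> with -r (recurse), -both (MD5 and SHA1), -xml <db> (write to database)
& $FcivPath -add $Target -r -both -xml $Db

# 3) Later, verify the same tree against the stored database (-v = verify mode)
& $FcivPath -v -both -xml $Db

# 4) Read the database back with the hashes as hex, for comparison with other tools
function Get-FcivEntry {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -Path $Path
    foreach ($e in $doc.FCIV.FILE_ENTRY) {           # element names per the FCIV XML layout (assumed)
        $toHex = { param($b64) if ($b64) { ([BitConverter]::ToString([Convert]::FromBase64String($b64)) -replace '-', '').ToLower() } }
        [pscustomobject]@{
            Name = $e.name
            MD5  = & $toHex $e.MD5
            SHA1 = & $toHex $e.SHA1
        }
    }
}

# 5) Spot-check one file with PowerShell's own hasher, an independent implementation
$entries = Get-FcivEntry -Path $Db
$sample  = $entries | Where-Object { $_.Name -like '*\notepad.exe' } | Select-Object -First 1
$sample
Get-FileHash -Path "$Target\notepad.exe" -Algorithm SHA1
```

If the two SHA1 values for the spot-checked file disagree, stop and work out why before trusting either list; agreement is what gives you confidence that the binaries on the suspect disk were not involved in producing your evidence.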


Get Registry Hives and Keys Remotely

Talking with a buddy of mine, the conversation about retrieving Registry Hives and Keys remotely came up. He initially was looking for something he could use and eventually sided with an open-source program from the web. I tested said program as well, and for the most part it did what it said it would. In the end, though, that is just another product I would be adding to someone’s network. With that said, I took to PowerShell! I ended up using reg.exe wrapped in PowerShell to export the Hives and Keys. I then needed a workhorse to execute this remotely, and that’s where WMI came in. I used it to start a process call against a supplied list of systems and, once complete, Get-ChildItem is used to pull the .reg file back to my system. The code can be found HERE.
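As an added example that is not the code linked from the post, the following does what the paragraph describes: start reg.exe remotely through WMI's Win32_Process.Create, wait for it to finish, copy the resulting .reg file back over the admin share, and clean up. The function name, the temp path on the remote host and the default key are assumptions; the list of computers is a constructed input.

```powershell
# Added example, not the post's own code. Exports a registry key from remote hosts with
# reg.exe launched through WMI, then pulls the .reg file back over the C$ share.
# Assumes: admin rights on the targets, WMI (DCOM) reachable, admin shares enabled.

function Export-RemoteRegistryKey {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$Key         = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        [string]$Destination = '.\regexports',
        [int]$TimeoutSeconds = 120
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $safeName = $Key -replace '[\\:]', '_'

    foreach ($c in $ComputerName) {
        $remoteFile = "C:\Windows\Temp\$safeName.reg"           # assumption: writable temp path
        $cmd = "cmd.exe /c reg.exe export `"$Key`" `"$remoteFile`" /y"

        $r = Invoke-WmiMethod -ComputerName $c -Class Win32_Process -Name Create -ArgumentList $cmd
        if ($r.ReturnValue -ne 0) {
            Write-Warning "$c : Win32_Process.Create returned $($r.ReturnValue)"
            continue
        }

        # Poll until reg.exe exits (or give up) so we do not copy a half-written file
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while ((Get-Date) -lt $deadline -and
               (Get-WmiObject -ComputerName $c -Class Win32_Process -Filter "ProcessId=$($r.ProcessId)")) {
            Start-Sleep -Seconds 2
        }

        # C:\Windows\Temp\x.reg  ->  \\host\C$\Windows\Temp\x.reg
        $share = "\\$c\" + ($remoteFile -replace '^([A-Za-z]):', '$1$$')
        $local = Join-Path $Destination "$c`_$safeName.reg"
        try {
            Copy-Item -Path $share -Destination $local -ErrorAction Stop
            Remove-Item -Path $share -ErrorAction SilentlyContinue
            [pscustomobject]@{ Computer = $c; Key = $Key; File = $local; Size = (Get-Item $local).Length }
        } catch {
            Write-Warning "$c : could not retrieve $share ($($_.Exception.Message))"
        }
    }
}

# Constructed input: one host per line
Export-RemoteRegistryKey -ComputerName (Get-Content -Path .\hosts.txt) | Format-Table -AutoSize
```

Exporting the Run key across a fleet and diffing the files day over day is a cheap way to spot new persistence; the same function takes any key path reg.exe accepts.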

Finding Passwords in Text Files with PowerShell

Using PowerShell, we can look in text files for strings that fit the criteria for passwords and return the potential password, file path, and line number. The search criteria use a regular expression and look for at least four characters but no more than 15, with at least one uppercase letter, one lowercase letter, one number, and one special character. The data is returned in an XML file and is best read back into PowerShell using Out-GridView (my fav.). The code is on my GitHub, located HERE.
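As an added example and not the script from the author's GitHub, the following implements the criteria as stated: a whitespace-delimited token of 4 to 15 characters containing an uppercase letter, a lowercase letter, a digit and a special character, reported with file path and line number, saved with Export-Clixml and read back into Out-GridView. The sample files are constructed inline so the run is self-contained; the regex, function name and output path are this example's own.

```powershell
# Added example, not the post's own code. Finds password-looking tokens in text files.
# Assumes: Windows PowerShell 3 or later (Out-GridView needs the ISE/GUI components).

function Find-PasswordCandidate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Include = @('*.txt', '*.ini', '*.cfg', '*.config', '*.ps1', '*.bat')
    )
    # (?<!\S) / (?!\S): token boundaries; the lookaheads enforce the four character classes;
    # \S{4,15}: the token itself is 4 to 15 non-space characters
    $pattern = '(?<!\S)(?=\S*[A-Z])(?=\S*[a-z])(?=\S*\d)(?=\S*[^\w\s])\S{4,15}(?!\S)'

    Get-ChildItem -Path $Path -Recurse -Include $Include -File -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern -AllMatches |
        ForEach-Object {
            $hit = $_
            foreach ($m in $hit.Matches) {
                [pscustomobject]@{
                    Candidate = $m.Value
                    Path      = $hit.Path
                    Line      = $hit.LineNumber
                    Context   = $hit.Line.Trim()
                }
            }
        }
}

# Constructed sample input
$sample = Join-Path $env:TEMP 'pwhunt-sample'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
@'
# backup job settings
user=svc_backup
pass=Summ3r!Time
note=this line has nothing interesting
'@ | Set-Content -Path (Join-Path $sample 'backup.ini')
@'
$conn = "Server=db01;User Id=app;Password=P@ssw0rd42;"
'@ | Set-Content -Path (Join-Path $sample 'connect.ps1')

$out = Join-Path $env:TEMP 'password_candidates.xml'
Find-PasswordCandidate -Path $sample | Export-Clixml -Path $out

# Read it back the way the post suggests
Import-Clixml -Path $out | Out-GridView -Title 'Password candidates'
```

Expect noise: any short token mixing the four classes matches, so the Context column is there to let a reviewer dismiss false positives quickly. The second sample line shows why the token approach catches embedded values such as Password=... inside a connection string only when the surrounding text is short enough; adjust the boundary definition if your files store secrets in key=value form.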

Mass Import of McAfee Firewall Domains to block

As of late, I’ve been experimenting more and more with the McAfee HIPS Firewall through McAfee ePO. So far, I think it is decent. It is at least stateful, so that’s a plus. The firewall has a feature to block domains, but using the GUI you can only add them one at a time. There is an option to import them, but that requires the list to be in a format McAfee can understand. Thinking outside the box, I decided to put an entry in the firewall and export that policy in order to get a feel for the structure. Once I did that, I was able to take a list of domains from, change some formatting in their file, and fit it into the McAfee format. The result is a perfectly formatted firewall policy ready to import. The workhorse of it all: PowerShell!

In my testing, I imported over 14000 entries, and while McAfee HIPS took it, I don’t think it can handle that much, as the server became incredibly slow. Nonetheless, you could now take my script, make some minor adjustments, and use it with your malware domain listing of choice. Since we are on the subject, below are a few other sites that are good sources as well.

The code, by the way, is on my github at

Sinkhole Domains Using DNS with the help of PowerShell

Thanks to Jason Fossen, there was no need to create a PowerShell script to input domains to sinkhole. He had already created one called Sinkhole-DNS.ps1 (located here). One of the options in the script is to read in a file with domains listed. I like to frequent for my listing of bad domains and wanted to feed that into the PowerShell script, so I fired up ISE and began knocking out some code. In the end, I developed a script, located here, that will download from, uncompress it, take only the domain names out, and output them to a file. The file can then be used with the Sinkhole-DNS.ps1 script to import the domains into DNS. The syntax for this is shown below.
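As an added example, which is neither Jason Fossen's script nor the author's downloader, the following shows the feed-preparation half of the workflow: download a zipped block list, expand it, extract bare domain names from whatever line format the list uses (hosts-file style or plain), and write one domain per line. The feed URL is a placeholder, the file names inside the archive are assumed, and the -InputFile parameter name for Sinkhole-DNS.ps1 is an assumption to check against the script's help.

```powershell
# Added example, not the post's script. Turns a downloaded block list into a clean domain list.
# Assumes: PowerShell 5 or later for Expand-Archive; the feed is a zip of text files.

$FeedUrl = 'https://example.invalid/blocklist.zip'   # placeholder: your feed of choice
$Work    = Join-Path $env:TEMP 'sinkhole'
$OutFile = Join-Path $Work 'domains.txt'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

function Get-DomainFromList {
    # Accepts hosts-file lines ("127.0.0.1 bad.example"), bare domains and "# comment" lines
    param([string[]]$Line)
    $domainRx = '^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
    $out = foreach ($l in $Line) {
        $t = ($l -replace '#.*$', '').Trim()
        if (-not $t) { continue }
        $candidate = (($t -split '\s+')[-1]).ToLowerInvariant()
        if ($candidate -match $domainRx -and $candidate -notin 'localhost', 'localhost.localdomain') {
            $candidate
        }
    }
    $out | Sort-Object -Unique
}

# Constructed self-check of the parser before touching a real feed
$sampleLines = @(
    '# sample feed',
    '127.0.0.1 localhost',
    '0.0.0.0 malware.example   # comment after entry',
    'tracker.example',
    'not a domain line'
)
Get-DomainFromList -Line $sampleLines     # expected: malware.example, tracker.example

# Real run: download, expand, parse every text file in the archive, write the list
$zip = Join-Path $Work 'feed.zip'
Invoke-WebRequest -Uri $FeedUrl -OutFile $zip
Expand-Archive -Path $zip -DestinationPath $Work -Force
$lines = Get-ChildItem -Path $Work -Filter '*.txt' -File |
    Where-Object { $_.Name -ne 'domains.txt' } |
    ForEach-Object { Get-Content -Path $_.FullName }
Get-DomainFromList -Line $lines | Set-Content -Path $OutFile
"$((Get-Content $OutFile).Count) domains written to $OutFile"

# Hand the file to Jason Fossen's script (parameter name assumed; see its help):
# .\Sinkhole-DNS.ps1 -InputFile $OutFile
```

Validating each line against a real hostname grammar, rather than trusting the feed, keeps malformed entries from producing broken DNS zones.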

Under The Wire!

Under The Wire, the PowerShell gaming server, is now web based and can be accessed at On there, you will find directions to access our servers using your own instance of PowerShell. To date, we have two games that are live, with another in production.

Under the Wire v2

I just posted v2 of Under the Wire, which contains an additional 5 levels for Century. V2 can be found at the link on the right-hand side of the screen or here.

This release will be the last one containing Century, and the next variation that the team and I will be working on will be called Cyborg. It will still have the same feel as Century but will focus primarily on Active Directory, DNS, DHCP and a few other random areas, totaling somewhere around 20 to 25 levels (like Century).

I hope you enjoy the additional 5 levels of Century and stay tuned for the release of Cyborg within Under the Wire.

PowerShell Web Server for Raw Text Transmission

This script will create a temporary web server on the local system that listens on the host IP and a specified port. You will then be able to post some raw data that will be accessible on the network. When running the script, you will be asked what port to listen on and what raw data to post. This script does not support posting files or folders.

The raw data can be accessed one of three ways.

Option 1: PowerShell — Use the below syntax to view it on the screen. It will be in the raw content section.
Invoke-WebRequest http://<IP_Address>:<port>/default

Option 2: PowerShell — Use the below syntax to save the data to a local file.
Invoke-WebRequest http://<IP_Address>:<port>/default -OutFile downloaded_data.txt

Option 3: Internet browser — Use the below syntax to view it in the browser.

This PowerShell script can be found in my script repo on the right-hand side of the screen.

PowerShell Web Server for File Transmission

This script will deploy a temporary web server on the local system that listens on the port of your choice. Once it is listening, you will be able to transfer .txt and .html files from the directory the script is run from (not the directory where it is located). The web server will continue to run as long as the script is running.

To execute, run the script and when prompted, input a port to listen on. To access the system and the data in the directory that the script ran from, use the below syntax from another system.

Invoke-WebRequest http://<IP_Address>:<port>/file_in_dir.txt -OutFile downloaded_data.txt

Example: “Invoke-WebRequest http:/ -OutFile passwords.txt”

This PowerShell script can be found in my script repo on the right-hand side of the screen.
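As an added example that serves both of the web-server posts above (and is not the code from the script repo), the following is one System.Net.HttpListener server that answers /default with a raw text value and any other path with a .txt or .html file from the directory it is run from. It also shows the two checks a practitioner wants in even a throwaway server: the resolved file path must stay inside the serving directory (no ../ escapes) and only the two file types are served. The prefix, port, default text and log format are this example's own choices.

```powershell
# Added example, not the post's scripts. Minimal HttpListener server for raw text and files.
# Assumes: binding to http://+:<port>/ needs either an elevated session or a URL ACL, e.g.
#   netsh http add urlacl url=http://+:8080/ user=DOMAIN\user
# Run from the directory whose .txt/.html files you want to share; Ctrl+C to stop.

param(
    [int]$Port       = 8080,
    [string]$RawData = 'constructed sample text posted at startup'
)

$root = (Get-Location).Path.TrimEnd('\') + '\'
$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add("http://+:$Port/")
$listener.Start()
"Listening on port $Port, serving .txt/.html from $root"

try {
    while ($listener.IsListening) {
        $ctx  = $listener.GetContext()          # blocks until a request arrives
        $req  = $ctx.Request
        $res  = $ctx.Response
        $path = $req.Url.AbsolutePath.TrimStart('/')

        if ($path -eq 'default') {
            # The "raw text transmission" case
            $body = [System.Text.Encoding]::UTF8.GetBytes($RawData)
            $res.ContentType = 'text/plain'
        } else {
            # The "file transmission" case: resolve, then refuse anything outside $root
            $full = [System.IO.Path]::GetFullPath((Join-Path $root $path))
            $inside = $full.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
            if ($inside -and (Test-Path -LiteralPath $full -PathType Leaf) -and ($full -match '\.(txt|html?)$')) {
                $body = [System.IO.File]::ReadAllBytes($full)
                $res.ContentType = if ($full -match '\.txt$') { 'text/plain' } else { 'text/html' }
            } else {
                $res.StatusCode = 404
                $body = [System.Text.Encoding]::UTF8.GetBytes('not found')
                $res.ContentType = 'text/plain'
            }
        }

        $res.ContentLength64 = $body.Length
        $res.OutputStream.Write($body, 0, $body.Length)
        $res.Close()

        # One access-log line per request so you can see who pulled what
        '{0} {1} {2} -> {3}' -f (Get-Date -Format s), $req.RemoteEndPoint, $req.Url.PathAndQuery, $res.StatusCode
    }
} finally {
    $listener.Stop()
    $listener.Close()
}
```

From another host the same Invoke-WebRequest lines as in the posts apply: /default for the text, /name.txt or /name.html for a file. Because the listener binds to every interface, whatever you share is visible to anyone who can reach the port; stop the script as soon as the transfer is done.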

PowerShell Network Connection Monitor Script

This script displays the current TCP/IP connections for a local or remote system, including the PID, process name, port, and current state (listening, established, etc.). If the connection is not yet established, the remote port is shown as an asterisk (*). It will also take the initial output and save it to old_state.txt, then sleep for a period of time of your choosing before running again and writing to new_state.txt. It will then compare the two files and print the differences to the screen. Both files are saved to the directory the script is run from (not the directory where it is located). It will repeat this process until the script is stopped.

This PowerShell script can be found in my script repo on the right-hand side of the screen.
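As an added example and not the script from the repo, the following implements the loop described above with Get-NetTCPConnection: snapshot connections with process names, write old_state.txt, sleep, write new_state.txt, and print only what appeared or disappeared. The snapshot runs locally or, via Invoke-Command, on a remote host. Function names, the interval and the file names follow the post's description; everything else is this example's own.

```powershell
# Added example, not the post's script. Periodic TCP connection diff for a local or remote host.
# Assumes: Windows 8 / Server 2012 or later (Get-NetTCPConnection); remoting enabled for remote hosts.

function Get-ConnectionState {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $snapshot = {
        $names = @{}
        Get-Process | ForEach-Object { $names[$_.Id] = $_.ProcessName }
        Get-NetTCPConnection | ForEach-Object {
            [pscustomobject]@{
                Process       = $names[[int]$_.OwningProcess]
                PID           = $_.OwningProcess
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = if ($_.State -eq 'Listen') { '*' } else { $_.RemotePort }   # the post's asterisk
                State         = [string]$_.State
            }
        }
    }
    if ($ComputerName -eq $env:COMPUTERNAME) { & $snapshot }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $snapshot }
}

function Compare-ConnectionState {
    param($Old, $New)
    $props = 'Process', 'PID', 'LocalPort', 'RemoteAddress', 'RemotePort', 'State'
    Compare-Object -ReferenceObject @($Old) -DifferenceObject @($New) -Property $props |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'NEW' } else { 'GONE' } } },
                      Process, PID, LocalPort, RemoteAddress, RemotePort, State
}

function Watch-Connections {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$IntervalSeconds = 30)
    $old = Get-ConnectionState -ComputerName $ComputerName
    $old | Export-Csv -Path .\old_state.txt -NoTypeInformation
    while ($true) {
        Start-Sleep -Seconds $IntervalSeconds
        $new = Get-ConnectionState -ComputerName $ComputerName
        $new | Export-Csv -Path .\new_state.txt -NoTypeInformation
        $diff = Compare-ConnectionState -Old $old -New $new
        "--- $(Get-Date -Format s)  $ComputerName  ($($diff.Count) changes)"
        $diff | Format-Table -AutoSize | Out-String | Write-Host
        $old = $new
    }
}

Watch-Connections -IntervalSeconds 30
```

Comparing on process name and ports rather than the whole object keeps short-lived ephemeral-port churn readable; a NEW listener on an unexpected port, or an established connection from a process that should never talk to the network, stands out immediately.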

PowerShell Remote Process Termination

Ever remotely executed a program on another system, only for the process to fail to exit, leaving it running on the user’s system? No matter the cause or what your purpose on the system is, that is never a good thing. We can quickly fix the issue with PowerShell. To do so, we can use a script to which we supply the hostname or IP along with the name of the process.

This PowerShell script can be found in my script repo on the right-hand side of the screen.
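As an added example and not the repo's script, the following terminates a named process on a remote host through WMI. Stop-Process has no -ComputerName parameter, so the remote work is done with Win32_Process, and the function prints the owner and command line of each match before terminating it and supports -WhatIf so the match can be reviewed first. The function name and parameters are this example's own.

```powershell
# Added example, not the post's script. Terminates a named process on a remote host via WMI.
# Assumes: admin rights on the target and WMI (DCOM) reachable.

function Stop-RemoteProcess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ProcessName     # with or without .exe
    )
    $exe = ($ProcessName -replace '\.exe$', '') + '.exe'
    $procs = @(Get-WmiObject -ComputerName $ComputerName -Class Win32_Process -Filter "Name='$exe'")
    if ($procs.Count -eq 0) {
        Write-Warning "$ComputerName : no process named $exe"
        return
    }
    foreach ($p in $procs) {
        $owner = $p.GetOwner()
        $who   = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '(unknown)' }
        if ($PSCmdlet.ShouldProcess("$ComputerName PID $($p.ProcessId) ($who): $($p.CommandLine)", 'Terminate')) {
            $rc = $p.Terminate().ReturnValue     # 0 = success
            [pscustomobject]@{
                Computer    = $ComputerName
                PID         = $p.ProcessId
                Owner       = $who
                CommandLine = $p.CommandLine
                Result      = if ($rc -eq 0) { 'terminated' } else { "failed ($rc)" }
            }
        }
    }
}

# Dry run first, then the real thing
Stop-RemoteProcess -ComputerName 'WKSTN01' -ProcessName 'leftover.exe' -WhatIf
Stop-RemoteProcess -ComputerName 'WKSTN01' -ProcessName 'leftover.exe'
```

Running with -WhatIf first matters when the process name is generic: the owner and command line tell you whether the match is your stuck job or something the user is actually working in.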

Detecting Alternate Data Streams with PowerShell and DOS

Alternate Data Streams (ADS) are nothing new, and there are a few ways to detect them within an NTFS filesystem. My tools of choice for detecting an ADS are LADS (List Alternate Data Streams) by Frank Heyne or SysInternals’ Streams… both of which work rather well. My issue, though, is that I, much like the customer, normally want to limit and lessen the number of external tools added to any of their systems. Resident to Microsoft Windows, we have two ways to do some detection, but one provides a little more capability than the other. Let’s check them both out.

The DOS way depicted below will recursively search a directory (/s), display alternate data streams (/r), and then look for the string “:$DATA”.

The PowerShell way is depicted below. Be advised that the cmdlet used below goes back as far as version 2, but the -Stream parameter was not available until version 3.
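As an added example (not the commands from the post), the following wraps the PowerShell approach in a function that walks a tree, lists every stream other than the primary :$DATA stream, and by default hides Zone.Identifier, the mark-of-the-web stream that browsers attach to downloads and that accounts for most benign hits. It creates a constructed demo file with an extra stream so the detector can be exercised offline, and shows the equivalent dir /s /r pipeline for comparison. Function and parameter names are this example's own.

```powershell
# Added example, not the post's commands. Lists alternate data streams under a path.
# Assumes: NTFS volume; Windows PowerShell 3 or later for Get-Item -Stream.

function Get-AlternateDataStream {
    param(
        [string]$Path = '.',
        [switch]$IncludeZoneIdentifier      # show mark-of-the-web streams too
    )
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Stream -ne ':$DATA' -and
            ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier')
        } |
        Select-Object FileName, Stream, Length
}

# Constructed demo: a file with a hidden second stream
$demoDir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoFile = Join-Path $demoDir 'readme.txt'
Set-Content -Path $demoFile -Value 'visible content'
Set-Content -Path $demoFile -Stream 'hidden' -Value 'content in an alternate stream'

# PowerShell detection: expected to report readme.txt with stream "hidden"
Get-AlternateDataStream -Path $demoDir | Format-Table -AutoSize

# Read the stream contents when you want to know what is in it
Get-Content -Path $demoFile -Stream 'hidden'

# The cmd equivalent from the post: dir /s /r lists streams; find filters to the ADS lines
cmd.exe /c "dir /s /r `"$demoDir`" | find `":`$DATA`""

# Cleanup
Remove-Item -Path $demoDir -Recurse -Force
```

The -Stream route is the one with "a little more capability": it gives objects you can filter by name and size, and Get-Content -Stream lets you inspect a suspicious stream without a third-party tool.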

If you just executed these commands, you probably noticed how a number of the files might have popped up matching the

Under the Wire… Windows Shell War Gaming

My boss and I had a conversation a few months ago regarding Over the Wire, a Linux war gaming server. The conversation revolved around how it was a great tool for those trying to build strength in Linux. From that conversation, we wondered why there wasn’t a Windows variant focusing on the command line, and from that thought came Under the Wire.

Under the Wire is a Windows Server 2008R2 Core system. The war game focuses on the Windows command line and the hope is that it helps people hone their skills or gain a better understanding for some of the things that can be done with a Windows shell.

It’s not expected for anyone to know everything they will encounter in this game, so please don’t panic, as the purpose of the game is to learn.

The object of the game is to use the hints for each level to find the password for the following level. For example, the password for level 2 is somewhere in level 1 and the password for level 3 is somewhere in level 2. That is the case for all levels, with level 20 being the last one. Once you have successfully logged into level 20, you have successfully completed the game.

The VM, instructions, and change log can be found here -> Under the Wire

General Notes:
• All passwords are lowercase regardless of how they may appear on the screen.

• The username for logging in will be century plus the corresponding level number. For example, the username for level 1 is century1 and for level 2, it would be century2 and so forth.

• The default shell is PowerShell, but you can switch to the command line if you want. You can easily switch back and forth by typing cmd or powershell in the shell. If you wish to have multiple shells open, you can achieve that by doing the below.
1. Type taskmgr in the shell
2. Hit File > New Task (Run…)
3. Type powershell or cmd

• You may find that while trying to accomplish a level using one shell it may render an access denied error. If that is the case, please just use the other shell. During testing, at least one of the shells worked for every level.

• You may be warned that this isn’t a genuine copy of windows. That alert is due to not having a product key and the trial period expiring. It does not hinder the game in any way other than the warning popping up. If it appears, simply exit out of it and continue on.

• Some things that may help you in the game are below.
– The Internet
– Get-help
– /?
– The Tab key will help with finishing out commands

Display Credentials For All Previous Wireless Networks Connected To

I was at a friend’s house and needed to connect my laptop to his network. My friend was reluctant to give me the password to his network and decided to type it in himself. In his mind, he was just doing his part to provide some security to his home network, so I don’t blame him, but it did spark my curiosity as to whether there was a way to pull the password. So I fired up PowerShell and began pegging away. The below code will return the SSID and password for every network the computer it is run on has connected to.