Discover and read the best of Twitter Threads about #PowerShell

Most recent (24)

🐀 AsyncRAT 🐀 - Defeating Obfuscation Using CyberChef

An overview of some advanced CyberChef tricks for decoding malware

[1/12] 🧵

#AsyncRAT #Decoding #CyberChef #Malware
[Images: Decoding Decimal Values using CyberChef; Decoding String Reverse using CyberChef; Decoding Replace Operations using CyberChef; Example of Using Registers and Regex to perform Replace Oper]
[2/] First, some links if you wish to follow along.

The Malware File: bazaar.abuse.ch/sample/26c9f29…

Links to CyberChef Recipes:
github.com/embee-research…
[3] Decimal Values:

Some text is converted to decimal to hinder simple text based analysis.

To defeat:
- Subsection - This grabs encoded data without removing the rest of the script
- Regex - Grab the decimal and ignore the "chr" junk
- From Decimal - Decode the decimal
[Image: Decimal Encoded Values "chr(45)" etc - Prior to De]
Read 12 tweets
Even with the $20B drop in Fed balance sheet yesterday, #NetLiquidity is still up yesterday and today.
Projected TGA change in tomorrow's report:

+$143B

Also keep in mind the QT over the next three Thursdays:

-$19B
-$17B
-$39B

RRP +$19B
Read 66 tweets
Recorded Future analysts monitor targeting of ethnic and religious minorities by Chinese state-sponsored groups. In the first half of 2022, #TA413 exploited zero-days #Follina and CVE-2022-1040 with new custom backdoor #LOWZERO in Tibetan targeting. 1/9 bit.ly/3LwzoDf
#MalDoc lures, in Tibetan language, pose as applications for compensation, contest... This one sent from tibet[.]bet was weaponized with #RoyalRoad SHA 028e07fa88736f405d24f0d465bc789c3bcbbc9278effb3b1b73653847e86cf8, drops #LOWZERO and contacts hardcoded C2 45.77.19[.]75. 2/9
Sent from the same domain, this lure has #phishing email links to tibet-gov.web[.]app posing as the Tibetan government-in-exile. Sent in 2 waves, the 1st email links to .docx attachment hosted on Google Firebase which attempts #Follina via the ms-msdt MSProtocol URI scheme. 3/9
Read 9 tweets
PowerShell is a cross-platform task automation solution: a command-line shell, a scripting language, and a configuration management framework.
PowerShell runs on Windows, Linux, & macOS.

To master #PowerShell, here are some excellent free resources: 🧵

#Linux #Windows #infosec
PowerShell for Beginners

Read 5 tweets
n² likes = n powershell tips
I guess I should tag this #powershell lol

1/ `?` is an alias for Where-Object and `%` is an alias for ForEach. So you can do `obj | ? filter | % block` to do things compactly.

`&` lets you invoke a string or script-block as a powershell command
2/ ctrl-space gives you a menu-completion for all options. This means you can write `obj.` and hit ctrl-space to get all its properties.

Alternatively, you can pipe the object to the `get-member` cmdlet
Read 18 tweets
NEW: Reconstructing PowerShell scripts from multiple Windows event logs

On the trail of malicious #PowerShell artifacts too large to be contained in a single log? Help is on the way.

1/19
Adversaries continue to abuse PowerShell to execute malicious commands and scripts. It's easy to understand its popularity among attackers: Not only is it present on all versions of Windows by default (and crucial to so many Windows applications that few disable it)... 2/19
... this powerful interactive CLI and scripting environment can execute code in-memory without malware ever touching the disk. This poses a problem for defenders and researchers alike. 3/19
Read 19 tweets
THREAD
Found an interesting #PowerShell dropper today that uses multiple rounds of complex obfuscation, even actual encryption. And I reversed the whole thing using one stupid trick: Replace 'Invoke-Expression' with 'Write-Host'. Wanna see?
The initial script has two lines: the first writes obfuscated code to the string variable $dz61UV and the second executes the contents of that string with Invoke-Expression after first reversing the order of bytes and stripping out unneeded spaces.
Invoke-Expression is first replaced with its shorthand 'IEX' and then in the next round reconstructed to 'ieX' from characters in the Windows $ShellId global environment variable. In both cases, replacing with Write-Host works just fine.
Read 5 tweets
🔷Want to master the command line but struggling to find where to start? Then here is the mega thread 🧵 for you to start
🔷This thread covers Windows commands, PowerShell cmdlets, and Linux shell commands alongside Mac
🔷You will get to know Kernels & Shells

#Windows #Linux #macOS
What is a kernel?
What is a shell?
What is the relation?
Contrary to what many think, every operating system has a kernel, not just Linux; it's a misconception
#kernel #Shell #DEVCommunity
Windows - Regular Command Prompt
Linux - Most of shells like SH, BASH and ZSH
Apple - ZSH shell
#Developer
Read 13 tweets
CVE-2021-36934
A successful attacker could, #Microsoft said, "install programs; view, change, or delete data; or create new accounts with full user rights." All versions of #Windows10 from 1809 onward are #vulnerable to this attack method.
As for patches, there is none yet; instead, Microsoft has issued a workaround to restrict access via the command prompt or #PowerShell and then delete the existing system restore points.
That workaround can be found here msrc.microsoft.com/update-guide/v…
Read 3 tweets
Hi #PowerShell community. You may wonder where I've been these past few years. My blog is dormant. My PS PRs nonexistent.
What follows are my thoughts/feelings on recent community discussions.

1/11
This is not new. Neither the problems nor the promises. I sought in earnest to become a member of the PS Committee. Met with almost all of them. In the end, it did not happen. I'm mad, but not at any personal slight.

2/11
I'm mad because no one else was added either. Nothing sells me on previous MSFT employees on the committee being "community members."

3/11
Read 12 tweets
After a lot of fretting for years, I've decided to give blogging a go.
Read on to find out how you can leverage #PowerShell to create custom-file structures for your next project:
crtejaswi.github.io/blog/13-02-202…
Check out this post to learn how to easily generate QR codes for any text using #PowerShell:
crtejaswi.github.io/blog/15-02-202…
Check out this post to learn how to write a simple #PowerShell cmdlet that easily lets you log in/out of your user accounts. Not very efficient, but a helpful use-case for beginners.
crtejaswi.github.io/blog/16-02-202…
Read 5 tweets
1 / _ , where _ = 12
Here is the story of how the vast portion of my driving motivation to someday be paid for my coding prowess (i.e. a professional coder) is a phone convo from over a yr ago

#100DaysOfCode
2 / _
Backstory ...
May 20, 2019 my prev employer suddenly closed their doors

We walked into those doors that morning thinking it would be a typical Mon, only to learn at closing that we would never walk thru those doors again
3 / _
There I was, 2 Associate degrees in engineering tech (so not full blown engineering degrees, least not to HR depts) with 3 yrs exp in a niche industry

But! I had slowly been learning #PowerShell to automate many aspects of my job (and some other people's 😆)
Read 12 tweets
I have no idea why I'm looking at this but...

docs.microsoft.com/en-us/dotnet/a…

public const double PI = 3.1415926535897931;

PS > [math]::pi
3.14159265358979

3.1415926535897931
3.14159265358979

Where did my 2 digits go?

#dotnet #pi #PowerShell
The rabbit hole goes deeper...
And it goes even DEEPER... above is PS7 and this is Windows PowerShell
Read 3 tweets
Attackers can check your security visibility faster than you can configure it.

Here's an UNC group we track 😉 using Outlook home page (CVE-2017-11774) to check the target's attack surface and process creation & PowerShell event visibility - then sending it to domain-fronted C2.
If some of the #PowerShell logging terms there were new to you, make sure you check out @matthewdunwoody's classic blog on visibility.ps1: fireeye.com/blog/threat-re… (it still holds up!)

I also plan to blog with more info on the first stage TTPs (not pictured) & hardening guidance.
Here’s the blog as promised on how this persists and removes the CVE-2017-11774 patch
Read 3 tweets
It uses a spreadsheet
...to launch a macro
......to register a scheduled task
..........to run #PowerShell
.............to copy a file
................to run VBA in Outlook
..................for C2
(╯°□°)╯︵ ✉️🔥
Read 3 tweets
#Campaign in tweets - @Guardicore Labs in a new tradition; we find the attacks, you get to know them and learn the attackers' tricks and techniques. This time, let's get familiarized with "Lemon_Duck", a #cryptomining campaign involving a sophisticated #propagation tool. 🍋🦆
Before we start: all scripts, binaries and IOCs are available on our GitHub repository. In addition, malicious IPs, attack servers and domains appear on the @Guardicore Cyber Threat Intelligence portal. You're welcome to take a look :)
threatintelligence.guardicore.com/?utm_medium=or…
github.com/guardicore/lab…
Lemon_Duck starts by breaching machines over the #MSSQL service or the #SMB protocol. We'll focus on the MS-SQL flow. Once inside the machine, the attacker enables #xp_cmdshell to run shell commands. It will take only a single command line to trigger the rest of the attack.
Read 12 tweets
<thread> My thoughts around #PowerShell's future... Being blindly optimistic about PowerShell's future or overly pessimistic about major team member's departure is actionless. There will always be a future. /1
And it is the choice you make from this point on that determines how bright that future is. When you choose to use PowerShell; learn about its new use cases (e.g. in the Cloud); talk about it; build new solutions with it; /2
show the solution to peers; participate and contribute on GitHub/StackOverFlow/Reddit/PowerShell.org, and always ask your vendor when they will actively offer PowerShell support, you brighten PowerShell's future. I am sure you can think of lots more. You might ask why? /3
Read 6 tweets
A round up of tweets from 2017 about learning and exploring security follows
Incorporate the security mindset to see security issues where others see reliability problems:
• Hardcoded metasploit addresses in crashes:
• Support case:
Read 9 tweets
Which of you red-teamers is going to own up to this one? #PowerShell threat decrypts a payload from a USB drive using the volume DeviceId 😱
Decoded source: ghostbin.com/paste/7xnkx
Sample hash: e0679efedeb04d62b61fa60a3940fcf040bf21b56d920f0513e500965ca48c45
If you want to look further on this threat, I suggest these links.
Related hashes: ghostbin.com/paste/j2ce4
github.com/H3LL0WORLD/Pow…
Read 3 tweets
Put this 1,000 line #PowerShell in your malware reading list.
Source: ghostbin.com/paste/qk4vj
JoeSandbox link: joesandbox.com/analysis/33888…
@joe4security Sample hash: b2272e6d165a35ba1174c8b957c01844e6db0f366873c89fee2ff0f18d9c1af6
Also see: github.com/cocaman/retefe
@joe4security Better source link with more decode: ghostbin.com/paste/s8ykn
Read 3 tweets
That time you analyze a macro and obfuscated #PowerShell for 30 mins only to realize it's probably someone's CTF.
Sample hash: 93db9aa0c088c93867fcbca3b53a1a87705008ca619dd0ce412f924eb1648f8d
Read 3 tweets
You'd be forgiven for missing the expand.exe call in this obfuscated #PowerShell script, but command line logging sees it just fine.
Sample hash: 948e12bb410ee39f7afec26ecd2cb681d3f6b30e52626e475ac76aa5ba4957a6
@marcurdy your mention of expand.exe in helped me notice this
Read 3 tweets
Use this one-liner in #PowerShell to impress your coworkers with this selection coloring trick.😎💪
Set-ItemProperty -Path HKCU:\Console -Name EnableColorSelection -Value 1
Read 3 tweets