PowerShell and live response – why are they so good together?

PowerShell is a powerful management tool designed for system automation and configuration; however, its flexibility makes it well suited to other purposes as well. Recent development of PowerShell has also placed it on the list of live response tools an incident responder should have in their toolbox. In this blog post I’ll go through several key points on why PowerShell is as good as it is from the incident responder’s point of view.

Windows PowerShell has been a built-in component of Windows for over a decade

When the tools used for investigation are already present in the system, the investigation workflow becomes more robust and efficient. Windows PowerShell has been a built-in component of Windows NT operating systems since Windows XP and Windows Server 2008. Since its first release in 2006, Windows PowerShell has been continuously developed by Microsoft. It’s currently at version 5.1.

In recent years Microsoft has become a more prominent player in the open-source community. Microsoft has open-sourced PowerShell, and the community is now involved in its development. Microsoft has announced on different occasions that the development of Windows PowerShell has reached the end of its life. This does not mean, however, that Windows PowerShell is going anywhere. Version 5.1 remains usable in the future, and different versions of PowerShell can be used side-by-side on Windows operating systems. It is worth noting that the use of older versions of Windows PowerShell (< 5.1) is no longer recommended.

New era PowerShell is open-source and cross-platform

Early open-source versions of PowerShell are built on .NET Core, and the most recent versions on .NET. Unlike the Windows-only .NET Framework, .NET Core and .NET are not operating system dependent, which allows cross-platform versions of PowerShell to be built. By now it has been packaged for macOS and different Linux distributions, covering all major operating systems used in enterprises.

Investigation can be performed remotely

Today’s global organization networks require live response on devices and systems that are not readily physically accessible. PowerShell can be used to establish a remote connection to several Windows systems without wrestling with the configuration or installation of additional components. Therefore, the same connections that system administrators use for their management tasks can be used for live response investigation workflows, which makes the investigation more manageable. For remote connections where one of the parties runs Linux or macOS, PowerShell remoting is established over SSH. Regardless of the underlying remoting protocol, the connection is secure by default.

Actions are traceable

Live investigation inevitably changes the system’s state, so it is essential that the impact of the analysis tool is well known. Misuse of a tool can hinder the investigation, making it hard to differentiate the investigator’s legitimate actions from an adversary’s malicious ones. At worst the tool can tamper with vital evidence, which is not acceptable.

The impact of PowerShell is traceable through its versatile built-in logging features. You can easily create a timeline of the actions you made with the tool, and log and report them, using only the features that PowerShell offers.
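As an added example (not code from the original post), the script below runs a short volatile-data collection under a transcript and then reconstructs the investigator’s own command timeline from PowerShell’s operational log. It assumes Script Block Logging is enabled on the host (Event ID 4104), that the session runs with local administrator rights, and that the case name and output directory are placeholders to be replaced.

```powershell
# Added example, not from the original post.
# Assumes: Script Block Logging is enabled (Event ID 4104 in the
# Microsoft-Windows-PowerShell/Operational log) and local admin rights.
# The case name and output directory are placeholders.
$CaseName = 'CASE-PLACEHOLDER'
$OutDir   = Join-Path $env:TEMP "live-response-$CaseName"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Record every command and its output for the case file.
Start-Transcript -Path (Join-Path $OutDir 'transcript.txt') -IncludeInvocationHeader
$SessionStart = Get-Date

# 2. Volatile data first: running processes, then listening/established TCP connections.
Get-Process |
    Select-Object Id, ProcessName, Path, SessionId |
    Export-Csv (Join-Path $OutDir 'processes.csv') -NoTypeInformation
Get-NetTCPConnection -State Listen, Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Join-Path $OutDir 'tcp.csv') -NoTypeInformation

$SessionEnd = Get-Date
Stop-Transcript

# 3. Build a timeline of what PowerShell itself logged about this session.
#    In a 4104 event the executed script block text is property index 2.
$Timeline = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $SessionStart
    EndTime   = $SessionEnd
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Host        = $_.MachineName
            ScriptBlock = ($_.Properties[2].Value -replace '\s+', ' ').Trim()
        }
    } | Sort-Object Time

$Timeline | Export-Csv (Join-Path $OutDir 'investigator-timeline.csv') -NoTypeInformation
$Timeline | Format-Table -AutoSize -Wrap
```

The transcript gives the human-readable record, while the 4104-based timeline gives an independent, log-backed account of exactly which script blocks ran and when, so the investigator’s activity can be separated from anything else in the log.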

PowerShell is fairly easy to put to use

Windows PowerShell is probably already familiar to those performing administrative tasks such as file system management, listing of running processes, or firewall rule management on their Windows computers, only to mention a few. For those unfamiliar with PowerShell, the learning curve is low, and the detailed documentation helps when needed.

Learning PowerShell is time well spent. The tool is a platform-independent Swiss Army knife, and mastering it will prove invaluable on other occasions as well.

Scripting reduces the amount of repetitive work

An investigation can easily consist of hundreds or thousands of endpoints. An investigation performed manually at this scale quickly becomes unwieldy. The PowerShell scripting language is a mixture of object-oriented and functional programming paradigms, which makes it a flexible and powerful tool that allows an investigator to construct automated, robust, and manageable scripts for their workflows.


Joni Ahonen
Technical Specialist
Institute of Information Technology, JAMK University of Applied Sciences
