Getting Started with PowerShell Core

Hello, BugBuster’s community! Today, we will explore PowerShell Core, an incredibly powerful tool making waves in cybersecurity. If you’re familiar with traditional Windows PowerShell, you’ll be excited to learn about its advancements and benefits.

PowerShell Core is a modern, cross-platform version of PowerShell that runs on Windows, macOS, and Linux. This flexibility makes it a valuable asset for cybersecurity professionals who work in diverse environments and need a robust tool that operates seamlessly across different systems.

Unlike the traditional Windows PowerShell built on the .NET Framework, PowerShell Core is built on .NET Core. This foundation offers improved performance, modern features, and the ability to run on a broader range of operating systems. This cross-platform capability is particularly beneficial in cybersecurity, where environments vary widely.

Critical Differences Between PowerShell Core and Windows PowerShell

1. Cross-Platform Support:
   • PowerShell Core can run on Windows, macOS, and Linux, making it incredibly versatile for cybersecurity tasks across different platforms.
2. Performance and Features:
   • Built on .NET Core, PowerShell Core provides enhanced performance and access to modern features that are not available in Windows PowerShell.
3. Compatibility:
   • While PowerShell Core is designed to be as compatible as possible with existing PowerShell scripts, some differences exist due to the underlying platform changes. However, most cmdlets and scripts work seamlessly, and the community and support for PowerShell Core continue to grow.

PowerShell Core’s cross-platform nature and enhanced capabilities make it an ideal tool for cybersecurity professionals who need to automate tasks, manage systems, and respond to threats quickly and efficiently. In this article, we’ll guide you through setting up PowerShell Core, explore some basic commands, and demonstrate how it can streamline your security workflows.

So, let’s get started and unlock the potential of PowerShell Core in your cybersecurity toolkit.

Understanding PowerShell Core

PowerShell Core is a significant evolution from the traditional Windows PowerShell, designed to meet the demands of modern IT environments and cybersecurity practices. Let’s delve into its features, benefits, and the key differences that make it an essential tool for today’s cybersecurity professionals.

Features and Benefits of PowerShell Core

1. Cross-Platform Support:
   • Versatility: One of the most significant advancements of PowerShell Core is its ability to run on Windows, macOS, and Linux. This cross-platform support ensures that you can use the same powerful toolset across different operating systems, making it incredibly versatile for any cybersecurity professional.
   • Unified Toolset: Whether you’re managing a mixed environment or switching between different systems, PowerShell Core provides a unified toolset, reducing the need to learn multiple scripting languages for various platforms.
2. Enhanced Performance:
   • Improved Speed: Built on the open-source .NET Core, PowerShell Core offers enhanced performance over the traditional Windows PowerShell. Scripts run faster and more efficiently, which is crucial when automating complex security tasks.
   • Resource Management: The improved performance also means better resource management, allowing you to run intensive scripts without significantly impacting system performance.
3. Modern Cmdlets and Features:
   • Updated Cmdlets: PowerShell Core includes a range of modern cmdlets that are optimized for current IT and security needs. These cmdlets provide more functionality and flexibility, enabling you to perform more tasks with fewer commands.
   • New Features: In addition to updated cmdlets, PowerShell Core introduces new features such as advanced logging, improved error handling, and enhanced debugging tools. These features make developing, troubleshooting, and optimizing scripts easier.

Key Differences Between PowerShell Core and Windows PowerShell

1. Platform:
   • PowerShell Core: Runs on .NET Core, which is cross-platform and open-source.
   • Windows PowerShell: Runs on the .NET Framework, which is Windows-only and proprietary.
2. Compatibility:
   • PowerShell Core: While designed to be compatible with most Windows PowerShell scripts, some differences exist due to the underlying .NET Core. PowerShell Core continues to evolve with community support and regular updates.
   • Windows PowerShell: Fully compatible with Windows environments and applications but lacks the cross-platform capabilities and modern enhancements of PowerShell Core.
3. Community and Support:
   • PowerShell Core: Actively developed and supported by the community and Microsoft, with frequent updates and improvements. Being open-source, it benefits from contributions and feedback from many users.
   • Windows PowerShell: Although still widely used, it is not actively developed with new features, as the focus has shifted to PowerShell Core.

Why PowerShell Core is Preferable for Modern Cybersecurity Tasks

• Cross-Platform Operations: As cybersecurity professionals often deal with a variety of operating systems, the ability to use a single tool across all platforms simplifies workflow and enhances productivity.
• Improved Automation: Enhanced performance and modern cmdlets enable more efficient automation of repetitive tasks, which is critical for maintaining robust security measures.
• Future-Proofing: With ongoing development and community support, PowerShell Core ensures you have access to the latest features and security improvements.

Understanding these features and benefits clarifies why PowerShell Core is an invaluable tool for modern cybersecurity tasks. In the next section, we’ll guide you through the setup and initial configuration of PowerShell Core, so you can start leveraging its capabilities immediately.

Advertisements

Setting Up PowerShell Core

Now that we’ve covered PowerShell Core and why it’s a powerful cybersecurity tool, it’s time to get it up and running on your system. These step-by-step instructions will help you install and configure PowerShell Core smoothly, whether you’re using Windows, macOS, or Linux.

Installing PowerShell Core on Different Operating Systems

Windows

1. Download the Installer:
   • Visit the PowerShell GitHub Releases page.
   • Download the latest .msi package for Windows.
2. Run the Installer:
   • Double-click the downloaded .msi file.
   • Follow the installation wizard instructions to complete the installation.
3. Verify the Installation:
   • Open PowerShell Core by searching for pwsh in the Start menu.
   • In the PowerShell Core window, type the following command to check the version:

pwsh --version

macOS

1. Install Homebrew (if not already installed):
   • Open the Terminal application.
   • Run the following command to install Homebrew:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

2. Install PowerShell Core:

• Once Homebrew is installed, run the following command in Terminal:

brew install --cask powershell

3. Verify the Installation:

• Open a new Terminal window.
• Type the following command to start PowerShell Core:

pwsh

• Then, check the version with:

pwsh --version

Linux

1. Update Package Repository:
   • Open your terminal.
   • Run the following commands to update the package repository and install the necessary prerequisites:

sudo apt update
sudo apt install -y wget apt-transport-https software-properties-common

2. Add Microsoft Repository:

• Import the public repository GPG keys:

wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb

3. Install PowerShell Core:

• Run the following commands to install PowerShell Core:

sudo apt update
sudo apt install -y powershell

4. Verify the Installation:

• Start PowerShell Core by typing:

pwsh

• Then, check the version with:

pwsh --version

Configuring the Environment

After installing PowerShell Core, let’s configure the environment to optimize your workflow.

1. Setting Up Aliases:
   • Create aliases for frequently used commands to save time. For example:

Set-Alias ll Get-ChildItem

2. Customizing the Profile:

• Customize your PowerShell profile to load your preferred settings and functions each time PowerShell starts.
• Open your profile script for editing:

if (!(Test-Path -Path $PROFILE)) {
    New-Item -ItemType File -Path $PROFILE -Force
}
notepad $PROFILE

• Add customizations, such as aliases or functions, and save the file.

3. Installing Modules:

• Enhance PowerShell Core’s capabilities by installing additional modules. For instance, the PSReadLine module improves the command-line editing experience:

Install-Module -Name PSReadLine -Scope CurrentUser -Force -SkipPublisherCheck

By following these steps, you’ll have PowerShell Core installed and configured on your system, ready to tackle various cybersecurity tasks. In the next section, we’ll explore some basic PowerShell Core commands that are particularly useful for security operations. Stay tuned!

Basic PowerShell Core Commands

Hello again, BugBustersUnited community! Now that you have PowerShell Core installed and configured, it’s time to dive into some basic commands. These key cmdlets are particularly relevant for security operations and can significantly enhance your efficiency in bug bounty hunting and other cybersecurity tasks. Let’s explore these commands and see how they can be applied in practical scenarios.

Key PowerShell Core Cmdlets for Cybersecurity

1. Get-Process:
   • Description: Retrieves information about the processes running on your computer.
   • Example:

Get-Process

• Use Case: Monitor running processes to identify suspicious activity or unexpected resource usage.

2. Get-Service:

• Description: Retrieves the status of services on a local or remote machine.
• Example:

Get-Service

• Use Case: Check the status of critical security services to ensure they are running and configured correctly.

3. Get-EventLog:

• Description: Retrieves events from event logs on the local or remote computers.
• Example:

Get-EventLog -LogName Security -Newest 50

• Use Case: Analyze recent security events to identify potential security breaches or policy violations.

4. Get-ChildItem:

• Description: Gets the items and child items in one or more specified locations.
• Example:

Get-ChildItem -Path C:\ -Recurse -Filter *.exe

• Use Case: Search for executable files across the file system to identify unauthorized or suspicious programs.

5. Invoke-WebRequest:

• Description: Gets content from a web page on the internet.
• Example:

Invoke-WebRequest -Uri "https://example.com" -OutFile "example.html"

• Use Case: Automate retrieving web content for analysis, such as downloading files or scanning web pages for vulnerabilities.

6. Get-NetTCPConnection:

• Description: Gets current TCP connections.
• Example:

Get-NetTCPConnection

• Use Case: Monitor network connections to detect unauthorized or suspicious network activity.

7. Test-Connection:

• Description: Sends ICMP echo request packets (pings) to one or more computers.
• Example:

Test-Connection -ComputerName google.com

• Use Case: Check connectivity to critical systems or external resources to ensure they are reachable.

8. Get-LocalUser:

• Description: Gets local user accounts.
• Example:

Get-LocalUser

• Use Case: Enumerate local user accounts to audit user permissions and detect unauthorized accounts.

Practical Use Cases

1. Monitoring Suspicious Processes:
   • Use Get-Process to monitor for processes that are consuming an unusually high amount of resources or are unexpected:

Get-Process | Where-Object { $_.CPU -gt 100 }

2. Checking Service Status:

• Ensure that critical security services are running:

Get-Service | Where-Object { $_.Status -ne 'Running' }

3. Analyzing Security Logs:

• Retrieve and analyze recent security events to investigate potential breaches:

Get-EventLog -LogName Security -Newest 100 | Where-Object { $_.EventID -eq 4625 }

4. Scanning for Executable Files:

• Search the file system for executable files, which can help in identifying unauthorized software:

Get-ChildItem -Path C:\ -Recurse -Filter *.exe | Select-Object FullName, Length, CreationTime

5. Automating Web Requests:

• Automate the download of web content for vulnerability analysis:

Invoke-WebRequest -Uri "https://example.com/vulnerable_page" -OutFile "C:\Downloads\vulnerable_page.html"

6. Monitoring Network Connections:

• Monitor active network connections to detect anomalies:

Get-NetTCPConnection | Where-Object { $_.State -eq 'Established' }

Mastering these basic PowerShell Core commands can significantly enhance your ability to automate tasks, monitor systems, and identify potential security issues. These examples provide a solid foundation to start exploring the power of PowerShell Core in your cybersecurity practices.

Automating Security Tasks with PowerShell Core

Now that you’ve familiarized yourself with some basic PowerShell Core commands, it’s time to explore how you can leverage these commands to automate repetitive security tasks. Automation saves time and ensures consistency and accuracy in your security workflows. Let’s dive into writing simple scripts for log analysis, system monitoring, and vulnerability scanning and see how these can streamline your security operations.

Automating Log Analysis

Log analysis is crucial for identifying potential security incidents and compliance issues. Automating this task ensures that you can quickly and consistently analyze logs to detect anomalies.

1. Script to Extract Failed Login Attempts:

# Define the output file path
$outputPath = "C:\Logs\FailedLogins.csv"

# Get failed login attempts from the Security event log
$failedLogins = Get-WinEvent -LogName Security -FilterHashtable @{Id=4625}

# Select relevant properties and export to CSV
$failedLogins | Select-Object TimeCreated, Id, LevelDisplayName, Message | Export-Csv -Path $outputPath -NoTypeInformation

• Benefits:
• Automatically generates a report of failed login attempts.
• Provides a consistent method for identifying potential unauthorized access attempts.

Automating System Monitoring

Regular system monitoring is essential to ensure that your infrastructure is secure and performing optimally. PowerShell Core can help automate these checks.

1. Script to Monitor System Performance:

# Define the output file path
$outputPath = "C:\Monitoring\SystemPerformance.csv"

# Get system performance data
$performanceData = Get-Counter -Counter "\Processor(_Total)\% Processor Time","\Memory\Available MBytes","\LogicalDisk(_Total)\% Free Space"

# Export performance data to CSV
$performanceData.CounterSamples | Select-Object Path, InstanceName, CookedValue | Export-Csv -Path $outputPath -NoTypeInformation

• Benefits:
• Provides regular updates on system performance metrics.
• It helps identify performance bottlenecks and potential security issues.

Automating Vulnerability Scanning

Vulnerability scanning is a proactive approach to identifying and mitigating security risks. Automating this task ensures that you can regularly check for vulnerabilities without manual intervention.

1. Script to Scan for Missing Updates:

# Install PSWindowsUpdate module if not already installed
if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
    Install-Module -Name PSWindowsUpdate -Force
}

# Import the module
Import-Module PSWindowsUpdate

# Define the output file path
$outputPath = "C:\VulnerabilityScanning\MissingUpdates.csv"

# Get missing updates
$missingUpdates = Get-WindowsUpdate -IsInstalled $false

# Export missing updates to CSV
$missingUpdates | Select-Object Title, KBArticleID, Size, InstallDate | Export-Csv -Path $outputPath -NoTypeInformation

• Benefits:
• Ensures systems are regularly checked for missing updates.
• Helps maintain security compliance by identifying and addressing vulnerabilities promptly.

Practical Examples

1. Automating Disk Space Monitoring:
   • Script:

# Define the threshold for free space (in percentage)
$threshold = 10

# Get all logical drives
$drives = Get-PSDrive -PSProvider FileSystem

# Check each drive for free space
foreach ($drive in $drives) {
    if ($drive.Used/$drive.Used + $drive.Free * 100 -gt $threshold) {
        Write-Output "Drive $($drive.Name) is running low on space. Only $($drive.Free / 1GB) GB left."
    }
}

• Benefits:
• Alerts you when disk space is running low, preventing potential system outages.

2. Automating User Account Audits:

• Script:

# Define the output file path
$outputPath = "C:\Audits\UserAccounts.csv"

# Get all local user accounts
$users = Get-LocalUser

# Export user accounts to CSV
$users | Select-Object Name, Enabled, LastLogon, Description | Export-Csv -Path $outputPath -NoTypeInformation

• Benefits:
• Provides regular audits of user accounts to ensure compliance and detect unauthorized accounts.

By automating these security tasks with PowerShell Core, you can significantly enhance the efficiency and effectiveness of your cybersecurity operations. These scripts provide a foundation for automating more complex workflows, allowing you to focus on strategic initiatives rather than repetitive tasks. Next, we’ll explore advanced configuration and scripting techniques to extend the capabilities of PowerShell Core further.

Advertisements

Advanced Configuration and Scripting

After covering the basics and some automation scripts, it’s time to explore the advanced features and scripting techniques of PowerShell Core. These advanced configurations will help you create more powerful and flexible scripts, further enhancing your security operations. Let’s explore creating functions, handling errors, and using modules to take your PowerShell skills to the next level.

Creating Functions

Functions allow you to encapsulate code into reusable blocks, making your scripts more modular and easier to manage.

1. Defining a Function:

function Get-DiskSpace {
    param (
        [string]$DriveLetter = "C"
    )
    Get-PSDrive -Name $DriveLetter | Select-Object Name, @{Name="FreeSpaceGB";Expression={[math]::round($_.Free/1GB,2)}}
}

# Calling the function
Get-DiskSpace -DriveLetter "D"

• Benefits:
• Encapsulates repetitive tasks into reusable blocks.
• It makes your scripts cleaner and more organized.

Handling Errors

Proper error handling ensures that your scripts can gracefully handle unexpected situations without crashing.

1. Try-Catch Blocks:

function Get-ProcessInfo {
    param (
        [string]$ProcessName
    )
    try {
        $process = Get-Process -Name $ProcessName -ErrorAction Stop
        return $process
    } catch {
        Write-Output "Error: Process $ProcessName not found."
    }
}

# Calling the function
Get-ProcessInfo -ProcessName "notepad"

• Benefits:
• Catches and handles errors, preventing script failures.
• Provides meaningful error messages and alternate actions.

Using Modules

Modules allow you to package and distribute your scripts, functions, and cmdlets. This makes it easy to share and reuse code.

1. Creating a Module:
   • Step 1: Create a new folder with the name of your module (e.g., MySecurityModule).
   • Step 2: Inside this folder, create a .psm1 file (e.g., MySecurityModule.psm1).
   • Step 3: Add functions or scripts to the .psm1 file:

function Get-SecurityLogs {
    Get-EventLog -LogName Security
}

function Get-SystemInfo {
    Get-ComputerInfo
}

• Step 4: Import and use the module in your scripts:

Import-Module -Name "C:\Path\To\MySecurityModule"
Get-SecurityLogs
Get-SystemInfo

• Benefits:
  • Organizes and packages your scripts for easy distribution and reuse.
  • Enhances script modularity and maintainability.

Example of a Complex Script

You can create complex scripts that perform sophisticated security operations by combining functions, error handling, and modules.

1. Vulnerability Scanning and Reporting Script:

# Define the module
New-Item -ItemType Directory -Path "C:\MySecurityModule"
New-Item -ItemType File -Path "C:\MySecurityModule\MySecurityModule.psm1"

# Add functions to the module
Set-Content -Path "C:\MySecurityModule\MySecurityModule.psm1" -Value @"
function Get-MissingUpdates {
    try {
        if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
            Install-Module -Name PSWindowsUpdate -Force
        }
        Import-Module PSWindowsUpdate
        $updates = Get-WindowsUpdate -IsInstalled $false
        return $updates
    } catch {
        Write-Output "Error: Unable to retrieve updates."
    }
}

function Get-DiskUsage {
    param (
        [string]$DriveLetter = "C"
    )
    try {
        $diskUsage = Get-PSDrive -Name $DriveLetter | Select-Object Name, @{Name="FreeSpaceGB";Expression={[math]::round($_.Free/1GB,2)}}
        return $diskUsage
    } catch {
        Write-Output "Error: Unable to retrieve disk usage."
    }
}
"@

# Import the module
Import-Module -Name "C:\MySecurityModule"

# Use the functions from the module
$updates = Get-MissingUpdates
$diskUsage = Get-DiskUsage -DriveLetter "C"

# Export the results to CSV
$updates | Select-Object Title, KBArticleID, Size, InstallDate | Export-Csv -Path "C:\SecurityReports\MissingUpdates.csv" -NoTypeInformation
$diskUsage | Export-Csv -Path "C:\SecurityReports\DiskUsage.csv" -NoTypeInformation

• Benefits:
  • Combines various advanced scripting techniques for a robust security script.
  • Automates comprehensive vulnerability scanning and reporting.

You can significantly enhance your scripts’ power, flexibility, and reliability by mastering these advanced PowerShell Core features. This enables you to handle more complex security tasks and improve your overall efficiency in managing cybersecurity operations.

Harness the Power of PowerShell Core in Your Cybersecurity Journey

As we wrap up our exploration of PowerShell Core, let’s take a moment to reflect on the key points we’ve covered and the tremendous potential this tool holds for your cybersecurity practices. PowerShell Core offers versatility, enhanced performance, and cross-platform capabilities that make it an indispensable asset for any cybersecurity professional, especially those engaged in bug bounty hunting.

Key Takeaways

• Introduction to PowerShell Core: We introduced PowerShell Core and highlighted its advantages over traditional Windows PowerShell, emphasizing its cross-platform support and modern cmdlets.
• Understanding PowerShell Core: We delved into the features and benefits of PowerShell Core, explaining why it is preferable for modern cybersecurity tasks.
• Setting Up PowerShell Core: Step-by-step installation guides for Windows, macOS, and Linux were provided, along with tips for configuring your environment.
• Basic PowerShell Core Commands: We explored essential cmdlets and practical use cases, showcasing how these commands can enhance your security operations.
• Automating Security Tasks: We demonstrated how to write scripts to automate repetitive tasks like log analysis, system monitoring, and vulnerability scanning, highlighting the benefits of automation.
• Advanced Configuration and Scripting: Advanced features and scripting techniques were discussed, including creating functions, handling errors, and using modules to build more powerful and flexible scripts.

The Importance of Continued Learning and Automation

PowerShell Core is a powerful tool, but its true potential is realized through continuous learning and practice. As cybersecurity threats evolve, so too must your skills and tools. Automation is a key component in staying ahead of these threats, allowing you to efficiently manage and secure your systems.

Here are some resources to help you continue your journey with PowerShell Core:

• Microsoft PowerShell Documentation: MS Powershell
• Community Forums: Engage with other professionals on forums like PowerShell Community.
• Books: Learn Windows PowerShell in a Month of Lunches, which is a great resource to deepen your understanding.

Join the Conversation

We encourage all members and visitors of the BugBustersUnited community to share their experiences with PowerShell Core. Your insights and stories can help others learn and grow:

• Share Your Usage: How are you using PowerShell Core in your cybersecurity tasks? What scripts have you found most effective?
• Discuss the Goods and Bads: What successes have you achieved with PowerShell Core? What challenges have you faced, and how did you overcome them?
• Contribute to the Community: Your feedback can help improve our collective understanding and application of PowerShell Core in cybersecurity.

By integrating PowerShell Core into your cybersecurity practices and continuously expanding your knowledge, you can elevate your skills and make a significant impact in your organization. Let’s harness the power of automation together and create a safer digital world. Happy scripting, BugBusters!