The Purple Team Journey: My Cybersecurity Chronicles.

PowerShell Exploitation in Cyber Attacks PowerShell has become a common attack vector due to its powerful scripting capabilities and deep integration with Windows systems. Below, we’ll go through advanced technical details, real-world use cases, and thorough explanations for different PowerShell exploitation methods. Recently, PowerShell has become a favored tool among cyber attackers. The Carbon Black Threat Research Team, alongside numerous managed security service providers (MSSP) and incident response (IR) partners, reported an increasing use of PowerShell in cyber attacks. Their research indicates that 38% of cyber incidents involved PowerShell, with 87% of these incidents being commodity malware attacks like click fraud, fake antivirus, ransomware, and other opportunistic malware. Social engineering remains the primary technique for delivering these PowerShell-based attacks, often via malicious email attachments or links. 38% of the confirmed incidents seen by 28 MSSP and IR part...

Differential analysis is a powerful method for tracking changes in your system’s configuration. It helps you detect anomalies or suspicious activities, such as malware or unauthorized changes, by comparing the current state of a system to a known baseline. Let’s dive deeper into advanced use cases, case scenarios, and additional examples that illustrate how to apply differential analysis effectively using PowerShell. 1. Services Differential Analysis - Advanced Use Cases. In a typical use case, you’d want to monitor services that run on your system. Malware often installs services to maintain persistence, so it’s crucial to identify any unexpected services. Let's take a closer look at how to extend the analysis and adapt it for real-world scenarios. Case Scenario 1: New Service Addition. Suppose you suspect malware added a new service to your system. You can check the differences between the baseline and the current service list. Example: ```powershell $servicenow = Get-Content .\s...

Detailed Overview: PowerShell for Registry Analysis Modifying the registry can lead to significant system instability or data loss if not handled properly. Always back up your registry before making changes. For more information, refer to these Microsoft guidelines: - [Windows Registry Advanced Users Guide](https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/windows-registry-advanced-users) - [How to Backup and Restore the Registry](https://support.microsoft.com/en-us/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692) Registry Query Using PowerShell The Windows Registry stores settings and options for both the operating system and installed software. You can use PowerShell to query and manipulate these registry keys. Example 1: Query Programs in the Run Key To list programs that are configured to run automatically upon login, use the following command: ```powershell Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\W...

 Enhancing Efficiency in PowerShell 1. Auto-complete commands: ``` PS C:\\> get-child<TAB> PS C:\\> Get-ChildItem ``` - Description: PowerShell provides an auto-completion feature when typing commands. The <TAB> key can be used to complete cmdlets, file paths, or parameter names. - Usage: After typing part of the cmdlet (e.g., get-child), pressing <TAB> will auto-complete it to the full cmdlet name Get-ChildItem. 2. Shorten parameters: ``` PS C:\\> ls –recurse PS C:\\> ls -r ``` - Description: PowerShell allows the use of shortened cmdlet parameters to save time and reduce the length of commands. - Usage: The -recurse parameter in ls can be abbreviated as -r, allowing for faster typing while maintaining the same functionality.  Essential PowerShell Concepts 1. Help & examples: ``` PS C:\\> Get-Help [cmdlet] -examples PS C:\\> help [cmdlet] -examples ``` - Description: Provides examples on how to use a cmdlet. - Usage: The -examples flag ...

Discovering Cmdlets 1. List all cmdlets: ```powershell PS C:\\> Get-Command ``` - Description: `Get-Command` is used to list all commands available in the current PowerShell session, which includes cmdlets, functions, workflows, scripts, and aliases. - Details: When you run `Get-Command`, PowerShell will show you a list of commands that are defined in the session. This can include built-in cmdlets, third-party modules, or any custom functions/scripts you have loaded. - Use case: Useful when you're unsure of what commands are available or when you're looking for a specific cmdlet. 2. Filter cmdlets by verb: ```powershell PS C:\\> Get-Command Set* PS C:\\> Get-Command –Verb Set ``` - Description: The `Get-Command` cmdlet can be filtered to show cmdlets based on their verb. In PowerShell, cmdlets follow a naming convention of `<Verb>-<Noun>`, where the verb describes the action, and the noun describes the object being acted upon. - Details:    - `Set` will li...

1. List directory contents (ls, dir, gci): ```powershell PS C:\\> Get-ChildItem ``` - `Get-ChildItem`: Lists the files and directories in the current directory.  - Common Aliases: `ls`, `dir`, `gci`. - The cmdlet retrieves items from the current location or from the specified path. By default, it lists files and folders. 2. Copy a file (cp, copy, cpi): ```powershell PS C:\\> Copy-Item src.txt dst.txt ``` - `Copy-Item`: Copies a file or directory from a source (`src.txt`) to a destination (`dst.txt`). - Common Aliases: `cp`, `copy`, `cpi`. - If the destination is a folder, the item will be copied into that folder. If the destination is a file, it will be copied and renamed accordingly. 3. Move a file (mv, move, mi): ```powershell PS C:\\> Move-Item src.txt dst.txt ``` - `Move-Item`: Moves a file or directory from a source (`src.txt`) to a destination (`dst.txt`). - Common Aliases: `mv`, `move`, `mi`. - If the destination is a folder, the item is moved into that folder. If t...

1. Perform a network ping sweep: ```powershell PS C:\\> 1..255 | % {echo "192.168.1.$_"; ping -n 1 -w 100 192.168.1.$_ | Select-String ttl} ``` - `1..255`: Generates a sequence of numbers from 1 to 255. These represent the last octet of the target IP addresses (`192.168.1.1` to `192.168.1.255`). - `%`: The shorthand for `ForEach-Object` cmdlet, iterating over each number in the range. - `ping -n 1 -w 100`: Sends one (`-n 1`) ICMP Echo Request packet to the target IP address with a timeout of 100 milliseconds (`-w 100`). - `Select-String ttl`: Filters the output of the `ping` command to capture responses with a TTL value, indicating that the target host is reachable. 2. Execute a port scan: ```powershell PS C:\\> 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("192.168.1.1",$_)) "Port $_ is open!"} 2>$null ``` - `1..1024`: Iterates over the port range from 1 to 1024. - `new-object Net.Sockets.TcpClient`: Creates an instance of the `Tc...