PowerShell is a shell scripting framework developed by Microsoft originally designed for the administration of Windows systems. It is a standard but powerful tool for systems administrators, because it allows you to quickly (and remotely) perform configuration of remote computers and other devices, and automate many repetitive tasks.
For the vast majority of administrators, PowerShell is also a fundamental component in their cybersecurity framework. When paired with an advanced data security platform such as Varonis, PowerShell allows administrators to keep a close watch on their networks, and to protect them from attack.
We’ve produced and shared many guides on how to get started with PowerShell, how to make the most of it, and also how to start using some of the more advanced features of the tool. We also have a course dedicated to PowerShell.
In this article, we’ll draw all of these resources together in one place, so you can get started with PowerShell quickly, or take your skills to the next level.
Additional Chapters on PowerShell
For quick reference, here are the guides to PowerShell we’ve published before, arranged by the topic and level of expertise they are relevant for. See more detail about the pieces in our tutorial section below.
- Windows PowerShell Tutorial
- Connecting to Office 365 with PowerShell
- PowerShell Inputs and Options
- PowerShell Scripting
Commands + Scripting
- 13 Useful PowerShell commands for Office 365
- PowerShell vs CMD
- PowerShell Objects and Data Piping
- Arrays in PowerShell
- PowerShell Tools
- PowerShell for Pentesting
- PowerView Pentesting
- PowerShell Privilege Escalation
- PowerShell and CryptoLocker
- SysMon Threat Detection Guide
- Windows Management Instrumentation (WMI)
Quick Review: What is PowerShell?
PowerShell is a shell scripting language developed by Microsoft for configuration management and automating tasks. A shell is a command interface that gives you access to features of your operating system and can be command-line based or used via a graphical user interface (GUI).
PowerShell is a ubiquitous tool for system administrators because it allows them to manage the devices and users connected to their networks much more quickly and more easily than other tools. Using PowerShell, you can quickly add new users for your networks, manage the level of access they have, and much, much more.
PowerShell is also a fundamental part of cybersecurity for network administrators because it allows them to closely monitor the activity taking place on their systems.
What is PowerShell Used For?
PowerShell has been designed to help you automate almost any administration task for Windows devices and networks. As such, almost any task you are presented with as a network administrator can be accomplished, often much more efficiently and much more quickly, through PowerShell.
Some of the most common tasks that PowerShell is used for are as follows:
- Managing users and user access across networks
- Auditing and managing devices connected to each computer on a network
- Working with secure file sharing systems in which multiple users have access to encrypted documents
- Automating tasks that are normally performed via Active Directory
Windows PowerShell Features
Each PowerShell version released by Microsoft has built on the previous iterations of the tool, and so each new version comes with new features. However, there is also a design philosophy that guides the development of PowerShell, and therefore a set of fundamental features that each version offers:
- Discoverability: Microsoft’s way of saying that PowerShell is able to give you a list of commands that can be performed, either on your local machine or on a remote machine. This means that it is easy to see when, and where, you can automate your tasks.
- Help Capabilities: The help capabilities of PowerShell are another of its key features. The Get-Help command in PowerShell provides an interactive guide to using the tool, and the -online parameter can be used to automatically search for online guides.
- Remote Commands: In most implementations, commands can be performed on remote machines as easily as on the one you are using PowerShell on. These remote capabilities build on a number of subsidiary tools provided by Microsoft. These include Windows Management Instrumentation and WS-Management, the latter of which lets users run PowerShell commands and scripts on remote computers.
- Pipelining: A powerful technique inherited from the shell languages that preceded it, and lets you feed the result of one command directly into another. In PowerShell, you can even pipe objects, rather than just text strings, in this way.
PowerShell Advantages over CMD
There are many advantages to using PowerShell over the default CMD shell. Most users will come to PowerShell after a period spent learning the basics of manual system administration.
However, there are a number of key differences between the two languages:
| PowerShell | CMD |
|---|---|
| Object-based scripting language | Text-based scripting language |
| Cmd commands work in PowerShell | PowerShell cmdlets won't work in Cmd.exe |
| System administration tasks, from managing the registry to WMI (Windows Management Instrumentation), are accessible via PowerShell | The same system administration tasks, from the registry to WMI, are not accessible via cmd |
| A powerful scripting environment that can be used to create complex scripts for managing Windows systems | Very difficult to compose complex scripts |
Scripting is much easier in PowerShell when compared to CMD for a number of key reasons.
- PowerShell has a massive library of cmdlets and modules that provide pre-built methods of accomplishing tasks.
- PowerShell lets you easily pipe output between scripts and other cmdlets. Pipes allow users to create complex scripts that pass parameters and data from one cmdlet to another. Users can create reusable scripts to automate or make mass changes with variable data – a list of servers, for example.
- Piped data is not raw text. PowerShell’s ability to move complex data objects between scripts helps to avoid data transformation mistakes and other pitfalls.
PowerShell ISE and PowerShell
The Windows PowerShell Integrated Scripting Environment (ISE) is a host application for Windows PowerShell.
By using ISE, you can run commands and write, test, and debug scripts in a single Windows-based graphic user interface. The application provides many extra features that can help you learn PowerShell: multiline editing, tab completion, syntax coloring, selective execution, context-sensitive help, and support for right-to-left languages.
ISE is a great tool for users getting used to PowerShell, because it provides a more intuitive way of writing scripts, and working with commands. However, as you build your confidence with using PowerShell, it is also worth becoming familiar with the “standard”, console-based implementation of PowerShell. This is because not all networks (or employers) will offer ISE, and so knowing how to use PowerShell in different contexts improves your agility when it comes to administration tasks.
Windows PowerShell Fundamentals
In this section, we’ll take you through all of the fundamental elements, definitions, and skills you’ll need to work with PowerShell. We’ll start right at the beginning, with launching a PowerShell window. We’ll then take you through the basic concepts in PowerShell, before moving on to more advanced guides.
In each section, we’ll provide you with links to more detailed guides on each subject, so if you want to read more you can.
PowerShell is pre-installed on every instance of Windows, and launching it is easy. In Windows 10, the search field is one of the fastest ways to launch PowerShell. From the taskbar, in the search text field, type “PowerShell”. Then, click or tap the ‘Windows PowerShell’ result.
To run PowerShell as an administrator, right-click (touchscreen users: tap and hold) on the Windows PowerShell search result, then click or tap ‘Run as administrator’.
There are also many other ways to start a PowerShell console, but this is a good method to begin with.
If you’ve used other scripting languages before, the way that PowerShell works will be instantly familiar. However, the names that PowerShell uses to refer to the elements it works with can be a little counter-intuitive. Here is a table that you can print and stick to your desk to help you remember:
| Command type | Description |
|---|---|
| Cmdlets | Cmdlets are built-in commands written in .NET languages such as VB or C#. Developers can extend the set of cmdlets by writing and loading PowerShell snap-ins. |
| Functions | Functions are commands written in the PowerShell language itself. They can be developed without a separate IDE such as Visual Studio. |
| Scripts | Scripts are text files on disk with a .ps1 extension. |
| Applications | Applications are existing Windows programs. |
Most cmdlets also accept a set of common parameters:
| Parameter | Description |
|---|---|
| -WhatIf | Tells the cmdlet not to execute, but to tell you what would happen if it were to run. |
| -Confirm | Instructs the cmdlet to prompt before executing the command. |
| -Verbose | Gives a higher level of detail. |
| -Debug | Instructs the cmdlet to provide debugging information. |
| -ErrorAction | Instructs the cmdlet to perform a specific action when an error occurs. Allowed actions are Continue, Stop, SilentlyContinue, and Inquire. |
| -ErrorVariable | Specifies the variable which holds error information. |
| -OutVariable | Tells the cmdlet to use a specific variable to hold the output information. |
| -OutBuffer | Instructs the cmdlet to hold the specified number of objects before calling the next cmdlet in the pipeline. |
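The following is an added example (not code from the original article) that exercises the common parameters above against a small advanced function; the function name `Remove-StaleLog` and the temp-folder sample files are constructed for the demonstration:

```powershell
# Added example: an advanced function that honours the common parameters.
function Remove-StaleLog {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $OlderThanDays = 30
    )
    Write-Verbose "Scanning $Path for .log files older than $OlderThanDays days"
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    # A bad -Path produces a non-terminating error here; the caller's
    # -ErrorAction / -ErrorVariable decide what happens to it.
    foreach ($file in Get-ChildItem -Path $Path -Filter *.log -File) {
        if ($file.LastWriteTime -lt $cutoff) {
            Write-Debug "Candidate: $($file.FullName) ($($file.LastWriteTime))"
            # ShouldProcess honours -WhatIf (report only) and -Confirm (prompt)
            if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove stale log')) {
                Remove-Item -LiteralPath $file.FullName
                $file.FullName   # emit what was removed so callers can capture it
            }
        }
    }
}

# Constructed sample data in a temp folder so the example runs anywhere
$dir = Join-Path ([IO.Path]::GetTempPath()) 'stale-log-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
'old' | Set-Content -Path (Join-Path $dir 'old.log')
(Get-Item (Join-Path $dir 'old.log')).LastWriteTime = (Get-Date).AddDays(-90)
'new' | Set-Content -Path (Join-Path $dir 'new.log')

# -WhatIf: prints "What if: Performing the operation ..." and deletes nothing
Remove-StaleLog -Path $dir -WhatIf

# -Verbose shows the Write-Verbose line; -OutVariable captures the output
# objects in $removed while they also flow to the console. (-Debug would show
# the Write-Debug line too; in Windows PowerShell 5.1 it prompts at each one.)
Remove-StaleLog -Path $dir -Verbose -OutVariable removed -Confirm:$false
"Removed $($removed.Count) file(s): $removed"

# -ErrorAction SilentlyContinue hides the error from the console, while
# -ErrorVariable still records it in $err for inspection afterwards.
Remove-StaleLog -Path 'C:\does\not\exist' -ErrorAction SilentlyContinue -ErrorVariable err
"Errors captured: $($err.Count)"
$err | ForEach-Object { $_.Exception.Message }
```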
We’ve produced and shared many guides on how to get started with PowerShell as well as a course dedicated to learning PowerShell.
To get started with using PowerShell, check out these guides:
- Our article on PowerShell commands will provide you with an easy-to-use resource for working in PowerShell.
- Our Windows PowerShell Tutorial covers the basics of how to set up PowerShell on your network, and how to start using it.
- Connecting to Office 365 with PowerShell troubleshoots the process of beginning to use PowerShell over your network.
- The basic forms of input for PowerShell, and how to work with them, are covered in our guide on PowerShell Inputs and Options.
- Scripting is easy in PowerShell, and our guide to PowerShell scripting will show you how to start automating some of your tasks.
Scripting and Commands
If you are new to PowerShell, take a look at our PowerShell Tutorial before trying to get into PowerShell scripting. In that guide, you’ll find descriptions of all the basic tools you’ll need to work with PowerShell. This includes cmdlets, aliases, help commands, and pipes.
Once you’ve mastered the basic commands, you can begin to write scripts. We cover the basics of how to do that in our guide to PowerShell scripting, but there are some fundamental ideas in that article that are important to remember.
PowerShell scripts are saved as .ps1 files. By default, Windows will not allow you to run these scripts by just double-clicking the file. This is because malicious (or poorly written) scripts can cause a lot of accidental damage to your system.
Instead, to run a PowerShell script, right-click the .ps1 file, and then click ‘Run with PowerShell’.
If this is your first time working with PowerShell scripts, this might not work. That’s because there is a system-wide policy that prevents execution. Run this command in PowerShell:
You will see one of the following outputs:
- No scripts will be executed. This is the default setting in Windows, so you'll need to change it.
- You can only run scripts signed by a trusted developer. You will be prompted before running any script.
- You can run your own scripts or scripts signed by a trusted developer.
- You can run any script you want. This option should not be used, for obvious reasons.
To start working with PowerShell scripts, you’ll need to change this policy setting. You should change it to ‘RemoteSigned’, and you can do that right from PowerShell by running the following command:
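As an added example (not from the original article), the script below inspects the policy at every scope, sets RemoteSigned for the current user, and then shows why RemoteSigned blocks a downloaded, unsigned script but not a locally written one; the `hello.ps1` sample file is constructed for the demonstration:

```powershell
# Added example: check and change the execution policy, then see what
# RemoteSigned actually enforces.

# List the policy at every scope; the first scope that is not Undefined wins.
# (MachinePolicy/UserPolicy come from Group Policy and override the rest.)
Get-ExecutionPolicy -List

# Per-user change: needs no admin rights and leaves other accounts untouched.
# Use -Scope LocalMachine from an elevated console to set it system-wide.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# Constructed sample script in a temp folder
$script = Join-Path ([IO.Path]::GetTempPath()) 'hello.ps1'
'Write-Output "hello from $PSCommandPath"' | Set-Content -Path $script

# A script created locally has no zone mark and runs under RemoteSigned
& $script

# Browsers tag downloads with a Zone.Identifier alternate data stream
# (ZoneId=3 = Internet). Simulate that mark to see how RemoteSigned treats
# an unsigned script that "came from the internet".
Set-Content -Path $script -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=3'
Get-Item -Path $script -Stream Zone.Identifier | Select-Object FileName, Stream, Length

try { & $script } catch { "Blocked: $($_.Exception.Message)" }

# After reviewing the content, Unblock-File removes the mark so the script runs
Unblock-File -Path $script
& $script

# Signed scripts are accepted regardless of origin; this one is unsigned
Get-AuthenticodeSignature -FilePath $script | Select-Object Status, StatusMessage
```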
Now you are ready to get started with scripting. To start your journey, take a look at the following guides.
- For slightly more advanced users, we’ve produced a guide to the most common (and useful) PowerShell commands for Office 365.
- Many people are confused by the difference between PowerShell and cmd, and so we’ve written about this as well.
- PowerShell Objects and Data Piping are two of the fundamental techniques when working with PowerShell, and you should ensure you understand them before moving to more advanced uses of PowerShell.
- Arrays are a more advanced object in PowerShell that lets you work with multi-dimensional data points. Our guide to arrays in PowerShell explains what they are, and how to use them.
Variables and Arrays
Arrays are a fundamental feature of PowerShell. Arrays make it possible to ingest, manipulate, and output true data structures (and not just raw strings). This capability makes PowerShell different and more useful than other scripting languages.
Arrays in PowerShell can contain one or more items. An item can be a string, an integer, an object, or even another array, and one array can contain any combination of these items. Each of these items has an index, which always starts (sometimes confusingly) at 0. So the first item in an array is given the index 0, the second is indexed as 1, and so on.
PowerShell arrays are such a fundamental part of PowerShell that they appear in every PowerShell tutorial out there, and a good knowledge of how to work with them is critical for many aspects of using PowerShell, from configuring Office 365 to using PowerShell for Pentesting.
There are several ways to create arrays in Powershell, but the easiest is to run this command:
This will create an empty array. An empty array is not that useful, however, so let’s add some fruits to our new array. These will be represented as text strings. To do that, run this command:
$fruit = @('Apples','Oranges','Bananas')
This will name an array “fruit”, and add three items to it. To see that this has worked, you can read the array using this command:
PS /Users/yourname> $fruit
Which will now return:
Apples Oranges Bananas
As you can see, this array is a group of individual pieces of data. PowerShell will automatically index them in the way we've explained above: "Apples" will be indexed as 0, "Oranges" as 1, and "Bananas" as 2.
This example might make it seem like arrays are quite simple objects, and in a way they are. Their simplicity, however, is also what makes them such flexible, powerful objects.
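The following added example (not from the original article) takes the `$fruit` array further and also illustrates the point made earlier in the CMD comparison: arrays can hold objects, and those objects keep their properties when piped between commands. The `$accounts` data is a constructed sample, not real account information:

```powershell
# Added example: indexing, slicing and mixed arrays, then an array of objects
# flowing through the pipeline.
$fruit = @('Apples', 'Oranges', 'Bananas')
$fruit[0]          # Apples  (indexing starts at 0)
$fruit[-1]         # Bananas (negative index counts back from the end)
$fruit.Count       # 3
$fruit += 'Pears'  # += creates a new array with the extra element appended
$fruit[1..2]       # Oranges, Bananas (range slice)

# Mixed items: an integer, a string and a nested array
$mixed = @(42, 'text', @('inner', 'array'))
$mixed[2][1]       # array

# An array of objects (constructed sample of local service accounts)
$accounts = @(
    [pscustomobject]@{ Name = 'svc-backup'; Enabled = $true;  LastLogon = (Get-Date).AddDays(-2)   }
    [pscustomobject]@{ Name = 'temp-admin'; Enabled = $true;  LastLogon = (Get-Date).AddDays(-200) }
    [pscustomobject]@{ Name = 'old-intern'; Enabled = $false; LastLogon = (Get-Date).AddDays(-400) }
)

# Objects keep their typed properties through the pipe, so a date comparison
# works directly; no text parsing as a CMD batch file would need.
$stale = $accounts |
    Where-Object { $_.Enabled -and $_.LastLogon -lt (Get-Date).AddDays(-90) } |
    Sort-Object LastLogon
$stale | Select-Object Name,
    @{ Name = 'DaysIdle'; Expression = { [int] ((Get-Date) - $_.LastLogon).TotalDays } }

# Typed array built from one property of every object, and a membership test
[string[]] $names = $accounts.Name
$names -contains 'temp-admin'   # True
```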
- Intro to PowerShell Arrays: Learn about arrays and start using arrays to their full potential.
Advanced PowerShell Tutorials
Once you’ve mastered the basics of working with PowerShell scripts, it’s worth looking at the more advanced tasks that PowerShell can help you with. Many of these relate to cybersecurity. We’ve looked at the statistics on cybersecurity incidents and on data breaches, and have produced a series of guides that show you how to identify and overcome the most common forms of attack.
These include the following:
Privilege escalation is when an attacker is able to exploit the current rights of an account to gain additional, unexpected access. While this can be caused by zero-day vulnerabilities, state-level actors crafting attacks, or cleverly disguised malware, most often it's a result of a simple account misconfiguration. From there, attackers can escalate through a series of small vulnerabilities that, when chained together, result in a potentially catastrophic data breach.
In this guide, we’ll show you how to protect yourself against Privilege Escalation attacks, and how to simulate them on your own systems so you can better understand how to protect yourself.
What’s the answer to event log confusion? Ultimately, a SIEM solution would help normalize the event information, making it more amenable to analysis.
But you don’t have to go that far, at least initially. A first step in understanding what SIEM can do is to try the Windows freebie tool Sysmon. It’s surprisingly easy to work with and provides useful process information that’s readable. You’ll get some amazing details not found in the raw Windows log, but most significantly these fields:
- Process id (in decimal format, not in hex!)
- Parent process-id
- Process command line
- Parent process command line
- Hash of file image
- File image names
In this guide, we’ll take you through how to install, configure, and use SysMon.
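As an added example (not from the original article or the Sysmon guide), the function below reads Sysmon process-creation events (Event ID 1) and pulls out exactly the fields listed above, then runs a simple triage over them. It assumes Sysmon is installed and the console is elevated enough to read the Sysmon log; the function name and the triage rules are constructed for the demonstration:

```powershell
# Added example: extract the Sysmon process-creation fields and triage them.
function Get-SysmonProcessCreate {
    param([int] $MaxEvents = 200)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # The EventData block is easiest to read from the event's XML form
            $x = [xml] $_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time              = $_.TimeCreated
                ProcessId         = [int] $d.ProcessId        # decimal, as noted above
                ParentProcessId   = [int] $d.ParentProcessId
                Image             = $d.Image
                CommandLine       = $d.CommandLine
                ParentImage       = $d.ParentImage
                ParentCommandLine = $d.ParentCommandLine
                Hashes            = $d.Hashes                 # algorithms depend on the Sysmon config
            }
        }
}

$events = Get-SysmonProcessCreate -MaxEvents 500

# Triage (constructed rules): PowerShell started by an Office application, or
# started with an encoded command line, is worth a closer look.
$suspicious = $events | Where-Object {
    $_.Image -match 'powershell\.exe$|pwsh\.exe$' -and (
        $_.ParentImage -match '(winword|excel|outlook|powerpnt)\.exe$' -or
        $_.CommandLine -match '-(e|ec|enc|encodedcommand)\s'
    )
}
$suspicious | Format-Table Time, ProcessId, ParentProcessId, ParentImage, CommandLine -AutoSize

# The parent/child relationship is what the raw Security log lacks: build it here
$byPid = @{}
foreach ($e in $events) { $byPid[$e.ProcessId] = $e }
$suspicious | ForEach-Object {
    $parent = $byPid[$_.ParentProcessId]
    "{0} <- {1}" -f $_.Image, ($(if ($parent) { $parent.CommandLine } else { $_.ParentCommandLine }))
}
```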
One big reason to learn PowerShell and use it to find security holes in your own IT systems is that this is exactly what hackers are doing themselves. Many attacks leverage PowerShell to run “file-less” malware, which are non-binary files that can’t easily be detected by anti-virus (AV) solutions. In other words, the same ingredients that make for a great automation tool for administrators are useful to hackers and then ultimately pen-testers.
In this guide, we’ll show you how to use PowerShell for pen-testing, so you can better understand how hackers will use your own PowerShell implementation against you.
PowerView is a relatively new tool for helping pen testers and “red teamers” explore offensive Active Directory techniques. The aim of the tool is to give those of us on the security side a completely self-contained PowerShell environment for seeing AD environments the way hackers do.
This guide builds on our guide to Pentesting with PowerShell by showing you how PowerView gives you more advanced pen-testing techniques that can help you understand your system in more detail.
One of the few proven ways of stopping CryptoLocker from gaining a foothold on a network (or even a single computer) is the use of the AppLocker utility (or its predecessor Software Restriction Policies), which can be used to allow or deny the execution of an application.
CryptoLocker is known to evade the detection of common malware scanners. The program usually spreads via an executable email attachment, which then installs in %AppData%\*.exe, so preventing executables from launching from this path will help ward off CryptoLocker and other similarly structured malware.
Microsoft has made this easier for you to roll out with its release of AppLocker Windows PowerShell Cmdlets, which automate much of the process. In this guide, we'll show you how to use PowerShell to avoid CryptoLocker infections.
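The following is an added example (not from the original article or the CryptoLocker guide) using the AppLocker cmdlets to express the path rule described above. AppLocker does not accept `%AppData%` as a path variable, so the rule is written as `%OSDRIVE%\Users\*\AppData\*`; the policy file name and the copied test executable are constructed for the demonstration:

```powershell
# Added example: an AppLocker executable policy that denies launches from
# users' AppData folders, tested before it is applied.

# AppLocker is an allow-list: once any rule exists in a collection, anything not
# explicitly allowed is blocked. So the deny rule travels with basic allow rules.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$(New-Guid)" Name="Deny executables under AppData"
                  Description="Blocks CryptoLocker-style droppers" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path ([IO.Path]::GetTempPath()) 'applocker-appdata-deny.xml'
Set-Content -Path $policyPath -Value $policyXml

# Constructed test subject: a benign copy of notepad.exe placed under %AppData%
$sample = Join-Path $env:APPDATA 'demo-notepad.exe'
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $sample -Force

# Evaluate the policy without applying it: the copy should be Denied,
# the original under %WINDIR% Allowed.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Before enforcing: keep a copy of the current effective policy, and consider
# setting EnforcementMode="AuditOnly" first to watch the AppLocker event log.
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path (Join-Path ([IO.Path]::GetTempPath()) 'applocker-backup.xml')

# Apply (elevated console; the Application Identity service must be running):
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

Remove-Item -Path $sample -Force
```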
We’ve also produced a series of guides that will allow you to get the best out of your PowerShell implementation, and will let you take your skills to the next level. These include:
- Best PowerShell Tools: A round-up for those of you who are already expert PowerShell users, which also shows how to use PowerShell as part of your cybersecurity strategy.
- Windows Management Instrumentation (WMI) Guide: Go a little deeper into the technologies and systems that underpin PowerShell.
PowerShell Resource and Tutorial Round-up
To help you find exactly what you need, here is a condensed guide to all of our PowerShell resources:
Basics and Getting Started
|Windows PowerShell Tutorial||Covers the basics of how to set up PowerShell on your network, and how to start using it.|
|Connecting to Office 365 with PowerShell||Troubleshoots the process of beginning to use PowerShell over your network.|
|PowerShell Inputs and Options||The basic forms of input for PowerShell, and how to work with them.|
|Guide to PowerShell scripting||Takes you through the basics of how to use scripting in PowerShell, and will show you how to start automating some of your tasks.|
Scripting and Commands
|The Most Common PowerShell Commands for Office 365||An easy-to-use guide to all of the most useful commands for working with Office 365 through PowerShell.|
|Difference Between PowerShell and CMD||Aims to clear up the confusion between these two languages, and explains why you should be using PowerShell.|
|PowerShell Objects and Data Piping||These are two of the fundamental techniques when working with PowerShell, and you should ensure you understand them before moving to more advanced uses of PowerShell.|
|Introduction to Arrays in PowerShell||Arrays are a more advanced object in PowerShell that lets you work with multi-dimensional data points. Our guide explains what they are, and how to use them.|
Advanced PowerShell Tutorials
|Privilege Escalation||How to protect yourself against Privilege Escalation attacks, and how to simulate them on your own systems so you can better understand how to protect yourself.|
|Sysmon Threat Detection and Analysis||Sysmon is a free tool that gives you basic SIEM functionality. In this guide, we’ll take you through how to install, configure, and use SysMon.|
|PowerShell for Pentester: Scripts, Examples, and Tips||How to use PowerShell for pen-testing, so you can better understand how hackers will use your own PowerShell implementation against you.|
|PowerView Pen Testing: PowerShell Probing of Active Directory||This guide builds on our guide to Pentesting with PowerShell by showing you how PowerView gives you more advanced pentesting techniques that can help you understand your system in more detail.|
|Using PowerShell to Combat Cryptolocker||Microsoft has made protection against CryptoLocker easier with its release of AppLocker Windows PowerShell Cmdlets, which automate much of the process. In this guide, we'll show you how to use PowerShell to avoid CryptoLocker infections.|
|The Best PowerShell Tools||A round-up of all the best tools available at the moment.|
|Guide to Windows Management Instrumentation||A deeper look into the technologies and systems that underpin PowerShell, and specifically Windows Management Instrumentation, more commonly known as WMI.|
A Final Word
PowerShell is an extremely powerful tool for system administrators. It is easy to learn the basics, but mastering the application can be difficult. With the resources above, you can begin your journey into the world of PowerShell, improve your skills, or start using the more advanced functionality that it provides.
Just make sure that, whatever your level of familiarity with PowerShell, you protect yourself by using an advanced data security platform like Varonis. This will help you avoid becoming easy prey for hackers, and help to ensure that your data is safe from theft.
And if you want to learn PowerShell easily, you can also check out our course on getting started with PowerShell to really super-charge your learning.