
PowerShell Resource Center


PowerShell is a shell scripting framework developed by Microsoft, originally designed for the administration of Windows systems. It is a standard but powerful tool for systems administrators because it lets you configure computers and other devices quickly, including remotely, and automate many repetitive tasks.

For the vast majority of administrators, PowerShell is also a fundamental component in their cybersecurity framework. When paired with an advanced data security platform such as Varonis, PowerShell allows administrators to keep a close watch on their networks, and to protect them from attack.


We’ve produced and shared many guides on how to get started with PowerShell, how to make the most of it, and also how to start using some of the more advanced features of the tool. We also have a course dedicated to PowerShell.

In this article, we’ll draw all of these resources together in one place, so you can get started with PowerShell quickly, or take your skills to the next level.

Additional Chapters on PowerShell

For quick reference, here are the guides to PowerShell we’ve published before, arranged by the topic and level of expertise they are relevant for. See more detail about the pieces in our tutorial section below.

PowerShell Basics

  1. Windows PowerShell Tutorial
  2. Connecting to Office 365 with PowerShell
  3. PowerShell Inputs and Options
  4. PowerShell Scripting

Commands + Scripting

  1. 13 Useful PowerShell commands for Office 365
  2. PowerShell vs CMD
  3. PowerShell Objects and Data Piping
  4. Arrays in PowerShell

IT Pros

  1. PowerShell Tools
  2. PowerShell for Pentesting
  3. PowerView Pentesting
  4. PowerShell Privilege Escalation
  5. PowerShell and CryptoLocker
  6. SysMon Threat Detection Guide
  7. Windows Management Instrumentation (WMI)

Quick Review: What is PowerShell?


PowerShell is a shell scripting language developed by Microsoft for configuration management and automating tasks. A shell is a command interface that gives you access to features of your operating system and can be command-line based or used via a graphical user interface (GUI).

PowerShell is a ubiquitous tool for system administrators because it allows them to manage the devices and users connected to their networks much more quickly and more easily than other tools. Using PowerShell, you can quickly add new users for your networks, manage the level of access they have, and much, much more.

PowerShell is also a fundamental part of cybersecurity for network administrators because it allows them to closely monitor the activity taking place on their systems.

What is PowerShell Used For?


PowerShell has been designed to help you automate almost any administration task for Windows devices and networks. As such, almost any task you are presented with as a network administrator can be accomplished, often much more efficiently and much more quickly, through PowerShell.

Some of the most common tasks that PowerShell is used for are as follows:

  • Managing users and user access across networks
  • Auditing and managing devices connected to each computer on a network
  • Working with secure file sharing systems in which multiple users have access to encrypted documents
  • Automating tasks that are normally performed via Active Directory

Windows PowerShell Features

Each PowerShell version released by Microsoft has built on the previous iterations of the tool, and so each new version comes with new features. However, there is also a design philosophy that guides the development of PowerShell, and therefore a set of fundamental features that each version offers:

  • Discoverability: Microsoft’s way of saying that PowerShell is able to give you a list of commands that can be performed, either on your local machine or on a remote machine. This means that it is easy to see when, and where, you can automate your tasks.
  • Help Capabilities: The help capabilities of PowerShell are another of its key features. The Get-Help command in PowerShell provides an interactive guide to using the tool, and the -online parameter can be used to automatically search for online guides.
  • Remote Commands: In most implementations, commands can be performed on remote machines as easily as on the one you are using PowerShell on. These remote capabilities build on a number of subsidiary tools provided by Microsoft. These include Windows Management Instrumentation and WS-Management, the latter of which lets users run PowerShell commands and scripts on remote computers.
  • Pipelining: A powerful technique inherited from the shell languages that preceded PowerShell, which lets you feed the result of one command directly into another. In PowerShell, you can even pipe objects, rather than just text strings, in this way.

PowerShell Advantages over CMD

There are many advantages to using PowerShell over the default CMD shell. Most users will come to PowerShell after a period spent learning the basics of manual system administration.

However, there are a number of key differences between the two languages:

  • PowerShell is an object-based scripting language; Cmd.exe is a text-based scripting language.
  • Cmd commands work in PowerShell; PowerShell cmdlets won’t work in Cmd.exe.
  • System administration tasks, from managing the registry to WMI (Windows Management Instrumentation), are accessible via PowerShell; the same tasks are not accessible via cmd.
  • PowerShell is a powerful scripting environment that can be used to create complex scripts for managing Windows systems; in cmd it is very difficult to compose complex scripts.

Scripting is much easier in PowerShell when compared to CMD for a number of key reasons.

  1. PowerShell has a massive library of cmdlets and modules that provide pre-built methods of accomplishing tasks.
  2. PowerShell lets you easily pipe output between scripts and other cmdlets. Pipes allow users to create complex scripts that pass parameters and data from one cmdlet to another. Users can create reusable scripts to automate or make mass changes with variable data – a list of servers, for example.
  3. Piped data is not raw text. PowerShell’s ability to move complex data objects between scripts helps to avoid data transformation mistakes and other pitfalls.

PowerShell ISE and PowerShell

The Windows PowerShell Integrated Scripting Environment (ISE) is a host application for Windows PowerShell.

By using ISE, you can run commands and write, test, and debug scripts in a single Windows-based graphic user interface. The application provides many extra features that can help you learn PowerShell: multiline editing, tab completion, syntax coloring, selective execution, context-sensitive help, and support for right-to-left languages.

ISE is a great tool for users getting used to PowerShell, because it provides a more intuitive way of writing scripts, and working with commands. However, as you build your confidence with using PowerShell, it is also worth becoming familiar with the “standard”, console-based implementation of PowerShell. This is because not all networks (or employers) will offer ISE, and so knowing how to use PowerShell in different contexts improves your agility when it comes to administration tasks.

Windows PowerShell Fundamentals


In this section, we’ll take you through all of the fundamental elements, definitions, and skills you’ll need to work with PowerShell. We’ll start right at the beginning, with launching a PowerShell window. We’ll then take you through the basic concepts in PowerShell, before moving on to more advanced guides.

In each section, we’ll provide you with links to more detailed guides on each subject, so if you want to read more you can.

Getting Started

PowerShell is pre-installed on every instance of Windows, and launching it is easy. In Windows 10, the search field is one of the fastest ways to launch PowerShell. From the taskbar, in the search text field, type “PowerShell”. Then, click or tap the ‘Windows PowerShell’ result.

To run PowerShell as an administrator, right-click (touchscreen users: tap and hold) on the Windows PowerShell search result, then click or tap ‘Run as administrator’.

There are also many other ways to start a PowerShell console, but this is a good method to begin with.

Basics

If you’ve used other scripting languages before, the way that PowerShell works will be instantly familiar. However, the names that PowerShell uses to refer to the elements it works with can be a little counter-intuitive. Here is a table that you can print and stick to your desk to help you remember:

  • Cmdlets: A cmdlet is a built-in command written in a .NET language such as VB or C#. Developers can extend the set of cmdlets by writing and loading PowerShell snap-ins.
  • Functions: Functions are commands written in the PowerShell language itself. They can be developed without an IDE such as Visual Studio.
  • Scripts: Scripts are text files on disk with a .ps1 extension.
  • Applications: Applications are existing Windows programs.
  • WhatIf: Tells the cmdlet not to execute, but to tell you what would happen if the cmdlet were to run.
  • Confirm: Instructs the cmdlet to prompt before executing the command.
  • Verbose: Gives a higher level of detail.
  • Debug: Instructs the cmdlet to provide debugging information.
  • ErrorAction: Instructs the cmdlet to perform a specific action when an error occurs. Allowed actions are Continue, Stop, SilentlyContinue, and Inquire.
  • ErrorVariable: Specifies the variable that holds error information.
  • OutVariable: Tells the cmdlet to use a specific variable to hold the output information.
  • OutBuffer: Instructs the cmdlet to hold the specified number of objects before calling the next cmdlet in the pipeline.

Additional Resources:

We’ve produced and shared many guides on how to get started with PowerShell as well as a course dedicated to learning PowerShell.

To get started with using PowerShell, check out these guides:

Scripting and Commands

If you are new to PowerShell, take a look at our PowerShell Tutorial before trying to get into PowerShell scripting. In that guide, you’ll find descriptions of all the basic tools you’ll need to work with PowerShell. This includes cmdlets, aliases, help commands, and pipes.

Once you’ve mastered the basic commands, you can begin to write scripts. We cover the basics of how to do that in our guide to PowerShell scripting, but there are some fundamental ideas in that article that are important to remember.

PowerShell scripts are saved as .ps1 files. By default, Windows will not allow you to run these scripts by just double-clicking the file. This is because malicious (or poorly written) scripts can cause a lot of accidental damage to your system.

Instead, to run a PowerShell script, right-click the .ps1 file, and then click ‘Run with PowerShell’.

If this is your first time working with PowerShell scripts, this might not work. That’s because there is a system-wide policy that prevents execution. Run this command in PowerShell:

Get-ExecutionPolicy

You will see one of the following outputs:

Restricted

No scripts will be executed. This is the default setting in Windows, so you’ll need to change it.

AllSigned

You can only run scripts signed by a trusted developer. You will be prompted before running any script.

RemoteSigned

You can run your own scripts or scripts signed by a trusted developer.

Unrestricted

You can run any script you want. This option should not be used, for obvious reasons.

To start working with PowerShell scripts, you’ll need to change this policy setting. You should change it to ‘RemoteSigned’, and you can do that right from PowerShell by running the following command:

Set-ExecutionPolicy RemoteSigned

Now you are ready to get started with scripting. To start your journey, take a look at the following guides.
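As an added example (not code from the original article), the following shows how to inspect the policy at every scope, set it for the current user only, and find out why a downloaded script is still refused under RemoteSigned; the script path is an assumption.

```powershell
# Added example, not from the original article: check the execution policy at each
# scope, change it for the current user only, then explain why RemoteSigned refuses
# a particular script. $ScriptPath is an assumed path; point it at a real .ps1 file.
$ScriptPath = 'C:\Scripts\Get-Inventory.ps1'

# The effective policy is the first non-Undefined value walking the scopes in the
# order this command lists them (Group Policy entries win over local settings).
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize

# Prefer the CurrentUser scope: it needs no admin rights and leaves the machine-wide
# policy, which other accounts and scheduled tasks run under, untouched.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# RemoteSigned only blocks scripts that Windows marks as "from the Internet". That mark
# is the Zone.Identifier alternate data stream that browsers and mail clients write.
$zone = Get-Item -Path $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) {
    Write-Host "$ScriptPath carries a Zone.Identifier mark:"
    Get-Content -Path $ScriptPath -Stream Zone.Identifier
}

# A marked script is allowed when it carries a valid Authenticode signature from a
# publisher the machine trusts. Status values include Valid, NotSigned, HashMismatch.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    Script     = $ScriptPath
    Status     = $sig.Status
    Signer     = $sig.SignerCertificate.Subject
    Thumbprint = $sig.SignerCertificate.Thumbprint
}

# If you have reviewed an unsigned downloaded script and trust it, remove the mark
# for that one file instead of loosening the whole machine to Unrestricted:
# Unblock-File -Path $ScriptPath
```

The execution policy is a safety rail against running scripts by accident, not a security boundary: it does not stop code typed at the prompt or passed on the command line, so the signature and zone checks above matter more than the policy value itself.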

Additional Resources:

Variables and Arrays

Arrays are a fundamental feature of PowerShell. Arrays make it possible to ingest, manipulate, and output true data structures (and not just raw strings). This capability makes PowerShell different and more useful than other scripting languages.

Arrays in PowerShell can contain one or more items. An item can be a string, an integer, an object, or even another array, and one array can contain any combination of these items. Each of these items has an index, which always starts (sometimes confusingly) at 0. So the first item in an array is given the index 0, the second is indexed as 1, and so on.

PowerShell arrays are such a fundamental part of PowerShell that they appear in every PowerShell tutorial out there, and a good knowledge of how to work with them is critical for many aspects of using PowerShell, from configuring Office 365 to using PowerShell for Pentesting.

There are several ways to create arrays in PowerShell, but the easiest is to run this command:

@()

This will create an empty array. An empty array is not that useful, however, so let’s add some fruits to our new array. These will be represented as text strings. To do that, run this command:

$fruit = @('Apples','Oranges','Bananas')

This will name an array “fruit”, and add three items to it. To see that this has worked, you can read the array using this command:

PS /Users/yourname> $fruit

Which will now return:

Apples
Oranges
Bananas

As you can see, this array is a group of individual pieces of data. PowerShell will automatically index them in the way we’ve explained above: “Apples” will be indexed as 0, “Oranges” as 1, and “Bananas” as 2.

This example might make it seem like arrays are quite simple objects, and in a way they are. Their simplicity, however, is also what makes them such flexible, powerful objects.
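As an added example (not from the original article), here is the fruit array taken a little further: indexing, mixed and nested items, and then an array of objects piped through cmdlets, which is the point made earlier about piping objects rather than text. The service records are constructed sample data.

```powershell
# Added example, not from the original article: arrays of strings, mixed and nested
# items, then an array of objects filtered and sorted in the pipeline.
$fruit = @('Apples', 'Oranges', 'Bananas')

$fruit[0]                 # Apples  (indexes start at 0)
$fruit[-1]                # Bananas (negative indexes count back from the end)
$fruit.Count              # 3
$fruit += 'Pears'         # += copies into a new, larger array; fine for small lists

# One array may mix strings, integers, objects and other arrays.
$mixed = @('text', 42, (Get-Date), @('nested', 'array'))
$mixed[3][1]                                    # array (index into the inner array)
$mixed | ForEach-Object { $_.GetType().Name }   # String, Int32, DateTime, Object[]

# Constructed sample data standing in for Get-Service output: every element is an
# object with typed properties, not a line of text you would have to split and trim.
$services = @(
    [pscustomobject]@{ Name = 'Spooler';  Status = 'Running'; StartType = 'Automatic' }
    [pscustomobject]@{ Name = 'WinRM';    Status = 'Stopped'; StartType = 'Automatic' }
    [pscustomobject]@{ Name = 'Sysmon64'; Status = 'Running'; StartType = 'Automatic' }
    [pscustomobject]@{ Name = 'Fax';      Status = 'Stopped'; StartType = 'Manual'    }
)

# Filter on one property, sort on another, pick the columns you want. This yields
# the WinRM row only: the one automatic service that is not running.
$services |
    Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' } |
    Sort-Object Name |
    Select-Object Name, Status

# The same idea scales out: an array of server names drives a loop, and each
# iteration returns objects that the next cmdlet can work with directly.
$servers = @('srv01', 'srv02')   # constructed names
foreach ($server in $servers) {
    # Invoke-Command -ComputerName $server -ScriptBlock { Get-Service -Name Spooler }
    "$server would be queried here"
}
```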

Advanced PowerShell Tutorials

Once you’ve mastered the basics of working with PowerShell scripts, it’s worth looking at the more advanced tasks that PowerShell can help you with. Many of these relate to cybersecurity. We’ve looked at the statistics on cybersecurity incidents and on data breaches, and have produced a series of guides that show you how to identify and overcome the most common forms of attack.

These include the following:

Privilege escalation is when an attacker is able to exploit the current rights of an account to gain additional, unexpected access. While this can be caused by zero-day vulnerabilities, state-level actors crafting attacks, or cleverly disguised malware, most often it’s a result of a simple account misconfiguration. From there, attackers can escalate through a series of small vulnerabilities that, when chained together, result in a potentially catastrophic data breach.

In this guide, we’ll show you how to protect yourself against Privilege Escalation attacks, and how to simulate them on your own systems so you can better understand how to protect yourself.

What’s the answer to event log confusion? Ultimately, a SIEM solution would help normalize the event information, making it more amenable to analysis.

But you don’t have to go that far, at least initially. A first step in understanding what SIEM can do is to try the Windows freebie tool Sysmon. It’s surprisingly easy to work with and provides useful process information that’s readable. You’ll get some amazing details not found in the raw Windows log, but most significantly these fields:

    • Process id (in decimal format, not in hex!)
    • Parent process-id
    • Process command line
    • Parent process command line
    • Hash of file image
    • File image names

In this guide, we’ll take you through how to install, configure, and use SysMon.
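As an added example (not from the original article or from the Sysmon guide), the following reads Sysmon process-creation events from the event log and pulls out exactly the fields listed above, then runs a simple triage query over them. It assumes Sysmon is installed and writing to its default log name.

```powershell
# Added example, not from the original article: read Sysmon process-creation events
# (Event ID 1) and extract the fields named above from each event's XML payload.
# Assumes Sysmon is installed and uses its default log name.
$LogName = 'Microsoft-Windows-Sysmon/Operational'

function Get-SysmonProcessCreate {
    param([int]$MaxEvents = 50)

    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Every Sysmon field is a <Data Name="..."> element under <EventData>.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time              = $_.TimeCreated
                ProcessId         = [int]$data['ProcessId']        # decimal, not hex
                ParentProcessId   = [int]$data['ParentProcessId']
                Image             = $data['Image']
                CommandLine       = $data['CommandLine']
                ParentImage       = $data['ParentImage']
                ParentCommandLine = $data['ParentCommandLine']
                Hashes            = $data['Hashes']                # e.g. SHA256=...
            }
        }
}

# Triage: PowerShell started by something other than the usual interactive parents.
# A document viewer or cmd.exe launching powershell.exe with a long or encoded command
# line is the kind of record this surfaces for an analyst to look at.
Get-SysmonProcessCreate -MaxEvents 500 |
    Where-Object {
        $_.Image -match '(powershell|pwsh)\.exe$' -and
        $_.ParentImage -notmatch '(explorer|wscript|cscript)\.exe$'
    } |
    Select-Object Time, ParentImage, CommandLine |
    Format-Table -Wrap
```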

One big reason to learn PowerShell and use it to find security holes in your own IT systems is that this is exactly what hackers are doing themselves. Many attacks leverage PowerShell to run “file-less” malware, which are non-binary files that can’t easily be detected by anti-virus (AV) solutions. In other words, the same ingredients that make for a great automation tool for administrators are useful to hackers and then ultimately pen-testers.

In this guide, we’ll show you how to use PowerShell for pen-testing, so you can better understand how hackers will use your own PowerShell implementation against you.

PowerView is a relatively new tool for helping pen testers and “red teamers” explore offensive Active Directory techniques. The aim of the tool is to give those of us on the security side a completely self-contained PowerShell environment for seeing AD environments the way hackers do.

This guide builds on our guide to Pentesting with PowerShell by showing you how PowerView gives you more advanced pen-testing techniques that can help you understand your system in more detail.

One of the few proven ways of stopping CryptoLocker from gaining a foothold on a network (or even a single computer) is the use of the AppLocker utility (or its predecessor Software Restriction Policies), which can be used to allow or deny the execution of an application.

CryptoLocker is known to evade the detection of common malware scanners. The program usually spreads via an executable email attachment, which then installs in %AppData%\*.exe, so preventing executables from launching from this path will help ward off CryptoLocker and other similarly structured malware.

Microsoft has made this easier for you to roll out with its release of AppLocker Windows PowerShell Cmdlets, which automate much of the process. In this guide, we’ll show you how to use PowerShell to avoid CryptoLocker infections.
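As an added example (not from the original article or from Microsoft's documentation), here is an AppLocker policy that denies executables under each user's AppData folder, loaded in audit mode and checked with the AppLocker cmdlets before enforcement. The policy file path and the sample file paths are assumptions; the allow rules mirror AppLocker's default rules so that normal programs keep running.

```powershell
# Added example, not from the original article: deny executables launching from each
# user's AppData folder with AppLocker, starting in audit mode. $PolicyPath is an
# assumed location; run elevated on a Windows edition that includes AppLocker.
$PolicyPath = 'C:\Policies\Deny-AppData-Exe.xml'

# AppLocker path rules use its own variables (%OSDRIVE%, %WINDIR%, %PROGRAMFILES%).
# Deny rules are evaluated before Allow rules, so the AppData rule wins where both
# match. The allow rules are needed: an Exe collection with no allow rule blocks everything.
# Rule Ids are arbitrary GUIDs; these are constructed values.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000001" Name="Deny EXE under AppData"
                  Description="Executables dropped into %AppData%" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000002" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000003" Name="Allow Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000004" Name="Allow Administrators everything"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null
Set-Content -Path $PolicyPath -Value $policyXml

# Dry run against constructed sample paths: one that the deny rule should catch and
# one that the Windows allow rule should pass. Each result shows Allowed or Denied
# and the rule that decided it.
$samples = @(
    "$env:APPDATA\update.exe",             # ...\AppData\Roaming\update.exe
    "$env:WINDIR\System32\notepad.exe"
)
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Load the policy in audit mode (EnforcementMode above). The Application Identity
# service (AppIDSvc) must be running for AppLocker to evaluate it at all.
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# Event ID 8003 records an executable that ran but would have been blocked under
# enforcement: review these before switching EnforcementMode to "Enabled".
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message
```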

Going Further

We’ve also produced a series of guides that will allow you to get the best out of your PowerShell implementation, and will let you take your skills to the next level. These include:

PowerShell Resource and Tutorial Round-up


To help you find exactly what you need, here is a condensed guide to all of our PowerShell resources:

Basics and Getting Started

  • Windows PowerShell Tutorial: Covers the basics of how to set up PowerShell on your network, and how to start using it.
  • Connecting to Office 365 with PowerShell: Troubleshoots the process of beginning to use PowerShell over your network.
  • PowerShell Inputs and Options: The basic forms of input for PowerShell, and how to work with them.
  • Guide to PowerShell scripting: Takes you through the basics of how to use scripting in PowerShell, and will show you how to start automating some of your tasks.

Scripting and Commands

  • The Most Common PowerShell Commands for Office 365: An easy-to-use guide to all of the most useful commands for working with Office 365 through PowerShell.
  • Difference Between PowerShell and CMD: Aims to clear up the confusion between these two languages, and explains why you should be using PowerShell.
  • PowerShell Objects and Data Piping: These are two of the fundamental techniques when working with PowerShell, and you should ensure you understand them before moving to more advanced uses of PowerShell.
  • Introduction to Arrays in PowerShell: Arrays are a more advanced object in PowerShell that lets you work with multi-dimensional data points. Our guide explains what they are, and how to use them.

Advanced PowerShell Tutorials

  • Privilege Escalation: How to protect yourself against Privilege Escalation attacks, and how to simulate them on your own systems so you can better understand how to protect yourself.
  • Sysmon Threat Detection and Analysis: Sysmon is a free tool that gives you basic SIEM functionality. In this guide, we’ll take you through how to install, configure, and use SysMon.
  • PowerShell for Pentester: Scripts, Examples, and Tips: How to use PowerShell for pen-testing, so you can better understand how hackers will use your own PowerShell implementation against you.
  • PowerView Pen Testing: PowerShell Probing of Active Directory: This guide builds on our guide to Pentesting with PowerShell by showing you how PowerView gives you more advanced pentesting techniques that can help you understand your system in more detail.
  • Using PowerShell to Combat Cryptolocker: Microsoft has made protection against CryptoLocker easier with its release of AppLocker Windows PowerShell Cmdlets, which automate much of the process. In this guide, we’ll show you how to use PowerShell to avoid CryptoLocker infections.
  • The Best PowerShell Tools: A round-up of all the best tools available at the moment.
  • Guide to Windows Management Instrumentation: A deeper look into the technologies and systems that underpin PowerShell, and specifically Windows Management Instrumentation, more commonly known as WMI.

A Final Word

PowerShell is an extremely powerful tool for system administrators. It is easy to learn the basics, but mastering the application can be difficult. With the resources above, you can begin your journey into the world of PowerShell, improve your skills, or start using the more advanced functionality that it provides.

Just make sure that, whatever your level of familiarity with PowerShell, you protect yourself by using an advanced data security platform like Varonis. This will help you avoid becoming easy prey for hackers, and help to ensure that your data is safe from theft.

And if you want to learn PowerShell easily, you can also check out our course on getting started with PowerShell to really super-charge your learning.

Jeff Petters

Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.