Analyzing a System using PowerShell

This project involved using PowerShell to analyze a system. I collected information about a system and did some analysis of the data collected. The skills that I developed in this activity include collecting data from various cyber defense resources and examining recovered data for relevance to the issue under investigation.
First, I used PowerShell cmdlets and command-line tools to collect system information and save it to files. Then I analyzed the saved files, asking specific questions about the information to guide the analysis. The skills developed in this activity are essential for the Cyber Defense Analyst and Cyber Defense Forensics Analyst work roles.
Steps followed to complete the project.
Log in to the Domain Controller and open a command prompt. To start a PowerShell prompt, type the following command:
C:\Users\Administrator> PowerShell

To get the list of user accounts, I typed the following command in PowerShell (the cmdlet comes from the ActiveDirectory module, which is installed with the AD DS role on a domain controller):
PS C:\Users\Administrator> Get-ADUser -Filter *

The next task was to redirect the account list to a text file to save it for later use. I did this by typing the following command (note that >> appends to the file if it already exists, so running the command twice produces two copies of the list in the same file):
PS C:\Users\Administrator> Get-ADUser -Filter * >> accounts.txt
I used PowerShell to get a list of all services (the output includes stopped services as well as running ones) and redirected (saved) it to a text file by typing the following command:
PS C:\Users\Administrator> Get-Service >> Services.txt
To get a list of running processes and redirect the list to a text file called Processes.txt, I typed the following command:
PS C:\Users\Administrator> Get-Process >> Processes.txt

Next, I got a list of scheduled tasks and saved it to a text file called ScheduledTasks.txt using the following command:
PS C:\Users\Administrator> Get-ScheduledTask >> ScheduledTasks.txt
Then I wanted to get a list of Domain Admins and save it to a text file called DomainAdmins.txt. To do that, I used the following command:
PS C:\Users\Administrator> Get-ADGroupMember "Domain Admins" >> DomainAdmins.txt
To get a list of local administrators and save it to LocalAdministrators.txt, I used the following command in PowerShell:
PS C:\Users\Administrator> Invoke-Command {net localgroup administrators} >> LocalAdministrators.txt

I also wanted to check for open connections to find out who may be communicating with this system. I stored the results in a text file called OpenConnections.txt. I used the following command (the -b switch, which shows the executable behind each connection, requires an elevated prompt):
PS C:\Users\Administrator> Invoke-Command {netstat -nab} >> OpenConnections.txt
The next task was to record the contents of the DNS resolver cache, which shows the names this host has recently resolved and the addresses they mapped to. I used the following command:
PS C:\Users\Administrator> Invoke-Command {ipconfig /displaydns} >> displaydns.txt
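The collection steps above can be run as one script. The following is an added example, not code from the original write-up: it gathers the same artifacts into a timestamped evidence folder, saves them as CliXML object exports (so the properties survive for later filtering, and nothing is appended to files from an earlier run), records a transcript of the session, and hashes every output file. It assumes an elevated session on a domain controller with the ActiveDirectory module available; the $EvidenceRoot location and the file names are choices made for this example.

```powershell
# Added example, not code from the original write-up: collect the walkthrough's
# artifacts into a timestamped evidence folder. CliXML exports replace ">>" text
# appends, which drop object properties and silently add to any existing file.
# Assumptions: elevated session on a domain controller with the ActiveDirectory
# module; $EvidenceRoot and the output file names are chosen for this example.
$EvidenceRoot = Join-Path $env:USERPROFILE ('Evidence_{0}' -f (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $EvidenceRoot | Out-Null

# Keep a transcript of the collection session next to the evidence.
Start-Transcript -Path (Join-Path $EvidenceRoot 'collection_transcript.txt') | Out-Null

# Output file -> script block that produces the objects to save.
$Collectors = [ordered]@{
    'accounts.xml' = {
        Get-ADUser -Filter * -Properties Enabled, LastLogonDate, PasswordLastSet |
            Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, DistinguishedName
    }
    'services.xml' = {
        Get-CimInstance Win32_Service | Select-Object Name, DisplayName, State, StartMode, PathName, StartName
    }
    'processes.xml' = {
        Get-Process -IncludeUserName | Select-Object Id, ProcessName, Path, UserName, Handles, CPU, WorkingSet64
    }
    'scheduledtasks.xml' = {
        # One row per task action, so the program each task runs is saved with the task.
        Get-ScheduledTask | ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath; TaskName = $task.TaskName; State = $task.State
                    Author   = $task.Author;   Execute  = $action.Execute; Arguments = $action.Arguments
                }
            }
        }
    }
    'domainadmins.xml' = {
        Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object SamAccountName, objectClass, DistinguishedName
    }
    'localadministrators.txt' = { net localgroup administrators }   # plain text, as in the walkthrough
    'openconnections.xml' = {
        Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
            @{ n = 'ProcessName'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
    }
    'dnscache.xml' = { Get-DnsClientCache | Select-Object Entry, Name, Type, Data, TimeToLive }
}

foreach ($entry in $Collectors.GetEnumerator()) {
    $outFile = Join-Path $EvidenceRoot $entry.Key
    try {
        $data = & $entry.Value
        if ($entry.Key -like '*.txt') { $data | Out-File -FilePath $outFile -Encoding utf8 }
        else                          { $data | Export-Clixml -Path $outFile }
        Write-Host ('Collected {0} ({1} items)' -f $entry.Key, @($data).Count)
    } catch {
        Write-Warning ('{0} failed: {1}' -f $entry.Key, $_.Exception.Message)
    }
}
Stop-Transcript | Out-Null

# Hash every file after collection has finished so later analysis can show nothing changed.
$hashes = Get-ChildItem -Path $EvidenceRoot -File | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash
$hashes | Export-Csv -Path (Join-Path $EvidenceRoot 'SHA256SUMS.csv') -NoTypeInformation
```

Each .xml file can later be loaded with Import-Clixml, which restores the objects with their properties, so the analysis steps that follow can use Where-Object and Sort-Object instead of reading text by eye. The hash list is computed into a variable before being written so that SHA256SUMS.csv does not end up listing itself.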
Analysis of Data Collected
At this point I had collected the essential data and wanted to analyze it.
I located the files created in the previous tasks by opening Windows Explorer and navigating to C:\Users\Administrator\

First, I opened the accounts.txt file to find out which accounts are enabled.

I opened the processes.txt file and used it to answer the following questions:
Which process has the most handles? — DNS
Which process uses the most CPU resources? — Server Manager
Which process is used the most? –
The list of questions goes on. You can use this file to find out a lot more about the processes running on your system.

I opened the services.txt file to find out which services were currently running. Here is part of my results.
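The process and service questions above can be answered directly with object filtering rather than by scanning a text dump. The following is an added example, not code from the original write-up; it assumes an elevated session and works on live data (to run it against collected evidence, replace each Get-Process or Get-CimInstance call with Import-Clixml of the saved export). It also shows why the "most CPU" answer needs care: the CPU column of Get-Process is cumulative processor time, not a live percentage.

```powershell
# Added example, not code from the original write-up: answer the process and service
# questions with object filtering. Assumes an elevated session on Windows.

# Which process has the most handles? Top five by handle count.
Get-Process | Sort-Object Handles -Descending |
    Select-Object -First 5 ProcessName, Id, Handles, Path |
    Format-Table -AutoSize

# Which process uses the most CPU? Get-Process's CPU column is cumulative processor
# seconds since the process started, not a live percentage, so long-lived services
# dominate this list even when they are idle right now.
Get-Process | Where-Object { $_.CPU } | Sort-Object CPU -Descending |
    Select-Object -First 5 ProcessName, Id, @{ n = 'CPUSeconds'; e = { [math]::Round($_.CPU, 1) } } |
    Format-Table -AutoSize

# A live reading instead: sample the per-process processor-time counter once over two seconds.
Get-Counter '\Process(*)\% Processor Time' -SampleInterval 2 -MaxSamples 1 |
    Select-Object -ExpandProperty CounterSamples |
    Where-Object { $_.InstanceName -notin '_total', 'idle' } |
    Sort-Object CookedValue -Descending |
    Select-Object -First 5 InstanceName,
        @{ n = 'PercentCPU'; e = { [math]::Round($_.CookedValue / $env:NUMBER_OF_PROCESSORS, 1) } } |
    Format-Table -AutoSize

# "Which process is used the most?" read as the image name with the most running instances.
Get-Process | Group-Object ProcessName | Sort-Object Count -Descending |
    Select-Object -First 5 Name, Count | Format-Table -AutoSize

# Running services with the command line each one starts and the account it runs as,
# so an unfamiliar binary path or a service running as a named user stands out.
Get-CimInstance Win32_Service | Where-Object State -eq 'Running' |
    Select-Object Name, DisplayName, StartMode, StartName, PathName |
    Sort-Object Name | Format-Table -AutoSize -Wrap

# Running services whose binary lives outside \Windows\ are the ones to check against
# the software inventory for this system.
Get-CimInstance Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -notmatch '\\Windows\\' } |
    Select-Object Name, StartName, PathName | Format-Table -AutoSize -Wrap
```

Win32_Service is used for the service listing because, unlike Get-Service, it exposes the PathName and StartName properties, which is where the investigative value is: the answer to "is this service normal" usually comes from what it executes and as whom, not from its display name.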

I explored the scheduledtasks.txt file to find out, for example, which installed program is associated with the proxy service.

Get-ScheduledTask returns an array of scheduled task definition objects from one or more task paths. Its two main parameters are:
TaskName: Specifies an array of one or more names of scheduled tasks. You can use "*" as a wildcard character in the query.
TaskPath: Specifies an array of one or more paths for scheduled tasks in the Task Scheduler namespace.
A scheduled task can be disabled with Disable-ScheduledTask, whose syntax is:
Disable-ScheduledTask
    [-TaskName] <String>
    [[-TaskPath] <String>]
    [-CimSession <CimSession[]>]
    [-ThrottleLimit <Int32>]
    [-AsJob]
    [<CommonParameters>]
For example:
PS C:\Users\Administrator> Disable-ScheduledTask -TaskName "SystemScan"
TaskPath TaskName   State
-------- --------   -----
\        SystemScan Disabled
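The question asked of the scheduled task file above (which installed program is associated with a given task) is answered by the task's actions rather than its name. The following is an added example, not code from the original write-up: it joins each task to the program and arguments it executes and to its last run information, then filters by a keyword. The keyword "proxy" is taken from the question above; the output shape is chosen for this example. It assumes an elevated session.

```powershell
# Added example, not code from the original write-up: list each scheduled task with the
# program it runs, then narrow to tasks related to a keyword. Assumes an elevated session.
$Keyword = 'proxy'   # taken from the question in the write-up; change as needed

$taskActions = Get-ScheduledTask | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    foreach ($action in $task.Actions) {
        [pscustomobject]@{
            TaskPath    = $task.TaskPath
            TaskName    = $task.TaskName
            State       = $task.State
            Author      = $task.Author
            Execute     = $action.Execute     # $null for COM-handler actions, which have no Execute
            Arguments   = $action.Arguments
            LastRunTime = $info.LastRunTime
            LastResult  = $info.LastTaskResult  # 0 means the last run succeeded
        }
    }
}

# Tasks related to the keyword, matched on the task name or on the command line it executes.
$taskActions |
    Where-Object { $_.TaskName -match $Keyword -or "$($_.Execute) $($_.Arguments)" -match $Keyword } |
    Format-Table TaskPath, TaskName, State, Execute, Arguments -AutoSize -Wrap

# Tasks outside the \Microsoft\ namespace are where third-party installers place theirs;
# unexpected entries here are the first thing to reconcile against the software inventory.
$taskActions | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    Sort-Object TaskPath, TaskName |
    Format-Table TaskPath, TaskName, State, Author, Execute, LastRunTime -AutoSize -Wrap

# Tasks that run a script interpreter are worth reading in full, because the real program
# is in the Arguments column rather than in Execute.
$taskActions | Where-Object { $_.Execute -match 'powershell|cmd\.exe|wscript|cscript|mshta|rundll32' } |
    Format-Table TaskPath, TaskName, Execute, Arguments -AutoSize -Wrap
```

Once the table is in $taskActions it can be exported with Export-Csv or Export-Clixml and kept alongside the other collected files, and the same Disable-ScheduledTask call shown above can be run for any task that analysis shows should not be active.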
Next, I opened the localadministrators.txt file and checked for the user accounts or groups that are local administrators on the system.

I also opened the domainadmins.txt file to find out which users have domain administrator privileges.

I opened the openconnections.txt file to find out which connections were currently established on the system and which services and ports were listening.

The final file was displaydns.txt. From this file, I wanted to find out whether a DNS server was in use and which DNS server was resolving the system's queries.
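The connection and DNS questions above can be answered with objects rather than netstat and ipconfig text. The following is an added example, not code from the original write-up: it maps each established and listening TCP connection to its owning process, lists the configured DNS servers (ipconfig /displaydns shows the resolver cache, not the server, so Get-DnsClientServerAddress answers the "which server" question), and then cross-checks established remote addresses against the cache to find connections that were made to raw IP addresses without a preceding name lookup. It assumes an elevated session so that every connection's owning process can be resolved.

```powershell
# Added example, not code from the original write-up: connections mapped to processes,
# configured DNS servers, the resolver cache, and a join between the two.
# Assumes an elevated session on Windows.

# Index running processes by PID once, so each connection row can be resolved cheaply.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

# Established connections with the owning process and its binary path.
$connections = Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{ n = 'ProcessName'; e = { $procs[[int]$_.OwningProcess].ProcessName } },
        @{ n = 'Path';        e = { $procs[[int]$_.OwningProcess].Path } }
$connections | Sort-Object RemoteAddress | Format-Table -AutoSize

# Listening ports and the process behind each one.
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'ProcessName'; e = { $procs[[int]$_.OwningProcess].ProcessName } } |
    Sort-Object LocalPort -Unique | Format-Table -AutoSize

# Which DNS servers this host is configured to use, per interface.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# The resolver cache: names this host resolved recently and what they resolved to.
# Type 1 is an A record, type 28 an AAAA record.
$cached = Get-DnsClientCache | Where-Object { $_.Type -in 1, 28 }
$cached | Select-Object Entry, Data, TimeToLive | Sort-Object Entry | Format-Table -AutoSize

# Join the two views: remote addresses of established connections that never appeared in
# the cache were reached without a name lookup, which ordinary client software rarely does
# and which is therefore worth explaining for each process listed.
$cachedAddrs = $cached | Select-Object -ExpandProperty Data
$connections |
    Where-Object { $_.RemoteAddress -notin $cachedAddrs -and $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
    Select-Object RemoteAddress, RemotePort, ProcessName, Path |
    Sort-Object RemoteAddress -Unique | Format-Table -AutoSize
```

The cache is short-lived (entries expire with their TTL), so an address missing from it is a lead rather than a conclusion; the point of the join is to produce a short list of connections to explain, each already tied to a process name and path.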

In conclusion, PowerShell can be used to analyze a system and answer important questions about its services, processes, DNS, Domain Administrators, and much more.