Harness the Power of Scripting: Why PowerShell is a MUST in Cybersecurity!

Malik Girondin, 17/07/2024

In this article, we will explore whether PowerShell belongs in a cybersecurity toolkit. Is it a MUST or a bust? Before you jump to a conclusion, please read the information provided in this blog. Then you can truly determine whether it is for you or not. Let's dive right into it.

What Exactly is PowerShell?

Firstly, take a look at our recently launched Introduction to PowerShell Course, which covers this in detail! But let's answer the question since you are already here: PowerShell is a command-line shell and scripting language built on Microsoft .NET that lets developers, IT admins, DevOps engineers and security professionals automate tasks and configuration with code. Since version 6 it has been open source and cross-platform; the Windows PowerShell 5.1 that ships preinstalled with Windows is the older, Windows-only edition. Either way, PowerShell serves dual purposes: it functions as both a command-line shell and a scripting language.

PowerShell as a Command-line Shell

As a command-line shell, PowerShell lets users control the computer through commands that talk to the operating system, providing an alternative to the graphical user interface (GUI), which many seem to prefer. This is particularly beneficial for automating repetitive processes, simplifying workflows, and minimizing the risk of errors. Also, commands typed at the prompt are recorded in the session history (and, with the PSReadLine module, persisted to a history file on disk), which makes operations easy to reproduce and consistent; from a defender's point of view, that history is also a trail worth collecting during an investigation.

PowerShell as a Scripting Language

As a scripting language, PowerShell is built to automate and glue together other software: it drives the operating system, .NET libraries and any application that exposes cmdlets or an API, and it passes structured objects, not just text, from one command to the next. Unlike compiled languages such as Java or C#, PowerShell scripts are parsed and executed by the PowerShell engine at run time rather than compiled ahead of time into a binary. This makes it easy to extend the functionality of existing software, automate complex tasks, extract and manipulate data, and manage configurations effectively. Speaking of scripting languages, PowerShell is very similar to Python: an easy-to-learn language used by many cybersecurity professionals. We recently launched a FREE full-fledged course on Python as well, if you are interested.

Common PowerShell Myths: Debunked

Before we dive into the technical portion of this blog, I want to dispel some common myths circulating on the internet. These myths deter cybersecurity students (and IT professionals) from mastering PowerShell, and that closes off opportunities to automate security tasks, analyze data, and improve overall system security. Let's get started:

Myth: PowerShell is Only for Windows

PowerShell was open-sourced and made cross-platform on August 18, 2016, with the announcement of what became PowerShell Core 6.0; Microsoft now ships PowerShell 7 for Windows, macOS and Linux. The Windows PowerShell 5.1 that comes preinstalled with Windows remains Windows-only, which is where this myth comes from.

Myth: PowerShell is Difficult to Learn

To be frank, I believe this comes from folks who are GUI only—meaning they find the command prompt intimidating. While PowerShell can be complex, especially for advanced scripting, it is designed to be user-friendly. There are many resources, tutorials, and community support options available for beginners. For example, here is a great introduction guide by Microsoft.

Myth: PowerShell is Just a Replacement for Command Prompt

False. PowerShell is far more powerful and versatile than Command Prompt (CMD). It offers a richer scripting language (the dual-purpose point made earlier), direct access to .NET libraries, and the ability to perform complex administrative tasks, making it much more than a simple replacement. Please don't take this as a 'diss' against CMD; it's just that these two are not the same.

Myth: PowerShell Scripts are Insecure

Execution Policies are the first thing people point to here, so let's be precise about what they are: Microsoft documents the execution policy as a safety feature that stops scripts from being run by accident, not a security boundary. Any user can override it for a single process (for example with the -ExecutionPolicy Bypass switch), so it will not stop an attacker who already has a foothold. The controls that actually raise the bar are script signing combined with AppLocker or WDAC (which drops PowerShell into Constrained Language Mode), Just Enough Administration (JEA) to limit what a remote session can do, and the logging features (script block logging, module logging, transcription, and AMSI integration) that make PowerShell one of the best-instrumented attack surfaces on Windows. Configured correctly, PowerShell enhances security rather than compromising it. Yes, I am aware that attackers use PowerShell as an attack vector, just as they use any tool that is already on the box. Is that the fault of the vendor, given all of these features are available?
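To make the distinction concrete, here is an added example (my own, not code from the original post) that audits the controls that actually matter on a Windows host and turns on the logging a defender relies on. Run it from an elevated prompt. The transcript directory C:\PSTranscripts is an assumed path; the registry values are the documented Group Policy locations for script block logging and transcription.

```powershell
# Added example (not from the original post): audit PowerShell security controls
# on a Windows host and enable the logging defenders rely on. Run elevated.

# 1. Execution policy is a safety catch, not a security boundary. Any user can
#    override it per process, e.g. powershell.exe -ExecutionPolicy Bypass -File x.ps1
Get-ExecutionPolicy -List

# 2. Language mode is the real restriction. 'ConstrainedLanguage' (enforced by
#    AppLocker or WDAC) blocks arbitrary .NET, Add-Type and COM, which is what
#    most offensive PowerShell tooling depends on. 'FullLanguage' means no limits.
$ExecutionContext.SessionState.LanguageMode

# 3. Script block logging (Event ID 4104) records the de-obfuscated code that ran;
#    transcription writes every session to disk. Both live under the Policies hive.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$sbl  = Join-Path $base 'ScriptBlockLogging'
$tx   = Join-Path $base 'Transcription'

New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

New-Item -Path $tx -Force | Out-Null
Set-ItemProperty -Path $tx -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path $tx -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String  # assumed path

# 4. Confirm the settings took effect and that 4104 events are being written.
Get-ItemProperty -Path $sbl, $tx | Format-List

Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; ID = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
```

The 4104 events are what give you visibility into obfuscated or in-memory scripts, because the engine logs the script block after it has been decoded, not the base64 blob that was passed on the command line. Forward that channel to your SIEM alongside the Security log.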

Myth: PowerShell is Only for System Administrators

I saved the best for last; this might hurt some feelings. This myth is one of the main reasons I made the FREE Introduction to PowerShell course, which demonstrates the use of PowerShell in cybersecurity. Also, with courses from SANS such as SEC505 and SEC586, why do you believe PowerShell CAN'T be used for cybersecurity? Yes, it is widely used by system administrators and developers for automation, but it is not exclusive to them by any means. There are Network Engineers using commands like Test-NetConnection <ip/hostname> -Port <number> and Cybersecurity Engineers using commands like Get-FileHash -Algorithm SHA256 <file name> in their daily work. Don't tell me (or other folks) that PowerShell is exclusive to System Administrators.

Now, with the myths out of the way, let's jump into the power of scripting with some examples of PowerShell within cybersecurity.

Using PowerShell in Cybersecurity: Harnessing the ‘Power’

PowerShell scripts are widely used in offensive work such as penetration testing and red teaming. But for a Blue Teamer, PowerShell is just as essential for monitoring and detecting malicious activity on a Windows machine. The examples that follow show use cases for monitoring suspicious processes, checking for open ports, extracting event logs, and more!

Disclaimer: Be careful running some of these commands, as some of them may cause changes to your environment. Note also that the Get-Net* cmdlets and the Security event log used below are Windows-only, and reading the Security log requires an elevated prompt.

Monitoring for Suspicious Processes

Shocker! PowerShell can be used to monitor and identify suspicious processes running on a system. This is crucial for detecting potential malware or unauthorized activity. Let's run the command below on our machine:

Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, CPU

[Screenshot: output of the command above]

As you can see, this one-liner lists every process whose $_.CPU value exceeds 100. That property is the cumulative processor time in seconds the process has consumed since it started, not a percentage, so a long-running but legitimate process will top the list while a freshly launched implant that sits idle will not appear at all. Treat it as a starting point for spotting resource-hungry processes rather than a detection on its own. In my case, these processes look quite normal, aside from the resource-intensive browser Chrome—which I have removed from my PC for this reason! Let's carry on to the next use case.
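CPU time is a weak signal on its own, so here is an added example (my own, not code from the original post) that triages running processes on the signals an analyst actually looks at: where the binary lives, whether it is signed, what spawned it, and whether its command line carries an encoded PowerShell payload. It uses Get-CimInstance Win32_Process because Get-Process does not expose parent PID or command line on Windows PowerShell 5.1. The path and parent/child patterns are heuristics I chose for illustration; ProgramData in particular hosts plenty of legitimate software, so expect to tune them.

```powershell
# Added example (not from the original post): score running processes on
# signals stronger than CPU usage. Windows only; run elevated for full coverage.
$procs = Get-CimInstance Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

$suspicious = foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if (-not $path) { continue }                       # protected/system processes expose no path
    $parent  = $byId[[int]$p.ParentProcessId]
    $reasons = @()

    # Binaries executing from user-writable locations (common malware drop points).
    # Heuristic: ProgramData also hosts legitimate software, so tune this list.
    if ($path -match '^C:\\(Users\\[^\\]+\\AppData|Windows\\Temp|ProgramData)\\') {
        $reasons += 'user-writable path'
    }

    # Unsigned or invalid Authenticode signature. Catalog-signed Windows binaries report Valid.
    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    if ($sig -and $sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }

    # Office applications spawning script hosts or shells: classic macro-malware pattern.
    if ($parent -and $parent.Name -match '^(winword|excel|powerpnt|outlook)\.exe$' -and
        $p.Name -match '^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)\.exe$') {
        $reasons += "spawned by $($parent.Name)"
    }

    # Base64-encoded PowerShell command lines (-e / -enc / -EncodedCommand).
    if ($p.CommandLine -match '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}') {
        $reasons += 'encoded command line'
    }

    if ($reasons) {
        [pscustomobject]@{
            PID     = $p.ProcessId
            Name    = $p.Name
            Parent  = if ($parent) { $parent.Name } else { $null }
            Path    = $path
            Reasons = $reasons -join '; '
        }
    }
}

$suspicious | Format-Table -AutoSize
```

Each hit carries the reasons it was flagged, so an analyst can dismiss a known-good unsigned utility quickly while still stopping on an Office process that launched mshta.exe from AppData.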

Checking for Open Ports

Open ports can be an entry point for attackers, just as a cut is an entry point for germs. The script below lists TCP ports in the Listen state on the local machine (Get-NetTCPConnection belongs to the Windows NetTCPIP module, so this one is Windows-only):

Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort

[Screenshot: output of the command above]

As you can see, it retrieves and displays every listening TCP port, aiding in network security audits. I am not sure if I mentioned this, but you are free to edit and change the code to your liking. Go ahead and try it: UDP has no connection state, so use Get-NetUDPEndpoint to list UDP listeners instead; or change the State filter to 'Established' to see live connections rather than listeners (the valid values are the TCP state names such as Listen, Established, CloseWait and TimeWait). Adding OwningProcess to the Select-Object list tells you which process holds each port. This is the beauty of PowerShell scripts, or scripts in general: they are malleable.
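A listening port is only interesting once you know which process owns it and whether it is reachable from the network. The following added example (my own, not code from the original post) joins TCP and UDP listeners to their owning processes and flags anything bound to all interfaces that is not on an expected-port allowlist. The allowlist is an assumption for a typical domain-joined workstation; adjust it to the host's role.

```powershell
# Added example (not from the original post): enumerate TCP and UDP listeners,
# map each to its owning process, and flag unexpected network-facing services.
# Windows only (NetTCPIP module).

# Assumed allowlist of ports this host is expected to expose. Tune per role.
$expected = @{ 135 = 'RPC'; 445 = 'SMB'; 3389 = 'RDP'; 5985 = 'WinRM' }

$tcp = Get-NetTCPConnection -State Listen |
    Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
$udp = Get-NetUDPEndpoint |
    Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess

$listeners = foreach ($l in (@($tcp) + @($udp))) {
    # PID 0/4 and protected processes may not resolve; that is fine, leave the fields empty.
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Proto    = $l.Proto
        Address  = $l.LocalAddress
        Port     = $l.LocalPort
        PID      = $l.OwningProcess
        Process  = $proc.ProcessName
        Path     = $proc.Path
        AllIfs   = $l.LocalAddress -in @('0.0.0.0', '::')   # reachable from the network, not just loopback
        Expected = $expected.ContainsKey([int]$l.LocalPort)
    }
}

# Full inventory, loopback-only services included.
$listeners | Sort-Object Proto, Port | Format-Table -AutoSize

# The ones worth chasing: network-facing and not on the allowlist.
$listeners | Where-Object { $_.AllIfs -and -not $_.Expected } |
    Sort-Object Proto, Port | Format-Table -AutoSize
```

Run it elevated so Get-Process can return the executable path for services running as SYSTEM; without elevation the Path column will be blank for those, which is itself a hint that the listener belongs to a privileged process.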

Scanning for Vulnerable Software

Let's look at another script. The one below reads installed software and its version from the registry locations where Windows records uninstall entries (64-bit, 32-bit under WOW6432Node, and the current user's hive), helping identify outdated or vulnerable applications that need patching. It is not an exhaustive inventory, mind you.

$hives = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*"
Get-ItemProperty $hives -ErrorAction SilentlyContinue | Where-Object DisplayName | Select-Object DisplayName, DisplayVersion

[Screenshot: output of the command above]

Although it fetches a list of installed software and their versions from the registry, it only sees applications that registered an uninstall entry: portable executables, Microsoft Store (MSIX) packages and per-user installs by other accounts will not appear. You will still have to diligently compare each version against the vendor's latest release to confirm it is up to date.
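The comparison step is where most ad-hoc scripts go wrong, because DisplayVersion is free text ("8.6", "23.01 (x64)") rather than a proper version. Here is an added example (my own, not code from the original post) that normalizes those strings into [version] objects and checks them against a minimum-version baseline. The baseline entries are constructed placeholders for illustration, not real advisory data; replace them with the minimum patched versions from your vulnerability management source.

```powershell
# Added example (not from the original post): compare installed versions against
# a minimum-version baseline. Baseline values below are placeholders, not advisories.
$baseline = @{
    '7-Zip'         = [version]'23.1.0.0'
    'Notepad++'     = [version]'8.6.0.0'
    'Google Chrome' = [version]'126.0.0.0'
}

$hives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-Version([string]$Text) {
    # Keep only the leading dotted-numeric part and pad to four components so
    # that "8.6" and "8.6.0.0" compare equal. Returns $null if nothing numeric.
    if ($Text -match '(\d+(\.\d+){0,3})') {
        $parts = $Matches[1].Split('.') + @('0', '0', '0')
        return [version]($parts[0..3] -join '.')
    }
    return $null
}

$installed = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
    Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, PSChildName

$findings = foreach ($app in $installed) {
    # Match on a name prefix because DisplayName often carries architecture or edition suffixes.
    $key = $baseline.Keys | Where-Object { $app.DisplayName -like "$_*" } | Select-Object -First 1
    if (-not $key) { continue }

    $have = ConvertTo-Version $app.DisplayVersion
    if (-not $have) {
        Write-Warning "Cannot parse version '$($app.DisplayVersion)' for $($app.DisplayName)"
        continue
    }

    if ($have -lt $baseline[$key]) {
        [pscustomobject]@{
            Name      = $app.DisplayName
            Installed = $have
            Minimum   = $baseline[$key]
            Key       = $app.PSChildName   # registry key name, useful for scripted remediation
        }
    }
}

$findings | Format-Table -AutoSize
```

Unparseable versions are reported as warnings rather than silently skipped, because an installer that writes a date or a build tag into DisplayVersion is exactly the kind of software that falls through the cracks of a patch process.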

Extracting Event Logs

If you have worked in cybersecurity, you know how vital event logs are for incident response. Below is a basic script, expounded upon in the FREE course, that extracts specific security events. We are going to filter for Event ID 4625, which is logged for every failed logon attempt (you need an elevated prompt to read the Security log):

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} | Select-Object TimeCreated, Id, LevelDisplayName, Message

[Screenshot: output of the command above, redacted for clarity]

The output above shows multiple failed login attempts, which could indicate potential brute force attacks or unauthorized access attempts. Luckily, it is just a VM which I have trouble logging into due to its ever-changing password feature.
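Scrolling through raw 4625 messages does not scale, so here is an added example (my own, not code from the original post) that turns the events into a brute-force signal: it pulls the account, source address, logon type and failure sub-status out of each event by field name, then groups failures per source/account pair and per source to separate classic brute force from password spraying. The 24-hour window and the thresholds (10 failures per pair, 5 distinct accounts per source) are assumptions to tune for your estate. Run it elevated.

```powershell
# Added example (not from the original post): detect brute-force and password-spray
# patterns in Security Event ID 4625. Windows only; run elevated.
$Since          = (Get-Date).AddHours(-24)   # assumed look-back window
$PairThreshold  = 10                         # failures per source/account before alerting
$SprayThreshold = 5                          # distinct accounts per source before alerting

function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Read EventData by name rather than positional index; indices differ between event IDs.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = Get-EventField $_ 'TargetUserName'
            Source    = Get-EventField $_ 'IpAddress'
            LogonType = Get-EventField $_ 'LogonType'   # 2 interactive, 3 network, 10 RDP
            SubStatus = Get-EventField $_ 'SubStatus'   # 0xC000006A bad password, 0xC0000064 no such user
        }
    }

# Brute force: many failures against one account from one source.
$failures | Group-Object Source, Account |
    Where-Object Count -ge $PairThreshold |
    ForEach-Object {
        $first = ($_.Group | Measure-Object Time -Minimum).Minimum
        $last  = ($_.Group | Measure-Object Time -Maximum).Maximum
        [pscustomobject]@{
            Source   = $_.Group[0].Source
            Account  = $_.Group[0].Account
            Failures = $_.Count
            Window   = '{0:N1} min' -f ($last - $first).TotalMinutes
            Types    = ($_.Group.LogonType | Sort-Object -Unique) -join ','
            BadPass  = ($_.Group | Where-Object SubStatus -eq '0xc000006a').Count
        }
    } | Sort-Object Failures -Descending | Format-Table -AutoSize

# Password spraying: one source, few failures per account, many distinct accounts.
$failures | Group-Object Source |
    Where-Object { ($_.Group.Account | Sort-Object -Unique).Count -ge $SprayThreshold } |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                  @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique).Count } } |
    Sort-Object Accounts -Descending | Format-Table -AutoSize
```

Splitting on SubStatus matters when triaging: a run of 0xC0000064 (unknown user) from one source usually means username enumeration, while 0xC000006A against a real account is a password attack. The IpAddress field is populated for network and RDP logons; for local console failures it reads "-", so those group under a single "source" and should be read with the LogonType column in mind.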

Conclusion

Throughout this blog, we've debunked common myths about PowerShell and explored practical examples that highlight its relevance and utility in cybersecurity. From monitoring suspicious processes and checking for open ports to extracting event logs, PowerShell provides a versatile platform for a wide range of security tasks.

For cybersecurity students (or current practitioners), mastering PowerShell not only enhances technical skills but also opens up opportunities to improve organizational security. By incorporating these practical examples into your routine, you can proactively identify and mitigate risks, ensuring a robust security posture.

If you’re ready to take your skills to the next level, consider enrolling in our comprehensive PowerShell course. Designed with cybersecurity students in mind, it offers in-depth training and practical exercises to help you become proficient in using PowerShell for security purposes.

Lastly, if I have not stated this enough, PowerShell is an invaluable tool in the cybersecurity arsenal, offering powerful capabilities for automation, monitoring, and incident response. I truly believe if cybersecurity professionals leverage PowerShell, they can enhance security measures and respond more efficiently to potential threats.


Malik Girondin

Malik has experience with both technical and educational roles within cybersecurity, and is here to share his knowledge on both! Areas he writes on are careers advice and mentorship.
