Hello all. If you’ve been paying attention to cybersecurity news recently, you may have heard of a breach concerning Uber. After getting login credentials through social engineering, the attacker found admin-level credentials hard-coded in PowerShell scripts sitting on a network share within the company’s intranet. I had wanted to do a PowerShell post for a while, but this recent development pushed me to write this one sooner. So, here you go.
What
If you’re familiar with Linux, you may have, at one time, heard of bash, sh, zsh, fish, ksh, csh, all of that. These are called shells and are used to run shell scripts. Shell scripts are small, interpreted programs that are written for a user to run within a shell. They are (hopefully) quick to write and are used to execute a multitude of commands that would take a very long time to type out. Now you might be thinking, “why not just use Python’s os.system() function?”. Excellent idea, but can you imagine writing a 2000 line script that does nothing but call os.system()? It would actually be more efficient to learn bash and write out the commands. Also, think of the syntax highlighting you would be missing out on!
A neat feature about shell scripts is that they act as if they are the user typing into the console. If I wanted to run a command 4 times and append its output to a log file, I would simply type this:
#!/bin/bash
# Run `date` four times, one second apart, appending each line to date.log
for i in {1..4}; do
    date >> date.log
    sleep 1
done
I could also simply type date >> date.log into my console 4 times.
Now that that’s out of the way, let’s get into the Windows side of it. PowerShell is literally bash, but for Windows. Kind of.
PowerShell is like cmd.exe but on steroids. You not only have a complete scripting language at your fingertips built for Windows (PowerShell 7 is open source and cross-platform, too!), but you also have access to the entire .NET API. Meaning you can do essentially anything on a computer from within a PowerShell script, assuming your account has the access, of course.
Why
Now what does all of this mean for you? PowerShell is, well, powerful. And learning it allows you to control a Windows machine from a command-line scripting interface. That’s pretty powerful. It’s not only useful if you’re on a red team trying to poke and prod into the registry, writing a loader/dropper, or dumping password hashes, but also if you’re on a blue team automating adding employees to your AD, scheduling scripts around work hours, or writing installer scripts for your sandbox tools.
PowerShell has gotten more secure over time, but you used to be able to wreck machines with tools like Empire. Microsoft has since added several defenses to curb PowerShell shenanigans: PowerShell 5 brought script block logging, module logging, transcription, AMSI integration (so antivirus can inspect script content as it runs, even when it is obfuscated or loaded straight into memory) and Constrained Language Mode. The one you run into first is the execution policy: by default you aren’t able to run a .ps1 file (a PowerShell script file) until you change the policy for your user or machine. Keep in mind, though, that the execution policy is a guard against accidentally running scripts, not a security boundary; any user can sidestep it for a single process with -ExecutionPolicy Bypass, which is exactly why the logging features matter more to a defender.
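As an added example (not code from the original post), here is how a blue teamer would check the state of those controls on a box and turn the logging ones on. It reads the same policy registry keys that Group Policy writes, so it assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows; the transcript directory C:\PSTranscripts is just a path chosen for this example.

```powershell
# Added example: inspect and enable the PowerShell hardening controls described above.
# Assumes an elevated session on Windows. C:\PSTranscripts is an arbitrary example path.

$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PSHardeningState {
    # Execution policy per scope. This is a safety catch for accidental double-clicks,
    # not a security boundary: "powershell -ExecutionPolicy Bypass" sidesteps it.
    $policies = Get-ExecutionPolicy -List |
        ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }

    $sbl = Get-ItemProperty -Path "$PolicyBase\ScriptBlockLogging" -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $mod = Get-ItemProperty -Path "$PolicyBase\ModuleLogging"      -Name EnableModuleLogging      -ErrorAction SilentlyContinue
    $tr  = Get-ItemProperty -Path "$PolicyBase\Transcription"      -Name EnableTranscripting      -ErrorAction SilentlyContinue

    # amsi.dll is loaded into the host process when AMSI integration is active.
    $amsi = Get-Process -Id $PID -Module -ErrorAction SilentlyContinue |
        Where-Object { $_.ModuleName -eq 'amsi.dll' }

    [pscustomobject]@{
        ExecutionPolicy    = $policies -join '; '
        ScriptBlockLogging = [bool]$sbl.EnableScriptBlockLogging
        ModuleLogging      = [bool]$mod.EnableModuleLogging
        Transcription      = [bool]$tr.EnableTranscripting
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode   # FullLanguage vs ConstrainedLanguage
        AmsiLoaded         = [bool]$amsi
    }
}

function Enable-PSLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # example path, pick your own

    foreach ($key in 'ScriptBlockLogging', 'ModuleLogging', 'ModuleLogging\ModuleNames', 'Transcription') {
        New-Item -Path "$PolicyBase\$key" -Force | Out-Null
    }
    # Script block logging: every executed block lands in the PowerShell operational log as event 4104.
    Set-ItemProperty -Path "$PolicyBase\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # Module logging for all modules: pipeline execution details as event 4103.
    Set-ItemProperty -Path "$PolicyBase\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyBase\ModuleLogging\ModuleNames" -Name '*' -Value '*'
    # Transcription: a text transcript of every session, written to $TranscriptDir.
    Set-ItemProperty -Path "$PolicyBase\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$PolicyBase\Transcription" -Name OutputDirectory -Value $TranscriptDir
    New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
    # Settings are picked up by new PowerShell processes.
}

function Get-RecentScriptBlocks {
    param([int]$Count = 5)
    # 4104 events carry the logged script text in the third event property.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $Count |
        Select-Object TimeCreated, @{ Name = 'ScriptBlockText'; Expression = { $_.Properties[2].Value } }
}

Get-PSHardeningState
Enable-PSLogging
Get-RecentScriptBlocks
```

Run Get-PSHardeningState before and after Enable-PSLogging and compare; once script block logging is on, a one-liner like IEX (New-Object Net.WebClient).DownloadString(...) shows up in 4104 in its de-obfuscated form, which is what AMSI and the logging were built to expose.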
Some of the malware written for paid posts could be done solely through PowerShell with relative ease. In fact, I bet all of them could, barring any that have to do with injections.
TLDR: if you want to work in a Windows-based cybersecurity environment, you’re gonna want to learn PowerShell. It’s a very nice tool to have on your résumé should you want to get into Windows IT or InfoSec.
How
Now, I’m not going to sit here and write a 5 post tutorial on how to write PowerShell. That’s your job, not mine. However, I do have a script that I commonly drop onto and run on any fresh Windows VM sandbox I create. It automatically downloads and installs a bunch of tools that I need for reverse engineering and debugging. So, I figured I would share it with you all here.
Requirements
A Windows machine.
This will install a bunch of stuff into C:\Program Files (so it has to run elevated). Only continue ahead if you actually want to.
Copy and paste this script into a file and save it as a .ps1. I didn’t feel like zipping a file and uploading it to my Tor site.
# Expand-7Zip comes from the 7Zip4PowerShell module on the PowerShell Gallery. It is used
# instead of the built-in Expand-Archive because one download is a .rar and another is a
# password-protected zip. Without -Force, Install-Module asks whether to trust the
# repository; answer "A" (Yes to All).
Install-Module 7Zip4PowerShell -Scope CurrentUser # -Force #-Verbose
Import-Module 7Zip4PowerShell

# Caveat: every URL below is HTTPS and pinned to a version, but nothing verifies a hash or
# signature of what arrives, and all of it runs elevated. Treat this as sandbox-only glue.

# Older .NET defaults WebClient to TLS 1.0, which most of these hosts no longer accept.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$WebClient = New-Object System.Net.WebClient

# Get current directory
# $dir = (pwd).Path
# Get Desktop and Downloads
$desktop = $env:USERPROFILE + '\Desktop'
$downloads = $env:USERPROFILE + '\Downloads'

# Drop a .lnk on the Desktop for each file object passed in.
# One WScript.Shell COM object is enough; it does not need to be re-created per file.
function Make-Shortcuts ($files) {
    $shell = New-Object -ComObject WScript.Shell
    $files | ForEach-Object {
        $ss = $shell.CreateShortcut($desktop + '\' + $_.BaseName + '.lnk')
        $ss.IconLocation = $_.FullName
        $ss.TargetPath = $_.FullName
        $ss.Save()
    }
}

# Download and install Autoruns
$path = $downloads + '\Autoruns.zip'
$WebClient.DownloadFile('https://download.sysinternals.com/files/Autoruns.zip', $path)
Expand-7Zip $path -TargetPath 'C:\Program Files\Autoruns\' #-Verbose
# Get the exe's in Autoruns and place shortcuts on the Desktop
$files = Get-ChildItem -Path 'C:\Program Files\Autoruns\' -Recurse -Filter *.exe
Make-Shortcuts $files

# Download Process Hacker
$path = $downloads + '\processhacker.zip'
$WebClient.DownloadFile('https://github.com/processhacker/processhacker/releases/download/v2.39/processhacker-2.39-bin.zip', $path)
Expand-7Zip $path -TargetPath 'C:\Program Files\ProcessHacker\' #-Verbose
# Shortcuts for the exe's named ProcessHacker* (the zip ships x86 and x64 builds)
$files = Get-ChildItem -Path 'C:\Program Files\ProcessHacker\' -Recurse -Filter *.exe | Where-Object { $_.Name -like 'ProcessHacker*' }
Make-Shortcuts $files

# Download ProcDOT (the zip is password-protected)
$path = $downloads + '\procdot.zip'
$WebClient.DownloadFile('https://www.procdot.com/download/procdot/binaries/procdot_1_22_57_windows.zip', $path)
# Extract all files to C:\Program Files\Procdot
Expand-7Zip $path -TargetPath 'C:\Program Files\Procdot\' -Password 'procdot' #-Verbose
# Shortcut for procdot.exe
$files = Get-ChildItem -Path 'C:\Program Files\Procdot\' -Recurse -Filter procdot.exe
Make-Shortcuts $files

# Download Detect It Easy
$path = $downloads + '\detectit.zip'
$WebClient.DownloadFile('https://github.com/horsicq/DIE-engine/releases/download/3.04/die_win64_portable_3.04.zip', $path)
# Extract all files to C:\Program Files\Detect It Easy
Expand-7Zip $path -TargetPath 'C:\Program Files\Detect It Easy\' #-Verbose
# Shortcut for die.exe
$files = Get-ChildItem -Path 'C:\Program Files\Detect It Easy\' -Recurse -Filter die.exe
Make-Shortcuts $files

# Download Scylla (a .rar, which is why 7-Zip is used for extraction)
$path = $downloads + '\scylla.rar'
$WebClient.DownloadFile('https://github.com/NtQuery/Scylla/releases/download/v0.9.8/Scylla_v0.9.8.rar', $path)
# Extract to C:\Program Files\Scylla
Expand-7Zip $path -TargetPath 'C:\Program Files\Scylla\' #-Verbose
# Shortcuts for the exe's that start with Scylla_
$files = Get-ChildItem -Path 'C:\Program Files\Scylla\' -Recurse -Filter *.exe | Where-Object { $_.Name -like 'Scylla_*' }
Make-Shortcuts $files

# Download PeStudio
$path = $downloads + '\pes.zip'
$WebClient.DownloadFile('https://www.winitor.com/tools/pestudio/current/pestudio.zip', $path)
# Extract to C:\Program Files\PeStudio
Expand-7Zip $path -TargetPath 'C:\Program Files\PeStudio\' #-Verbose
# Shortcuts for every exe
$files = Get-ChildItem -Path 'C:\Program Files\PeStudio\' -Recurse -Filter *.exe
Make-Shortcuts $files

# Download OllyDbg
$path = $downloads + '\olly.zip'
$WebClient.DownloadFile('https://www.ollydbg.de/odbg110.zip', $path)
# Extract to C:\Program Files\OllyDbg
Expand-7Zip $path -TargetPath 'C:\Program Files\OllyDbg\' #-Verbose
# Shortcuts for every exe
$files = Get-ChildItem -Path 'C:\Program Files\OllyDbg\' -Recurse -Filter *.exe
Make-Shortcuts $files

# Dispose everything
$WebClient.Dispose()
Next, open a PowerShell prompt as Administrator and run the .ps1. If the execution policy blocks it, launch it for that one process with powershell.exe -ExecutionPolicy Bypass -File followed by the path to your .ps1 (the policy is a per-process nuisance, not a security boundary). When Install-Module asks whether to trust the PSGallery repository, enter “A” (Yes to All), and the script should slap a bunch of analysis tool shortcuts on your Desktop.
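The setup script pulls each tool over HTTPS but never checks what arrived, and then runs the results as Administrator. As an added example (not part of the original script), here is the check I would bolt on: download, compare the SHA-256 against a value you recorded from the vendor’s page, refuse to extract on mismatch, and then report the Authenticode status and hash of every .exe that came out of the archive. The expected-hash value below is a placeholder, not a real hash, and the usage at the bottom assumes the Autoruns step from the script above with the built-in Expand-Archive instead of Expand-7Zip, since that one is a plain zip.

```powershell
# Added example: pin downloads to a known hash and inventory what was extracted.
# Assumptions: ExpectedSha256 is a placeholder to be replaced with the hash you recorded;
# Expand-Archive is used because Autoruns.zip is a plain zip (no 7Zip4PowerShell needed).

function Get-PinnedDownload {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing
    $actual = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    # -ne is case-insensitive in PowerShell, so upper/lower-case hex both work.
    if ($actual -ne $ExpectedSha256) {
        # Fail closed: do not leave an unverified archive lying around to be extracted later.
        Remove-Item -Path $OutFile -Force
        throw "Hash mismatch for $Url`n  expected: $ExpectedSha256`n  got:      $actual"
    }
    Get-Item -Path $OutFile
}

function Test-ExtractedBinaries {
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -Path $Directory -Recurse -Filter *.exe | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status                       # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Usage for the Autoruns step. The hash string is a placeholder; with it left as-is the
# download is rejected and deleted, which is the intended failure mode until you fill it in.
$zip = Get-PinnedDownload -Url 'https://download.sysinternals.com/files/Autoruns.zip' `
    -OutFile "$env:USERPROFILE\Downloads\Autoruns.zip" `
    -ExpectedSha256 'REPLACE-WITH-THE-SHA256-YOU-RECORDED'
Expand-Archive -Path $zip.FullName -DestinationPath 'C:\Program Files\Autoruns\' -Force
Test-ExtractedBinaries -Directory 'C:\Program Files\Autoruns\' | Format-Table -AutoSize
```

Sysinternals binaries should all come back Status = Valid with a Microsoft signer; several of the other tools in the script (OllyDbg, Scylla) ship unsigned, so for those the recorded SHA-256 is the only thing tying what you run to what you meant to download. Because some of these URLs (Autoruns, PeStudio) point at “current” rather than a fixed version, expect the pinned hash to break on the vendor’s next release; that break is the check working.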
Now that I look over this, this was pretty much me shilling you a Windows tool and then showing off that I knew how to write basic stuff with it. Anyways, I do actually encourage you to learn at least some of the common .NET classes used in malicious programs pertaining to things like the registry, loaders/droppers, credential stealing, etc. Future Substack posts will use PowerShell, so be on the lookout!
That’s all for now. Have a great weekend, as always.
Go!
-BowTiedCrawfish