# PowerShell commands in interACT

**Introduction**

In Digital Forensics and Incident Response (DFIR), **PowerShell** has become a powerful tool for investigators and analysts. Sometimes overlooked is its compatibility with AIR's interACT, which provides a true cross-platform remote shell for Windows, Linux, and macOS. This KB article aims to shed light on how users can leverage PowerShell within interACT to execute cmdlets and perform a variety of operations.

**Why is this Important?**

Many DFIR investigators rely on PowerShell (and Python) as their primary scripting and remediation tools. However, newcomers to AIR may assume that interACT is exclusively tailored for Linux, which is not the case. interACT is a versatile platform, and specific commands are available to users of both Windows and UNIX-like operating systems.

**Executing PowerShell in interACT**

PowerShell can be executed in interACT through several methods. Here, we'll explore three basic ways to run PowerShell commands:

**Using the 'exec' Command**

The 'exec' or 'execute' command in interACT serves as a gateway to run PowerShell commands. This versatile command enables DFIR practitioners to integrate PowerShell into their workflows seamlessly. Below are examples of how to use 'exec' with PowerShell:

```bash
exec powershell.exe whoami
```

This command runs the 'whoami' utility (a Windows command-line tool rather than a cmdlet) through PowerShell, displaying the currently logged-in user.

```bash
exec powershell.exe Get-ScheduledTask
```

In this instance, 'exec' invokes the 'Get-ScheduledTask' cmdlet, providing insights into scheduled tasks on the system.

```bash
exec powershell.exe Remove-Item -path C:\Temp\example.txt
```

The 'exec' command facilitates the removal of a file ('example.txt') using the 'Remove-Item' cmdlet from a specified path.

{% hint style="danger" %}
When running exec commands in interACT, please note that commands requiring additional user input (e.g., Get-CimInstance prompting for a ClassName) may not display the prompt dynamically during execution. Instead, interACT will continue running and appear to "hang" until the process times out or completes.

To avoid this, we recommend:

1. **Modify the Command:** Specify all required parameters directly in the command to prevent prompts. For example:\
   **`exec powershell.exe Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName "YourClassName"`**
2. **Test Commands Locally First:** Run the command in a native PowerShell console to ensure all required inputs are included before executing it in interACT.

We are aware of this behavior and are continuously working to improve user experience.
{% endhint %}

## Understanding the `-NonInteractive` PowerShell Flag in interACT

When using **PowerShell** commands in scripts or automated workflows, you may encounter scenarios where PowerShell expects user input. This can disrupt execution, especially in non-interactive environments such as **AIR's interACT** automation. To address this, PowerShell offers the `-NonInteractive` flag.

**What is `-NonInteractive`?**

The `-NonInteractive` flag is a command-line option for `powershell.exe` that instructs PowerShell to operate in non-interactive mode. When this mode is enabled, PowerShell does **not** prompt for user input and will terminate the script or command if user input is required.

This feature is particularly useful when running commands in environments where no user interaction is possible or desirable, such as during forensic investigations or automation tasks initiated via interACT.

**Example Use Case in interACT**

Here’s an example of how the `-NonInteractive` flag can be applied within **interACT**. The `-ClassName` parameter is mandatory for `Get-CimInstance`, so it is supplied here to keep the command from ever asking for input:

```bash
exec powershell.exe -NonInteractive Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct
```

**Explanation:**

* `exec`: interACT's command for launching a process on the endpoint.
* `powershell.exe`: The executable for running PowerShell commands.
* `-NonInteractive`: Ensures the command runs without expecting user interaction; if a mandatory value were missing, PowerShell would return an error instead of waiting for input.
* `Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct`: Retrieves the antivirus products registered with Windows Security Center from the specified namespace (this namespace exists on Windows client editions, not on Windows Server).

This command is designed to collect system security information without risking a prompt for user input that could interrupt execution.

**Using the** `-NonInteractive` **flag in AIR's interACT provides the following advantages:**

* **Seamless Automation**: Prevents disruptions in workflows caused by unexpected prompts.
* **Increased Reliability**: Ensures consistent execution of PowerShell commands, even in headless or remote environments.
* **Enhanced Efficiency**: Minimizes delays during investigative or forensic operations.

**Troubleshooting Tips**

If a command using `-NonInteractive` fails:

1. Check the command syntax for errors.
2. Ensure the command does not inherently require user input.
3. Review interACT logs for additional context on the failure.

For more details, refer to the official PowerShell documentation on `about_PowerShell_exe`.
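Both the hint above ("Test Commands Locally First") and troubleshooting tip 2 come down to one check: does every parameter set of the cmdlet have all its mandatory values supplied? The following function, an added example that is not code from the original article or from the interACT product, lists the mandatory parameters per parameter set so that check can be done in a local console before the command is sent through `exec`. The function name and its parameter are assumptions.

```powershell
# Added example, not from the original KB article: list the mandatory parameters of
# every parameter set of a cmdlet. Run it in a local PowerShell console before using
# the cmdlet through interACT's exec, so no mandatory value is left for PowerShell
# to prompt for. Function name and parameter name are assumptions.
function Get-MandatoryParameter {
    param(
        [Parameter(Mandatory)]
        [string]$CmdletName
    )

    # Get-Command exposes the resolved parameter sets of the cmdlet.
    $cmd = Get-Command -Name $CmdletName -ErrorAction Stop

    foreach ($set in $cmd.ParameterSets) {
        $mandatory = $set.Parameters |
            Where-Object { $_.IsMandatory } |
            Select-Object -ExpandProperty Name

        [pscustomobject]@{
            Cmdlet       = $cmd.Name
            ParameterSet = $set.Name
            IsDefault    = $set.IsDefault
            Mandatory    = ($mandatory -join ', ')
        }
    }
}

# Get-CimInstance is the cmdlet the hint above uses as its example of a prompt:
# each of its parameter sets requires ClassName, Query, InputObject or ResourceUri,
# so a call with only -Namespace satisfies none of them and PowerShell asks for ClassName.
Get-MandatoryParameter -CmdletName Get-CimInstance | Format-Table -AutoSize
```

A command is safe to run under `-NonInteractive` when the parameters you pass cover every name listed in the `Mandatory` column of at least one parameter set.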

## **Additional Useful PowerShell Commands and Syntax**

**1)** Here are some additional PowerShell commands that can be invaluable in cyber investigations:

```bash
exec powershell.exe Get-Process
```

This command retrieves information about running processes, which is crucial for understanding system activity.

**2)** You can query specific log entries within a shorter time frame. Here's an example to retrieve Security log events from the last 24 hours:

```bash
exec powershell.exe -Command "Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=(Get-Date).AddHours(-24)} -MaxEvents 100 -Oldest"
```

In this command:

* `-FilterHashtable` with `StartTime=(Get-Date).AddHours(-24)` restricts the query to Security log events written in the last 24 hours; without a time filter, `Get-WinEvent -LogName Security` returns events from the whole log.
* `-MaxEvents 100` limits the query to 100 events, which keeps the query fast.
* `-Oldest` returns events in oldest-first order, so the 100 events are taken from the start of the 24-hour window rather than from its end.

You can adjust the `-MaxEvents` value to retrieve a specific number of events or omit it to get all events from the last 24 hours. This command should provide a quicker response with a smaller dataset.
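The query above returns raw event objects. As an added example that is not code from the original article or from the interACT product, the following function builds on the same `-FilterHashtable` time window and summarises the last 24 hours of Security log activity by event ID and account, which is the compact view a triage analyst usually wants before reading individual events. The function name, its parameters and the `-File` invocation in the note are assumptions.

```powershell
# Added example, not from the original KB article: summarise recent Security log
# activity by event ID and account. Event IDs used: 4624 (successful logon),
# 4625 (failed logon), 4688 (process creation). Function name and parameters are assumptions.
function Get-SecurityEventSummary {
    param(
        [int]$Hours = 24,
        [int[]]$EventId = @(4624, 4625, 4688),
        [int]$MaxEvents = 5000
    )

    $filter = @{
        LogName   = 'Security'
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises "No events were found" when nothing matches; an empty
    # summary is the correct result in that case, so the error is suppressed.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $events |
        ForEach-Object {
            # Read the EventData fields by name from the event XML instead of relying
            # on property positions, which differ between event IDs.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Id      = $_.Id
                # 4688 records the creating account as Subject; logons record the account as Target.
                Account = if ($_.Id -eq 4688) { $data['SubjectUserName'] } else { $data['TargetUserName'] }
                Time    = $_.TimeCreated
            }
        } |
        Group-Object Id, Account |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                EventId = $sorted[0].Id
                Account = $sorted[0].Account
                Count   = $_.Count
                First   = $sorted[0].Time
                Last    = $sorted[-1].Time
            }
        } |
        Sort-Object Count -Descending
}

Get-SecurityEventSummary | Format-Table -AutoSize
```

Reading the Security log requires administrative rights on the endpoint; to run the script through interACT, place it on the host and invoke it with `exec powershell.exe -NonInteractive -File <path to script>` (the path is a placeholder).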

**3)** Here's an example of a simple PowerShell command that retrieves information about the local computer's operating system:

```bash
exec powershell.exe Get-CimInstance -ClassName Win32_OperatingSystem
```

This command uses the "Get-CimInstance" cmdlet to retrieve information about the local computer's operating system. It should execute quickly and provide details about the operating system on the machine where it's run along with other information such as Build Number, Registered User, Serial Number, and Version.

## **Conclusion**

By following these simple examples, users can harness the capabilities of PowerShell within interACT for DFIR investigations and operations. interACT's compatibility across different platforms ensures that investigators can seamlessly incorporate PowerShell into their toolkit, expanding their capabilities and efficiency in digital forensics and incident response.
