PowerShell commands in interACT

Introduction

In Digital Forensics and Incident Response (DFIR), PowerShell has become a powerful tool for investigators and analysts. Sometimes overlooked is its compatibility with AIR's interACT, which provides a true cross-platform remote shell for Windows, Linux, and macOS. This KB article aims to shed light on how users can leverage PowerShell within interACT to execute cmdlets and perform a variety of operations.

Why is this Important?

Many DFIR investigators rely on PowerShell (and Python) as their primary scripting and remediation tools. However, newcomers to AIR may assume that interACT is tailored exclusively to Linux, which is not the case. interACT is a versatile platform, and its commands are available to users of both Windows and UNIX-like operating systems.

Executing PowerShell in interACT

PowerShell can be executed in interACT in several ways. Here, we'll walk through three basic examples of running PowerShell commands:

Using the 'exec' Command

The 'exec' or 'execute' command in interACT serves as a gateway to run PowerShell commands. This versatile command allows DFIR practitioners to integrate PowerShell into their workflows seamlessly. Below are examples of how to use 'exec' with PowerShell:

exec powershell.exe whoami

This command executes a simple PowerShell 'whoami' cmdlet, displaying the currently logged-in user.

exec powershell.exe Get-ScheduledTask

In this instance, 'exec' invokes the 'Get-ScheduledTask' cmdlet, providing insights into scheduled tasks on the system.

exec powershell.exe Remove-Item -path C:\Temp\example.txt

Here 'exec' invokes the 'Remove-Item' cmdlet to delete the file 'example.txt' at the specified path.

Additional Useful Commands and Syntax

1). Here are some additional PowerShell commands that can be invaluable in cyber investigations:

exec powershell.exe Get-Process

This command retrieves information about running processes, which can be critical for understanding system activity.

2). You can also restrict a log query to a time window. Here's an example that retrieves Security log events from the last 24 hours:

exec powershell.exe -Command "Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=(Get-Date).AddHours(-24)} -MaxEvents 100 -Oldest"

In this command:

  • -FilterHashtable applies the log name and the 24-hour start time inside the event log service, so only events from the last 24 hours are returned.

  • -MaxEvents 100 limits the query to 100 events, which should make the query faster.

  • -Oldest ensures that the results start with the oldest event, which is from the last 24 hours in this case.

You can adjust the -MaxEvents value to retrieve a specific number of events or omit it to get all events from the last 24 hours. This command should provide a quicker response with a smaller dataset.
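As an added example that is not part of the original KB article, the following PowerShell function extends the time-windowed Security log query above: it applies the look-back window as a server-side filter, narrows the result to a few event IDs, and handles the "no events found" case that Get-WinEvent otherwise raises as an error. The function name, default event IDs and the exec wrapping shown in the trailing comments are assumptions for illustration.

```powershell
# Added example (not from the original article). Function name, defaults and the
# exec invocation in the comments below are assumptions chosen for illustration.

function Get-RecentSecurityEvents {
    param(
        [int]   $Hours     = 24,                    # look-back window in hours
        [int[]] $EventId   = @(4624, 4625, 4688),   # logon success, logon failure, process creation
        [int]   $MaxEvents = 100                    # cap on the number of events returned
    )

    # FilterHashtable is evaluated by the event log service, so the time window
    # and ID list are applied before any events are paged back to the shell.
    $filter = @{
        LogName   = 'Security'
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    try {
        # -ErrorAction Stop turns the "no events found" condition into a catchable exception
        Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
            Select-Object TimeCreated, Id, ProviderName,
                @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
    }
    catch {
        # Get-WinEvent throws when the filter matches nothing; report that instead of failing
        if ($_.Exception.Message -match 'No events were found') {
            Write-Output "No matching Security events in the last $Hours hour(s)."
        }
        else {
            throw
        }
    }
}

# Calling the same query directly from the interACT shell (assumed exec syntax,
# quoting the whole command so braces and semicolons reach powershell.exe intact):
# exec powershell.exe -NoProfile -Command "Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4688; StartTime=(Get-Date).AddHours(-24)} -MaxEvents 100 | Select-Object TimeCreated, Id | Format-Table -AutoSize"
#
# For a longer script, Base64-encode it first and pass it with -EncodedCommand,
# which avoids any quoting issues in the exec argument parsing:
# $script  = (Get-Content .\Get-RecentSecurityEvents.ps1 -Raw) + "`nGet-RecentSecurityEvents -Hours 24 | Format-Table -AutoSize"
# $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
# exec powershell.exe -NoProfile -EncodedCommand $encoded
```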

3). Here's an example of a simple PowerShell command that retrieves information about the local computer's operating system:

exec powershell.exe Get-CimInstance -ClassName Win32_OperatingSystem

This command uses the 'Get-CimInstance' cmdlet to query the Win32_OperatingSystem class. It should execute quickly and return details about the operating system of the machine where it runs, including the Build Number, Registered User, Serial Number and Version.

Conclusion

By following these simple examples, users can harness the capabilities of PowerShell within interACT for DFIR investigations and operations. interACT's compatibility across different platforms ensures that investigators can seamlessly incorporate PowerShell into their toolkit, expanding their capabilities and efficiency in digital forensics and incident response.