PowerShell commands in interACT

Introduction

In Digital Forensics and Incident Response (DFIR), PowerShell has become a powerful tool for investigators and analysts. Sometimes overlooked is its compatibility with AIR's interACT, which provides a true cross-platform remote shell for Windows, Linux, and macOS. This KB article aims to shed light on how users can leverage PowerShell within interACT to execute cmdlets and perform a variety of operations.

Why is this Important?

Many DFIR investigators rely on PowerShell (and Python) as their primary scripting and remediation tools. However, newcomers to AIR may assume that interACT is exclusively tailored for Linux, which is not the case. interACT is a versatile platform, and certain commands are available to both Windows and UNIX-like operating systems users.

Executing PowerShell in interACT

PowerShell can be executed in interACT through several methods. Here, we'll explore three basic ways to run PowerShell commands:

Using the 'exec' Command

The 'exec' or 'execute' command in interACT serves as a gateway to run PowerShell commands. This versatile command allows DFIR practitioners to integrate PowerShell into their workflows seamlessly. Below are examples of how to use 'exec' with PowerShell:

exec powershell.exe whoami

This command executes a simple PowerShell 'whoami' cmdlet, displaying the currently logged-in user.

exec powershell.exe Get-ScheduledTask

In this instance, 'exec' invokes the 'Get-ScheduledTask' cmdlet, providing insights into scheduled tasks on the system.

exec powershell.exe Remove-Item -path C:\\Temp\\example.txt

The 'exec' command facilitates the removal of a file ('example.txt') using the 'Remove-Item' cmdlet from a specified path.

Understanding the -NonInteractive PowerShell Flag in interACT

When using PowerShell commands in scripts or automated workflows, you may encounter scenarios where PowerShell expects user input. This can disrupt execution, especially in non-interactive environments such as Binalyze AIR's interACT automation. To address this, PowerShell offers the -NonInteractive flag.

What is -NonInteractive?

The -NonInteractive flag is a command-line option for powershell.exe that instructs PowerShell to operate in non-interactive mode. When this mode is enabled, PowerShell does not prompt for user input and will terminate the script or command if user input is required.

This feature is particularly useful when running commands in environments where no user interaction is possible or desirable, such as during forensic investigations or automation tasks initiated via interACT.

Example Use Case in interACT

Here’s an example of how the -NonInteractive flag can be applied within interACT:

powershell.exe -NonInteractive Get-CimInstance -Namespace 'root\SecurityCenter2'

Explanation:

• powershell.exe: The executable for running PowerShell commands.

• -NonInteractive: Ensures the command runs without expecting user interaction.

• Get-CimInstance -Namespace 'root\SecurityCenter2': Retrieves information from the specified namespace.

This command is designed to collect system security information without risking a prompt for user input that could interrupt execution.

Using the -NonInteractive flag in Binalyze AIR's interACT provides the following advantages:

• Seamless Automation: Prevents disruptions in workflows caused by unexpected prompts.

• Increased Reliability: Ensures consistent execution of PowerShell commands, even in headless or remote environments.

• Enhanced Efficiency: Minimizes delays during investigative or forensic operations.

Troubleshooting Tips

If a command using -NonInteractive fails:

1. Check the command syntax for errors.

2. Ensure the command does not inherently require user input.

3. Review interACT logs for additional context on the failure.

For more details, refer to the official PowerShell documentation on about_PowerShell_exe.

Additional Useful PowerShell Commands and Syntax

1). Here are some additional PowerShell commands that can be invaluable in cyber investigations:

exec powershell.exe Get-Process

This command retrieves information about running processes, which can be critical for understanding system activity.

2). You can query specific log entries within a shorter time frame. Here's an example to retrieve Security log events from the last 24 hours:

exec powershell.exe Get-WinEvent -LogName Security -MaxEvents 100 -Oldest

In this command:

• -MaxEvents 100 limits the query to the most recent 100 events, which should make the query faster.

• -Oldest ensures that the query starts with the oldest event, which is from the last 24 hours in this case.

You can adjust the -MaxEvents value to retrieve a specific number of events or omit it to get all events from the last 24 hours. This command should provide a quicker response with a smaller dataset.

3). Here's an example of a simple PowerShell command that retrieves information about the local computer's operating system:

exec powershell.exe Get-CimInstance -ClassName Win32_OperatingSystem

This command uses the "Get-CimInstance" cmdlet to retrieve information about the local computer's operating system. It should execute quickly and provide details about the operating system on the machine where it's run along with other information such as Build Number, Registered User, Serial Number, and Version.

Conclusion

By following these simple examples, users can harness the capabilities of PowerShell within interACT for DFIR investigations and operations. interACT's compatibility across different platforms ensures that investigators can seamlessly incorporate PowerShell into their toolkit, expanding their capabilities and efficiency in digital forensics and incident response.