Endpoint Analysis using a built-in Windows tool - PowerShell

PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. PowerShell runs on Windows, Linux, and macOS.

PowerShell makes administrators' lives easier when managing their endpoints and servers. Why PowerShell? It is built on the .NET Common Language Runtime (CLR), so scripts can call the same .NET libraries that the rest of the platform exposes, which lets one shell reach most of the technologies we work with.

From an incident response perspective, the responder needs the ability and skill to triage back to patient zero; doing so with no additional tools, using only built-in Windows features, makes the investigation easier and faster.

From an attacker's perspective, the same tool lets them triage inside the organization, and it gives them an advantage: (1) they can mimic administrative tasks to attract less detection; (2) no additional tools need to be dropped, again attracting less detection. This is part of the "living off the land" technique, which gives them time to triage inside the compromised organization without making too much noise. For defenders, the upside is that built-in tooling is not silent: PowerShell's own script block logging records the commands that were run, so the same activity can be reviewed after the fact.

PowerShell's Get-CimInstance cmdlet gets the CIM instances of a class from a CIM server (by default, the local machine).

The syntax is as follows; in this case we query a process's name, PID, and parent PID:

Get-CimInstance -Class Win32_<class_name> -Filter "Name = '<object_name>'" | Select-Object <object_property>

To apply a condition to the previous query, we can pipe it to Where-Object. Note that the property being tested must still be present at that point in the pipeline, so either include it in Select-Object or place the Where-Object before the Select-Object:

Get-CimInstance -Class Win32_<class_name> -Filter "Name = '<object_name>'" | Select-Object <object_property> | Where-Object { $_.ParentProcessId -eq <pid> }
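Putting the two queries to work for the "triage to patient zero" task described above, here is an added example (not code from the original post) that takes one Win32_Process snapshot, walks a process's parent chain, and lists its direct children; $TargetPid is a placeholder for the PID under investigation, and the script assumes a local Windows host.

```powershell
# Added example, not part of the original post: triage a process by walking its parent
# chain and listing its children from one Win32_Process snapshot. Assumes a local
# Windows host; $TargetPid is a placeholder for the PID under investigation.
$TargetPid = $PID   # placeholder: defaults to this PowerShell process

# Take one snapshot; later lookups use the hashtable instead of re-querying CIM,
# so the picture stays consistent while we walk it.
$procs = Get-CimInstance -ClassName Win32_Process |
    Select-Object Name, ProcessId, ParentProcessId, CommandLine, CreationDate
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-ParentChain {
    param([int]$ProcessId)
    $chain = @()
    $seen  = @{}
    $cur   = $byPid[$ProcessId]
    while ($null -ne $cur -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
        $seen[[int]$cur.ProcessId] = $true
        $parent = $byPid[[int]$cur.ParentProcessId]
        # PIDs are reused: a "parent" that started after its child is not the real parent.
        $suspect = ($null -ne $parent) -and ($null -ne $parent.CreationDate) -and
                   ($null -ne $cur.CreationDate) -and ($parent.CreationDate -gt $cur.CreationDate)
        $chain += [pscustomobject]@{
            ProcessId       = $cur.ProcessId
            ParentProcessId = $cur.ParentProcessId
            Name            = $cur.Name
            CreationDate    = $cur.CreationDate
            ParentPidReused = $suspect
            CommandLine     = $cur.CommandLine
        }
        if ($suspect) { break }   # stop rather than follow a misleading link
        $cur = $parent
    }
    return $chain
}

function Get-ChildProcesses {
    param([int]$ProcessId)
    # Filter on ParentProcessId before any narrower Select-Object, so the property is present
    $procs | Where-Object { $_.ParentProcessId -eq $ProcessId }
}

"Parent chain for PID $TargetPid (child first):"
Get-ParentChain -ProcessId $TargetPid |
    Format-Table ProcessId, ParentProcessId, Name, CreationDate, ParentPidReused, CommandLine -AutoSize

"Direct children of PID $TargetPid:"
Get-ChildProcesses -ProcessId $TargetPid |
    Format-Table ProcessId, Name, CreationDate, CommandLine -AutoSize
```

The ParentPidReused column flags a common triage pitfall: because Windows recycles PIDs, a ParentProcessId can point at an unrelated process that started after the child, and the chain stops there instead of reporting a false ancestor.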