1.6.1 PowerShell Command Basics

Before delving into the details of how malware uses PowerShell, let's understand how to execute PowerShell commands. You can execute a PowerShell command using the interactive PowerShell console; you can bring it up using the Windows program search feature or by typing powershell.exe in the command prompt. Once in the interactive PowerShell, you can type the command to execute it. In the following example, the Write-Host cmdlet writes the message to the console. A cmdlet (such as Write-Host) is a compiled command written in a .NET Framework language which is meant to be small and serves a single purpose. The cmdlet follows a standard Verb-Noun naming convention:

PS C:\> Write-Host "Hello world"
Hello world

A cmdlet can accept parameters. A parameter is written as a dash immediately followed by the parameter name, then a space and the parameter value. In the following example, the Get-Process cmdlet is used to display information about the explorer process. The Get-Process cmdlet accepts a parameter named Name, and here its value is explorer:

PS C:\> Get-Process -Name explorer
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
1613 86 36868 77380 ...35 10.00 3036 explorer

Alternatively, you can abbreviate parameter names to reduce typing: PowerShell accepts any prefix of a parameter name as long as it is unambiguous among the cmdlet's parameters (for Get-Process, -n resolves to -Name, whereas a single -I would be rejected because several parameters such as -Id and -InputObject begin with that letter). The above command can therefore also be written as:

PS C:\> Get-Process -n explorer
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ----- -- -----------
1629 87 36664 78504 ...40 10.14 3036 explorer

To get more information about a cmdlet (such as details about its syntax and parameters), you can use the Get-Help cmdlet or the help command. If you want the most up-to-date documentation, the -Online parameter opens the cmdlet's help page in a browser, as in the second command shown here:

PS C:\> Get-Help Get-Process
PS C:\> help Get-Process -Online

In PowerShell, variables are used to store values. Variable names are prefixed with a $ symbol; in the following example, $hello is a variable holding a string:

PS C:\> $hello = "Hello World"
PS C:\> Write-Host $hello
Hello World

Variables can also hold the output of PowerShell commands. Because cmdlets return objects rather than plain text, the variable can then be used in place of the command, for example as the input to a pipeline. In the following example, Where-Object filters the stored process objects; inside its script block, $_ refers to the object currently passing through the pipeline and -eq is PowerShell's equality operator:

PS C:\> $processes = Get-Process
PS C:\> $processes | Where-Object {$_.ProcessName -eq 'explorer'}
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
1623 87 36708 78324 ...36 10.38 3036 explorer
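The following script is an added example, not part of the book's text, that ties the concepts above together: a cmdlet's output is captured in a variable, filtered with Where-Object, narrowed to specific properties, and a parameter abbreviation is shown both succeeding and failing. It assumes a Windows host running PowerShell 5.1 or later with explorer.exe running; the variable names ($processes, $explorer) are arbitrary choices for this example.

```powershell
# Added example, not from the book: combining cmdlets, parameters, variables and
# the pipeline. Assumes Windows, PowerShell 5.1 or later, and a running explorer.exe.

# 1. Capture the output of a cmdlet in a variable. $processes now holds an array of
#    System.Diagnostics.Process objects, not text.
$processes = Get-Process

# 2. Filter with Where-Object. Inside the script block, $_ is the object currently
#    passing through the pipeline; -eq is the equality operator.
$explorer = $processes | Where-Object { $_.ProcessName -eq 'explorer' }

# 3. Select-Object picks the properties an analyst usually wants instead of the
#    default table (process ID, name, on-disk image path and start time).
$explorer | Select-Object Id, ProcessName, Path, StartTime

# 4. A property of a stored object can be accessed with dot notation and passed as a
#    parameter value. -Id accepts one or more process IDs.
Get-Process -Id $explorer.Id | Select-Object Id, ProcessName

# 5. Parameter names may be shortened to any unambiguous prefix: -n resolves to -Name.
Get-Process -n explorer | Select-Object Id, ProcessName

# 6. An ambiguous prefix is a parameter-binding error, which is terminating and can be
#    caught. Several Get-Process parameters begin with "I" (for example -Id and
#    -InputObject), so -I cannot be resolved.
try {
    Get-Process -I explorer
}
catch {
    Write-Host "Parameter binding failed: $($_.Exception.Message)"
}

# 7. Get-Command exposes a cmdlet's parameter names programmatically, which is a quick
#    way to see why a prefix is ambiguous without opening the help text.
(Get-Command Get-Process).Parameters.Keys | Where-Object { $_ -like 'I*' }
```

Step 6 is the check a practitioner wants before relying on abbreviated parameters in a script: an abbreviation that is unambiguous today can become ambiguous when a newer PowerShell version adds a parameter, so use full parameter names in anything that is saved and rerun.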