PowerShell Remoting and Get-Process

James Tarala | Incident Response, Scripting

One of the exciting features of Microsoft Windows PowerShell is the ability to run commands both against a local computer and against remote machines that the user has rights to access. PowerShell has a couple of different ways it can do this. One is through Windows Management Instrumentation (WMI) calls against remote machines, and the other is through true PowerShell Remoting over WinRM (similar to having a telnet or SSH session open on a remote machine).

From an incident response point of view, the idea of being able to centrally gather information from dozens or hundreds of machines simultaneously opens the door to much faster and more efficient incident response activities. For example, imagine you have a process named evil.exe that you know is running on a number of machines in your organization. This is an Indicator of Compromise (IOC) that you’ve discovered, and so you want to find every machine in your organization where this process is running.

Using a cmdlet such as GET-PROCESS, an incident handler can hand the –COMPUTERNAME parameter a list of machines. Get-Process then reads each machine’s process table directly over RPC through the Remote Registry service; it does not go through WMI or PowerShell Remoting, so a target that blocks RPC or has Remote Registry stopped simply errors out. (This parameter exists only in Windows PowerShell; PowerShell 7 removed it, and there the same query has to be wrapped in Invoke-Command.) As a result, the incident handler can determine which machines are running the malicious process. For example, if you had a text file called computers.txt with one computer name per line, you could run the following script:

$Computers = get-content computers.txt

get-process -computername $computers

This script would return a list of all the running processes across all of the computers listed in the computers.txt file. From here you could perform a WHERE-OBJECT query to look for every instance of the evil.exe process. Note that the ProcessName property holds the image name without its extension, so the comparison is against "evil", not "evil.exe" (a filter on "evil.exe" would silently match nothing):

$Computers = get-content computers.txt

get-process -computername $computers | where {$_.ProcessName -eq "evil"}

In fact, if you really wanted to have fun, and you knew the effects of doing so, you could go one step further and kill every instance of evil.exe that you discovered. Stop-Process only acts on processes running on the local computer, though, so piping the remote Process objects from the previous example into it fails with "Feature is not supported for remote machines". The kill has to run on each machine itself, which is where true PowerShell Remoting (Invoke-Command over WinRM) comes in. And while it may not keep a dedicated attacker off your network perpetually, it might buy you some time as you perform your incident response work.

$Computers = get-content computers.txt

invoke-command -computername $computers { get-process -name evil -erroraction silentlycontinue | stop-process -force }

But please be careful with the above script. Although it might be fun to kill all instances of sol.exe (Solitaire) at lunch every day, I’m not sure your staff will appreciate the humor…
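Putting the pieces of the procedure above together, here is an added, self-contained hunting script. It is not code from the original post; it is an example of how a handler would run the same IOC sweep over true PowerShell Remoting (Invoke-Command), fall back to WMI/CIM over DCOM for hosts where WinRM is not answering, and only terminate matches when explicitly asked. It assumes a hypothetical inventory file computers.txt, that your account is a local administrator on the targets, and that WinRM (for the first pass) or DCOM (for the fallback) is reachable. The process name "evil" is the IOC from the post.

```powershell
# Added example: sweep every host in an inventory file for a process name,
# report host / PID / image path, and optionally kill the matches.
# Assumptions (hypothetical): computers.txt exists with one hostname per line,
# the caller is a local admin on the targets, WinRM or DCOM is reachable.
param(
    [string]$ProcessName = 'evil',          # Get-Process names carry no .exe extension
    [string]$ListPath    = 'computers.txt', # hypothetical inventory file
    [switch]$Kill                           # only terminate when asked explicitly
)

$computers = Get-Content $ListPath | Where-Object { $_.Trim() }

# Pass 1: PowerShell Remoting. Stop-Process only works locally, so the kill
# runs inside the remote session where the process is local.
$hits = Invoke-Command -ComputerName $computers -ThrottleLimit 32 `
    -ErrorAction SilentlyContinue -ErrorVariable unreachable `
    -ArgumentList $ProcessName, $Kill.IsPresent -ScriptBlock {
        param($Name, $DoKill)
        Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object {
            $row = [pscustomobject]@{
                Transport = 'WinRM'
                Process   = $_.ProcessName
                Id        = $_.Id
                Path      = $_.Path          # $null for protected processes
                Killed    = $false
            }
            if ($DoKill) {
                try { Stop-Process -Id $_.Id -Force -ErrorAction Stop; $row.Killed = $true }
                catch { Write-Warning "PID $($_.Id): $($_.Exception.Message)" }
            }
            $row
        }
    }

# Pass 2: hosts that failed over WinRM get the WMI/CIM route over DCOM, which
# is the other remote path mentioned in the post. Win32_Process names DO
# include the extension, hence "$ProcessName.exe" in the WQL filter.
$dcom = New-CimSessionOption -Protocol Dcom
foreach ($err in $unreachable) {
    $target = $err.TargetObject   # Invoke-Command records the computer name here
    if (-not $target) { continue }
    try {
        $cs = New-CimSession -ComputerName $target -SessionOption $dcom -ErrorAction Stop
        $procs = Get-CimInstance -CimSession $cs -ClassName Win32_Process `
            -Filter "Name = '$ProcessName.exe'"
        foreach ($p in $procs) {
            $killed = $false
            if ($Kill) {
                # Terminate returns 0 on success (Win32_Process method semantics)
                $killed = (Invoke-CimMethod -InputObject $p -MethodName Terminate).ReturnValue -eq 0
            }
            $hits += [pscustomobject]@{
                PSComputerName = $target
                Transport      = 'DCOM'
                Process        = $p.Name
                Id             = $p.ProcessId
                Path           = $p.ExecutablePath
                Killed         = $killed
            }
        }
        Remove-CimSession $cs
    }
    catch {
        Write-Warning "Unreachable over WinRM and DCOM: $target ($($_.Exception.Message))"
    }
}

# One row per match; hosts with no match are simply absent from the table.
$hits | Select-Object PSComputerName, Transport, Process, Id, Path, Killed |
    Sort-Object PSComputerName | Format-Table -AutoSize
```

Run it without -Kill first to get the list of infected hosts and image paths (the path tells you whether you are looking at the real IOC or a same-named decoy); rerun with -Kill only once you are sure of the effects, for the same reason the post gives about sol.exe. A host that never shows up in the table or in a warning had no match, while a host that is down produces a warning rather than silently disappearing, which matters when you are counting coverage of a sweep.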