Endpoint Analysis using a built-in Windows tool: PowerShell

PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. Windows PowerShell (up to version 5.1) ships with Windows only; the newer PowerShell (version 6 and later) runs on Windows, Linux, and macOS.

PowerShell makes administrators' lives easier when managing endpoints and servers. Why PowerShell? It is built on the .NET Common Language Runtime (CLR), so from one shell you can call .NET APIs, COM objects, and WMI/CIM classes, which covers nearly every technology on a Windows host.

From an incident response perspective, the responder needs the ability and skill to triage a suspect host and work back to patient zero. Doing this with the built-in Windows features, and no additional tools, makes the investigation easier and faster and changes less on the system being examined.

From an attacker's perspective, the same tool lets them triage inside the organization, and it gives them an advantage: (1) their activity looks like routine administrative work, so it is less likely to be detected; (2) no additional tooling has to be dropped on disk, again reducing detection. This is part of the "living off the land" technique, which buys them time to triage the compromised organization without making much noise. The flip side for defenders is that PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) records these commands, whoever runs them, so it should be enabled before an incident.

PowerShell can query services through Get-Service and Get-WmiObject (or its modern equivalent, Get-CimInstance), and processes through Get-Process.

To put this to work, run the following syntax:

To view all services or a specific service (Status, Name and DisplayName only): Get-Service <service_name>

To view a specific service through WMI, which also exposes the binary path (PathName), the account it runs as (StartName), the start mode and the process ID:

Get-WmiObject -Class Win32_Service -Filter 'Name = "<Service_name>"' -Property <property_name>

Get-WmiObject is not available in PowerShell 6 and later; the equivalent there is:

Get-CimInstance -ClassName Win32_Service -Filter 'Name = "<Service_name>"' -Property <property_name>
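The following is an added example, not code from the original page, that turns the commands above into a service triage pass using only built-in cmdlets. It queries Win32_Service through Get-CimInstance (the same class Get-WmiObject reads), pulls the executable out of PathName, and cross-checks it against the live process from Get-Process. The heuristics that populate the Flags column (unquoted paths, binaries in user-writable folders, missing or unsigned binaries, a process path that differs from the service path) are this example's own assumptions; they produce leads for an analyst, not verdicts.

```powershell
# Added example, not part of the original page. Service triage with built-in
# cmdlets only. The flagging rules below are assumptions chosen for this
# example; treat hits as leads to investigate, not as proof of compromise.

function Get-ServiceBinaryPath {
    # Pull the executable out of a Win32_Service.PathName string, e.g.
    #   "C:\Program Files\Vendor\agent.exe" --service
    #   C:\Windows\system32\svchost.exe -k netsvcs
    #   C:\Program Files\Vendor\agent.exe --service   (unquoted, with spaces)
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $exe = if ($PathName.StartsWith('"')) {
        ($PathName -split '"')[1]
    } elseif ($PathName -match '^(?<exe>.+?\.exe)') {   # -match is case-insensitive
        $Matches['exe']
    } else {
        ($PathName -split ' ')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Invoke-ServiceTriage {
    param([string]$Name = '*')   # wildcard pattern or a single service name

    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like $Name }

    foreach ($s in $services) {
        $exe    = Get-ServiceBinaryPath $s.PathName
        $flags  = [System.Collections.Generic.List[string]]::new()
        $signer = $null

        if (-not $exe) {
            $flags.Add('no PathName')
        } else {
            # Unquoted path containing spaces: the classic service path hijack.
            if (-not $s.PathName.StartsWith('"') -and $exe.Contains(' ')) {
                $flags.Add('unquoted path with spaces')
            }
            # Binary living somewhere an unprivileged user can write (assumed list).
            if ($exe -match '\\(Users|Temp|AppData|Public)\\') {
                $flags.Add('binary in user-writable location')
            }
            if (-not (Test-Path -LiteralPath $exe)) {
                $flags.Add('binary missing on disk')
            } else {
                $sig = Get-AuthenticodeSignature -LiteralPath $exe
                if ($sig.Status -ne 'Valid') {
                    $flags.Add("signature $($sig.Status)")
                } elseif ($sig.SignerCertificate) {
                    $signer = $sig.SignerCertificate.Subject
                }
            }
        }

        # Cross-check against the running process (ProcessId is 0 when stopped).
        # Path may be empty for protected processes when not elevated.
        $proc = if ($s.ProcessId) {
            Get-Process -Id $s.ProcessId -ErrorAction SilentlyContinue
        }
        if ($proc -and $exe -and $proc.Path -and
            -not $proc.Path.Equals($exe, [System.StringComparison]::OrdinalIgnoreCase)) {
            $flags.Add("process path differs: $($proc.Path)")
        }

        [pscustomobject]@{
            Name      = $s.Name
            State     = $s.State
            StartMode = $s.StartMode
            Account   = $s.StartName
            PID       = $s.ProcessId
            Binary    = $exe
            Signer    = $signer
            Flags     = ($flags -join '; ')
        }
    }
}

# Flagged services first. Append "| Export-Csv services.csv -NoTypeInformation"
# instead of Format-Table to preserve the result as evidence.
Invoke-ServiceTriage |
    Sort-Object { [string]::IsNullOrEmpty($_.Flags) }, Name |
    Format-Table -AutoSize
```

Run it from an elevated prompt so Get-Process can read the path of every service host; without elevation the process cross-check silently skips protected processes. Services hosted in a shared svchost.exe instance share one PID, so a "process path differs" flag on a svchost-hosted service points at the host process, not at the individual service.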