AUDIT_POWERSHELL

This check runs powershell.exe on the remote server along with the arguments supplied with powershell_args and returns the command output if only_show_cmd_output is set to YES or compares the result against value_data if value_data is specified.

Usage

<custom_item>
type: AUDIT_POWERSHELL
description: "Powershell check"
value_type: [value_type]
value_data: [value]
powershell_args: ["arguments for powershell.exe"]
(optional) only_show_cmd_output: YES or NO
(optional) check_type: [CHECK_TYPE]
(optional) severity: ["HIGH" or "MEDIUM" or "LOW"]
(optional) powershell_option: CAN_BE_NULL
(optional) powershell_console_file: "C:\Program Files\Microsoft\Exchange Server\ExShell.psc1"
</custom_item>

Associated types:

This item uses the field powershell_args to specify the arguments that need to be supplied to powershell.exe. If the location of powershell.exe is not default, you must use the powershell_console_file keyword to specify the location. Currently only get- cmdlets are supported. For example:

  • get-hotfix | where-object {$_.hotfixid -ne 'File 1'} | select Description,HotFixID,InstalledBy | format-list
  • get-wmiobject win32_service | select caption,name,state | format-list
  • (get-WmiObject -namespace root\MicrosoftIISv2 -Class IIsWebService).ListWebServiceExtensions().Extensions
  • get-wmiobject -namespace root\cimv2 -class win32_product | select Vendor,Name,Version | format-list
  • get-wmiobject -namespace root\cimv2\power -class Win32_powerplan | select description,isactive | format-list

The item uses the optional field only_show_cmd_output if the entire command output needs to be reported:

only_show_cmd_output: YES or NO

Other considerations:

  • PowerShell scripts included in audits have an 8,192-character limit.
  • If you set only_show_cmd_output and would like to set the severity of the output, use the severity tag to change it. The default is INFO.
  • PowerShell is not installed by default on some Windows operating systems (for example, XP and 2003), and on such systems this check does not yield any result. Therefore, make sure PowerShell is installed on the remote target before using this check.
  • For this check to work correctly, the WMI service needs to be enabled. Also configure the firewall to “Allow inbound remote administration exception.”
  • Cmdlet aliases (for example, “gps” instead of “Get-Process”) are not allowed.

Examples

This example runs the Get-Hotfix PowerShell cmdlet, uses where-object to exclude hotfixes whose ID is 'File 1', and then reports Description, HotFixID and InstalledBy formatted as a list.

<custom_item>
type: AUDIT_POWERSHELL
description: "Show Installed Hotfix"
value_type: POLICY_TEXT
value_data: ""
powershell_args: "get-hotfix | where-object {$_.hotfixid -ne 'File 1'} | select Description,HotFixID,InstalledBy | format-list"
only_show_cmd_output: YES
</custom_item>

This example checks whether the Windows service “WinRM” is running.

<custom_item>
type: AUDIT_POWERSHELL
description: "Check if WinRM service is running"
value_type: POLICY_TEXT
value_data: "Running"
powershell_args: "get-wmiobject win32_service | where-object {$_.name -eq 'WinRM' -and $_.state -eq 'Running'} | select state"
check_type: CHECK_REGEX
</custom_item>

Nessus also allows a user to pass a PowerShell script (.ps1), encoded as a Base64 string, to PowerShell.exe via the -EncodedCommand switch. The following example script lists local user account information on the target:

# "." queries the local machine the audit runs on
$strComputer = "."

# Local accounts only; domain accounts are excluded by the WMI filter
$colItems = get-wmiobject -class "Win32_UserAccount" -namespace "root\CIMV2" -filter "LocalAccount = True" -computername $strComputer

# Each property is interpolated into one string so that label and value land on the same output line
foreach ($objItem in $colItems) {
write-output "Account Type: $($objItem.AccountType)"
write-output "Description: $($objItem.Description)"
write-output "Disabled: $($objItem.Disabled)"
write-output "Full Name: $($objItem.FullName)"
write-output "Installation Date: $($objItem.InstallDate)"
write-output "Lockout: $($objItem.Lockout)"
write-output "Password Changeable: $($objItem.PasswordChangeable)"
write-output "Password Expires: $($objItem.PasswordExpires)"
write-output "Password Required: $($objItem.PasswordRequired)"
write-output "SID: $($objItem.SID)"
write-output "SID Type: $($objItem.SIDType)"
write-output "Status: $($objItem.Status)"
write-output ""
}

To pass this script to PowerShell, you must encode it and then pass it as a PowerShell command. Begin by assigning the contents of the script to a variable as a script block. The basic syntax is as follows:

$foo = {
add your PowerShell code here....
}

A full example would look like the following:

$string = {

$strComputer = "."

$colItems = get-wmiobject -class "Win32_UserAccount" -namespace "root\CIMV2" -filter "LocalAccount = True" -computername $strComputer

foreach ($objItem in $colItems) {
write-output "Account Type: $($objItem.AccountType)"
write-output "Description: $($objItem.Description)"
write-output "Disabled: $($objItem.Disabled)"
write-output "Full Name: $($objItem.FullName)"
write-output "Installation Date: $($objItem.InstallDate)"
write-output "Lockout: $($objItem.Lockout)"
write-output "Password Changeable: $($objItem.PasswordChangeable)"
write-output "Password Expires: $($objItem.PasswordExpires)"
write-output "Password Required: $($objItem.PasswordRequired)"
write-output "SID: $($objItem.SID)"
write-output "SID Type: $($objItem.SIDType)"
write-output "Status: $($objItem.Status)"
write-output ""
}

}

Next, Base64-encode it (the -EncodedCommand switch expects UTF-16LE, which .NET calls Unicode):

PS C:\Documents and Settings\Administrator>
[System.Convert]::ToBase64String([System.Text.Encoding]::UNICODE.GetBytes($string))

Use your resulting Base64 string in an .audit file. Be sure to set ps_encoded_args to YES, per the following example:

<custom_item>
type: AUDIT_POWERSHELL
description: "List local user account info"
value_type: POLICY_TEXT
value_data: ""
powershell_args: 'DQAKACIAMQAwAC4AMAAuADAAIgAgAHwAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAA7AA0ACgA='
ps_encoded_args: YES
only_show_cmd_output: YES
</custom_item>
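The encoding procedure above, packaged as an added PowerShell helper (example code written for this page, not part of the Nessus documentation): it enforces the 8,192-character limit and the no-alias rule before encoding, round-trips the Base64 string through the same UTF-16LE decoding that -EncodedCommand applies, and prints the resulting custom_item. The function names and the short sample script block are assumptions.

```powershell
# Added example, not from the Nessus documentation. Function names are assumed.
# A short script block to encode; a real audit would hold the account-listing script above.
$script = {
    $items = Get-WmiObject -Class "Win32_UserAccount" -Namespace "root\CIMV2" -Filter "LocalAccount = True"
    foreach ($i in $items) { Write-Output "Account: $($i.Name) Disabled: $($i.Disabled)" }
}

# Return every command token that resolves to an alias (for example gwmi); the check rejects these.
function Find-CommandAlias {
    param([Parameter(Mandatory)][string]$Text)
    $tokens = [System.Management.Automation.PSParser]::Tokenize($Text, [ref]$null)
    return @($tokens | Where-Object { $_.Type -eq 'Command' -and (Get-Alias -Name $_.Content -ErrorAction SilentlyContinue) } | ForEach-Object { $_.Content })
}

# Produce the Base64 string for powershell_args when ps_encoded_args is YES.
function ConvertTo-AuditEncodedArgs {
    param([Parameter(Mandatory)][scriptblock]$ScriptBlock)
    $text = $ScriptBlock.ToString()
    if ($text.Length -gt 8192) { throw "script is $($text.Length) characters; the audit limit is 8192" }
    $aliases = Find-CommandAlias -Text $text
    if ($aliases.Count -gt 0) { throw "cmdlet aliases are not allowed in audits: $($aliases -join ', ')" }
    # -EncodedCommand expects UTF-16LE, which .NET names Unicode.
    return [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($text))
}

# Decode the string the way powershell.exe -EncodedCommand does and compare it with the source text.
function Test-AuditEncodedArgs {
    param([Parameter(Mandatory)][string]$Encoded, [Parameter(Mandatory)][string]$Expected)
    $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
    return ($decoded -eq $Expected)
}

$encoded = ConvertTo-AuditEncodedArgs -ScriptBlock $script
if (-not (Test-AuditEncodedArgs -Encoded $encoded -Expected $script.ToString())) { throw "Base64 round-trip failed" }

# Emit the audit item, ready to paste into the .audit file.
@"
<custom_item>
type: AUDIT_POWERSHELL
description: "List local user account info"
value_type: POLICY_TEXT
value_data: ""
powershell_args: '$encoded'
ps_encoded_args: YES
only_show_cmd_output: YES
</custom_item>
"@
```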

After the .audit is run, the information displayed appears similar to the following example:

"List local user account info": [INFO]

Account Type: 512
Description: Built-in account for administering the computer/domain
Disabled: False
Full Name:
Installation Date:
Lockout: False
Password Changeable: True
Password Expires: False
Password Required: True
SID: S-1-5-21-2137291905-473285123-5405471365-500
SID Type: 1
Status: OK

Account Type: 512
Description: Account used for running the ASP.NET worker process (aspnet_wp.exe)
Disabled: False
Full Name: ASP.NET Machine Account
Installation Date:
Lockout: False
Password Changeable: False
Password Expires: False
Password Required: False
SID: S-1-5-21-2137291905-473285123-5405471365-1006
SID Type: 1
Status: OK