AUDIT_POWERSHELL
This check runs powershell.exe on the remote server along with the arguments supplied with powershell_args and returns the command output if only_show_cmd_output is set to YES, or compares the result against value_data if value_data is specified.
Usage
<custom_item>
type: AUDIT_POWERSHELL
description: "Powershell check"
value_type: [value_type]
value_data: [value]
powershell_args: ["arguments for powershell.exe"]
(optional) only_show_cmd_output: YES or NO
(optional) check_type: [CHECK_TYPE]
(optional) severity: ["HIGH" or "MEDIUM" or "LOW"]
(optional) powershell_option: CAN_BE_NULL
(optional) powershell_console_file: "C:\Program Files\Microsoft\Exchange Server\ExShell.psc1"
</custom_item>
Associated types:
This item uses the field powershell_args to specify the arguments that need to be supplied to powershell.exe. If the location of powershell.exe is not the default, you must use the powershell_console_file keyword to specify the location. Currently only get- cmdlets are supported. For example:
- get-hotfix | where-object {$_.hotfixid -ne 'File 1'} | select Description,HotFixID,InstalledBy | format-list
- get-wmiobject win32_service | select caption,name, state| format-list
- (get-WmiObject -namespace root\MicrosoftIISv2 -Class IIsWebService).ListWebServiceExtensions().Extensions
- get-wmiobject -namespace root\cimv2 -class win32_product | select Vendor,Name,Version | format-list
- get-wmiobject -namespace root\cimv2\power -class Win32_powerplan | select description,isactive | format-list
The item uses the optional field only_show_cmd_output if the entire command output needs to be reported:
only_show_cmd_output: YES or NO
Other considerations:
- PowerShell scripts included in audits have an 8,192 character limit.
- If you set only_show_cmd_output and would like to set the severity of the output, use the severity tag to change the severity. The default is INFO.
- PowerShell is not installed by default on some Windows operating systems (for example, XP, 2003), and on such systems this check would not yield any result. Therefore, make sure PowerShell is installed on the remote target before using this check.
- For this check to work correctly, the WMI service needs to be enabled. Also configure the firewall to "Allow inbound remote administration exception."
- Cmdlet aliases (for example, "gps" instead of "Get-Process") are not allowed.
Examples
This example runs the Get-Hotfix PowerShell cmdlet, specifies a where-object not to select hotfixes with ID File 1, and then reports Description, HotFixID, and InstalledBy formatted as a list.
<custom_item>
type: AUDIT_POWERSHELL
description: "Show Installed Hotfix"
value_type: POLICY_TEXT
value_data: ""
powershell_args: "get-hotfix | where-object {$_.hotfixid -ne 'File 1'} | select Description,HotFixID,InstalledBy | format-list"
only_show_cmd_output: YES
</custom_item>
This example checks whether the Windows service "WinRM" is running.
<custom_item>
type: AUDIT_POWERSHELL
description: "Check if WinRM service is running"
value_type: POLICY_TEXT
value_data: "Running"
powershell_args: "get-wmiobject win32_service | where-object {$_.name -eq 'WinRM' -and $_.state -eq 'Running'} | select state"
check_type: CHECK_REGEX
</custom_item>
Nessus also allows a user to pass a PowerShell script (.ps1) encoded as a base64 string to PowerShell.exe via the -EncodedCommand switch. The following example script lists local user account information on the target:
$strComputer = "."
$colItems = get-wmiobject -class "Win32_UserAccount" -namespace "root\CIMV2" -filter "LocalAccount = True" -computername $strComputer
foreach ($objItem in $colItems) {
write-output "Account Type: " $objItem.AccountType
write-output "Description: " $objItem.Description
write-output "Disabled: " $objItem.Disabled
write-output "Full Name: " $objItem.FullName
write-output "Installation Date: " $objItem.InstallDate
write-output "Lockout: " $objItem.Lockout
write-output "Password Changeable: " $objItem.PasswordChangeable
write-output "Password Expires: " $objItem.PasswordExpires
write-output "Password Required: " $objItem.PasswordRequired
write-output "SID: " $objItem.SID
write-output "SID Type: " $objItem.SIDType
write-output "Status: " $objItem.Status
write-output ""
}
To pass this script to PowerShell, you must encode it and then pass it as a PowerShell command. Begin by assigning the contents of the file to a string. The basic syntax is as follows:
$foo = {
add your PowerShell code here....
}
A full example would look like the following:
$string = {
$strComputer = "."
$colItems = get-wmiobject -class "Win32_UserAccount" -namespace "root\CIMV2" -filter "LocalAccount = True" -computername $strComputer
foreach ($objItem in $colItems) {
write-output "Account Type: " $objItem.AccountType
write-output "Description: " $objItem.Description
write-output "Disabled: " $objItem.Disabled
write-output "Full Name: " $objItem.FullName
write-output "Installation Date: " $objItem.InstallDate
write-output "Lockout: " $objItem.Lockout
write-output "Password Changeable: " $objItem.PasswordChangeable
write-output "Password Expires: " $objItem.PasswordExpires
write-output "Password Required: " $objItem.PasswordRequired
write-output "SID: " $objItem.SID
write-output "SID Type: " $objItem.SIDType
write-output "Status: " $objItem.Status
write-output ""
}
}
Next, Base64-encode it:
PS C:\Documents and Settings\Administrator>
[System.Convert]::ToBase64String([System.Text.Encoding]::UNICODE.GetBytes($string))
Use your resulting Base64 string in an .audit file. Be sure to set ps_encoded_args to YES, per the following example:
<custom_item>
type: AUDIT_POWERSHELL
description: "List local user account info"
value_type: POLICY_TEXT
value_data: ""
powershell_args: 'DQAKACIAMQAwAC4AMAAuADAAIgAgAHwAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAA7AA0ACgA='
ps_encoded_args: YES
only_show_cmd_output: YES
</custom_item>
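As an added example (not Tenable's code), the following Python reproduces the UTF-16LE Base64 encoding used in the PowerShell step above and decodes ps_encoded_args values back out of a <custom_item>, so a reviewer can read the exact command an audit file will run before deploying it. The line-oriented parser is a minimal one written for this example, and the sample item is the encoded one from this page; decoding it shows that the string carries a one-line Write-Output command rather than the account-listing script.

```python
import base64
import re

# Each <custom_item> block and its "key: value" fields, in the .audit format shown above.
_ITEM_RE = re.compile(r"<custom_item>(.*?)</custom_item>", re.S)
_FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.+?)\s*$", re.M)

# Constructed sample: the encoded item from this page, with the value on the same
# line as its key so that a line-oriented parser can read it.
SAMPLE_AUDIT = '''<custom_item>
type: AUDIT_POWERSHELL
description: "List local user account info"
value_type: POLICY_TEXT
value_data: ""
powershell_args: 'DQAKACIAMQAwAC4AMAAuADAAIgAgAHwAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAA7AA0ACgA='
ps_encoded_args: YES
only_show_cmd_output: YES
</custom_item>
'''

def encode_powershell_args(script: str) -> str:
    """Same result as [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($s)):
    .NET "Unicode" is UTF-16LE without a BOM, which is what -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_powershell_args(b64: str) -> str:
    """Reverse the encoding so a reviewer can read what the check will actually run."""
    return base64.b64decode(b64).decode("utf-16-le")

def parse_custom_items(audit_text: str) -> list:
    """Return one dict of fields per <custom_item>; surrounding quotes are stripped."""
    items = []
    for body in _ITEM_RE.findall(audit_text):
        items.append({k: v.strip().strip("\"'") for k, v in _FIELD_RE.findall(body)})
    return items

def decoded_scripts(audit_text: str) -> list:
    """(description, plaintext powershell_args) for every AUDIT_POWERSHELL item,
    decoding the value when ps_encoded_args is YES."""
    out = []
    for item in parse_custom_items(audit_text):
        if item.get("type") != "AUDIT_POWERSHELL":
            continue
        args = item.get("powershell_args", "")
        if item.get("ps_encoded_args", "NO").upper() == "YES":
            args = decode_powershell_args(args)
        out.append((item.get("description", ""), args))
    return out
```

Running decoded_scripts over a whole .audit file lists every PowerShell command it will execute in plaintext, which is the review worth doing before an encoded check is pushed to production targets.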
After the .audit is run, the information displayed appears similar to the following example:
"List local user account info": [INFO]
Account Type: 512
Description: Built-in account for administering the computer/domain
Disabled: False
Full Name:
Installation Date:
Lockout: False
Password Changeable: True
Password Expires: False
Password Required: True
SID: S-1-5-21-2137291905-473285123-5405471365-500
SID Type: 1
Status: OK
Account Type: 512
Description: Account used for running the ASP.NET worker process (aspnet_wp.exe)
Disabled: False
Full Name: ASP.NET Machine Account
Installation Date:
Lockout: False
Password Changeable: False
Password Expires: False
Password Required: False
SID: S-1-5-21-2137291905-473285123-5405471365-1006
SID Type: 1
Status: OK