All versions of Powershell Core

Description: This query looks for all versions (6, 7, preview versions) of PowerShell Core installed on Linux and Windows. PowerShell can be used maliciously and should be monitored, as some AV products only block PowerShell.exe and PowerShell_ISE.exe, not the PowerShell DLL (System.Management.Automation.dll). Another way hackers can bypass the PowerShell blocking is by installing PowerShell Core.

What The Data Shows: Shows all versions of PowerShell Core on Windows and Linux (tested on CentOS and Ubuntu).

SQL:

-- osquery: inventory pwsh binaries in the default install locations on Linux and Windows.
-- Note: the Windows pattern needs the drive letter, because LIKE without a leading
-- wildcard is anchored at the start of the path; C: is assumed here.
SELECT filename, path, attributes,
       datetime(mtime, 'unixepoch', 'localtime') AS "Modified",
       datetime(ctime, 'unixepoch', 'localtime') AS "Created",
       datetime(atime, 'unixepoch', 'localtime') AS "Accessed"
FROM file
WHERE path LIKE '/opt/microsoft/powershell/%/pwsh'
   OR path LIKE 'C:\Program Files\PowerShell\%\pwsh.exe'
   OR path LIKE '/usr/%/bin/pwsh';
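Two follow-on osquery queries, added here as an example and not part of the original submission: the first adds a SHA-256 to the file inventory so a found pwsh binary can be checked against Microsoft's published release checksums, the second lists running PowerShell Core processes regardless of where the binary lives, which catches an install outside the directories the query above assumes. The install paths and the C: drive letter are assumptions; the hash and processes tables are standard osquery tables.

```sql
-- (1) pwsh binaries in the expected locations, with their SHA-256.
--     Paths are assumed (same locations as the inventory query, plus C:).
SELECT f.path,
       f.size,
       datetime(f.mtime, 'unixepoch', 'localtime') AS modified,
       h.sha256
FROM file AS f
JOIN hash AS h USING (path)
WHERE f.path LIKE '/opt/microsoft/powershell/%/pwsh'
   OR f.path LIKE '/usr/%/bin/pwsh'
   OR f.path LIKE 'C:\Program Files\PowerShell\%\pwsh.exe';

-- (2) PowerShell Core processes currently running, from any path.
--     A pwsh process whose path is not one of the locations above is worth
--     a closer look, since it points at an install the file query misses.
SELECT p.pid,
       p.name,
       p.path,
       p.cmdline,
       p.parent,
       p.uid
FROM processes AS p
WHERE p.name IN ('pwsh', 'pwsh.exe');
```

Both queries can be scheduled in a query pack alongside the original one; the process query is cheap enough to run at a short interval, while the hash query should run less often because hashing is file I/O on every match.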


3 Comments
Community Manager

Hello @ksnihur thank you for another contribution.

Are you testing these prior to submitting?  I am not sure how you could have gotten this submission to run if you are testing before submitting.

Thanks!

Ed

Contributor

Hey @esullivan ,

Yes, it was tested and working in my personal Linux VM, as we don't have Linux machines in our environment, and then merged with a previous one that I know works on Windows. After reading your comment I realized I copy/pasted a prior version where I had tried using the incorrect wildcard. I've updated the query accordingly.


Carbon Black Employee
Status changed to: Approved