The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

All versions of Powershell Core

Description: This query looks for all versions (6,7, preview versions) of PowerShell Core installed on Linux and Windows. PowerShell can be used maliciously used and should be monitored as some AV products only block the PowerShell.exe and PowerShell_ISE.exe not the PowerShell dll (system.management_automation.dll). Another way hackers can bypass the PowerShell blocking is by installing PowerShell Core.

What The Data Shows:  Shows all versions of PowerShell Core on Windows and Linux (tested on CentOS and Ubuntu).

SQL: SELECT filename,path,attributes,
datetime(mtime,"unixepoch","localtime") AS "Modified",
datetime(ctime,"unixepoch","localtime") AS "Created",
datetime(atime,"unixepoch","localtime") AS "Accessed"
FROM file WHERE path like '/opt/microsoft/powershell/%/pwsh' or path like '\Program Files\Powershell\%\pwsh.exe' or path like '/usr/%/bin/pwsh';


Carbon Black Employee

Hello @ksnihur thank you for another contribution.

Are you testing these prior to submitting?  I am not sure how you could have gotten this submission to run if you are testing before submitting.



Contributor II

Hey @esullivan ,

Yes, it was tested and working in my personal linux VM as we don't have linux machines in our environment, and then merged with a previous one that I know works on windows. After reading your comment I realized I copy/pasted a prior version where I had tried using the incorrect wildcard. I've updated the query accordingly.


Carbon Black Employee
Status changed to: Approved