logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

All versions of Powershell Core

Status: Approved Submitted by on ‎10-09-2019 07:45 PM

Description: This query looks for all versions (6,7, preview versions) of PowerShell Core installed on Linux and Windows. PowerShell can be used maliciously used and should be monitored as some AV products only block the PowerShell.exe and PowerShell_ISE.exe not the PowerShell dll (system.management_automation.dll). Another way hackers can bypass the PowerShell blocking is by installing PowerShell Core.

What The Data Shows:  Shows all versions of PowerShell Core on Windows and Linux (tested on CentOS and Ubuntu).

SQL: SELECT filename,path,attributes,
datetime(mtime,"unixepoch","localtime") AS "Modified",
datetime(ctime,"unixepoch","localtime") AS "Created",
datetime(atime,"unixepoch","localtime") AS "Accessed"
FROM file WHERE path like '/opt/microsoft/powershell/%/pwsh' or path like '\Program Files\Powershell\%\pwsh.exe' or path like '/usr/%/bin/pwsh';

 

Comment
3 Comments
esullivan
Carbon Black Employee
‎10-10-2019 08:51 AM
‎10-10-2019 08:51 AM

Hello @ksnihur thank you for another contribution.

Are you testing these prior to submitting?  I am not sure how you could have gotten this submission to run if you are testing before submitting.

Thanks!

Ed

ksnihur
Contributor II
‎10-10-2019 09:23 AM
‎10-10-2019 09:23 AM

Hey @esullivan ,

Yes, it was tested and working in my personal linux VM as we don't have linux machines in our environment, and then merged with a previous one that I know works on windows. After reading your comment I realized I copy/pasted a prior version where I had tried using the incorrect wildcard. I've updated the query accordingly.

 

jnelson
Carbon Black Employee
‎12-05-2019 02:03 PM
‎12-05-2019 02:03 PM
Status changed to: Approved
 
logo