
Check for Powershell Core

Description: Checks whether the cross-platform PowerShell Core (pwsh.exe) is installed.

What The Data Shows: Some AV products that block use of the Windows PowerShell console do not block PowerShell Core; this query shows which machines or users may be trying to bypass that restriction.

SQL:

SELECT filename,attributes,
    datetime(mtime,"unixepoch","localtime") AS "Modified",
    datetime(ctime,"unixepoch","localtime") AS "Created",
    datetime(atime,"unixepoch","localtime") AS "Accessed"
FROM file
WHERE path = '\Program Files\Powershell\6\pwsh.exe';
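As an added example (not part of the original post), a broader form of the same check: the first query matches any PowerShell Core major-version directory rather than only "\6\", and the second lists running pwsh.exe processes with the launching account, which is the "who is using it" evidence the description is after. It keeps this page's convention of a path without the drive letter and assumes the standard osquery file, processes and users tables are available in Live Query.

```sql
-- 1. Installed copies: match any PowerShell Core version directory
--    (6, 7, ...). A single "%" in the osquery file table matches one
--    path component. Drive-less path as used on this page (assumption).
SELECT path,
       attributes,
       size,
       datetime(mtime, 'unixepoch', 'localtime') AS "Modified",
       datetime(ctime, 'unixepoch', 'localtime') AS "Created",
       datetime(atime, 'unixepoch', 'localtime') AS "Accessed"
FROM file
WHERE path LIKE '\Program Files\PowerShell\%\pwsh.exe';

-- 2. Live use: pwsh.exe processes with the owning user, parent PID and
--    command line, so a console block bypass shows up even when the
--    binary was copied somewhere other than Program Files.
SELECT p.pid,
       p.parent,
       u.username,
       p.path,
       p.cmdline,
       datetime(p.start_time, 'unixepoch', 'localtime') AS "Started"
FROM processes p
LEFT JOIN users u ON u.uid = p.uid
WHERE LOWER(p.name) = 'pwsh.exe';
```

Run the two statements as separate Live Query jobs if your console accepts only one statement per query.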

6 Comments
jnelson
Carbon Black Employee
Status changed to: Under Review

@ksnihur the path in the file table does not contain C: so this query will always fail. Can you please edit the query to fix this? 

Also, would you consider converting the timestamps to human readable? Here is an example of what the query would look like:

SELECT filename,attributes,
    datetime(mtime,"unixepoch","localtime") AS Modified,
    datetime(ctime,"unixepoch","localtime") AS Created,
    datetime(atime,"unixepoch","localtime") AS Accessed
FROM file
WHERE path = '\Program Files\Powershell\6\pwsh.exe';


ksnihur
Contributor II

Fixed, Thanks @jnelson 

jnelson
Carbon Black Employee
Status changed to: Approved

jnelson
Carbon Black Employee
Status changed to: Under Review

@ksnihur I made a mistake on my suggestion. :-( Please edit it and put Modified, Accessed, and Created in quotes. 

SELECT filename,attributes,
    datetime(mtime,"unixepoch","localtime") AS "Modified",
    datetime(ctime,"unixepoch","localtime") AS "Created",
    datetime(atime,"unixepoch","localtime") AS "Accessed"
FROM file
WHERE path = '\Program Files\Powershell\6\pwsh.exe';

Sorry!

ksnihur
Contributor II

@jnelson Updated as requested; I should have caught that as well.

kbrawley
Community Manager
Status changed to: Approved

Thanks for updating @ksnihur