First release of AutoRuns module

September 22, 2016


You may remember the excellent PowerShell Security series from PowerShell Magazine where I presented a Get-PSAutoRun function to investigate malware persistence ala “Sysinternals autoruns”.

I’ve actually revised its content during the last Christmas holidays and transformed it as a module.

I’ve updated the launch points the original Sysinternals autoruns utility checks and tried to do my best to keep track of what new launch points were added or removed between versions:
You may have noticed that there’s a new category for Office plugins.
I’ve also added some code about the PoweLiks malware although I hadn’t had yet a sample to fully test my detection code:

The code has also undergone a major “quality review” to reduce the number of warnings or issues reported by the PSScriptAnalyzer module.
As you can see, it still complains about using the Get-WmiObject cmdlet and the fact that I sometimes use an empty catch…

View original post 50 more words

First release of AutoRuns module

September 22, 2016

You may remember the excellent PowerShell Security series from PowerShell Magazine where I presented a Get-PSAutoRun function to investigate malware persistence ala “Sysinternals autorunsR…

Source: First release of AutoRuns module

Open source PowerShell and OMI

September 6, 2016

Richard Siddaway's Blog

OMI – the Open Source CIM server is available on github

This appears to be a later version than currently shown on the open group web site

Combine this with open source PowerShell

and the DSC on Linux

And you have your basis for managing Linux machines

View original post

Create a GPO for PowerShell 5.0 settings

July 28, 2016

I’ve written the following piece of code to automate the creation of a Group Policy that would configure all the new PowerShell 5 settings – ScriptBlock Logging, Protected EventLog and …

Source: Create a GPO for PowerShell 5.0 settings

Safely storing credentials and other things with PowerShell

July 14, 2016

storing Credentials

Hey guys,

This post is mostly going to be me sharing an answer I wrote on StackOverflow, about a technique I use in my PowerShell modules on Github to safely store credentials, and things like REST Credentials.  This is something I’ve had on my blogging ‘To-Do’ list in OneNote for a while now, so it feels nice to get it written out.

I hope you like it, feel free to comment if you think I’m wrong!

The Original Question

I currently have a project in powershell which interacts with a REST API, and the first step after opening a new powershell session is to authenticate myself which creates a websession object which is then used for subsequent API calls. I was wondering what the best way of going about storing this token object across all Powershell sessions, because right now if I authenticate myself and then close & reopen powershell I need to re-authenticate which is rather inconvenient. I would like the ability to in theory authenticate once and then whenever I open up powershell be able to use my already saved websession object. At the moment I store this websession object in $MyInvocation.MyCommand.Module.PrivateData.Session Original Question

My Take on Safely Storing objects on a machine with PowerShell

Since I’ve written a number of PowerShell Modules which interact with REST APIs on the web, I’ve had to tackle this problem before. The technique I liked to use involves storing the object within the user’s local credential store, as seen in my PSReddit PowerShell Module.

First, to export your password in an encrypted state. We…

View original post 301 more words

Building Better PowerShell Dashboards

April 11, 2016

First off, YUUGE props to Flynn Bundy for shining lights on the possibility with his post Making DSC Beautiful and @Neeco of for these gorgeous HTML5 and CSS templates.

If you check out, there are a ton of absolutely beautiful templates, for free! (Well, you have to leave a link to the site, unless you pay $20, then you can edit it to your heart’s content).


Some of them REALLY lend themselves well to a dashboard system for consumption of data.

…you know, PowerShell makes an excellent data collection and processing system.

It even has  native HTML capabilities, as we’ve covered previously in our post: Using ConvertTo-HTML and CSS to create useful web reports from PowerShell.  If you’re lost and don’t even know where to start, begin here.  I’ll bet we could make some REALLY cool looking dashboards using PowerShell and Neeco’s templates!

Let’s make a cool…

View original post 1,422 more words

Breaking CIM sessions

April 8, 2016

Richard Siddaway's Blog

A CIM session is analogous to a PowerShell remoting session but for CIM based cmdlets – the CIM cmdlets themselves and any CDXML based cmdlets e.g. the networking cmdlets

By default a CIM session uses WSMAN as its transport protocol – the same as remoting. You do have the choice to create a CIM session using DCOM for transport (same as the WMI cmdlets use)

I’ve always maintained that DCOM based sessions could be broken if the remote machine was re-started. This was based on the testing I did when writing PowerShell and WMI.

Some recent information cast doubt on that assertion though. I’ve digging into CIM sessions recently and have what I think is a definitive statement on DCOM based CIM sessions.

If you create a DCOM based CIM session to a machine running PowerShell 2.0 from a machine running PowerShell 3.0 (or PowerShell 4.0 – I haven’t tested…

View original post 249 more words