
PowerShell Remoting Usage #143

Open
mr-burnse opened this issue Oct 14, 2016 · 3 comments

Comments

@mr-burnse

This is a really great project! I'm looking at potentially incorporating some of its functionality in a project I've been working on. In my case I need to execute these functions on remote endpoints (via PS Remoting) that will not have the module locally imported. Any thoughts on how I might accomplish this? The PS Remoting session is established with C# & the System.Management.Automation library. Cheers!

@mr-burnse
Author

I should add that, in my scenario, implicit module importing will not work as the target endpoint cannot be aware of any credentials to connect back to the remote server.

@jaredcatkinson
Member

jaredcatkinson commented Oct 17, 2016

Hey Evan,

Thanks for the kind words! I'm glad you are enjoying the project.

I've created a GitHub project called PowerForensics Portable (https://github.com/Invoke-IR/PowerForensicsPortable), that leverages PowerForensics' public API. One of the cool things about PowerForensics being a .NET assembly is that it is truly a "forensics" library complete with publicly exposed classes and methods.

PowerForensics Portable loads the PowerForensics assembly in memory using the System.Reflection.Assembly class' Load method. The basic idea is that you pass a .NET DLL as a byte array to the Load method and it will load that DLL in memory and expose all public functions. I then wrote a function to replicate each PowerForensics cmdlet's functionality by calling the corresponding public API. For instance, if we want to parse the UsnJrnl, then I can call [PowerForensics.Ntfs.UsnJrnl]::GetInstances('.\C:') which parses the UsnJrnl on the Logical C: volume.

A little known feature (at least something that I just learned about) of Invoke-Command is the ability to run locally defined functions on a remote host. So by importing the PowerForensicsPortable module, you are defining all of the "Portable" functions locally. You can then use Invoke-Command to execute them on a remote system over PowerShell Remoting.

Example:

```powershell
Invoke-Command -ScriptBlock ${function:Get-ForensicUsnJrnlPortable} -ArgumentList '\\.\C:' -ComputerName infected.invoke-ir.com -Credential invoke-ir.com\jared
```

My colleague Matt Graeber also wrote a proxy function for Invoke-Command that leverages PowerShell's AST to dynamically resolve function dependencies. This helps the syntax become a little more straightforward. The Invoke-Command proxy function is included in PowerForensics Portable, so it is there once the module is loaded locally.

Example:

```powershell
Invoke-Command -ScriptBlock {Get-ForensicUsnJrnlPortable -VolumeName \\.\C:} -ComputerName infected.invoke-ir.com -Credential invoke-ir.com\jared
```
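The two mechanisms Jared describes (loading the assembly from a byte array with `[System.Reflection.Assembly]::Load`, then shipping a locally defined function to the endpoint with `${function:Name}`) can be combined in one self-contained acquisition script. The block below is an added example for this thread, not code from PowerForensics or PowerForensicsPortable. It assumes a copy of `PowerForensics.dll` at the placeholder path `$DllPath` on the analyst workstation, a placeholder host name `endpoint01.example.local`, and that the remoting credential has local administrator rights on the endpoint (raw access to `\\.\C:` requires it). The function name `Get-UsnJrnlViaAssembly` is hypothetical.

```powershell
# Added example; assumptions: $DllPath and the host name are placeholders,
# and the remoting credential is an administrator on the endpoint.

function Get-UsnJrnlViaAssembly {
    param(
        [Parameter(Mandatory)] [byte[]] $AssemblyBytes,   # PowerForensics.dll as raw bytes
        [string] $VolumeName = '\\.\C:'                   # logical volume to parse
    )
    # Load the assembly from memory; nothing is written to or installed on the endpoint.
    $null = [System.Reflection.Assembly]::Load($AssemblyBytes)
    # Call the public API that the Portable functions wrap (from Jared's comment above).
    [PowerForensics.Ntfs.UsnJrnl]::GetInstances($VolumeName)
}

# Read the DLL once on the analyst workstation. The bytes travel inside the remoting
# session as an argument, so the endpoint never needs credentials to reach back to us.
$DllPath = 'C:\Tools\PowerForensics.dll'      # placeholder path
$Bytes   = [System.IO.File]::ReadAllBytes($DllPath)

$session = New-PSSession -ComputerName 'endpoint01.example.local' -Credential (Get-Credential)
try {
    # ${function:Name} yields the function body as a ScriptBlock; Invoke-Command sends
    # that body to the remote runspace, so no module import happens on the endpoint.
    # Two elements in -ArgumentList bind positionally to $AssemblyBytes and $VolumeName.
    $entries = Invoke-Command -Session $session `
        -ScriptBlock ${function:Get-UsnJrnlViaAssembly} `
        -ArgumentList $Bytes, '\\.\C:'

    # Results arrive as deserialised objects; keep them for the case file.
    $entries | Export-Clixml -Path '.\usnjrnl-endpoint01.xml'
    $entries | Select-Object -First 20 | Format-Table
}
finally {
    Remove-PSSession $session
}
```

Passing the DLL bytes as an argument is what sidesteps the double-hop problem raised in the first comment: the endpoint needs no credential of its own, only what the session already carries. Because the assembly lands in memory rather than on disk, an EDR that hooks the CLR will still see the load; that is expected and worth noting in the acquisition record so it is not mistaken for hostile in-memory tooling later.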

@sahar55

sahar55 commented May 7, 2017

Hi Jared, is your PowerForensicsPortable still an ongoing project?
I see the last update was 10 months ago and some of the artifact acquisition is not there; are you planning on adding it?
Amazing job on those tools, truly very helpful.
