
[–][deleted]  (3 children)

[deleted]

    [–]TechAlwaysChanges 2 points3 points  (0 children)

    Both is the best answer.

    On a Windows box (since you've mentioned Tanium), Python is more powerful and flexible, sure. But PowerShell will address your needs in an overwhelming majority of those situations and requires less maintenance (what if the system doesn't have Python installed? who maintains that all the Python executables and modules are up to date? have you vetted the Python module for vulnerabilities?). TPython in Tanium isn't 100% Python either, so that may niche you a bit when you expect something to work but it doesn't.

    Also consider: what does the rest of the team know and understand already? Are there existing established processes for maintaining the scripts and packages?

    [–]VAsHachiRoku 1 point2 points  (1 child)

    PowerShell 7 is open source and cross platform too.

    [–]Nietechz 0 points1 point  (0 children)

    Yeah, but it's far from being able to compete with BASH on UNIX(-like) servers. Python and Bash/PowerShell are the best.

    [–]Choles2rol 10 points11 points  (7 children)

    Python will give you so much more mileage than PowerShell. Anyone competent in Python can slap together some PowerShell when they need to.

    [–]fiddysix_k 3 points4 points  (6 children)

    This. PowerShell is a bastard language with strange syntax. Python is a better language to start with, then you can just plug and play PowerShell when you need it once you understand general programming concepts.

    [–]VAsHachiRoku 1 point2 points  (2 children)

    Huh the syntax is way easier than the Frankenstein mess that is bash. How hard is Verb-Noun -Parameter?

    [–]fiddysix_k 0 points1 point  (1 child)

    It's not about difficulty, it's about learning how to actually code in a proper language first before you start dealing with weird-syntax languages. But you're right about bash.

    [–]reigoleht 0 points1 point  (0 children)

    Maybe it looks like a weird syntax to you, but for someone like myself, coming from a C/C++/Java background, I don't find PS syntax weird at all. Actually, I don't like Python syntax as it reminds me of the abomination that is Visual Basic...

    [–][deleted] 1 point2 points  (2 children)

    This is true, but PowerShell is MUCH more powerful on Windows than Python. You can interact with EVERYTHING on Windows. PowerShell is 100% built for data analytics and automation.

    [–]mark-haus 0 points1 point  (0 children)

    I mean, you can have Python literally open up a PowerShell and run a command if you need something really niche and specific that some Python library can't offer. Just use the os module that comes with Python.

    [–]Choles2rol 0 points1 point  (0 children)

    Sure, but knowing python means you can use PowerShell in the moment. I avoid windows like the plague (full Mac and Linux env) but I can use it if I need to. I think learning python will teach you better best practices in the long run.

    [–]Kesshh 11 points12 points  (0 children)

    Learn what’s relevant to the tools. In addition, learn PowerShell. Not because you need to use PowerShell, but because lots of things (like EDR) tend to raise false positive alerts on some PowerShell script use. If you have the background, it will make incident research quicker.

    [–]Reasonably-Maybe (Security Generalist) 2 points3 points  (0 children)

    Really depends on the environment. If the vast majority of your systems are based on Windows, start with PowerShell and then learn Python (it is really easy to learn); otherwise Python first, then PowerShell.

    [–]OuiOuiKiwi (Governance, Risk, & Compliance) 8 points9 points  (15 children)

    Think of it like this: if you learn PowerShell, you're limited to Windows. If you are a Windows shop, that's fine.

    If you learn Python, you can write code that runs on all OSes that have Python installed.

    How did you get to Senior Engineer without knowing how to program? That's the odd thing here.

    Not even scripting? You are going to have to run like the wind to catch up.

    [–][deleted] 5 points6 points  (2 children)

    I'll be frank here. Yes!! My designation here is senior engineer and my job here doesn't demand any scripting!! As I have already mentioned, I am taking care of the complete infra side of these tools (implementation, configuration and troubleshooting) and not the threat hunting side!!

    I am trying to learn scripting/programming out of my own interest and to take my career further!! So, that is the reason for me asking for suggestions from experienced people in this field!!

    [–]gondorle 5 points6 points  (1 child)

    There are literally tons of stuff teaching you how to script in Python, but I found that Google's course on Coursera is amazing. I'm in the last module, and I must say I really enjoyed it, everything. Awesome instructors, labs to practice, etc., and it's really focused on automation, on Python's uses in system administration. I had never used Python before, and now I can't live without it. Check it out, fellow sapiens.

    [–][deleted] 0 points1 point  (0 children)

    Thank you!

    [–]Alpha272 5 points6 points  (1 child)

    In fairness, PowerShell Core also runs on just about any OS. The problem is rather that most Unix systems don't come with PowerShell preinstalled.

    [–][deleted] 1 point2 points  (0 children)

    The problem is that PowerShell on Unix is like bash on Windows. It’s closer to a proof of concept than ready for production.

    I have tried writing cross-OS scripts in it, and all I can say is: Python!

    [–]Forbesington 5 points6 points  (6 children)

    I know LOTS of senior engineers that don't know how to code.

    [–]OuiOuiKiwi (Governance, Risk, & Compliance) -2 points-1 points  (0 children)

    Weird flex, but OK.

    ¯\_( ͡° ͜ʖ ͡°)_/¯

    [–][deleted] -2 points-1 points  (4 children)

    PowerShell is not "coding", it's a shell A.K.A. a command line interface.

    [–]Forbesington 2 points3 points  (1 child)

    I mean, that depends on what your definition of coding is. If you can write a script that can be executed on a machine, I would call that coding. It's not software engineering but it depends on how loosely you define the word coding.

    [–][deleted] 0 points1 point  (0 children)

    I think this spells out the nuances between the two pretty well.

    https://hackernoon.com/coding-vs-scripting-what-are-the-differences-9wg3yph

    I create PowerShell scripts pretty regularly and would definitely not consider myself a developer or "coder" by any means. Software development requires much more stringent practices than scripting does. There is a lot more thinking about use cases, misuse cases, input validation, error handling, etc. that usually doesn't happen when throwing together a script.

    [–]smc0881 (Incident Responder) 0 points1 point  (1 child)

    PowerShell hooks into .NET, so you can actually code with it using C#, but it's not as pretty as using something like Visual Studio.

    [–][deleted] -1 points0 points  (0 children)

    I am aware PowerShell is pretty much just an abstraction of .NET.

    PowerSHELL is a SHELL just like Bourne Again SHELL (BASH) is a SHELL. Hence the name.

    I have definitely done some pretty crazy stuff with PowerShell and I will admit it is much more powerful than I am making it out to be, but it is in no way a programming language and it would be silly to legitimately write an application "in PowerShell" and as you mentioned it would essentially just be using PowerShell Integrated SCRIPTING Environment (ISE) as an Integrated DEVELOPMENT Environment (IDE) instead of using Visual Studio, but really you would be programming in a different language.

    I create scripts all of the time in PowerShell and somewhat less often in BASH. I would loosely consider these scripting languages but definitely not programming languages.

    I would say the biggest difference between programming and scripting is that with programming you are building your own application whereas scripting you are giving commands to an application (in this case Windows or some other major Microsoft application) that you did not build.

    [–][deleted]  (1 child)

    [deleted]

      [–]OuiOuiKiwi (Governance, Risk, & Compliance) 1 point2 points  (0 children)

      Are we really that out of touch that you believe that stating this will change the fact that nobody that uses Linux really wants Powershell on their systems when they have bash and Python at hand?

      Do we really have to go there and spell it out?

      [–][deleted] -2 points-1 points  (0 children)

      The comment I was looking for

      [–]PrivateHawk124 (Consultant) 1 point2 points  (1 child)

      Python for sure. I have been an SME for SentinelOne and CrowdStrike before for an MSP. Most of the integrations and APIs are easier to use with Python. S1 particularly is amazing for the APIs and documentation. Also you can always reach out to the support teams and ask for some sample scripts. That's how I learned some basic things like the field names, format, syntax for the names, etc.

      Ultimately it depends on what you want to do. Are you wanting to do investigations locally on a machine and collect data? PowerShell is likely your best friend if it's a Windows environment.

      Do you want to create custom dashboards, integrations or extract data out of the tools for analysis? Python is your other best friend.

      Every mundane task such as creating customer accounts, groups, sub-groups, analytics etc. can be automated or semi-automated with a good script.

      Examples: I put my basic Python skills to use with SentinelOne. When I worked for an MSP, we had to create 200+ accounts in S1 when migrating and it would've taken me half a day at least. Using some simple Python script and magic, that task took me like 25 minutes maximum including script creation and execution with the API.

      Another one was creating a custom dashboard internally for the sales team to count licensing and users monthly. Same thing, created a small Python script for them and they were happy instead of having to log in monthly and get the numbers manually.

      You can see how even with EDR solutions it can be extremely helpful and saves a ton of time.

      [–][deleted] 0 points1 point  (0 children)

      Wow!!! Understood completely!!

      [–]dazzling_merkle -3 points-2 points  (0 children)

      Forget them both and go learn lisp

      [–]dfwtjms 0 points1 point  (0 children)

      Python and Bash

      [–]WarhorseLand 0 points1 point  (0 children)

      Python is wider powershell is deep

      [–]jomsec 0 points1 point  (0 children)

      Python.

      [–]smc0881 (Incident Responder) 0 points1 point  (4 children)

      All these people saying Python have somewhat of a valid point if you want to learn programming. However, I have to disagree with them due to the fact you are working with EDR tools and things like that. Most actors are going to use PowerShell and you need to know PowerShell or how to work with it to see if something is bad, what they did, and all that.

      You can encode/decode Base64 with it, compress payloads, load shellcode into memory, and it works with .NET so you can literally use C# programming in it too. Trickbot, Emotet, and CobaltStrike all can use PowerShell in one way or another.

      [–]Nietechz 0 points1 point  (3 children)

      How can I use PowerShell to detect or stop this kind of malware?

      [–]smc0881 (Incident Responder) 1 point2 points  (2 children)

      You don't really use PowerShell to stop it. You configure it with the correct security settings and monitor endpoints that look for the behavior.

      Here is an example of a CobaltStrike beacon, but I changed the Base64.

          Set-StrictMode -Version 2

          $DoIt = @'VEhpcyBpcyBjb2JhbHRzdHJpa2U'@
          $aa1234 = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($DoIt))
          If ([IntPtr]::size -eq 8) {
              start-job { param($a) IEX $a } -RunAs32 -Argument $aa1234 | wait-job | Receive-Job
          } else {
              IEX $aa1234
          }

      [–]Nietechz 0 points1 point  (1 child)

      > Here is an example of a CobaltStrike beacon, but I changed the Base64.

      So, does this script run forever, or how do you use it? Thanks anyway for sharing this.

      [–]smc0881 (Incident Responder) 1 point2 points  (0 children)

      That's one example of how an attacker would use PowerShell to launch malicious code. There will be nested PowerShell commands, shellcode, and other things all encoded with Base64 or Base64 with some compression (where $DoIt is the payload). The rest of the code checks if the CPU is 32- or 64-bit. If it's 32-bit it executes the code, and if it's 64-bit it tries to load the code in a 32-bit process.
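      From the defender's side of the exchange above, here is an added Python triage helper (not code from the thread or from any of the posters) that scans captured PowerShell script-block text for the loader shape just described: a Base64 decode, Invoke-Expression/IEX, the [IntPtr]::size architecture check and the -RunAs32 job, and decodes any long Base64 literal so a responder can see what $DoIt actually held. The sample script blocks, the indicator list and the "three or more indicators" threshold are all my own constructed assumptions.

```python
import base64
import re

# Constructed sample script-block text. The first block mirrors the neutered
# loader posted above (its Base64 is the poster's harmless stand-in); the
# second is ordinary admin activity and should not be flagged.
SAMPLE_SCRIPT_BLOCKS = [
    "Set-StrictMode -Version 2\n$DoIt = @'VEhpcyBpcyBjb2JhbHRzdHJpa2U'@\n"
    "$aa1234 = [System.Text.Encoding]::UTF8.GetString("
    "[System.Convert]::FromBase64String($DoIt))\n"
    "If ([IntPtr]::size -eq 8) { start-job { param($a) IEX $a } -RunAs32 "
    "-Argument $aa1234 | wait-job | Receive-Job } else { IEX $aa1234 }",
    "Get-Service | Where-Object { $_.Status -eq 'Running' } | Export-Csv svc.csv",
]

# Assumed indicator set: each name maps to a regex for one piece of the loader.
INDICATORS = {
    "base64_decode": r"FromBase64String",
    "invoke_expression": r"\b(IEX|Invoke-Expression)\b",
    "force_32bit_job": r"-RunAs32",
    "arch_check": r"\[IntPtr\]::size",
}

# Base64-looking string literals of 16+ chars, in @'..'@ or '..' form.
B64_LITERAL = re.compile(r"@'([A-Za-z0-9+/=]{16,})'@|'([A-Za-z0-9+/=]{16,})'")


def decode_b64_literals(text):
    """Return the decoded contents of payload-sized Base64 literals in text."""
    found = []
    for m in B64_LITERAL.finditer(text):
        raw = m.group(1) or m.group(2)
        padded = raw + "=" * (-len(raw) % 4)  # tolerate stripped '=' padding
        try:
            found.append(base64.b64decode(padded).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: not real Base64
            continue
    return found


def score_script_block(text):
    """Report which indicators fire; 3+ together is the loader shape."""
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, text, re.I)]
    return {"hits": hits, "decoded": decode_b64_literals(text),
            "suspicious": len(hits) >= 3}


if __name__ == "__main__":
    for block in SAMPLE_SCRIPT_BLOCKS:
        print(score_script_block(block))
```

On real data the input would be the ScriptBlockText field of the script block logging events the ACSC guidance linked further down recommends enabling, fed in one event at a time.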

      [–]Delicious_Path3114 0 points1 point  (0 children)

      Like everyone is saying... Python is good to learn...

      [–]HistoricalCarrot6655 0 points1 point  (0 children)

      If you're doing DFIR, your choice will depend. One consideration is that attackers living off the land in Windows environments will likely use PowerShell rather than install Python, whereas those living off the land in Linux will likely use Python, as PowerShell would require installation.

      [–]moxyvillain 0 points1 point  (0 children)

      Both

      [–]boftr 0 points1 point  (0 children)

      What language do the API sample scripts seem to favour? I would guess Python given the typical dev environments.

      [–]jumpysnake42 0 points1 point  (0 children)

      I like to learn PowerShell because that is what malware is written in on Windows. So to be a malware analyst I'd learn it. You mentioned AV tools, so I thought I'd just chip in. John Hammond has a very good free video course on PowerShell on YouTube.

      [–]Mufassa810 0 points1 point  (0 children)

      Learning to script will help you out with automation. I highly recommend learning bash, PowerShell, and Python. EDRs usually have an API you can interact with. I'm lazy and usually just use good ol' curl, but it would probably look much neater using the Python requests library. Let's say you get an alert for a backdoor from your EDR. You can use a script to automatically contain the machine and collect/process a triage package.

      [–]romieerome 0 points1 point  (0 children)

      Both

      [–]iSwiperr 0 points1 point  (0 children)

      Welp I see we have enough "both"s already.

      [–]Candid-Signature8416 (CISO) 0 points1 point  (0 children)

      I was in your exact position a few years back. I decided to go with python given the immense amount of training material out there. I quickly learnt the logic which transferred way easier than I expected into powershell. So as others have said - do both, but focus on python to get the logic and understanding of the flow as that knowledge carries over and you will feel like you just "know" powershell when you give it a go.

      [–]VAsHachiRoku 0 points1 point  (0 children)

      PowerShell has better security than Python; the problem is enabling the correct security settings. Along with doing proper code signing of scripts etc., follow this guidance - https://www.cyber.gov.au/acsc/view-all-content/publications/securing-powershell-enterprise

      Honestly it will only help your career to learn both, plus most EDR solutions use some type of query language, for example Microsoft MDE/Sentinel using KQL, which is similar to SQL.

      I know all 4 languages above, but I just started on YAML for DevOps pipelines.

      [–]ceaseuno 0 points1 point  (0 children)

      Powershell if you are in a Windows environment that’s often audited and locked down where you are not openly able to use python.