Creating Alternative Data Streams and Hashes

Was exploring Alternative Data Streams (ADS) when it occurred to me that hashing might be a good way to detect if an ADS has been created.
Let's explore:

# Create a file
$path = 'C:\temp\test_ADS.txt'
$null = New-Item -Path $path -ItemType File -Force

# Add some content 
Add-Content -Path $path -Value "No hidden text" 

# verify content
Get-Content -Path $path

# Check hash
$hash1 = (Get-FileHash -Path $path -Algorithm MD5).Hash

# Create the ADS
Add-Content -Stream HIDDEN -Path $path -Value "Hidden Stuff"

# Check ADS
Get-Content -Path $path -Stream HIDDEN

# Check hash
$hash2 = (Get-FileHash -Path $path -Algorithm MD5).Hash

"{0} - No ADS" -f $hash1
"{0} - With ADS" -f $hash2

As you can see, the hash does not change: Get-FileHash only reads the file's default data stream, so writing a named stream never touches the bytes it hashes.  Detecting ADS creation is still possible if you are using Sysmon, which logs a FileCreateStreamHash event (Event ID 15) when a named stream is written.
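The same experiment, as an added example that is not part of the original post: instead of one Get-FileHash call, every NTFS stream on the file is enumerated and hashed separately, so a new or modified ADS changes the result. It assumes an NTFS volume, Windows PowerShell 5.1 or PowerShell 7+, and the post's sample path C:\temp\test_ADS.txt.

```powershell
# Added example (not from the original post). Get-FileHash only reads the default
# ':$DATA' stream, so this enumerates every NTFS stream on the file and hashes each
# one separately; a new or changed ADS then shows up as a new or changed hash.
# Assumes an NTFS volume, Windows PowerShell 5.1 or PowerShell 7+, and the
# constructed sample path C:\temp\test_ADS.txt from the post above.
function Get-StreamHashes {
    param([Parameter(Mandatory)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    # 5.1 reads raw bytes with -Encoding Byte, 6+ with -AsByteStream
    $byteArgs = @{ Encoding = 'Byte' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteArgs = @{ AsByteStream = $true } }
    foreach ($s in (Get-Item -Path $Path -Stream *)) {
        $readArgs = @{ Path = $Path; Raw = $true } + $byteArgs
        # ':$DATA' is the default stream; read it without -Stream
        if ($s.Stream -ne ':$DATA') { $readArgs.Stream = $s.Stream }
        $bytes = [byte[]](Get-Content @readArgs)
        if ($null -eq $bytes) { $bytes = [byte[]]@() }   # empty stream
        $hex = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        [pscustomobject]@{ Stream = $s.Stream; Length = $s.Length; Hash = $hex }
    }
}

function Compare-StreamHashes {
    param([object[]]$Before, [object[]]$After)
    $baseline = @{}
    foreach ($b in $Before) { $baseline[$b.Stream] = $b.Hash }
    foreach ($a in $After) {
        $state = 'unchanged'
        if ($baseline[$a.Stream] -ne $a.Hash) { $state = 'CHANGED' }
        if (-not $baseline.ContainsKey($a.Stream)) { $state = 'NEW STREAM' }
        '{0,-10} {1,6} bytes  {2}' -f $state, $a.Length, $a.Stream
    }
}

# Same steps as the post, but hashing every stream instead of the file as a whole
$path = 'C:\temp\test_ADS.txt'
$null = New-Item -Path $path -ItemType File -Force
Add-Content -Path $path -Value 'No hidden text'
$before = Get-StreamHashes -Path $path

Add-Content -Path $path -Stream HIDDEN -Value 'Hidden Stuff'
$after = Get-StreamHashes -Path $path

Compare-StreamHashes -Before $before -After $after
```

For the post's test file the comparison lists ':$DATA' as unchanged and HIDDEN as a NEW STREAM. The per-stream table from Get-StreamHashes can be kept as a baseline and re-run later, which a single whole-file hash cannot do.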

Hope this helps!

Compress-Archive, ForEach-Object and extra goodness

Was recently asked if zipping up a directory was something PowerShell could do.  Before version 5.0, you could do it using the ZipFile class ([System.IO.Compression.ZipFile]::CreateFromDirectory()).  Thankfully, with PowerShell version 5+ we have the Compress-Archive cmdlet.

Below is an example that creates a few files in a directory and then compresses them.

<#  Compress-Archive example

    Demonstrating how to use the Compress-Archive cmdlet.

    We also demonstrate a few other techniques:

    * getting content from a web site (Invoke-WebRequest)
    * use of ForEach-Object with -Begin, -Process and -End script blocks
    * using the Measure-Object cmdlet to see the size of a directory
#>

# Create a folder and retrieve some data; runs once before the loop
$begin = {
    Set-Location -Path C:\TEMP

    # Create a new directory to hold our text files
    New-Item -Path . -Name ArchiveTest -ItemType Directory -Force | Out-Null

    # Go fetch the data!
    $url = 'https://www.ams.usda.gov/mnreports/md_da800.txt'
    $value = (Invoke-WebRequest -Uri $url).Content
}

# Create the files; this is the looping section
$process = {
    $name = "test$PSItem.txt"

    # Create a new file
    New-Item -Path .\ArchiveTest -Name $name -ItemType File -Force | Out-Null

    # Add the content we snagged above
    Add-Content -Path ".\ArchiveTest\$name" -Value $value
}

# Compress and compare; runs once at the end of the loop
$end = {
    "Before compression: {0}" -f (Get-ChildItem .\ArchiveTest -Recurse | Measure-Object -Property Length -Sum).Sum
    Compress-Archive -Path .\ArchiveTest -DestinationPath .\ArchiveTest.zip -Force
    "After compression: {0}" -f (Get-ChildItem .\ArchiveTest.zip | Measure-Object -Property Length -Sum).Sum
}

# Magic happens
1..250 | ForEach-Object -Begin $begin -Process $process -End $end

Getting fancy with Get-Clipboard

Most of us know how to use Get-Clipboard to fill variables in PowerShell, but did you know you can list the specific ClipboardFormat types it understands?

[Enum]::GetValues([Microsoft.PowerShell.Commands.ClipboardFormat])

Check out the video below for a demonstration.