Searching multiple remote hosts via PSSESSION for indicators of compromise

Good morning!

I am less than a month new to PS, and I'm looking for a script that can access three remote machines and search their directories for certain indicators of compromise (IOC). I started by compiling all of the IPs, URLs, and files I was searching for in a one-column text document that I placed on the desktop.

Then I ping sweep to identify the infected systems:

for ($i = 2; $i -le 254; $i++)
{
    # One echo request per address in 10.10.10.0/24, 5 ms timeout
    ping -n 1 -w 5 10.10.10.$i
}

I discovered the three IP addresses: 10.10.10.56, .83, and .107. The username/password is the same for all systems (Student/P@ssw0rd1). I then created:

# Load the indicator list (one entry per line)
$IOC = Get-Content -Path "C:\Users\DCI Student\Desktop\IOC.txt"
# Start WinRM locally and trust every remote host
Start-Service winrm
Set-Item WSMan:\localhost\Client\TrustedHosts -Value *
# Build one credential object per target
$password1 = ConvertTo-SecureString "P@ssword1" -AsPlainText -Force
$Cred1 = New-Object System.Management.Automation.PSCredential ("Student", $password1)
$Cred2 = New-Object System.Management.Automation.PSCredential ("Student", $password1)
$Cred3 = New-Object System.Management.Automation.PSCredential ("Student", $password1)
# Open one session per target
$session1 = New-PSSession -ComputerName 10.10.10.56 -Credential $Cred1
$session2 = New-PSSession -ComputerName 10.10.10.83 -Credential $Cred2
$session3 = New-PSSession -ComputerName 10.10.10.107 -Credential $Cred3
# Search each target for the indicators
Invoke-Command -Session $session1 {Get-ChildItem -Recurse $IOC}
Invoke-Command -Session $session2 {Get-ChildItem -Recurse $IOC}
Invoke-Command -Session $session3 {Get-ChildItem -Recurse $IOC}

The script was completing but I just got extra arrows next to my prompt “PS C:\Users\Student\Desktop>>>”

Ideally, I'd love for the outputs to be saved to a .txt document on the desktop, i.e. “IOC scan results 1.txt”, “IOC scan results 2.txt”

If anyone could take a look at my script and give me feedback, I would love you forever! (o.O)

I thought I remember seeing a response to this post earlier, but it’s gone now. Anyway, here are some observations:

  1. Are you required to use PSSession? If not, I'd recommend just passing the credential object to Invoke-Command. If you must use PSSession, remember to close it when done (you should always code this).
  2. The -ComputerName parameter of New-PSSession will take an array of computernames, so no need for 3 PSSessions when one will do. This would also apply if you just used Invoke-Command with -Computername and -Credential parameters.
  3. Local variables are not accessible inside the Invoke-Command scriptblock. You'll need to preface with $using: or set them as parameters/arguments.
  4. If you want to export the results to a file, use an Export-Csv or other Export-* cmdlet.

Recommend reviewing the following:

Get-Help Invoke-Command
Get-Help New-PSSession
Get-Help Export-Csv
Get-Help about_scopes (see example 5)
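
The four observations above combined into one script, as an added example that is not part of the original thread. The search root, the output file names, and the decision to match IOC entries against file names only (IPs and URLs in the list will simply not match) are assumptions; Get-FileHash requires PowerShell 4.0 or later on the remote hosts.

```powershell
# Added example; paths and the search root are assumptions, not from the thread.
$iocPath    = Join-Path $env:USERPROFILE 'Desktop\IOC.txt'
$outDir     = Join-Path $env:USERPROFILE 'Desktop'
$computers  = '10.10.10.56', '10.10.10.83', '10.10.10.107'   # hosts named in the post
$searchRoot = 'C:\Users'                                      # assumed search root

# Read the indicator list once, dropping blank lines and duplicates.
$IOC = Get-Content -Path $iocPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique

# Prompt for the credential instead of embedding the password in the script.
$cred = Get-Credential -Message 'Account for the remote hosts'

# One call fans out to all hosts; no persistent PSSession is left to clean up.
$results = Invoke-Command -ComputerName $computers -Credential $cred -ScriptBlock {
    # $using: copies the caller's local variables into the remote scriptblock.
    $names = $using:IOC
    Get-ChildItem -Path $using:searchRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                Length        = $_.Length
                LastWriteTime = $_.LastWriteTime
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
        }
} -ErrorAction SilentlyContinue -ErrorVariable remoteErrors

# PSComputerName is attached to every returned object, so split the output per host.
# A host with no matches produces no file.
$results | Where-Object { $_ } | Group-Object -Property PSComputerName | ForEach-Object {
    $file = Join-Path $outDir ('IOC scan results {0}.csv' -f $_.Name)
    $_.Group |
        Select-Object PSComputerName, Path, Length, LastWriteTime, SHA256 |
        Export-Csv -Path $file -NoTypeInformation
}

# Surface connection failures so a missing CSV is not mistaken for a clean host.
$remoteErrors | ForEach-Object { Write-Warning $_.ToString() }
```

Listing the three addresses in TrustedHosts instead of `*` keeps the client from sending credentials to any other host it is pointed at.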

It’s still there …

https://powershell.org/forums/topic/request-help-with-script-to-search-multiple-infected-computers-remotely/#post-292129

Must be duplicate post again… I’m wondering if this is due to users getting an error when they post/reply and thinking it didn’t really take but it actually did. At least that’s been my experience.

Thanks everyone! Yeah, I was notified that my first post was removed as spam, so I reposted. Sorry, I guess the first post got un-spammed by a mod or something.

Ironically, our VM server has shit itself for two days now so I haven't had a chance to try the script yet. I did go ahead and order a mini PC to emulate the network at home to keep working, so I'll let you know the results later! Thanks again.