Hello,
I’m fairly new to Jupyter and have been creating various Python playbooks which have worked very well. However, for Incident Response, I need to call PowerShell as well to access remote computers. To do this, I installed PowerShell on CentOS and started getting some basic commands working within Jupyter. Below is working code.
```bash
%%bash
pwsh -c '$computer_name = "xxxxx.domain.com";
new-item -ItemType Directory -Force -path /home/centos/Investigations/$computer_name/;
$credentials = Import-Clixml -Path "/home/centos/cred.xml";
Invoke-Command -ComputerName $computer_name -Authentication Negotiate -Credential $credentials -ScriptBlock {Get-Service} | Where-Object {$_.status -eq "running"} | select-object Name, DisplayName, Status | out-file /home/centos/Investigations/$computer_name/Services.csv;
Invoke-Command -ComputerName $computer_name -Authentication Negotiate -Credential $credentials -ScriptBlock {schtasks /query /fo list /v} | out-file /home/centos/Investigations/$computer_name/ScheduledTasks.txt;
Invoke-Command -ComputerName $computer_name -Authentication Negotiate -Credential $credentials -ScriptBlock {tasklist /v} | out-file /home/centos/Investigations/$computer_name/TaskList.txt;
Invoke-Command -ComputerName $computer_name -Authentication Negotiate -Credential $credentials -ScriptBlock {netstat -naob} | out-file /home/centos/Investigations/$computer_name/Netstat.txt;
Invoke-Command -ComputerName $computer_name -Authentication Negotiate -Credential $credentials -ScriptBlock {Get-WmiObject Win32_NetworkConnection} | out-file /home/centos/Investigations/$computer_name/OutboundSessions.txt'
```
The issue I have with this is keeping the cred.xml file stored on the computer. I would like to make it where I interactively put in the username/password, but I'm not sure how to do that. I looked at using Python’s getpass module and moving these bash commands into os.system or subprocess, but I’m having some issues with that since I need to put in the username, password, and computer name variable and have them inserted into one long PowerShell command.
Any help would be greatly appreciated.
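One way to do what the post asks, as an added example that is not part of the original post: a Python cell prompts with `getpass`, generates the PowerShell script as text, and feeds it to `pwsh -Command -` on stdin. The username and password travel in environment variables that PowerShell turns into a `PSCredential` and then deletes, so the password never appears on the command line (which other users can read via `ps`) and no cred.xml is left on disk. The computer name is validated as a hostname and quoted for PowerShell before it is spliced into the script, so an odd value cannot change what the script does. Assumptions: `pwsh` is on PATH, the environment variable names `IR_USERNAME` / `IR_PASSWORD` are my choice, the Investigations directory is taken from the post, and the services output is written with `Out-File` as in the post, so it is named `Services.txt` rather than `.csv`. Only the script-building and validation helpers are exercised by the test; the remote collection needs a real host.

```python
"""Interactive credentials for a PowerShell collection run from Jupyter (example code,
not from the original post). Names IR_USERNAME / IR_PASSWORD are assumptions."""
import getpass
import os
import re
import subprocess
from pathlib import Path

# RFC-1123 style hostname: labels of letters, digits and hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?)*$"
)

# Output file name -> command run on the remote host (same artifacts as the post).
COLLECTORS = {
    "Services.txt": "Get-Service | Where-Object { $_.Status -eq 'Running' } "
                    "| Select-Object Name, DisplayName, Status",
    "ScheduledTasks.txt": "schtasks /query /fo list /v",
    "TaskList.txt": "tasklist /v",
    "Netstat.txt": "netstat -naob",
    "OutboundSessions.txt": "Get-WmiObject Win32_NetworkConnection",
}


def ps_quote(value: str) -> str:
    """Wrap a string in PowerShell single quotes; a literal quote is doubled."""
    return "'" + value.replace("'", "''") + "'"


def build_script(computer_name: str, out_dir: str) -> str:
    """Return the PowerShell text to run. Credentials are read from the environment
    inside PowerShell, so they are never part of the generated script text."""
    if not HOSTNAME_RE.match(computer_name):
        raise ValueError(f"invalid computer name: {computer_name!r}")
    lines = [
        "$ErrorActionPreference = 'Stop'",
        f"$computer = {ps_quote(computer_name)}",
        f"$outDir = {ps_quote(out_dir)}",
        "New-Item -ItemType Directory -Force -Path $outDir | Out-Null",
        "$secure = ConvertTo-SecureString -String $env:IR_PASSWORD -AsPlainText -Force",
        "Remove-Item Env:IR_PASSWORD",  # drop the plaintext copy as early as possible
        "$cred = New-Object System.Management.Automation.PSCredential($env:IR_USERNAME, $secure)",
    ]
    for filename, command in COLLECTORS.items():
        lines.append(
            "Invoke-Command -ComputerName $computer -Authentication Negotiate "
            f"-Credential $cred -ScriptBlock {{ {command} }} "
            f"| Out-File (Join-Path $outDir {ps_quote(filename)})"
        )
    return "\n".join(lines) + "\n"


def collect(computer_name: str, base_dir: str = "/home/centos/Investigations"):
    """Prompt for credentials, then run the collection script through pwsh.
    Returns (exit code, stdout, stderr) so the cell can show what happened."""
    username = input("Username (DOMAIN\\user): ")
    password = getpass.getpass("Password: ")          # not echoed, not stored on disk
    out_dir = str(Path(base_dir) / computer_name)
    script = build_script(computer_name, out_dir)
    env = dict(os.environ, IR_USERNAME=username, IR_PASSWORD=password)
    # "-Command -" makes pwsh read the script from stdin; the secret is in env, not argv.
    result = subprocess.run(
        ["pwsh", "-NoProfile", "-NonInteractive", "-Command", "-"],
        input=script, text=True, env=env, capture_output=True,
    )
    del env, password
    return result.returncode, result.stdout, result.stderr


if __name__ == "__main__":
    import sys
    code, out, err = collect(sys.argv[1] if len(sys.argv) > 1 else "xxxxx.domain.com")
    print(out, err, sep="\n")
    raise SystemExit(code)
```

In a notebook the whole thing is `rc, out, err = collect("xxxxx.domain.com")`; `getpass` renders a password box in Jupyter. Passing the script on stdin rather than as a `-c` argument also removes the need to fit everything into one quoted shell string, which is what made the bash version awkward to parameterise.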