Invoke-BluGeniePSQuery

SYNOPSIS

Invoke-BluGeniePSQuery will sweep one or more IP addresses to determine if PowerShell 3 or higher is installed.

SYNTAX

Invoke-BluGeniePSQuery [[-System] <String[]>] [[-Range] <String[]>] [[-PassThrough]] [[-PingTimeOut] <Int32>] [[-Force]] [[-JSONJob] <String>] [[-FilterType] <String>] [[-Pattern] <Object>] [[-Run]] [[-LogPath] <String>] [[-LogName] <String>] [[-Walkthrough]] [<CommonParameters>]

DESCRIPTION

Invoke-BluGeniePSQuery queries system information over WMI for one or more IP addresses to determine whether PowerShell 3 or higher is installed. By default a report named "PingReport_D<DATE>_T<TIME>G<GUID>.CSV" is written to the Transcripts directory.

Captured data fields:

Address - Remote IP Address ( 10.20.136.121 )
ComputerName - Remote Host Name ( win7sp1001 )
FQDN - Fully Qualified Domain Name ( WIN7SP1001.TestLab.Com )
FreePhysicalMemoryGB - Free Physical Memory in GB ( .54 )
FreePhysicalMemoryMB - Free Physical Memory in MB ( 558 )
Online - Online Status ( True or False )
OS - Operating System Name ( Microsoft Windows 7 Enterprise )
OSVersion - Operating System Version ( 6.1.7601 )
Compliant - PowerShell Version 3 or Higher ( True )
PowerShellVer - Installed PowerShell Version ( 2.0 )
TotalPhysicalMemoryGB - Total Physical Memory in GB ( 6 )
TotalPhysicalMemoryMB - Total Physical Memory in MB ( 6291000 )
TotalVirtualMemorySizeGB - Total Virtual Memory in GB ( 12 )
TotalVirtualMemorySizeMB - Total Virtual Memory in MB ( 12285 )
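The following is an added example and not BluGenie code: it reproduces the capture and filter steps described above for a few hosts using only built-in Windows PowerShell cmdlets (WMI over DCOM, plus the StdRegProv registry provider to read the installed engine version). The function names Get-PSQueryHostInfo and Select-PSQueryResult, the host list and the report path are assumptions; it needs administrative rights on the target systems.

```powershell
# Added example (not BluGenie code): gather the fields Invoke-BluGeniePSQuery reports for
# one host over WMI/DCOM, then filter the rows the way -FilterType/-Pattern do.
# Function names are assumptions. Requires Windows PowerShell (Get-WmiObject) and admin rights.
function Get-PSQueryHostInfo {
    param(
        [Parameter(Mandatory)][string]$Address,
        [int]$PingTimeOut = 15,     # milliseconds, same default as the cmdlet
        [switch]$Force              # skip the ICMP check, as -Force does
    )
    $row = [ordered]@{
        Address = $Address; ComputerName = $null; FQDN = $null
        Online = $false; OS = $null; OSVersion = $null
        PowerShellVer = $null; Compliant = $false
        FreePhysicalMemoryMB = $null; FreePhysicalMemoryGB = $null
        TotalPhysicalMemoryMB = $null; TotalPhysicalMemoryGB = $null
        TotalVirtualMemorySizeMB = $null; TotalVirtualMemorySizeGB = $null
    }
    if (-not $Force) {
        # Ping.Send takes the timeout in ms; an offline host returns quickly
        $reply = (New-Object System.Net.NetworkInformation.Ping).Send($Address, $PingTimeOut)
        if ($reply.Status -ne 'Success') { return [pscustomobject]$row }
    }
    try {
        # Win32_OperatingSystem reports memory counters in KB
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Address -ErrorAction Stop
        $row.Online       = $true
        $row.ComputerName = $os.CSName
        $row.FQDN         = [System.Net.Dns]::GetHostEntry($Address).HostName
        $row.OS           = $os.Caption.Trim()
        $row.OSVersion    = $os.Version
        $row.FreePhysicalMemoryMB     = [math]::Round($os.FreePhysicalMemory / 1KB)
        $row.FreePhysicalMemoryGB     = [math]::Round($os.FreePhysicalMemory / 1MB, 2)
        $row.TotalPhysicalMemoryMB    = [math]::Round($os.TotalVisibleMemorySize / 1KB)
        $row.TotalPhysicalMemoryGB    = [math]::Round($os.TotalVisibleMemorySize / 1MB, 2)
        $row.TotalVirtualMemorySizeMB = [math]::Round($os.TotalVirtualMemorySize / 1KB)
        $row.TotalVirtualMemorySizeGB = [math]::Round($os.TotalVirtualMemorySize / 1MB, 2)

        # PowerShell 3+ registers its engine under ...\PowerShell\3; 1.0/2.0 only under ...\1
        $reg  = [wmiclass]"\\$Address\root\default:StdRegProv"
        $HKLM = [uint32]2147483650
        foreach ($key in 'SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine',
                         'SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine') {
            $res = $reg.GetStringValue($HKLM, $key, 'PowerShellVersion')
            if ($res.ReturnValue -eq 0 -and $res.sValue) { $row.PowerShellVer = $res.sValue; break }
        }
        if ($row.PowerShellVer) { $row.Compliant = [version]$row.PowerShellVer -ge [version]'3.0' }
    } catch {
        Write-Warning "$Address : $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

# Regex match on one property, the same idea as -FilterType/-Pattern (defaults: Compliant / True)
function Select-PSQueryResult {
    param([object[]]$Results, [string]$FilterType = 'Compliant', [string]$Pattern = 'True')
    $Results | Where-Object { "$($_.$FilterType)" -match $Pattern }
}

# Constructed host list and report path; replace with your own
$results = '10.20.136.51', 'TestPC001' | ForEach-Object { Get-PSQueryHostInfo -Address $_ }
$results | Export-Csv -Path (Join-Path $env:TEMP 'PSQueryReport.csv') -NoTypeInformation
Select-PSQueryResult -Results $results -FilterType OS -Pattern 'Windows\s10' |
    Format-Table Address, OS, PowerShellVer, Compliant
```

Rows for hosts that fail the ping stay in the report with Online set to False, so non-responding systems are still visible when the CSV is reviewed.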

EXAMPLES

EXAMPLE 1

Command: Invoke-BluGeniePSQuery -System 10.20.136.51
Description: Scan the IP address specified and pull System and PowerShell information if the computer is Online!
Notes: A report is generated by default in the Transcripts directory called "PingReport_D<DATE>_T<TIME>G<GUID>.CSV"

EXAMPLE 2

Command: Invoke-BluGeniePSQuery -Range "10.20.136.50-10.20.136.100"
Description: Scan the IP address range specified and pull System and PowerShell information if the computer is Online!
Notes: A report is generated by default in the Transcripts directory called "PingReport_D<DATE>_T<TIME>G<GUID>.CSV"

EXAMPLE 3

Command: Invoke-BluGeniePSQuery -System "10.20.136.1","10.20.136.2","10.20.136.3","10.20.136.4","10.20.136.5","10.20.136.10","10.20.136.11","10.20.136.50","10.20.136.51","10.20.136.52"
Description: Scan the multiple IP addresses specified and pull System and PowerShell information if the computer is Online!
Notes: A report is generated by default in the Transcripts directory called "PingReport_D<DATE>_T<TIME>G<GUID>.CSV"

EXAMPLE 4

Command: Invoke-BluGeniePSQuery -System 'TestPC001','TestPC002','TestPC003' -Force
Description: Scan the hosts and pull System and PowerShell information. Do not process an [ICMP / Ping] request prior to trying to connect.
Notes:

EXAMPLE 5

Command: Invoke-BluGeniePSQuery -System 'TestPC001','TestPC002','TestPC003' -PassThrough
Description: Scan the hosts and update the BluGenie Systems list with any remote computer that is PowerShell 3 or higher (Default Filter)
Notes:

EXAMPLE 6

Command: Invoke-BluGeniePSQuery -Range "10.20.136.50-10.20.136.100" -PingTimeOut 5
Description: Scan the ip address range specified, and update the Ping Time Out to 5 ms.
Notes: This speeds up the process for systems that are not online. The default value is 15, which is still very fast.

EXAMPLE 7

\Job.JSON'
Description: Import settings from a JSON job file and Scan the specified systems from the JSON file and pull System and PowerShell information if the computer is Online!
Notes:

EXAMPLE 8

\Job.JSON' -PassThrough
Description: Import settings from a JSON job file, Scan the specified systems from the JSON file, and update the BluGenie Systems list with any remote computer that is PowerShell 3 or higher
Notes: -FilterType is set to filter (Compliant) by default and -Pattern is set to (True) so only machines with PowerShell 3 or higher will be found.

EXAMPLE 9

\Job.JSON' -PassThrough -FilterType OS -Pattern 'Windows\s10'
Description: Import settings from a JSON job file, Scan the specified systems from the JSON file, and update the BluGenie Systems list with any remote computer that is (Windows 10)
Notes:

EXAMPLE 10

\Job.JSON' -PassThrough -FilterType OS -Pattern 'Windows\s10' -Run
Description: Import settings from a JSON job file, Scan the specified systems from the JSON file, update the BluGenie Systems list with any remote computer that is (Windows 10), and Run all remote commands on the updated computer list
Notes:

EXAMPLE 11

\Job.JSON' -LogName 'BG_System_Query'
Description: Import settings from a JSON job file, Scan the specified systems from the JSON file, and save a report named (BG_System_Query.CSV and BG_System_Query.JSON) to the Current Transcript Directory
Notes:

EXAMPLE 12

\Job.JSON' -LogName 'BG_System_Query' -LogPath 'C:\Temp'
Description: Import settings from a JSON job file, Scan the specified systems from the JSON file, and save a report named (BG_System_Query.CSV and BG_System_Query.JSON) to the directory given by -LogPath (C:\Temp) instead of the Current Transcript Directory
Notes:

EXAMPLE 13

Command: Invoke-BluGeniePSQuery -Help
Description: Call Help Information
Notes: If Help / WalkThrough is set up as a parameter, this script is called to set up the Dynamic Help Menu; if not, the normal Get-Help is called with the -Full parameter

EXAMPLE 14

Command: Invoke-BluGeniePSQuery -WalkThrough
Description: Call Help Information [2]
Notes: If Help / WalkThrough is set up as a parameter, this script is called to set up the Dynamic Help Menu; if not, the normal Get-Help is called with the -Full parameter

PARAMETERS

System

-System <String[]>
   Description: IP Address or Host name to Query
   Notes: System names can also be called from BluGenie's system list if the System parameter is not set.
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    1
   Default value                $global:ConsoleSystems
   Accept pipeline input?       false
   Accept wildcard characters?  false

Range

-Range <String[]>
   Description: Range of IP Addresses to Query 
   Notes: Range information can also be called from BluGenie's range list if the Range parameter is not set.
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    2
   Default value                $global:ConsoleRange
   Accept pipeline input?       false
   Accept wildcard characters?  false

PassThrough

-PassThrough [<SwitchParameter>]
   Description: Update the BGConsole System Array list with all systems that match the filtered information
   Notes:  
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    3
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

PingTimeOut

-PingTimeOut <Int32>
   Description: [TTL] - Time to live ping setting, in milliseconds
   Notes: The default is 15 ms
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    4
   Default value                15
   Accept pipeline input?       false
   Accept wildcard characters?  false

Force

-Force [<SwitchParameter>]
   Description: Force a connection without first sending an ICMP (Internet Control Message Protocol) ping request
   Notes:  
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    5
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

JSONJob

-JSONJob <String>
   Description: Use a JSON job file to import settings
   Notes:  
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    6
   Default value                
   Accept pipeline input?       false
   Accept wildcard characters?  false

FilterType

-FilterType <String>
   Description: Which property to filter by
   Notes:  
           Filter Option = Address                     - Remote IP Address                   ( 10.20.136.121 )
           Filter Option = ComputerName                - Remote Host Name                    ( win7sp1001 )
           Filter Option = FQDN                        - Fully Qualified Domain Name         ( WIN7SP1001.TestLab.Com )
           Filter Option = FreePhysicalMemoryGB        - Free Physical Memory in GB          ( .54 )
           Filter Option = FreePhysicalMemoryMB        - Free Physical Memory in MB          ( 558 )
           Filter Option = Online                      - Online Status                       ( True or False )
           Filter Option = OS                          - Operating System Name               ( Microsoft Windows 7 Enterprise )
           Filter Option = OSVersion                   - Operating System Version            ( 6.1.7601 )
           Filter Option = Compliant                   - PowerShell Version 3 or Higher      ( True or False ) **Default Search Field**
           Filter Option = PowerShellVer               - Installed PowerShell Version        ( 2.0 )
           Filter Option = TotalPhysicalMemoryGB       - Total Physical Memory in GB         ( 6 )
           Filter Option = TotalPhysicalMemoryMB       - Total Physical Memory in MB         ( 6291000 )
           Filter Option = TotalVirtualMemorySizeGB    - Total Virtual Memory in GB          ( 12 )
           Filter Option = TotalVirtualMemorySizeMB    - Total Virtual Memory in MB          ( 12285 )
   Alias:
   ValidateSet: 'Name','Address','ComputerName','FQDN','FreePhysicalMemoryGB','FreePhysicalMemoryMB','Online','OS','OSVersion','Compliant','PowerShellVer','TotalPhysicalMemoryGB','TotalPhysicalMemoryMB','TotalVirtualMemorySizeGB','TotalVirtualMemorySizeMB'
   
   Required?                    false
   Position?                    7
   Default value                Compliant
   Accept pipeline input?       false
   Accept wildcard characters?  false

Pattern

-Pattern <Object>
   Description: Search Pattern using RegEx
   Notes: Using -SearchHidden will convert the Pattern to RegEx automatically, but without the comma or the -SearchHidden the -Pattern is viewed as a Command Console search pattern. You can use (*) wildcards.
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    8
   Default value                True
   Accept pipeline input?       false
   Accept wildcard characters?  false

Run

-Run [<SwitchParameter>]
   Description: Process any command(s) from the JSON Job file on any of the systems filtered by PSQuery.
   Notes: 
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    9
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

LogPath

-LogPath <String>
   Description: Path to save the Log File
   Notes: Default is the ( $TranscriptsDir ) Transcript Directory
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    10
   Default value                $TranscriptsDir
   Accept pipeline input?       false
   Accept wildcard characters?  false

LogName

-LogName <String>
   Description: Name of the Report(s)
   Notes: There are 2 reports that get generated (*.CSV, and *.JSON).  The default file name is ( PingReport_D<Current Date>_T<Current Time>G_<5 Digit UID> )
   Alias:
   ValidateSet:
   
   Required?                    false
   Position?                    11
   Default value                $($('PingReport_D{0}G_{1}' -f $(New-TimeStamp), $(New-UID -NumPerSet 5 -NumOfSets 1)) -replace '(\d)_(\d)','$1_T$2')
   Accept pipeline input?       false
   Accept wildcard characters?  false

Walkthrough

-Walkthrough [<SwitchParameter>]
   Description: Start the dynamic help menu system to help walk through the current command and all of the parameters
   Notes:  
   Alias: Help
   ValidateSet:
   
   Required?                    false
   Position?                    12
   Default value                False
   Accept pipeline input?       false
   Accept wildcard characters?  false

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Last updated 3 years ago