1
00:00:00,240 --> 00:00:01,210
[Autogenerated] So now that we've looked

2
00:00:01,210 --> 00:00:05,360
at how to review and see the CIM classes

3
00:00:05,360 --> 00:00:07,790
and the commands, how do we execute

4
00:00:07,790 --> 00:00:11,370
commands using CIM? Well, first off, CIM

5
00:00:11,370 --> 00:00:13,840
commands are based on verbs, just like

6
00:00:13,840 --> 00:00:15,140
they would be with anything. In

7
00:00:15,140 --> 00:00:17,650
PowerShell, we have the Get command, the

8
00:00:17,650 --> 00:00:20,630
Invoke command, the New command; we can

9
00:00:20,630 --> 00:00:23,050
register something, we can remove something,

10
00:00:23,050 --> 00:00:26,460
or set something. So just like most common

11
00:00:26,460 --> 00:00:28,810
PowerShell commands, they are prefixed

12
00:00:28,810 --> 00:00:32,490
with a verb. So what are the common CIM

13
00:00:32,490 --> 00:00:34,610
commands that we would utilize? Well,

14
00:00:34,610 --> 00:00:36,810
firstly, Get-CimInstance is one of the

15
00:00:36,810 --> 00:00:38,910
most common. This will get you the CIM

16
00:00:38,910 --> 00:00:42,240
instances of a class from the CIM

17
00:00:42,240 --> 00:00:44,780
server. What I mean by the CIM server is

18
00:00:44,780 --> 00:00:46,680
just the server or the workstation that

19
00:00:46,680 --> 00:00:50,540
you're connected to. New-CimSession will

20
00:00:50,540 --> 00:00:53,520
create us a remote session or a CIM

21
00:00:53,520 --> 00:00:56,020
session to the machine that we've

22
00:00:56,020 --> 00:00:58,980
targeted. Then, of course, we have

23
00:00:58,980 --> 00:01:01,910
Invoke-CimMethod, which will allow us to invoke

24
00:01:01,910 --> 00:01:04,220
any methods that are associated with a

25
00:01:04,220 --> 00:01:07,060
class. So, for example, if we did

26
00:01:07,060 --> 00:01:09,890
Win32_Process as the class, we know

27
00:01:09,890 --> 00:01:11,770
that when we retrieve the processes,

28
00:01:11,770 --> 00:01:14,300
we can filter to a specific one. So, for

29
00:01:14,300 --> 00:01:17,400
example, notepad.exe. There are also

30
00:01:17,400 --> 00:01:20,560
methods associated with that, such as

31
00:01:20,560 --> 00:01:23,630
start, stop, etcetera. So we're able to

32
00:01:23,630 --> 00:01:26,740
invoke the methods. So let's look at the

33
00:01:26,740 --> 00:01:29,730
Get-CimInstance. The first option we have

34
00:01:29,730 --> 00:01:33,250
is we can query all CIM instances by using

35
00:01:33,250 --> 00:01:36,000
the select kind of syntax. So we can

36
00:01:36,000 --> 00:01:38,690
either use a query command or we can use

37
00:01:38,690 --> 00:01:41,760
a filter cmdlet. Either will work. If we

38
00:01:41,760 --> 00:01:44,970
use Query, it's a select star from

39
00:01:44,970 --> 00:01:47,740
whatever the class would be, and then

40
00:01:47,740 --> 00:01:49,560
whatever the query would be. So in this

41
00:01:49,560 --> 00:01:51,450
instance, it's going to get me all the

42
00:01:51,450 --> 00:01:54,330
instances that start with the letter P in

43
00:01:54,330 --> 00:01:58,030
the process class. We could also do the

44
00:01:58,030 --> 00:02:00,400
same by just filtering it to the class

45
00:02:00,400 --> 00:02:04,920
name and then saying Filter by specifics.

46
00:02:04,920 --> 00:02:06,860
Now both of these will retrieve the same

47
00:02:06,860 --> 00:02:10,530
values but just be filtered differently.

48
00:02:10,530 --> 00:02:12,180
The next option is we could actually say

49
00:02:12,180 --> 00:02:14,910
retrieve specific properties using that

50
00:02:14,910 --> 00:02:17,580
same instance. So by default, when we

51
00:02:17,580 --> 00:02:20,380
retrieve a CIM instance, we're normally

52
00:02:20,380 --> 00:02:22,580
just saying, Get me the class name, maybe

53
00:02:22,580 --> 00:02:24,630
we're filtering, but this way we could

54
00:02:24,630 --> 00:02:26,600
actually get the properties that we would

55
00:02:26,600 --> 00:02:29,050
need. Now, think about this: when I say

56
00:02:29,050 --> 00:02:31,760
Get-CimInstance and Query, I'm literally

57
00:02:31,760 --> 00:02:35,950
just getting the actual class itself. So

58
00:02:35,950 --> 00:02:37,290
there are times when you might want to

59
00:02:37,290 --> 00:02:39,440
get the specific value. So in this example

60
00:02:39,440 --> 00:02:41,730
here I'm using the property value and

61
00:02:41,730 --> 00:02:44,030
saying, Get me the name of the process and

62
00:02:44,030 --> 00:02:45,980
the kernel mode time, so the time it's been

63
00:02:45,980 --> 00:02:48,330
executing. I can then retrieve it as a

64
00:02:48,330 --> 00:02:51,560
static kind of list, or I can use standard

65
00:02:51,560 --> 00:02:54,350
PowerShell cmdlets such as Format-Table,

66
00:02:54,350 --> 00:02:57,670
etcetera. So let's look at the

67
00:02:57,670 --> 00:03:00,490
New-CimSession. So we can create a CIM

68
00:03:00,490 --> 00:03:02,150
session just with all the standard

69
00:03:02,150 --> 00:03:04,990
defaults by just saying New-CimSession, and

70
00:03:04,990 --> 00:03:07,070
that will just create a CIM session that

71
00:03:07,070 --> 00:03:09,880
we need. What we can do is we can create

72
00:03:09,880 --> 00:03:12,600
remote sessions to specific computer

73
00:03:12,600 --> 00:03:14,790
names, and then we can assign a name to

74
00:03:14,790 --> 00:03:16,950
them. So in this instance, even though I'm

75
00:03:16,950 --> 00:03:18,980
connecting to the local host, it would

76
00:03:18,980 --> 00:03:20,690
technically be classed as a remote

77
00:03:20,690 --> 00:03:23,170
connection because I'm not just allowing

78
00:03:23,170 --> 00:03:24,800
the CIM session to use its default

79
00:03:24,800 --> 00:03:27,840
options. I've specified the computer name

80
00:03:27,840 --> 00:03:30,280
and the name that I would like to assign to

81
00:03:30,280 --> 00:03:34,080
that session. We can also pass credentials.

82
00:03:34,080 --> 00:03:35,770
So if you're trying to connect to a

83
00:03:35,770 --> 00:03:38,240
different device. So let's say I want to

84
00:03:38,240 --> 00:03:39,940
connect to a different server or a

85
00:03:39,940 --> 00:03:42,250
different workstation. Then you can pass

86
00:03:42,250 --> 00:03:44,700
credentials using standard Get-Credential

87
00:03:44,700 --> 00:03:46,950
and then New-CimSession, computer name,

88
00:03:46,950 --> 00:03:48,980
pass the credentials and then the

89
00:03:48,980 --> 00:03:50,400
authentication type, which in this

90
00:03:50,400 --> 00:03:53,210
instance will be Negotiate. Now, what

91
00:03:53,210 --> 00:03:56,310
about if we want to invoke a method? Well,

92
00:03:56,310 --> 00:03:59,590
firstly, we can use Invoke-CimMethod, and

93
00:03:59,590 --> 00:04:01,260
notice what we're doing here. We're

94
00:04:01,260 --> 00:04:05,380
querying for a specific process, and then

95
00:04:05,380 --> 00:04:07,110
that means we would need to know what the

96
00:04:07,110 --> 00:04:09,310
method name is so that we can do

97
00:04:09,310 --> 00:04:11,310
something. So, for example, I could say

98
00:04:11,310 --> 00:04:14,130
select star from Win32_Process where the name is

99
00:04:14,130 --> 00:04:17,380
like notepad or cmd, and then I can either

100
00:04:17,380 --> 00:04:21,180
start, stop, terminate or restart or

101
00:04:21,180 --> 00:04:22,650
whatever the methods that would be

102
00:04:22,650 --> 00:04:24,970
available. So you do need to know what the

103
00:04:24,970 --> 00:04:27,610
methods are before you can execute

104
00:04:27,610 --> 00:04:30,500
this command. Now we could do the same

105
00:04:30,500 --> 00:04:33,930
thing by running a process with specific

106
00:04:33,930 --> 00:04:36,430
arguments. So where we can do this

107
00:04:36,430 --> 00:04:38,660
is we can use Invoke-CimMethod, get the

108
00:04:38,660 --> 00:04:41,150
class, the method name. Remember, the key

109
00:04:41,150 --> 00:04:43,540
here is knowing what the method names are,

110
00:04:43,540 --> 00:04:45,230
which in this instance would be Create

111
00:04:45,230 --> 00:04:47,000
because I want to create a new instance

112
00:04:47,000 --> 00:04:48,730
of that one, and then we can use

113
00:04:48,730 --> 00:04:51,590
arguments and then we can basically do

114
00:04:51,590 --> 00:04:53,780
like key value pairs. So we can say the

115
00:04:53,780 --> 00:04:57,010
command line is equal to cmd.exe and the

116
00:04:57,010 --> 00:04:59,430
current directory is so-and-so. What that

117
00:04:59,430 --> 00:05:02,570
means is it will launch that process

118
00:05:02,570 --> 00:05:05,150
because we told it to create with those

119
00:05:05,150 --> 00:05:07,430
arguments associated to it. So this is

120
00:05:07,430 --> 00:05:09,600
really powerful because it means that when

121
00:05:09,600 --> 00:05:12,910
we're scripting things, maybe a full-on

122
00:05:12,910 --> 00:05:15,860
PowerShell script that does XYZ tasks,

123
00:05:15,860 --> 00:05:20,000
then we can actually pass things like this into it to do things for us.

