Sending Powershell Messages to Slack using Webhooks
Setting up quick monitoring notifications that are sent via Powershell to Slack channels.
First, if you don't yet have Slack installed, we will have to download it. To download Slack, go to Slack.com, click on 'Try it for free' and create an account or continue with a Google Account.
This will automatically create a new workspace. Slack will automatically continue with the Slack webclient which is pretty bad. I recommend downloading the Slack App. For that, go to this link and download the App.
Start the app and log in with your account. Once you are logged in, give your workspace a name. The step 'add teammates' can be skipped if you don't plan on inviting more people. In the next step you will be asked to name a project you're currently working on. I named it 'Monitoring', since that is a fitting name for what we are going to do.
Click 'Next' once done. This will create the channel.
Since this is a channel for Monitoring purposes, which might contain sensitive information, we might want to switch this channel to private. For this, right click on 'Monitoring' - 'View channel details' - and click on 'Change to a private channel'.
!!! info
    You don't have to do this for lab purposes, but it's generally a good security thing to do.
Once this is done, we want to integrate the Webhook into our channel. For that, go to Integrations, add an app and search for 'Webhook' and add the following app:
Add the App to your channel and make sure to note down the Webhook URL of your channel, which is shown in the process. We will need this URL to set up the PowerShell messages.
Once we successfully added the app, we can look at how to send messages from the system we wish to monitor. So, how do we send messages to the channel now? We can do this in a quick way using Powershell.
From the system you want to monitor/send messages from, open up Powershell. The code will consist of 2 parts. First:
```powershell title="The body variable"
$body = ConvertTo-Json @{
    username = "Bot"
    pretext = "Automated Alert"
    text = "Important Message"
}
```

```powershell title="The actual HTTPS request"
Invoke-RestMethod "https://hooks.slack.com/services/<your link>" -Method Post -Body $body -ContentType 'application/json'
```
The final result should look as follows:
Once this is sent, we will receive the message in the corresponding Slack channel almost instantly:
From here, we could modify this as we wish.
If we want to give the Bot an icon, we can change the code as follows:

```powershell
$body = ConvertTo-Json @{
    username = "Bot"
    pretext = "Automated Alert"
    text = "Important Message"
    icon_emoji = "ghost"
}
```

There are multiple emojis you can use; this is just an example. The result should look like this:
!!! info
    For this to update correctly, you might have to send a message yourself to the channel and/or send the Bot message multiple times because of caching.
Once we have made sure this works, we can look at how to get meaningful information back, since currently we are not getting back any useful monitoring information. As a start, we could get back the hostname and the current user of the system the message is coming from.
We can do that as follows:
```powershell
$msg = "Hostname: ${env:computername}`nUsername: ${env:username}"
$body = ConvertTo-Json @{
    username = "Bot"
    pretext = "Automated Alert"
    text = $msg
    icon_emoji = "ghost"
}
```
Then, send the message to the channel again:
```powershell
Invoke-RestMethod "https://hooks.slack.com/services/<your link>" -Method Post -Body $body -ContentType 'application/json'
```
This should look as follows:
And we should be receiving the alert instantly:
This sets the base for the more in-depth and automated monitoring we can set up in the future. In future posts, I will take a look at how to use this in combination with Sysmon to send automated messages upon unwanted actions, such as blocking unwanted files, which can be super helpful.
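
Anyone who holds the Webhook URL can post to the channel, so it is worth keeping it out of the script itself. The following is an added example, not code from the original post: it wraps the two steps above in a reusable function that reads the URL from an environment variable and handles a failed request. The function names and the `SLACK_WEBHOOK_URL` variable name are assumptions chosen for illustration.

```powershell
# Added example: hypothetical helper functions, not part of the original post.
function New-SlackAlertBody {
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$Username = 'Bot',
        [string]$IconEmoji = 'ghost'
    )
    # Same fields as the post's $body, with host and user context prepended.
    $msg = "Hostname: ${env:computername}`nUsername: ${env:username}`n$Text"
    ConvertTo-Json @{
        username   = $Username
        pretext    = 'Automated Alert'
        text       = $msg
        icon_emoji = $IconEmoji
    }
}

function Send-SlackAlert {
    param([Parameter(Mandatory)][string]$Text)

    # Assumption: the webhook URL is stored in an environment variable named
    # SLACK_WEBHOOK_URL instead of being written into the script.
    $uri = $env:SLACK_WEBHOOK_URL
    if ([string]::IsNullOrWhiteSpace($uri)) {
        throw 'SLACK_WEBHOOK_URL is not set.'
    }
    # Refuse anything that is not an HTTPS Slack webhook address.
    if ($uri -notmatch '^https://hooks\.slack\.com/services/') {
        throw 'SLACK_WEBHOOK_URL does not look like a Slack incoming webhook URL.'
    }

    # Windows PowerShell 5.1 may default to older TLS versions.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    $body = New-SlackAlertBody -Text $Text
    try {
        Invoke-RestMethod -Uri $uri -Method Post -Body $body -ContentType 'application/json' | Out-Null
        return $true
    }
    catch {
        # Log only the exception message, never $uri or $body.
        Write-Warning "Slack alert failed: $($_.Exception.Message)"
        return $false
    }
}

Send-SlackAlert -Text 'Important Message'  # usage; throws if the variable is unset
```

If the URL ever ends up in a shared script, log or repository, revoke it in the Slack integration settings and generate a new one.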








