PowerShell

ABOUT

PowerShell is a powerful task automation and configuration management framework developed by Microsoft, built on the .NET framework. It includes a command-line shell and a scripting language designed to automate tasks across Windows systems, such as managing processes, services, files, and configurations. PowerShell is more powerful and flexible than the traditional Command Prompt (cmd) and integrates deeply with system administration tools.

ALSO WE COULD USE CMD COMMANDS WITH CMD /C {COMMAND}

TO CHECK AVAILABLE MODULES JUST USE Get-Module

ALIASES

Many cmdlets in PowerShell also have aliases. For example, the aliases for the cmdlet Set-Location, to change directories, is either cd or sl. We can view all available aliases by typing Get-Alias.

PS C:\> get-alias

CommandType     Name                               Version    Source
-----------     ----                               -------    ------
Alias           % -> ForEach-Object
Alias           ? -> Where-Object
Alias           ac -> Add-Content
Alias           asnp -> Add-PSSnapin
Alias           cat -> Get-Content
Alias           cd -> Set-Location

We can also set up our own aliases with New-Alias and get the alias for any cmdlet with Get-Alias -Name.

PS C:\> New-Alias -Name "Show-Files" Get-ChildItem
PS C:\> Get-Alias -Name "Show-Files"

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Alias           Show-Files

RUNNING SCRIPTS

PowerShell ISE (Integrated Scripting Environment) allows users to write PowerShell scripts on the fly. It also has an autocomplete/lookup function for PowerShell commands. The PowerShell ISE allows us to write and run scripts in the same console, which allows for quick debugging.

Examples:

PS C:\> .\PowerView.ps1; Get-LocalGroup | fl

Import scripts so that all functions could be used in our PowerShell session

PS C:\> Import-Module .\PowerView.ps1

EXECUTION POLICY

Execution Policy, is security feature to control script execution and prevent the execution of malicious scripts.

Execution policy is not a security boundary and can be bypassed by

• Typing the script directly into the console.

• Using encoded commands or adjusting policy temporarily.

Changing the execution policy for the current process (session).

PS C:\> Set-ExecutionPolicy Bypass -Scope Process

View execution policy

PS C:\> Get-ExecutionPolicy -List

Policy	Description
AllSigned	Scripts need a trusted publisher's signature. Prompts for untrusted publishers.
Bypass	No restrictions; no warnings or prompts.
Default	Default: Restricted for desktops, RemoteSigned for servers.
RemoteSigned	Local scripts can run; downloaded scripts require a digital signature.
Restricted	Blocks script execution; allows individual commands.
Undefined	No policy set; defaults to Restricted.
Unrestricted	Allows unsigned scripts; warns for non-local intranet scripts.

CMDLETS

Cmdlets are specialized commands in PowerShell. They follow a consistent verb-noun naming (Get-Process) to indicate their action and the object they operate on.

DOWNGRADE POWERSHELL

PowerShell event logging became a thing after 3.0 and later version. BUT if we want to be sneaky we'll better try to downgrade to older versions of Powershell so we can use commands without detection.

PS C:\> Get-host # Shows current powershell host
PS C:\> powershell.exe -version 2

AM I ALONE

Check if there are another user in your sessions because otherwise they could notice your actions and call administrator.

PS C:\> qwinsta

USEFUL COMMANDS

Usually in all sections there are hacking-specific or enumeration commands, but here is just commands that is helped me and I think is quite useful

Delete File

Remove-Item C:\Users\solomon.reed\Documents\SharpHound.ps1