{"id":13539360,"url":"https://github.com/bitsadmin/nopowershell","last_synced_at":"2025-05-15T01:09:26.842Z","repository":{"id":42702190,"uuid":"159565017","full_name":"bitsadmin/nopowershell","owner":"bitsadmin","description":"PowerShell rebuilt in C# for Red Teaming purposes","archived":false,"fork":false,"pushed_at":"2025-04-11T09:25:41.000Z","size":1177,"stargazers_count":980,"open_issues_count":1,"forks_count":138,"subscribers_count":22,"default_branch":"master","last_synced_at":"2025-05-13T22:01:47.626Z","etag":null,"topics":["cobaltstrike","powershell","redteaming"],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bitsadmin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-11-28T21:07:51.000Z","updated_at":"2025-05-13T15:44:58.000Z","dependencies_parsed_at":"2022-08-29T13:52:50.653Z","dependency_job_id":"d32cbfbf-8199-4fe6-ab8a-f025d330d20a","html_url":"https://github.com/bitsadmin/nopowershell","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitsadmin%2Fnopowershell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitsadmin%2Fnopowershell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitsadmin%2Fnopowershell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitsadmin%2Fnopowershell/manifests","owner_url":"https://repos.ecosyste
.ms/api/v1/hosts/GitHub/owners/bitsadmin","download_url":"https://codeload.github.com/bitsadmin/nopowershell/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254254043,"owners_count":22039792,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cobaltstrike","powershell","redteaming"],"created_at":"2024-08-01T09:01:24.189Z","updated_at":"2025-05-15T01:09:21.834Z","avatar_url":"https://github.com/bitsadmin.png","language":"C#","readme":"# NoPowerShell\r\nNoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No `System.Management.Automation.dll` is used; only native .NET libraries. An alternative use case for NoPowerShell is to launch it as a DLL via rundll32.exe in a restricted environment: `rundll32 NoPowerShell.dll,main`.\r\n\r\nThis project makes it easy for everyone to extend its functionality using only a few lines of C# code. For more info, see [CONTRIBUTING.md](https://github.com/bitsadmin/nopowershell/blob/master/CONTRIBUTING.md).\r\n\r\nThe latest binaries are available from the [Releases](https://github.com/bitsadmin/nopowershell/releases) page. Bleeding-edge code is available in the [DEV](https://github.com/bitsadmin/nopowershell/tree/dev) branch. 
To kickstart your NoPowerShell skills, make sure to also check out the cmdlet [Cheatsheet](https://github.com/bitsadmin/nopowershell/blob/master/CHEATSHEET.md).\r\n\r\n# Screenshots\r\n## Running in Cobalt Strike\r\n![NoPowerShell supported commands](https://raw.githubusercontent.com/bitsadmin/nopowershell/master/Pictures/CurrentlySupportedCommands.png \"NoPowerShell in Cobalt Strike\")\r\n## Sample execution of commands\r\n![NoPowerShell sample commands](https://raw.githubusercontent.com/bitsadmin/nopowershell/master/Pictures/SampleCommands.png \"NoPowerShell in Cobalt Strike\")\r\n## Rundll32 version\r\n![NoPowerShellDll via rundll32](https://raw.githubusercontent.com/bitsadmin/nopowershell/master/Pictures/NoPowerShellDll.png \"NoPowerShellDll via rundll32\")\r\n\r\n# Why NoPowerShell\r\nNoPowerShell is developed to be used with the `execute-assembly` command of Cobalt Strike or in a restricted environment using `rundll32`.\r\nReasons to use NoPowerShell:\r\n- Executes fairly stealthily\r\n- Powerful functionality\r\n- Provides the cmdlets you are already familiar with in PowerShell, so no need to learn yet another tool\r\n- If you are not yet very familiar with PowerShell, the cmd.exe aliases are available as well (e.g. `ping` instead of `Test-NetConnection`)\r\n- When cmdlets are not available via `powerpick` or `powershell`, they _are_ available in `nps` (e.g. cmdlets from the ActiveDirectory module)\r\n- Easily extensible with only a few lines of C#\r\n\r\n# Usage\r\n## Examples\r\nSee [CHEATSHEET.md](https://github.com/bitsadmin/nopowershell/blob/master/CHEATSHEET.md).\r\n\r\n## Use in Cobalt Strike via execute-assembly\r\nUse Cobalt Strike's `execute-assembly` command to launch `NoPowerShell.exe`. For example `execute-assembly /path/to/NoPowerShell.exe Get-Command`.\r\nOptionally `NoPowerShell.cna` can be used to add the `nps` alias to Cobalt Strike.\r\n\r\n## Use in Cobalt Strike via BOF.NET\r\n1. 
Install the BOF.NET BOF from https://github.com/CCob/BOF.NET\r\n2. Load the BOF.NET runtime: `bofnet_init`\r\n3. Load the NoPowerShell module: `bofnet_load /path/to/NoPowerShell.dll`\r\n4. Execute NoPowerShell cmdlets: `bofnet_execute NoPowerShell.Program Get-Command`\r\n\r\n## Use in Cobalt Strike using @williamknows fork of BOF.NET\r\nThis fork allows running regular .NET executables\r\n1. Obtain and compile @williamknows' fork of the BOF.NET from https://github.com/CCob/BOF.NET\r\n2. Load the BOF.NET runtime: `bofnet_init`\r\n3. Load the NoPowerShell module: `bofnet_load /path/to/NoPowerShell.exe`\r\n4. Execute NoPowerShell cmdlets: `bofnet_executeassembly NoPowerShell Get-Command`\r\n\r\n## Launch via rundll32\r\n1. Create a new shortcut to `NoPowerShell.dll` file (drag using right click -\u003e Create shortcuts here)\r\n2. Update the shortcut prefixing the filename with `rundll32` and appending `,main`\r\n3. The shortcut will now look like `rundll32 C:\\Path\\to\\NoPowerShell.dll,main`\r\n4. 
Double click the shortcut\r\n\r\n## Note\r\nWhen using NoPowerShell from cmd.exe or PowerShell, you need to escape the pipe character (`|`) with respectively a caret (`^`) or a backtick (`` ` ``), e.g.:\r\n\r\n- cmd.exe: `ls ^| select Name`\r\n- PowerShell: ```ls `| select Name```\r\n\r\n# Known issues\r\n- Pipeline characters need to be surrounded by spaces\r\n- TLS 1.1+ is not supported by .NET Framework 2, so any site enforcing it will result in a connection error\r\n\r\n# Improvements\r\n- Fix above issues\r\n- Improve stability by adding exception handling\r\n- Support for parameter groups\r\n- Add support for .NET code in commandline, e.g.: `[System.Security.Principal.WindowsIdentity]::GetCurrent().Name`\r\n\r\n# Requested NoPowerShell cmdlets\r\n| Cmdlet | Description |\r\n| - | - |\r\n| Invoke-Command | Using PSRemoting execute a command on a remote machine (which in that case will of course be logged) |\r\n| Get-Service | Include option to also show service paths like in `sc qc` |\r\n| * | More \\*-Item\\* commands |\r\n| Search-ADAccount | |\r\n| Get-ADPrincipalGroupMembership | |\r\n| Get-ADOrganizationalUnits | |\r\n| * | More commands from the `ActiveDirectory` PowerShell module |\r\n| * | Sysinternals utilities like `pipelist` and `sdelete` |\r\n\r\n# Contributed NoPowerShell cmdlets\r\nAuthors of additional NoPowerShell cmdlets are added to the table below. Moreover, the table lists commands that are requested by the community to add. 
Together we can develop a powerful NoPowerShell toolkit!\r\n\r\n| Cmdlet | Contributed by | GitHub | Twitter | Description |\r\n| - | - | - | - | - |\r\n|  |  |  |  |  |\r\n\r\n# Included NoPowerShell cmdlets\r\n| Cmdlet | Module | Notes |\r\n| - | - | - |\r\n| Get-ADGroup | ActiveDirectory | |\r\n| Get-ADGroupMember | ActiveDirectory | |\r\n| Get-ADComputer | ActiveDirectory | |\r\n| Get-ADObject | ActiveDirectory | |\r\n| Get-ADUser | ActiveDirectory | |\r\n| Get-ADTrust | ActiveDirectory | |\r\n| Get-WinStation | Additional | |\r\n| Get-RemoteSmbShare | Additional | |\r\n| Get-Whoami | Additional | whoami.exe /ALL is not implemented yet |\r\n| Expand-Archive | Archive | Requires .NET 4.5+ |\r\n| Compress-Archive | Archive | Requires .NET 4.5+ |\r\n| Where-Object | Core | |\r\n| Get-Help | Core | |\r\n| Get-Command | Core | |\r\n| Resolve-DnsName | DnsClient | |\r\n| Get-LocalGroup | LocalAccounts | |\r\n| Get-LocalGroupMember | LocalAccounts | |\r\n| Get-LocalUser | LocalAccounts | |\r\n| Get-ItemProperty | Management | |\r\n| Invoke-WmiMethod | Management | |\r\n| Remove-Item | Management | |\r\n| Copy-Item | Management | |\r\n| Get-Content | Management | |\r\n| Get-ChildItem | Management | |\r\n| Get-WmiObject | Management | |\r\n| Get-Process | Management | |\r\n| Stop-Process | Management | |\r\n| Get-HotFix | Management | |\r\n| Get-PSDrive | Management | |\r\n| Get-ItemPropertyValue | Management | |\r\n| Set-Clipboard | Management | |\r\n| Get-DnsClientCache | Management | |\r\n| Get-ComputerInfo | Management | |\r\n| Get-Clipboard | Management | |\r\n| Get-NetRoute | NetTCPIP | |\r\n| Get-NetIPAddress | NetTCPIP | |\r\n| Get-NetNeighbor | NetTCPIP | No support for IPv6 yet |\r\n| Test-NetConnection | NetTCPIP | |\r\n| Get-GetNetTCPConnection | NetTCPIP | |\r\n| Get-SmbShare | SmbShare | |\r\n| Get-SmbMapping | SmbShare | |\r\n| Format-Table | Utility | |\r\n| Sort-Object | Utility | |\r\n| Export-Csv | Utility | |\r\n| Format-List | Utility | |\r\n| 
Select-Object | Utility | |\r\n| Out-File | Utility | |\r\n| Write-Output | Utility | |\r\n| Invoke-WebRequest | Utility | |\r\n| Measure-Object | Utility | |\r\n\r\nAlso make sure to check out the [Cheatsheet](https://github.com/bitsadmin/nopowershell/blob/master/CHEATSHEET.md) for examples on how to use these cmdlets.\r\n\r\n# Acknowledgements\r\nVarious NoPowerShell cmdlets and NoPowerShell DLL include code created by other developers.\r\n\r\n| Who | Website | Notes |\r\n| - | - | - |\r\n| Contributors of pinvoke.net | https://www.pinvoke.net/ | Various cmdlets use snippets from pinvoke |\r\n| Michael Conrad | https://github.com/MichaCo/ | Parts of the Resolve-Dns cmdlet are based on the code of the DnsClient.Net project |\r\n| Rex Logan | https://stackoverflow.com/a/1148861 | Most code of the Get-NetNeighbor cmdlet originates from his StackOverflow post |\r\n| PowerShell developers | https://github.com/PowerShell/ | Code of NoPowerShell DLL is largely based on the code handling the console input of PowerShell |\r\n| Benjamin Delpy | https://github.com/gentilkiwi/ | Code of Get-WinStation is inspired by the code of Mimikatz' ts::sessions command |\r\n| Dan Ports | https://github.com/danports/ | Marshalling code of Get-Winstation is partially copied from the Cassia project |\r\n| Mazdak | https://www.codeproject.com/Articles/2937/Getting-local-groups-and-member-names-in-C | Native function calls for the Get-LocalGroupMember cmdlet |\r\n| Rex Logan | https://stackoverflow.com/a/1148861 | Code of Get-NetNeighbor cmdlet |\r\n\r\n**Authored by Arris Huijgen ([@bitsadmin](https://twitter.com/bitsadmin/) - https://github.com/bitsadmin/)**\r\n","funding_links":[],"categories":["\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003e渗透\u0026\u0026offensive\u0026\u0026渗透框架\u0026\u0026后渗透框架","C# #","C# (212)","\u003ca id=\"5dd93fbc2f2ebc8d98672b2d95782af3\"\u003e\u003c/a\u003e工具"],"sub_categories":["\u003ca 
id=\"2e40f2f1df5d7f93a7de47bf49c24a0e\"\u003e\u003c/a\u003e未分类-Pentest"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitsadmin%2Fnopowershell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbitsadmin%2Fnopowershell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitsadmin%2Fnopowershell/lists"}