Chapter 5: PowerShell
PowerCat
A Netcat replacement for PowerShell
PowerUp
A collection of scripts focused on privilege escalation
Add-ADGroupMember Cmdlet
Adds members to a group
New-ADGroup Cmdlet
Creates a new group
New-ADUser Cmdlet
Creates user accounts
Filter
Defines a filter using PowerShell syntax
SearchScope
Defines at what level below the SearchBase a search should be performed
SearchBase
Defines the AD DS path to begin searching
Properties
Defines which object properties to return and display
Remove-ADGroup Cmdlet
Deletes a group
Remove-ADUser Cmdlet
Deletes user accounts
Get-ADPrincipalGroupMembership Cmdlet
Displays group membership of objects
Get-ADGroupMember Cmdlet
Displays the members of a group
-examples command
Displays only the name, synopsis, and examples
-detailed command
Displays the help article's detailed view that includes parameter descriptions and examples
-full command
Displays the help article's full view that includes parameter descriptions, examples, input and output object types, and additional notes
-online command
Displays the online version of a help article in the default browser
RemoteSigned Execution Policy
Downloaded scripts must be signed by a trusted publisher before they can be run
Enable-ADAccount Cmdlet
Enables a user account
-eq, -ne, -lt, -le, -gt, -ge, -like
Equal to, not equal to, less than, less than or equal to, greater than, greater than or equal to, wildcard pattern match
Enter-PSSession cmdlet
Allows you to establish a remote connection and run PowerShell commands interactively on a single remote computer. Only one interactive session can be open at a time.
Nishang
Metasploit for PowerShell, with more scripts than PowerSploit
Set-ADGroup Cmdlet
Modifies the properties of a group
Set-ADUser Cmdlet
Modifies the properties of user accounts
Unrestricted Execution Policy
No restrictions; all scripts can be run by any user
Restricted Execution Policy
No scripts can be run. Windows PowerShell can be used only in interactive mode.
AllSigned Execution Policy
Only scripts signed by a trusted publisher can be run.
Set-ADAccountPassword Cmdlet
Resets the password of a user account
Invoke-Command
This cmdlet allows you to run commands on both local and remote machines and returns all output, including errors.
Unlock-ADAccount Cmdlet
Unlocks a user account that was locked because the allowed number of incorrect login attempts was exceeded
Keylogger
a tool that records the keystrokes typed on a keyboard
Import-Module cmdlet
adds one or more modules to the current session, which can later be used to execute module commands. The modules that one imports must first be installed.
Name parameter
lets you filter process objects by their name.
PowerShell
is a Microsoft command-line interface used for task automation, configuration management, and script creation. It provides a rich set of capabilities for managing a system, including Active Directory, when performing administrative tasks. It includes a dynamically typed scripting language that allows complex operations using PowerShell command-lets (cmdlets).
PowerSploit
is one of many PowerShell modules used by penetration testers and attackers. It is an open-source, offensive security framework made up of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing, such as code execution, persistence, reconnaissance, and exfiltration.
Bulk action
methods allow you to perform tasks and apply changes to multiple objects in a single action. This is useful in domain administration, when you want to apply the same change to several objects.
PowerShell Integrated Scripting Environment (ISE)
lets you run commands as well as write, test, and debug PowerShell scripts. PowerShell cmdlet functions and scripts can be written in any text editor or word processor and then executed by PowerShell, or imported into the ISE for further editing. The ISE provides multiline editing, auto-completion, syntax coloring, selective execution, and more, all of which simplify script writing and debugging.
Get-Process command
provides information about running processes. Each object it returns is of the process type and has a set of properties associated with it.