Using PowerShell

author: Nathan Acks
date: 2022-08-31

Access the Registry Through PowerShell

PowerShell exposes the registry as a drive through its Registry provider, so the usual file-system cmdlets work on it: cd HKLM:\ (Set-Location) will take you to the HKEY_LOCAL_MACHINE hive, dir (Get-ChildItem) lists its subkeys, and Get-ItemProperty reads the values stored under a key. Only HKLM: and HKCU: are mounted as drives by default; the other hives can be mounted with New-PSDrive -PSProvider Registry (for example New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS).

Major hives:

HKEY_LOCAL_MACHINE (HKLM) - machine-wide configuration: installed software, services, drivers
HKEY_CURRENT_USER (HKCU) - the profile of the user running the shell (a view into HKEY_USERS)
HKEY_USERS (HKU) - the hives of every currently loaded user profile
HKEY_CLASSES_ROOT (HKCR) - file associations and COM registrations (merged from HKLM and HKCU Software\Classes)
HKEY_CURRENT_CONFIG (HKCC) - the current hardware profile
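As an added example (not from the original notes), here is the registry walk a practitioner actually does first when hunting for persistence: enumerate the Run/RunOnce keys in both the machine and the current-user hive, then mount HKEY_USERS so other users' hives can be checked the same way. The key paths are the standard Windows ones; nothing else about the machine is assumed.

```powershell
# Run/RunOnce autostart locations in the two hives that are mounted by default
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntry {
    param([string[]]$Keys)
    foreach ($Key in $Keys) {
        # RunOnce in particular is often absent; skip rather than error
        if (-not (Test-Path -Path $Key)) { continue }
        # Get-ItemProperty returns each registry value as a property, together
        # with PS* metadata properties (PSPath, PSParentPath, ...) that we drop
        (Get-ItemProperty -Path $Key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                [PSCustomObject]@{ Key = $Key; Name = $_.Name; Command = $_.Value }
            }
    }
}

Get-AutorunEntry -Keys $RunKeys | Format-Table -AutoSize

# Other users' hives live under HKEY_USERS, which has no drive by default.
# Mount it, list the loaded SIDs, and check their Run keys too.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$UserRunKeys = Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' } |    # real user SIDs only
    ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }
Get-AutorunEntry -Keys $UserRunKeys | Format-Table -AutoSize
```

Unlike the file-system providers, the registry provider treats values as properties of the key rather than as child items, which is why Get-ItemProperty (not Get-ChildItem) is the cmdlet that returns the actual commands.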

Commands

Accessing Windows Logs

Use the Get-WinEvent cmdlet. It reads both the classic logs and the newer Applications and Services logs (the older Get-EventLog only sees the classic ones and is absent from PowerShell 7). Filter on the server side with -FilterHashtable rather than piping the whole log through Where-Object, and note that reading the Security log requires an elevated shell.
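As an added example (not from the original notes), the query below pulls the last day of logon events from the Security log, parses the fields by name out of the event XML, and summarises failed logons by source address. Event IDs 4624/4625 and the EventData field names are the standard Windows ones; the 24-hour window and the -MaxEvents cap are arbitrary choices, and the shell must be elevated to read the Security log.

```powershell
function Get-LogonEvent {
    param([int]$Hours = 24, [int]$Max = 5000)
    # Filter on the server side: LogName/Id/StartTime are evaluated by the
    # event log service, which is far faster than Where-Object over everything
    $Events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -MaxEvents $Max -ErrorAction SilentlyContinue   # "no events found" is an error otherwise

    foreach ($E in $Events) {
        # The XML form lets us pick fields by name; the positional .Properties
        # array shifts between event versions and is easy to misread
        $Data = @{}
        foreach ($D in ([xml]$E.ToXml()).Event.EventData.Data) { $Data[$D.Name] = $D.'#text' }
        [PSCustomObject]@{
            Time      = $E.TimeCreated
            Id        = $E.Id
            User      = $Data['TargetUserName']
            Domain    = $Data['TargetDomainName']
            LogonType = $Data['LogonType']
            SourceIp  = $Data['IpAddress']
            Status    = $Data['Status']        # only present on 4625
        }
    }
}

$Logons = Get-LogonEvent -Hours 24

# Failed logons per source address. A long tail of one-offs is normal; a
# single address with hundreds of failures across many users is a spray.
$Logons | Where-Object Id -eq 4625 |
    Group-Object SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# Successful network (type 3) and RDP (type 10) logons, newest first
$Logons | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in 3, 10 } |
    Sort-Object Time -Descending |
    Format-Table Time, User, Domain, LogonType, SourceIp -AutoSize
```

The same pattern (FilterHashtable, then ToXml() for named fields) works for any log; swap LogName for 'Microsoft-Windows-Sysmon/Operational' and the IDs for 1 or 3 to get process creations or network connections.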

Download a File

# Download to disk
# (on Windows PowerShell 5.1 add -UseBasicParsing; otherwise HTML responses
# are parsed with the Internet Explorer engine, which can hang or fail)
#
Invoke-WebRequest -Uri $URL_OF_FILE -OutFile $FILE_ON_DISK

# Download into a variable (useful for scripts!)
#
$SCRIPT_DATA = `
	(New-Object System.Net.WebClient).DownloadString("$SCRIPT_URL")

# Download and invoke from memory. This is the classic "download cradle":
# nothing touches disk, but script block logging and AMSI still see the
# decoded script, so it is not invisible to defenders.
#
IEX (New-Object System.Net.WebClient).DownloadString("$SCRIPT_URL")

Using Base64 Encoding

Encode a command to base64 in PowerShell (the -EncodedCommand switch expects base64 over the UTF-16LE bytes of the command, which is why Unicode rather than UTF8 is used):

$Text = "$ONE_LINE_POWERSHELL_COMMAND"
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText = [Convert]::ToBase64String($Bytes)

Run this using:

powershell.exe -enc $EncodedText
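As an added example (not from the original notes), the two helpers below wrap the encoding above and its inverse: building an -EncodedCommand argument, and decoding one back out of a command line as recorded in a process-creation log (Security 4688 or Sysmon event 1), which is what an analyst needs far more often. The function names are my own, and the sample command line at the bottom is constructed for the demonstration.

```powershell
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # -EncodedCommand expects base64 over UTF-16LE bytes, which is what
    # .Unicode gives; a UTF8 blob decodes to garbage on the other side
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand, so
    # match the short forms seen in the wild (-e, -ec, -en, -enc, /enc, ...)
    # followed by a base64 run; -ExecutionPolicy does not match because no
    # whitespace follows its "-e"
    if ($CommandLine -match '(?i)(?:^|\s)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)') {
        return [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
    }
    return $null
}

$Encoded = ConvertTo-EncodedCommand -Command 'Get-Process | Select-Object -First 3'
powershell.exe -NoProfile -EncodedCommand $Encoded

# Constructed sample: the same invocation as it appears in a 4688 CommandLine field
$Sample = "powershell.exe -nop -w hidden -enc $Encoded"
ConvertFrom-EncodedCommand -CommandLine $Sample
```

Encoded commands are often nested (the decoded script itself contains another -enc, or a base64 string fed to FromBase64String and IEX), so in triage run the decoder in a loop until nothing matches, and remember that the decoded text is frequently compressed or XOR'd as well.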

Manipulating Services

Calculating File Hashes

Get-FileHash -Algorithm $ALGORITHM $FILE_PATH

The algorithm can be omitted (in which case SHA-256 is used). Several others are supported, including SHA1 and MD5 for matching against older indicator feeds (use them for lookups, not for integrity checks); run Get-Help Get-FileHash -Parameter Algorithm to see the list.
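As an added example (not from the original notes), one use of Get-FileHash beyond checking a single download is a quick integrity baseline: hash every file under a directory once, save the manifest, and later diff a fresh manifest against it to find added, removed or modified files (a web root after a suspected web shell drop, for instance). The directory and manifest paths are assumptions; the function names are my own.

```powershell
function New-HashManifest {
    param([Parameter(Mandatory)][string]$Path)
    $Root     = (Resolve-Path -Path $Path).Path
    $Manifest = @{}
    # -Force includes hidden files, which is where dropped tooling tends to sit
    Get-ChildItem -Path $Root -File -Recurse -Force | ForEach-Object {
        # Key on the path relative to the root so the manifest is portable
        $Rel = $_.FullName.Substring($Root.Length).TrimStart('\')
        $Manifest[$Rel] = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
    }
    return $Manifest
}

function Compare-HashManifest {
    param([Parameter(Mandatory)][hashtable]$Baseline, [Parameter(Mandatory)][hashtable]$Current)
    foreach ($Key in $Current.Keys) {
        if (-not $Baseline.ContainsKey($Key)) {
            [PSCustomObject]@{ Path = $Key; Status = 'Added' }
        } elseif ($Baseline[$Key] -ne $Current[$Key]) {
            [PSCustomObject]@{ Path = $Key; Status = 'Modified' }
        }
    }
    foreach ($Key in $Baseline.Keys) {
        if (-not $Current.ContainsKey($Key)) {
            [PSCustomObject]@{ Path = $Key; Status = 'Removed' }
        }
    }
}

# Take the baseline and store it somewhere the target cannot write to
$Root     = 'C:\inetpub\wwwroot'
$Manifest = 'C:\Baselines\wwwroot.json'
New-HashManifest -Path $Root | ConvertTo-Json | Set-Content -Path $Manifest

# ... later, when something looks off: reload and diff
$Saved = @{}
(Get-Content -Path $Manifest -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $Saved[$_.Name] = $_.Value }
Compare-HashManifest -Baseline $Saved -Current (New-HashManifest -Path $Root) |
    Sort-Object Status, Path | Format-Table -AutoSize
```

Keep the saved manifest off the host being checked: a baseline an attacker can rewrite is worth nothing.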

PowerShell Remoting

Many large companies will enable PowerShell Remoting on all machines in order to ease IT support burdens. By default it is enabled on Windows Server (2012 and later) and disabled on Windows client editions; Enable-PSRemoting turns it on. The transport is WinRM, TCP 5985 for HTTP and 5986 for HTTPS, and Test-WSMan -ComputerName $MACHINE tells you whether a given host is listening before you try.

Invoke-Command -ComputerName $MACHINE `
	-ScriptBlock {$COMMANDS_TO_RUN}

Remoting can also give you an interactive shell on the remote machine. Note that this is a forward connection from your machine to the target over WinRM, not a reverse shell: the target has to be listening and reachable.

$SESSION = New-PSSession -ComputerName "$MACHINE"
Enter-PSSession -Session $SESSION

Exit-PSSession drops you back to the local prompt; the session itself stays open (and any variables set in it survive) until Remove-PSSession.
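As an added example (not from the original notes), this is how remoting is used at scale rather than one host at a time: check which targets are listening, fan a script block out to all of them with a concurrency limit, and collect the results on the caller, where the remoting layer tags each object with the host it came from. The host names, the credential, the tool path and the process being hunted are assumptions.

```powershell
$Targets = 'ws01', 'ws02', 'srv-file01'
$Cred    = Get-Credential    # an account with local admin rights on the targets

# Only try hosts that answer WinRM, so one dead host doesn't stall the sweep
$Live = $Targets | Where-Object { Test-WSMan -ComputerName $_ -ErrorAction SilentlyContinue }

# The script block runs on each remote host; -ArgumentList feeds its param()
# block, and whatever it emits is serialised back to this shell
$Results = Invoke-Command -ComputerName $Live -Credential $Cred -ThrottleLimit 16 `
    -ArgumentList 'mshta.exe' -ErrorAction SilentlyContinue `
    -ScriptBlock {
        param($Name)
        Get-CimInstance -ClassName Win32_Process -Filter "Name = '$Name'" |
            Select-Object ProcessId, ParentProcessId, CommandLine
    }

# PSComputerName is added to every returned object by the remoting layer
$Results | Sort-Object PSComputerName |
    Format-Table PSComputerName, ProcessId, ParentProcessId, CommandLine -AutoSize

# For repeated work on the same hosts, keep sessions open instead of
# reconnecting each time, and use them to push tooling across
$Sessions = New-PSSession -ComputerName $Live -Credential $Cred
Copy-Item -Path 'C:\Tools\collector.ps1' -Destination 'C:\Windows\Temp\' -ToSession $Sessions[0]
Invoke-Command -Session $Sessions -ScriptBlock { & 'C:\Windows\Temp\collector.ps1' }
$Sessions | Remove-PSSession
```

Remote sessions run under the Windows PowerShell engine with a Restricted language mode only if the endpoint is configured that way (JEA); by default the remote account gets a full admin shell, so every Invoke-Command shows up on the target as a wsmprovhost.exe child and as a type 3 logon, which is exactly what defenders watch for.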

Run PowerShell from cmd.exe

powershell -c "$COMMAND"