# Powershell

### Basics

{% hint style="info" %}
Use `Get-Member` to list all properties and methods of an object!
{% endhint %}

```powershell
get-command set*    # Searches for all cmdlets that start with "set"
alias               # List all aliases in shell
Get-ChildItem       # Same as ls, dir, and gci
Copy-Item           # Same as cp, copy, and cpi
Move-Item           # Same as mv, move, and mi
Select-String       # Same as sls and similar to grep
Get-Help            # Get help!!
Get-Content         # Same as cat, type, gc
Get-Process         # Same as ps, gps
Get-Location        # Same as pwd, gl
Get-Member          # Get properties and methods of objects - USEFUL!!!!
ps | format-list -property name, id, starttime    # Formatted list of process properties
ls env:             # List all PS environment variables
ls variable:        # List all PS variables
```

### Getting Help

```powershell
help gci                # displays help for Get-ChildItem
help gci -detailed      # Very verbose help information
help gci -examples      # Examples on how to USE it!!!
help gci -full          # Pretty much everything it has about it
Remove-Item *.* -WhatIf    # Explains what WOULD happen, but does not actually do it
```

### Pipeline Objects

Pipeline objects let you automate work between the stages of a pipe. The `%` alias stands for the `ForEach-Object` command, and the current object in the stream of objects is referred to as `$_`. Pipeline objects can be filtered with the `?` alias for `Where-Object`. The commands below write out the names and PIDs of the processes returned by the `ps` alias.

```powershell
ps | gm        # Find all properties and methods first
ps | % {write-host "name is" $_.name " and pid is " $_.ID}
# Filter with ? first, then print: Process objects have no Status property, so test Responding instead
ps | ? {$_.Responding -eq $true} | % {write-host "Responding PID name is" $_.name}

# Counting loops to move between two sets of numbers
1..10 | % {echo $_}
1..255 | % {ping -n 1 192.168.0.$_ | select-string ttl}
```
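The same `?` / `%` / `$_` pattern turned into a reusable triage function, as an added example that is not part of the original notes: it emits objects instead of `Write-Host` text, so the result can be sorted, filtered again or exported. The trusted-directory list and the output path are assumptions.

```powershell
# Added example (not from the page): filter and reshape Get-Process output with Where-Object / ForEach-Object.
function Get-ProcessTriage {
    param(
        # Directories an executable is expected to run from; anything else is flagged. Assumed list.
        [string[]]$TrustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
    )
    Get-Process -ErrorAction SilentlyContinue |
        # ? (Where-Object): keep only processes whose image path we were allowed to read
        Where-Object { $_.Path } |
        # % (ForEach-Object): $_ is the current Process object; build one summary object per process
        ForEach-Object {
            $path = $_.Path
            $trusted = $false
            foreach ($root in $TrustedRoots) {
                if ($root -and $path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $trusted = $true
                }
            }
            [pscustomobject]@{
                Name      = $_.Name
                PID       = $_.Id
                Path      = $path
                # StartTime can throw on processes we cannot query fully; keep $null in that case
                StartTime = $(try { $_.StartTime } catch { $null })
                Trusted   = $trusted
            }
        } |
        # Untrusted ($false) sorts before trusted ($true), so the interesting rows come first
        Sort-Object Trusted, Name
}

# Usage: show only processes running outside the trusted roots, then export everything for review
Get-ProcessTriage | Where-Object { -not $_.Trusted } | Format-Table -AutoSize
Get-ProcessTriage | Export-Csv -NoTypeInformation -Path "$env:TEMP\process-triage.csv"
```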

### Enumerate Local Users

Enumerate the local users on the machine and print out important information about their accounts.

```powershell
Get-LocalUser | Select-Object Name, LastLogon, PasswordLastSet, Enabled, PasswordRequired, PrincipalSource, Description | Format-Table -AutoSize
```
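Building on the `Get-LocalUser` properties selected above, an added example (not from the original notes) that flags enabled accounts with weak password settings; the 90-day threshold and the finding names are assumptions, not policy from the page.

```powershell
# Added example (not from the page): audit local accounts using the Get-LocalUser properties shown above.
function Get-LocalUserAudit {
    param([int]$MaxPasswordAgeDays = 90)   # Assumed threshold
    $now = Get-Date
    Get-LocalUser | ForEach-Object {
        # Password age in days, or $null if the account never had a password set
        $age = if ($_.PasswordLastSet) { ($now - $_.PasswordLastSet).Days } else { $null }
        $findings = @()
        if ($_.Enabled -and -not $_.PasswordRequired)      { $findings += 'EnabledNoPasswordRequired' }
        if ($_.Enabled -and $null -eq $age)                { $findings += 'PasswordNeverSet' }
        if ($_.Enabled -and $age -gt $MaxPasswordAgeDays)  { $findings += "PasswordOlderThan${MaxPasswordAgeDays}d" }
        if ($_.Enabled -and $null -eq $_.LastLogon)        { $findings += 'EnabledNeverLoggedOn' }
        [pscustomobject]@{
            Name            = $_.Name
            Enabled         = $_.Enabled
            PasswordAgeDays = $age
            LastLogon       = $_.LastLogon
            Source          = $_.PrincipalSource
            Findings        = ($findings -join ',')
        }
    }
}

# Usage: only accounts with at least one finding
Get-LocalUserAudit | Where-Object { $_.Findings } | Format-Table -AutoSize
```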

### Enumerate AD Users

We can import the signed Microsoft ActiveDirectory module directly into PowerShell memory to enumerate AD users and systems. This leverages the signed module kept at <https://github.com/samratashok/ADModule>. After importing, all the ActiveDirectory cmdlets are available in the PowerShell session.

```powershell
iex (new-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1');Import-ActiveDirectory
```

### Searching

Looking for files and directories.

```powershell
# Search the entire C:\ dir for anything with "password" in the filename. The second positional
# argument is -Filter, so wildcards are needed. Put stderr in null where it belongs
gci -recurse C:\ *password* 2>$null | % {echo $_.fullname}

# Select-string works similar to grep
select-string -path C:\Users\*.txt -pattern password

# Put both together! Look in each file for the string "password" (-File skips directories, which select-string cannot read)
gci -recurse -file C:\ 2>$null | % {select-string -path $_.FullName -pattern password 2>$null}
```

### Navigate Registry

```powershell
# Can navigate the registry just like the file system, using tab completion
cd HKLM:\
```

### Launch Browsers

Launch a browser and open a specific page. The call operator `&` is required, since a quoted path on its own is just a string that PowerShell echoes back.

```powershell
& "C:\Program Files\Internet Explorer\iexplore.exe" m4lwhere.org
& "C:\Program Files\Mozilla Firefox\firefox.exe" m4lwhere.org
```

### Networking

Quick and dirty way to check if a port is open on a remote computer: the constructor connects immediately and throws if the port is closed or unreachable.

```powershell
New-Object System.Net.Sockets.TCPClient -ArgumentList "10.0.0.1","389"   # Returns a client with Connected = True, or errors out
```
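The one-liner above blocks for the full OS connect timeout and never closes the socket. As an added example (not from the original notes), a bounded version that reports why the check failed and always releases the client; the timeout value is an assumption.

```powershell
# Added example (not from the page): TCP reachability check with an explicit timeout and cleanup.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 2000   # Assumed default
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # WaitOne returns $false if the connect has not completed within the timeout
        $completed = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if (-not $completed) {
            return [pscustomobject]@{ ComputerName = $ComputerName; Port = $Port; Open = $false; Reason = 'Timeout' }
        }
        $client.EndConnect($async)   # Throws on refused / unreachable
        [pscustomobject]@{ ComputerName = $ComputerName; Port = $Port; Open = $true; Reason = 'Connected' }
    } catch {
        [pscustomobject]@{ ComputerName = $ComputerName; Port = $Port; Open = $false; Reason = $_.Exception.Message }
    } finally {
        $client.Close()   # Release the socket whether or not the connect succeeded
    }
}

# Usage with the page's example target: is LDAP (389) reachable on 10.0.0.1?
Test-TcpPort -ComputerName 10.0.0.1 -Port 389
```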

### Speaking to the Users!

This is a hilarious way to download a random cat fact and have it spoken to the user through the speakers.

```powershell
Add-Type -AssemblyName System.Speech
$SpeechSynth = New-Object System.Speech.Synthesis.SpeechSynthesizer
$SpeechSynth.SelectVoice("Microsoft Zira Desktop")
$Browser = New-Object System.Net.WebClient
$Browser.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials   # Reuse the logged-on user's creds for an authenticating proxy
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Fetch through the WebClient configured above (the original created it but then bypassed it with Invoke-WebRequest)
$CatFact = $Browser.DownloadString('https://catfact.ninja/fact') | ConvertFrom-Json
$CatFact.fact
$SpeechSynth.Speak("Did you know ?")
$SpeechSynth.Speak($CatFact.fact)
```
