You're reading from PowerShell Automation and Scripting for Cybersecurity

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781800566378
Edition: 1st Edition
Author: Miriam C. Wiesner

Miriam C. Wiesner is a senior security researcher at Microsoft, with over 15 years of experience in IT and IT security. She has held various positions, including administrator/system engineer, software developer, premier field engineer, program manager, security consultant, and pentester. She is also a renowned creator of open source tools based in PowerShell, including EventList and JEAnalyzer. She has been invited multiple times to present the research behind her tools at many international conferences, such as Black Hat (the US, Europe, and Asia), PSConfEU, and MITRE ATT&CK workshop. Outside of work, Miriam is a dedicated wife and mother, residing with her family near Nuremberg, Germany.

Red Team Tasks and Cookbook

This chapter is meant to be a quick and dirty reference for red teamers that want to use PowerShell for their engagements. It is by no means complete but should help you get started.

After a short introduction to the phases of attack, we are going to look at what tools are usually used by red teamers for PowerShell-based engagements. After that, we will provide a PowerShell cookbook that covers most typical red team scenarios when it comes to PowerShell.

In this chapter, we will discuss the following topics:

  • Phases of an attack
  • Common PowerShell red team tools
  • Red team cookbook

Technical requirements

To get the most out of this chapter, ensure that you have the following:

Phases of an attack

Attacks usually follow the same pattern of phases, repeated over and over again. The same phases are reflected in a professional penetration test performed by red teamers.

The following diagram illustrates the phases of an attack:

Figure 8.1 – Phases of an attack

In the first phase, known as reconnaissance, the red teamer tries to get as much information as possible about the target. Once this phase has been completed, vulnerabilities are identified (vulnerability identification) that can be used for exploitation and getting access to the target.

Once a target has been successfully exploited, usually, credentials are collected, which can be used for lateral movement and to collect even more identities. Part of post-exploitation is to gain persistence, which means that the red teamer can reconnect without the need to exploit vulnerabilities once more.

Lateral movement can also occur by finding...

Common PowerShell red team tools

Many tools have been released that are written in PowerShell that can help you with your red team engagements – too many for you to make use of every single one. In this section, we will look at some of the most well-known and helpful tools to get you started and provide you with an overview of what is out there to help.

PowerSploit

PowerSploit is a collection of PowerShell modules and scripts that can help red teamers during a penetration testing engagement. It was originally developed by Matt Graeber. It is no longer supported, but many of its tools and scripts are still useful. PowerSploit can be downloaded from GitHub: https://github.com/PowerShellMafia/PowerSploit.

While most functions work fine in Windows PowerShell, they don’t in PowerShell 7 and above. Some functionalities that PowerSploit made use of from .NET Framework were not ported into .NET Core, on which PowerShell 7 relies. So, when running PowerSploit...

Red team cookbook

In this section, you will find some handy code snippets for your red team engagement. Please also refer to Chapter 9, Blue Team Tasks and Cookbook, as you will find many blue teamer code snippets and scripts there. These can sometimes also be useful for a red teamer.

Please note that this cookbook is not a complete red team reference as this would fill an entire book. Rather, it intends to be a helpful source to help you get started with PowerShell-related red teaming.

To make it easier to understand for people starting in cybersecurity, this cookbook has been categorized into MITRE ATT&CK areas. Please note that you will not find all the MITRE ATT&CK areas in this cookbook.

You can find the full MITRE ATT&CK enterprise matrix on the official MITRE web page: https://attack.mitre.org/matrices/enterprise/.

Reconnaissance

Usually, every attack starts with reconnaissance, the initial phase in which an adversary gathers information about a target...

Summary

In this chapter, you learned about the different phases of an attack. You were provided with an overview of common PowerShell red team tools and were presented with a red team cookbook, which can help you during your next red team engagements.

This red team cookbook contained many helpful code snippets that taught you about important command-line options of powershell.exe, how to obfuscate commands using Base64, how to download files, and how to execute scripts in memory only. You were reminded of how to execute commands on remote machines, as well as how to open a session.

We looked at several options regarding how persistence can be established using PowerShell and how a downgrade attack can be performed. You also got a refresher on how in-memory injection works and how to open a reverse shell without any of the common red teaming tools. Last but not least, you learned how to clear logs.

Now that we’ve explored various red teamer tasks and recipes...

Further reading

If you want to explore some of the topics that were mentioned in this chapter, take a look at these resources:

Abusing WMI to build a persistent asynchronous and fileless backdoor:

  • https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
  • https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor.pdf

New-GPLink:

  • https://learn.microsoft.com/en-us/powershell/module/grouppolicy/new-gplink

PowerUpSQL:

  • https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet
  • https://github.com/NetSPI/PowerUpSQL/wiki

You can find all the links mentioned in this chapter in the GitHub repository for Chapter 8 – there’s no need to manually type in every link: https://github.com/PacktPublishing/PowerShell...
