PowerShell rebuilt in C# for Red Teaming purposes
NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No `System.Management.Automation.dll` is used; only native .NET libraries. An alternative use case for NoPowerShell is to launch it as a DLL via `rundll32.exe`.
This project makes it easy for everyone to extend its functionality using only a few lines of C# code. For more info, see CONTRIBUTING.md.
NoPowerShell is developed to be used with the `execute-assembly` command of Cobalt Strike. Reasons to use NoPowerShell:

- Executes pretty stealthily
- Powerful functionality
- Provides the cmdlets you are already familiar with in PowerShell, so no need to learn yet another tool
- If you are not yet very familiar with PowerShell, the cmd.exe aliases are available as well (e.g. the alias for `Test-NetConnection`)
- Cmdlets that are not available via `powershell` are available in `nps` (e.g. cmdlets from the ActiveDirectory module)
- Easily extensible with only a few lines of C#
To use NoPowerShell from Cobalt Strike:

1. Copy `NoPowerShell.cna` to the scripts subfolder of Cobalt Strike
2. Load the `NoPowerShell.cna` script in the Script Manager
3. Create a shortcut to the `NoPowerShell.dll` file (drag using right click -> Create shortcuts here)
When using NoPowerShell from cmd.exe or PowerShell, you need to escape the pipe character (`|`) with respectively a caret (`^`) or a backtick (`` ` ``).

From cmd.exe:

```
ls ^| select Name
```

From PowerShell:

```
ls `| select Name
```
Cmdlets requested to be added:

| Cmdlet | Description |
| - | - |
| Get-ADTrusts | Unofficial command showing equivalent of `nltest /domain_trusts /all_trusts /v` |
| Get-QWinsta | Unofficial command showing equivalent of `query session` |
| Invoke-Command | Using PSRemoting execute a command on a remote machine (which in that case will of course be logged) |
| Get-Service | Include option to also show service paths like in `sc qc` |
| * | Sysinternals utilities like `sdelete` |
| * | More `*-Item*` commands |
| * | More commands from the `ActiveDirectory` PowerShell module |
Authors of additional NoPowerShell cmdlets are added to the table below. Moreover, the table lists commands that are requested by the community to add. Together we can develop a powerful NoPowerShell toolkit!
| Cmdlet | Contributed by | GitHub | Twitter | Description |
| - | - | - | - | - |
| | | | | |
Cmdlets currently implemented in NoPowerShell:

| Cmdlet | Category | Notes |
| - | - | - |
| Get-ADGroup | ActiveDirectory | |
| Get-ADGroupMember | ActiveDirectory | |
| Get-ADUser | ActiveDirectory | |
| Get-ADComputer | ActiveDirectory | |
| Compress-Archive | Archive | Requires .NET 4.5+ |
| Expand-Archive | Archive | Requires .NET 4.5+ |
| Get-Whoami | Additional | whoami.exe /ALL is not implemented yet |
| Get-RemoteSmbShare | Additional | |
| Get-Command | Core | |
| Get-Help | Core | |
| Where-Object | Core | |
| Resolve-DnsName | DnsClient | |
| Get-LocalGroup | LocalAccounts | |
| Get-LocalGroupMember | LocalAccounts | |
| Get-LocalUser | LocalAccounts | |
| Copy-Item | Management | |
| Get-ChildItem | Management | |
| Get-Content | Management | |
| Get-ItemProperty | Management | |
| Get-Process | Management | |
| Stop-Process | Management | |
| Get-PSDrive | Management | |
| Get-WmiObject | Management | |
| Get-HotFix | Management | |
| Invoke-WmiMethod | Management | Quick & dirty implementation |
| Remove-Item | Management | |
| Get-ComputerInfo | Management | Few fields still need to be added to mimic systeminfo.exe |
| Get-NetIPAddress | NetTCPIP | |
| Get-NetRoute | NetTCPIP | |
| Test-NetConnection | NetTCPIP | |
| Get-NetNeighbor | NetTCPIP | No support for IPv6 yet |
| Get-SmbMapping | SmbShare | |
| Format-List | Utility | |
| Format-Table | Utility | |
| Invoke-WebRequest | Utility | |
| Measure-Object | Utility | |
| Select-Object | Utility | |
Various NoPowerShell cmdlets and the NoPowerShell DLL include code created by other developers.

| Who | Website | Notes |
| - | - | - |
| Contributors of pinvoke.net | https://www.pinvoke.net/ | Various cmdlets use snippets from pinvoke |
| Michael Conrad | https://github.com/MichaCo/ | Parts of the Resolve-Dns cmdlet are based on the code of the DnsClient.Net project |
| Rex Logan | https://stackoverflow.com/a/1148861 | Most code of the Get-NetNeighbor cmdlet originates from his StackOverflow post |
| PowerShell developers | https://github.com/PowerShell/ | Code of the NoPowerShell DLL is largely based on the code handling the console input of PowerShell |
Authored by Arris Huijgen (@bitsadmin - https://github.com/bitsadmin/)