nopowershell

by bitsadmin

PowerShell rebuilt in C# for Red Teaming purposes

487 Stars 89 Forks Last release: over 1 year ago (1.23) BSD 3-Clause "New" or "Revised" License 20 Commits 7 Releases

NoPowerShell

NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No `System.Management.Automation.dll` is used; only native .NET libraries. An alternative use case for NoPowerShell is to launch it as a DLL via rundll32.exe: `rundll32 NoPowerShell.dll,main`.

This project makes it easy for everyone to extend its functionality using only a few lines of C# code. For more info, see CONTRIBUTING.md.

Latest binaries available from the Releases page. Bleeding edge code available in the DEV branch. To kickstart your NoPowerShell skills, make sure to also check out the cmdlet Cheatsheet.

Screenshots

Running in Cobalt Strike

NoPowerShell supported commands

Sample execution of commands

NoPowerShell sample commands

Rundll32 version

NoPowerShellDll via rundll32

Why NoPowerShell

NoPowerShell is developed to be used with the `execute-assembly` command of Cobalt Strike. Reasons to use NoPowerShell:

  • Executes pretty stealthily
  • Powerful functionality
  • Provides the cmdlets you are already familiar with in PowerShell, so no need to learn yet another tool
  • If you are not yet very familiar with PowerShell, the cmd.exe aliases are available as well (e.g. `ping` instead of `Test-NetConnection`)
  • In case cmdlets are not available via `powerpick` or `powershell`, they are available in `nps` (e.g. cmdlets from the ActiveDirectory module)
  • Easily extensible with only a few lines of C#

Usage

Examples

See CHEATSHEET.md.

Install in Cobalt Strike

  1. Copy both `NoPowerShell.exe` and `NoPowerShell.cna` to the scripts subfolder of Cobalt Strike
  2. Launch Cobalt Strike and load the `NoPowerShell.cna` script in the Script Manager
  3. Interact with a beacon and execute commands using the `nps` command

Launch via rundll32

  1. Create a new shortcut to the `NoPowerShell.dll` file (drag using right click -> Create shortcuts here)
  2. Update the shortcut, prefixing the filename with `rundll32` and appending `,main`
  3. The shortcut will now look like `rundll32 C:\Path\to\NoPowerShell.dll,main`
  4. Double click the shortcut
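Because a NoPowerShell DLL started this way never passes through PowerShell script block or module logging, a defender has to rely on process-creation and image-load telemetry instead. The following Python is an added example and not part of the NoPowerShell project: it scans constructed Sysmon-style events for the `rundll32 <dll>,main` launch pattern from the steps above and for rundll32 loading the .NET runtime; the event field names and sample paths are assumptions.

```python
import re

# rundll32 invoked with a DLL path followed by the ",main" export that NoPowerShell.dll exposes.
RUNDLL32_MAIN = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*main\b', re.I)
# Modules whose presence in a process means the .NET CLR has been loaded.
CLR_MODULES = {"mscoree.dll", "clr.dll", "mscorwks.dll", "coreclr.dll"}

def is_rundll32(event):
    """True when the event's Image field is rundll32.exe (any path, any case)."""
    return event.get("Image", "").lower().endswith("\\rundll32.exe")

def check_process_create(event):
    """Sysmon EID 1 style event (assumed field names): flag rundll32 running a DLL's 'main' export."""
    if not is_rundll32(event):
        return []
    m = RUNDLL32_MAIN.search(event.get("CommandLine", ""))
    return [f"rundll32 invoking main export of {m.group('dll')}"] if m else []

def check_image_load(event):
    """Sysmon EID 7 style event (assumed field names): flag rundll32 pulling in the .NET runtime."""
    if not is_rundll32(event):
        return []
    loaded = event.get("ImageLoaded", "")
    if loaded.rsplit("\\", 1)[-1].lower() in CLR_MODULES:
        return [f"rundll32 loaded .NET runtime module {loaded}"]
    return []

def scan(events):
    """Run both checks over a list of event dicts and return all findings in order."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            alerts.extend(check_process_create(ev))
        elif ev.get("EventID") == 7:
            alerts.extend(check_image_load(ev))
    return alerts

# Constructed sample telemetry (not real logs): one launch matching the shortcut
# above, one benign rundll32 use, one CLR load and one ordinary DLL load.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\Path\to\NoPowerShell.dll,main"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
]
```

Calling `scan(SAMPLE_EVENTS)` yields two findings, the `,main` launch and the CLR load, while the two benign events produce none; the in-memory `execute-assembly` path is not visible on the command line and needs CLR-load telemetry in the beacon's host process instead.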

Note

When using NoPowerShell from cmd.exe or PowerShell, you need to escape the pipe character (`|`) with respectively a caret (`^`) or a backtick (`` ` ``), i.e.:
  • cmd.exe: `ls ^| select Name`
  • PowerShell: ``ls `| select Name``

Known issues

  • Pipeline characters need to be surrounded by spaces
  • TLS 1.1+ is not supported by .NET Framework 2, so any site enforcing it will result in a connection error

Improvements

  • Fix above issues
  • Improve stability by adding exception handling
  • Support for parameter groups
  • Add support for ArrayArgument parameter
  • Add support for .NET code on the command line, e.g. `[System.Security.Principal.WindowsIdentity]::GetCurrent().Name`

Requested NoPowerShell cmdlets

| Cmdlet | Description |
| - | - |
| Get-ADTrusts | Unofficial command showing equivalent of `nltest /domain_trusts /all_trusts /v` |
| Get-QWinsta | Unofficial command showing equivalent of `qwinsta` / `query session` |
| Invoke-Command | Using PSRemoting execute a command on a remote machine (which in that case will of course be logged) |
| Get-Service | Include option to also show service paths like in `sc qc` |
| * | Sysinternals utilities like `pipelist` and `sdelete` |
| * | More *-Item* commands |
| * | More commands from the `ActiveDirectory` PowerShell module |

Contributed NoPowerShell cmdlets

Authors of additional NoPowerShell cmdlets are added to the table below. Moreover, the table lists commands that the community has requested to be added. Together we can develop a powerful NoPowerShell toolkit!

| Cmdlet | Contributed by | GitHub | Twitter | Description |
| - | - | - | - | - |
| | | | | |

Included NoPowerShell cmdlets

| Cmdlet | Category | Notes |
| - | - | - |
| Get-ADGroup | ActiveDirectory | |
| Get-ADGroupMember | ActiveDirectory | |
| Get-ADUser | ActiveDirectory | |
| Get-ADComputer | ActiveDirectory | |
| Compress-Archive | Archive | Requires .NET 4.5+ |
| Expand-Archive | Archive | Requires .NET 4.5+ |
| Get-Whoami | Additional | whoami.exe /ALL is not implemented yet |
| Get-RemoteSmbShare | Additional | |
| Get-Command | Core | |
| Get-Help | Core | |
| Where-Object | Core | |
| Resolve-DnsName | DnsClient | |
| Get-LocalGroup | LocalAccounts | |
| Get-LocalGroupMember | LocalAccounts | |
| Get-LocalUser | LocalAccounts | |
| Copy-Item | Management | |
| Get-ChildItem | Management | |
| Get-Content | Management | |
| Get-ItemProperty | Management | |
| Get-Process | Management | |
| Stop-Process | Management | |
| Get-PSDrive | Management | |
| Get-WmiObject | Management | |
| Get-HotFix | Management | |
| Invoke-WmiMethod | Management | Quick & dirty implementation |
| Remove-Item | Management | |
| Get-ComputerInfo | Management | Few fields still need to be added to mimic systeminfo.exe |
| Get-NetIPAddress | NetTCPIP | |
| Get-NetRoute | NetTCPIP | |
| Test-NetConnection | NetTCPIP | |
| Get-NetNeighbor | NetTCPIP | No support for IPv6 yet |
| Get-SmbMapping | SmbShare | |
| Format-List | Utility | |
| Format-Table | Utility | |
| Invoke-WebRequest | Utility | |
| Measure-Object | Utility | |
| Select-Object | Utility | |

Acknowledgements

Various NoPowerShell cmdlets and NoPowerShell DLL include code created by other developers.

| Who | Website | Notes |
| - | - | - |
| Contributors of pinvoke.net | https://www.pinvoke.net/ | Various cmdlets use snippets from pinvoke |
| Michael Conrad | https://github.com/MichaCo/ | Parts of the Resolve-Dns cmdlet are based on the code of the DnsClient.Net project |
| Rex Logan | https://stackoverflow.com/a/1148861 | Most code of the Get-NetNeighbor cmdlet originates from his StackOverflow post |
| PowerShell developers | https://github.com/PowerShell/ | Code of NoPowerShell DLL is largely based on the code handling the console input of PowerShell |

Authored by Arris Huijgen (@bitsadmin - https://github.com/bitsadmin/)
