# PowerShell Command Syntax
PowerShell is a task automation and configuration management program from Microsoft, consisting of a command-line shell and the associated scripting language.
> [!NOTE]
> Some of these commands can only be used after a (meterpreter) shell has been made to another machine. These will be marked with a symbol. Others must be used outside of these shells.
## Basic PowerShell Syntax

PowerShell uses a verb-noun structure in its commands (for example `Get-ChildItem` or `Set-Location`). Common verbs seen in the cmdlets below include Get, Set, Select, Sort, Measure and Where.

The pipeline (`|`) is used to pass the output of one cmdlet to another.

To view the details/members of the output of a certain cmdlet, use `Get-Member`.

To pull out properties from the output of a cmdlet and create a new object, use `Select-Object`.
## Useful Commands/Cmdlets
### Get-Acl

Get the security descriptors (permissions, owner) of a file or folder.
### Get-ChildItem

List the contents of the current directory.

```powershell
# List the hidden files in the current directory (-Hidden shows only hidden items)
Get-ChildItem -File -Hidden -ErrorAction SilentlyContinue
# Search a specified directory (here C:\) recursively for files whose name contains <term>
Get-ChildItem -Path C:\ -File -Recurse -Include *<term>* -ErrorAction SilentlyContinue
# Remove '-File' to also look for directories
```
### Get-Command

List all available commands.

```powershell
Get-Command
# List the commands with the specified verb
Get-Command Verb-*
# List the commands with the specified noun
Get-Command *-Noun
```
### Get-Content

Read the contents of a file.

```powershell
Get-Content -Path file.txt
# Get the line at the given (zero-based) index
(Get-Content -Path file.txt)[index]
# Get the number of words in the file
Get-Content -Path file.txt | Measure-Object -Word
```
### Get-FileHash

Get the hash of a specific file.
### Get-Help

Get help for a specific cmdlet.

```powershell
Get-Help <Command-name>
# Get help for the Get-Content cmdlet
Get-Help Get-Content
# Show usage examples for the command
Get-Help <Command-name> -Examples
```
### Get-Hotfix

View all patches applied to the machine.

```powershell
# Two different ways of looking up a specific patch
Get-Hotfix -ID <KB nr.>
Get-Hotfix | Where-Object -Property HotFixID -eq <KB nr.>
```
### Get-LocalUser

View the users on the current machine.

```powershell
# Format the output as a table with the specified columns (use Get-Member to find valid property names); ft is the alias of Format-Table
Verb-Noun | ft <column names>
```
### Get-LocalGroup

View the groups on the current machine.

```powershell
# Format the output as a table with the specified columns (use Get-Member to find valid property names); ft is the alias of Format-Table
Verb-Noun | ft <column names>
```
### Get-Member

View the details/members of the output of a certain cmdlet.

```powershell
Verb-Noun | Get-Member
# View the methods of the objects that Get-Command outputs
Get-Command | Get-Member -MemberType Method
```
### Get-NetTCPConnection

View all TCP connections on the machine.
### Get-ScheduledTask

View the existing scheduled tasks on the machine.
### Launch the hidden executable hiding within ADS
### Measure-Object

Measure various metrics of an output.

| Measure-Object argument | Function |
|---|---|
| `-Word` | Count the number of words |
| `-Line` | Count the number of lines |
### Select-Object

Pull out the properties from the output of a cmdlet and create a new object.

```powershell
Verb-Noun | Select-Object -Property <property names>
# Get the Mode and Name from Get-ChildItem
Get-ChildItem | Select-Object -Property Mode, Name
```

| Select-Object argument | Function |
|---|---|
| `-First <x>` | Select the first x from the result |
| `-Last <x>` | Select the last x from the result |
| `-Unique` | Select only unique values |
| `-Skip <x>` | Skip the first x from the result |
### Set-Location

Navigate to a specific directory.
### Select-String

Search a file for a pattern.
### Sort-Object

Sort the output of a cmdlet.
### View Alternate Data Streams (ADS)
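As an added example (not part of the original cheat sheet), the function below ties together `Get-ChildItem`, `Where-Object`, `Select-Object`, `Sort-Object` and `Measure-Object` from this page to enumerate files that carry an alternate data stream under a directory. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the directory path in the usage line is a placeholder.

```powershell
# Added example, not from the original page. Enumerates alternate data streams
# (ADS) on NTFS files so that unexpected streams can be reviewed.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    # -Force includes hidden files; errors (e.g. access denied) are suppressed
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Every NTFS file has the unnamed ':$DATA' stream; anything else is an ADS.
            # A 'Zone.Identifier' stream is the benign mark-of-the-web on downloaded files.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Select-Object -Property FileName, Stream, Length |
        Sort-Object -Property Length -Descending
}

# Usage (placeholder path): list the streams found, then count the distinct files carrying one
$streams = Find-AlternateDataStream -Path 'C:\Users\<user>\Downloads'
$streams | Format-Table -AutoSize
($streams | Select-Object -ExpandProperty FileName -Unique | Measure-Object).Count
```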
### Where-Object

Filter objects.

```powershell
# Filter objects whose <Propertyname> satisfies the comparison (parameter form)
Verb-Noun | Where-Object -Property <Propertyname> -<operator> <Value>
# Script-block form: the block is evaluated for every object, $_ being the current one
Verb-Noun | Where-Object { $_.<Propertyname> -<operator> <Value> }
# -<operator> can be e.g. -Contains, -eq, -gt
```

Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/where-object?view=powershell-6