NoPowerShell

NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No System.Management.Automation.dll is used; only native .NET libraries. An alternative usecase for NoPowerShell is to launch it as a DLL via rundll32.exe in a restricted environment: rundll32 NoPowerShell.dll,main.

This project makes it easy for everyone to extend its functionality using only a few lines of C# code. For more info, see CONTRIBUTING.md.

Latest binaries available from the Releases page. Bleeding edge code available in the DEV branch. To kickstart your NoPowerShell skills, make sure to also check out the cmdlet Cheatsheet.

Screenshots

Running in Cobalt Strike

Sample execution of commands

Rundll32 version

Why NoPowerShell

NoPowerShell is developed to be used with the execute-assembly command of Cobalt Strike or in a restricted environment using rundll32. Reasons to use NoPowerShell:

• Executes pretty stealthy
• Powerful functionality
• Provides the cmdlets you are already familiar with in PowerShell, so no need to learn yet another tool
• If you are not yet very familiar with PowerShell, the cmd.exe aliases are available as well (e.g. ping instead of Test-NetConnection)
• In case via powerpick or powershell cmdlets are not available, they are available in nps (e.g. cmdlets from the ActiveDirectory module)
• Easily extensible with only a few lines of C#

Usage

Examples

See CHEATSHEET.md.

Use in Cobalt Strike via execute-assembly

Use Cobalt Strike's execute-assembly command to launch the NoPowerShell.exe. For example execute-assembly /path/to/NoPowerShell.exe Get-Command. Optionally NoPowerShell.cna can be used to add the nps alias to Cobalt Strike.

Use in Cobalt Strike via BOF.NET

1. Install the BOF.NET BOF from https://github.com/CCob/BOF.NET
2. Load the BOF.NET runtime: bofnet_init
3. Load the NoPowerShell module: bofnet_load /path/to/NoPowerShell.dll
4. Execute NoPowerShell cmdlets: bofnet_execute NoPowerShell.Program Get-Command

Use in Cobalt Strike using @williamknows fork of BOF.NET

This fork allows running regular .NET executables

1. Obtain and compile @williamknows' fork of the BOF.NET from https://github.com/CCob/BOF.NET
2. Load the BOF.NET runtime: bofnet_init
3. Load the NoPowerShell module: bofnet_load /path/to/NoPowerShell.exe
4. Execute NoPowerShell cmdlets: bofnet_executeassembly NoPowerShell Get-Command

Launch via rundll32

1. Create a new shortcut to NoPowerShell.dll file (drag using right click -> Create shortcuts here)
2. Update the shortcut prefixing the filename with rundll32 and appending ,main
3. The shortcut will now look like rundll32 C:\Path\to\NoPowerShell.dll,main
4. Double click the shortcut

Note

When using NoPowerShell from cmd.exe or PowerShell, you need to escape the pipe character (|) with respectively a caret (^) or a backtick (`), e.g.:

• cmd.exe: ls ^| select Name
• PowerShell: ls `| select Name

Known issues

• Pipeline characters need to be surrounded by spaces
• TLS 1.1+ is not supported by .NET Framework 2, so any site enforcing it will result in a connection error

Improvements

• Fix above issues
• Improve stability by adding exception handling
• Support for parameter groups
• Add support for .NET code in commandline, e.g.: [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

Requested NoPowerShell cmdlets

Contributed NoPowerShell cmdlets

Authors of additional NoPowerShell cmdlets are added to the table below. Moreover, the table lists commands that are requested by the community to add. Together we can develop a powerful NoPowerShell toolkit!

Included NoPowerShell cmdlets

Also make sure to check out the Cheatsheet for examples on how to use these cmdlets.

Acknowledgements

Various NoPowerShell cmdlets and NoPowerShell DLL include code created by other developers.

Authored by Arris Huijgen (@bitsadmin - https://github.com/bitsadmin/)