PowerShell rebuilt in C# for Red Teaming purposes
NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No System.Management.Automation.dll
is used; only native .NET libraries. An alternative usecase for NoPowerShell is to launch it as a DLL via rundll32.exe in a restricted environment: rundll32 NoPowerShell.dll,main
.
This project makes it easy for everyone to extend its functionality using only a few lines of C# code. For more info, see CONTRIBUTING.md.
Latest binaries available from the Releases page. Bleeding edge code available in the DEV branch. To kickstart your NoPowerShell skills, make sure to also check out the cmdlet Cheatsheet.
NoPowerShell is developed to be used with the execute-assembly
command of Cobalt Strike or in a restricted environment using rundll32
.
Reasons to use NoPowerShell:
ping
instead of Test-NetConnection
)powerpick
or powershell
cmdlets are not available, they are available in nps
(e.g. cmdlets from the ActiveDirectory module)See CHEATSHEET.md.
Use Cobalt Strike's execute-assembly
command to launch the NoPowerShell.exe
. For example execute-assembly /path/to/NoPowerShell.exe Get-Command
.
Optionally NoPowerShell.cna
can be used to add the nps
alias to Cobalt Strike.
bofnet_init
bofnet_load /path/to/NoPowerShell.dll
bofnet_execute NoPowerShell.Program Get-Command
This fork allows running regular .NET executables
bofnet_init
bofnet_load /path/to/NoPowerShell.exe
bofnet_executeassembly NoPowerShell Get-Command
NoPowerShell.dll
file (drag using right click -> Create shortcuts here)rundll32
and appending ,main
rundll32 C:\Path\to\NoPowerShell.dll,main
When using NoPowerShell from cmd.exe or PowerShell, you need to escape the pipe character (|
) with respectively a caret (^
) or a backtick (`
), e.g.:
ls ^| select Name
ls `| select Name
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Cmdlet | Description |
---|---|
Invoke-Command | Using PSRemoting execute a command on a remote machine (which in that case will of course be logged) |
Get-Service | Include option to also show service paths like in sc qc |
* | More *-Item* commands |
Search-ADAccount | |
Get-ADPrincipalGroupMembership | |
Get-ADOrganizationalUnits | |
* | More commands from the ActiveDirectory PowerShell module |
* | Sysinternals utilities like pipelist and sdelete |
Authors of additional NoPowerShell cmdlets are added to the table below. Moreover, the table lists commands that are requested by the community to add. Together we can develop a powerful NoPowerShell toolkit!
Cmdlet | Contributed by | GitHub | Description | |
---|---|---|---|---|
Cmdlet | Module | Notes |
---|---|---|
Get-ADGroup | ActiveDirectory | |
Get-ADGroupMember | ActiveDirectory | |
Get-ADComputer | ActiveDirectory | |
Get-ADObject | ActiveDirectory | |
Get-ADUser | ActiveDirectory | |
Get-ADTrust | ActiveDirectory | |
Get-WinStation | Additional | |
Get-RemoteSmbShare | Additional | |
Get-Whoami | Additional | whoami.exe /ALL is not implemented yet |
Expand-Archive | Archive | Requires .NET 4.5+ |
Compress-Archive | Archive | Requires .NET 4.5+ |
Where-Object | Core | |
Get-Help | Core | |
Get-Command | Core | |
Resolve-DnsName | DnsClient | |
Get-LocalGroup | LocalAccounts | |
Get-LocalGroupMember | LocalAccounts | |
Get-LocalUser | LocalAccounts | |
Get-ItemProperty | Management | |
Invoke-WmiMethod | Management | |
Remove-Item | Management | |
Copy-Item | Management | |
Get-Content | Management | |
Get-ChildItem | Management | |
Get-WmiObject | Management | |
Get-Process | Management | |
Stop-Process | Management | |
Get-HotFix | Management | |
Get-PSDrive | Management | |
Get-ItemPropertyValue | Management | |
Set-Clipboard | Management | |
Get-DnsClientCache | Management | |
Get-ComputerInfo | Management | |
Get-Clipboard | Management | |
Get-NetRoute | NetTCPIP | |
Get-NetIPAddress | NetTCPIP | |
Get-NetNeighbor | NetTCPIP | No support for IPv6 yet |
Test-NetConnection | NetTCPIP | |
Get-GetNetTCPConnection | NetTCPIP | |
Get-SmbShare | SmbShare | |
Get-SmbMapping | SmbShare | |
Format-Table | Utility | |
Sort-Object | Utility | |
Export-Csv | Utility | |
Format-List | Utility | |
Select-Object | Utility | |
Out-File | Utility | |
Write-Output | Utility | |
Invoke-WebRequest | Utility | |
Measure-Object | Utility |
Also make sure to check out the Cheatsheet for examples on how to use these cmdlets.
Various NoPowerShell cmdlets and NoPowerShell DLL include code created by other developers.
Who | Website | Notes |
---|---|---|
Contributors of pinvoke.net | https://www.pinvoke.net/ | Various cmdlets use snippets from pinvoke |
Michael Conrad | https://github.com/MichaCo/ | Parts of the Resolve-Dns cmdlet are based on the code of the DnsClient.Net project |
Rex Logan | https://stackoverflow.com/a/1148861 | Most code of the Get-NetNeighbor cmdlet originates from his StackOverflow post |
PowerShell developers | https://github.com/PowerShell/ | Code of NoPowerShell DLL is largely based on the code handling the console input of PowerShell |
Benjamin Delpy | https://github.com/gentilkiwi/ | Code of Get-WinStation is inspired by the code of Mimikatz' ts::sessions command |
Dan Ports | https://github.com/danports/ | Marshalling code of Get-Winstation is partially copied from the Cassia project |
Mazdak | https://www.codeproject.com/Articles/2937/Getting-local-groups-and-member-names-in-C | Native function calls for the Get-LocalGroupMember cmdlet |
Rex Logan | https://stackoverflow.com/a/1148861 | Code of Get-NetNeighbor cmdlet |
Authored by Arris Huijgen (@bitsadmin - https://github.com/bitsadmin/)