NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No System.Management.Automation.dll is used; only native .NET libraries. An alternative usecase for NoPowerShell is to launch it as a DLL via rundll32.exe: rundll32 NoPowerShell.dll,main.
This project makes it easy for everyone to extend its functionality using only a few lines of C# code. For more info, see CONTRIBUTING.md.
Latest binaries available from the Releases page. Bleeding edge code available in the DEV branch. To kickstart your NoPowerShell skills, make sure to also check out the cmdlet Cheatsheet.
NoPowerShell is developed to be used with the execute-assembly command of Cobalt Strike.
Reasons to use NoPowerShell:
- Executes pretty stealthy
- Powerful functionality
- Provides the cmdlets you are already familiar with in PowerShell, so no need to learn yet another tool
- If you are not yet very familiar with PowerShell, the cmd.exe aliases are available as well (i.e.
pinginstead ofTest-NetConnection) - In case via
powerpickorpowershellcmdlets are not available, they are available innps(i.e. cmdlets from the ActiveDirectory module) - Easily extensible with only a few lines of C#
See CHEATSHEET.md.
- Copy both
NoPowerShell.exeandNoPowerShell.cnato the scripts subfolder of Cobalt Strike - Launch Cobalt Strike and load the
NoPowerShell.cnascript in the Script Manager - Interact with a beacon and execute commands using the
npscommand
- Create a new shortcut to
NoPowerShell.dllfile (drag using right click -> Create shortcuts here) - Update the shortcut prefixing the filename with
rundll32and appending,main - The shortcut will now look like
rundll32 C:\Path\to\NoPowerShell.dll,main - Double click the shortcut
When using NoPowerShell from cmd.exe or PowerShell, you need to escape the pipe character (|) with respectively a caret (^) or a backtick (`), i.e.:
- cmd.exe:
ls ^| select Name - PowerShell:
ls `| select Name
- Pipeline characters need to surrounded by spaces
- TLS 1.1+ is not supported by .NET Framework 2, so any site enforcing it will result in a connection error
- Fix above issues
- Improve stability by adding exception handling
- Support for parameter groups
- Add support for ArrayArgument parameter
- Add support for .NET code in commandline, i.e.:
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
| Cmdlet | Description |
|---|---|
| Get-ADTrusts | Unofficial command showing equivalent of nltest /domain_trusts /all_trusts /v |
| Get-QWinsta | Unofficial command showing equivalent of qwinsta / query session |
| Invoke-Command | Using PSRemoting execute a command on a remote machine (which in that case will of course be logged) |
| Get-Service | Include option to also show service paths like in sc qc |
| * | Sysinternals utilities like pipelist and sdelete |
| * | More *-Item* commands |
| * | More commands from the ActiveDirectory PowerShell module |
Authors of additional NoPowerShell cmdlets are added to the table below. Moreover, the table lists commands that are requested by the community to add. Together we can develop a powerful NoPowerShell toolkit!
| Cmdlet | Contributed by | GitHub | Description | |
|---|---|---|---|---|
| Cmdlet | Category | Notes |
|---|---|---|
| Get-ADGroup | ActiveDirectory | |
| Get-ADGroupMember | ActiveDirectory | |
| Get-ADUser | ActiveDirectory | |
| Get-ADComputer | ActiveDirectory | |
| Compress-Archive | Archive | Requires .NET 4.5+ |
| Expand-Archive | Archive | Requires .NET 4.5+ |
| Get-Whoami | Additional | whoami.exe /ALL is not implemented yet |
| Get-RemoteSmbShare | Additional | |
| Get-Command | Core | |
| Get-Help | Core | |
| Where-Object | Core | |
| Resolve-DnsName | DnsClient | |
| Get-LocalGroup | LocalAccounts | |
| Get-LocalGroupMember | LocalAccounts | |
| Get-LocalUser | LocalAccounts | |
| Copy-Item | Management | |
| Get-ChildItem | Management | |
| Get-Content | Management | |
| Get-ItemProperty | Management | |
| Get-Process | Management | |
| Stop-Process | Management | |
| Get-PSDrive | Management | |
| Get-WmiObject | Management | |
| Get-HotFix | Management | |
| Invoke-WmiMethod | Management | Quick & dirty implementation |
| Remove-Item | Management | |
| Get-ComputerInfo | Management | Few fields still need to be added to mimic systeminfo.exe |
| Get-NetIPAddress | NetTCPIP | |
| Get-NetRoute | NetTCPIP | |
| Test-NetConnection | NetTCPIP | |
| Get-NetNeighbor | NetTCPIP | No support for IPv6 yet |
| Get-SmbMapping | SmbShare | |
| Format-List | Utility | |
| Format-Table | Utility | |
| Invoke-WebRequest | Utility | |
| Measure-Object | Utility | |
| Select-Object | Utility |
Various NoPowerShell cmdlets and NoPowerShell DLL include code created by other developers.
| Who | Website | Notes |
|---|---|---|
| Contributors of pinvoke.net | https://www.pinvoke.net/ | Various cmdlets use snippets from pinvoke |
| Michael Conrad | https://github.com/MichaCo/ | Parts of the Resolve-Dns cmdlet are based on the code of the DnsClient.Net project |
| Rex Logan | https://stackoverflow.com/a/1148861 | Most code of the Get-NetNeighbor cmdlet originates from his StackOverflow post |
| PowerShell developers | https://github.com/PowerShell/ | Code of NoPowerShell DLL is largely based on the code handling the console input of PowerShell |
Authored by Arris Huijgen (@bitsadmin - https://github.com/bitsadmin/)
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent