NoPowerShell is a tool implemented in C# which supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanisms. This .NET Framework 2 compatible binary can be loaded in Cobalt Strike to execute commands in-memory. No System.Management.Automation.dll is used; only native .NET libraries.

Moreover, this project makes it easy for everyone to extend its functionality using only a few lines of C# code.

Running in Cobalt Strike.

When using NoPowerShell from cmd.exe or PowerShell, you need to escape the pipe character (|) with respectively a caret (^) or a backtick (`), i.e.:

• cmd.exe: ls ^| select Name
• PowerShell: ls `| select Name

1. Copy both NoPowerShell.exe and NoPowerShell.cna to the scripts subfolder of Cobalt Strike
2. Launch Cobalt Strike and load the .cna script in the Script Manager
3. Interact with a beacon and execute commands using the nps command

• Pipeline characters need to surrounded by spaces
• TLS 1.1+ is not supported by .NET Framework 2, so any site enforcing it will result in a connection error

• Fix above issues
• Improve stability by adding exception handling
• Support for parameter groups
• Add support for ArrayArgument parameter
• Add support for .NET code in commandline, i.e.: [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

Add your own cmdlets by submitting a pull request.

• Maintain .NET 2.0 compatibility in order to support the broadest range of operating systems

Use the TemplateCommand.cs file in the Commands folder to construct new cmdlets. The TemplateCommand cmdlet is hidden from the list of available cmdlets, but can be called in order to understand its workings. This command looks as follows: Get-TemplateCommand [-MyFlag] -MyInteger [Int32] -MyString [Value] and is also accessible via alias gtc.

Execute the following steps to implement your own cmdlet:

1. Create a copy of the TemplateCommand.cs file.
   • In case you are implementing a native PowerShell command, place it in folder the corresponding to the Source attribute when executing in PowerShell: Get-Command My-Commandlet. Example of a native command: Get-Command Get-Process -> Source: Microsoft.PowerShell.Management -> Place the .cs file in the Management subfolder.
   • In case it is a non-native command, place it in the Additional folder.
2. Update the TemplateCommand classname and its constructor name.
3. Update the static Aliases variable to the command and aliases you want to use to call this cmdlet. For native PowerShell commands you can lookup the aliases using Get-Alias | ? ResolvedCommandName -EQ My-Commandlet to obtain the list of aliases. Always make sure the full command is the first "alias", for example: Get-Alias | ? ResolvedCommandName -EQ Get-Process -> Aliases are: Get-Process, gps, ps
4. Update the static Synopsis variable to a small text that describes the command. This will be shown in the help.
5. Update the arguments supported by the command by adding StringArguments, BoolArguments and IntegerArguments to the static SupportedArguments variable.
6. In the Execute function:
   1. Fetch the values of the StringArguments, BoolArguments and IntegerArguments as shown in the examples;
   2. Based on the parameters provided by the user, perform your actions;
   3. Make sure all results are stored in the _results variable.
7. Remove all of the template sample code and comments from the file to keep the source tidy.

Authors of additional NoPowerShell cmdlets are added to the table below. Moreover, the table lists commands that are requested by the community to add. Together we can develop a powerful NoPowerShell toolkit!