powershell-cheatsheet

Powershell

Powershell Downgrade Attack

Logging in Powershell past v2.0 is insane. To limit this logging perform a version switch to 2.0

powershell.exe -Version 2.0 -NoLogo -NoProfile

Verify with

Resources

https://learnxinyminutes.com/docs/powershell/

Basic Enumeration

systeminfo

Hotfixes

Get-HotFix | Format-List
Get-Hotfix -Id KB4023834
Get-Hotfix | measure

Creating Objects From Previous cmdlets

Get-ChildItem | Select-Object -Property Mode, Name

You can also use the following flags to select particular information:
first - gets the first x object
last - gets the last x object
unique - shows the unique objects
skip - skips x objects

Checking the Stopped Processes

Get-Service | Where-Object -Property Status -eq Stopped

Sort Object

Get-ChildItem | Sort-Object

Find File Recursive

Get-Childitem –Path C:\ -Recurse -Force -ErrorAction SilentlyContinue | findstr /i "interesting-file.txt"
Get-ChildItem -Path C:\ -Include *.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

Hash File

Get-FileHash -Algorithm md5 .\interesting-file.txt.txt

Will default to SHA-256

See all Cmdlets Installed

Get-Command | Where-Object -Property CommandType -eq Cmdlet | measure

Users

See users on the sytem

net users
Get-LocalUser

See what user a SID belongs to

Get-LocalUser -SID "S-1-5-21-1394777289-3961777894-1791813945-501"

Pull value from users

get-localuser * | select * #find parameter you want and then pass into second command value
get-localuser * | select * | findstr /i "Passwordrequired"

Groups

See Groups

Get-LocalGroup

IP Address Information / TCP/UDP Connections

Get-NetIPAddress
Get-NetTCPConnections
GEt-NetTCPConnection | Where-Object -Property State -Match Listen
Get-Net-UDPEndpoints

View all TCP ports Listen

Get-NetTCPConnection | Select RemoteAddress, State | findstr /i "Listen"

Base64 Powershell Decode

certutil -decode "C:\Users\Administrator\Desktop\b64.txt" decode.txt
Get-Content decode.txt

Find backup Files

Get-ChildItem -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue

Find specific string inside a file

Get-ChildItem C:\* -Recurse | Select-String -pattern API_KEY

Services and Processes

Get-Service
Get-Process

Scheduled Tasks

Get-ScheduleTask -TaskName new-sched-task
Get-ScheduleTask

See Owner and Access

Get-ACL C:\

Scanners

Localhost port scanner

 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("127.0.0.1",$_)) "Port $_ is open!"} 2>$null

PowerShell port scanner:

1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.0.0.100",$_)) "Port $_ is open!"} 2>$null

Test-Netconnection scan a range of IPs for a single port:

foreach ($ip in 1..20) {Test-NetConnection -Port 80 -InformationLevel "Detailed" 192.168.1.$ip}

PS IP range & port range scanner:

1..20 | % { $a = $_; 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.0.0.$a",$_)) "Port $_ is open!"} 2>$null}

PS test egress filtering:

1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("allports.exposed",$_)) "Port $_ is open!"

PreviousWindows NextWindows Privlage Escalation

Last updated 2 years ago

hashtagPowershell

hashtagPowershell Downgrade Attack

hashtagResources

hashtagBasic Enumeration

hashtagHotfixes

hashtagCreating Objects From Previous cmdlets

hashtagChecking the Stopped Processes

hashtagSort Object

hashtagFind File Recursive

hashtagSee all Cmdlets Installed

hashtagUsers

hashtagGroups

hashtagIP Address Information / TCP/UDP Connections

hashtagBase64 Powershell Decode

hashtagFind backup Files

hashtagFind specific string inside a file

hashtagServices and Processes

hashtagScheduled Tasks

hashtagSee Owner and Access

hashtagScanners

Powershell

Powershell Downgrade Attack

Resources

Basic Enumeration

Hotfixes

Creating Objects From Previous cmdlets

Checking the Stopped Processes

Sort Object

Find File Recursive

See all Cmdlets Installed

Users

Groups

IP Address Information / TCP/UDP Connections

Base64 Powershell Decode

Find backup Files

Find specific string inside a file

Services and Processes

Scheduled Tasks

See Owner and Access

Scanners