Powershell
Powershell Downgrade Attack
Logging in PowerShell versions later than 2.0 is extensive. To limit this logging, switch the engine to version 2.0:
powershell.exe -Version 2.0 -NoLogo -NoProfile
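The downgrade is not silent: every engine start, including a v2.0 one, writes an Engine Lifecycle event (ID 400) to the classic "Windows PowerShell" log with the EngineVersion and the launching command line. The following is an added example (not from the original page) that pulls those v2.0 engine starts out of the log and reports whether the v2 optional feature is still enabled on the host; the feature names are the ones Windows uses for the v2 engine, and the query assumes the classic log has not been cleared.

```powershell
# Added example, not from the original page.
# 1) Engine starts that used the v2.0 engine. Event ID 400 is written for every
#    engine start, even though v2 skips script block and module logging.
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    ForEach-Object {
        # HostApplication carries the command line that launched the engine
        $hostApp = if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{
            Time            = $_.TimeCreated
            HostApplication = $hostApp
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize

# 2) Is the v2 engine even available on this host? (needs an elevated prompt)
#    Disabling MicrosoftWindowsPowerShellV2Root removes the downgrade path entirely.
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root, MicrosoftWindowsPowerShellV2 |
    Select-Object FeatureName, State
```

If the first query returns rows whose HostApplication contains "-Version 2.0" while the second shows the feature enabled, the host both allows the downgrade and has recorded someone using it.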
Resources
https://learnxinyminutes.com/docs/powershell/
Basic Enumeration
Hotfixes
Get-HotFix | Format-List
Get-Hotfix -Id KB4023834
Get-Hotfix | measure
Creating Objects From Previous cmdlets
Get-ChildItem | Select-Object -Property Mode, Name
You can also use the following Select-Object parameters to pick particular objects from the output:
-First x
- returns the first x objects
-Last x
- returns the last x objects
-Unique
- returns only the distinct objects
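The three parameters above, applied to Get-ChildItem output, as an added example that is not part of the original page. It runs against $env:SystemRoot only so that there is a populated directory to work on; any path works.

```powershell
# Added example, not from the original page.
$dir = $env:SystemRoot   # any directory with a few files will do

# -First x: the five largest files (sort first, then take the head of the list)
Get-ChildItem -Path $dir -File |
    Sort-Object Length -Descending |
    Select-Object -First 5 -Property Name, Length

# -Last x: the five most recently modified files (ascending sort, then take the tail)
Get-ChildItem -Path $dir -File |
    Sort-Object LastWriteTime |
    Select-Object -Last 5 -Property Name, LastWriteTime

# -Unique: one row per distinct file extension present in the directory
Get-ChildItem -Path $dir -File |
    Select-Object -Property Extension -Unique |
    Sort-Object Extension
```

Note that -First and -Last only make sense after a Sort-Object; without it they just return whichever objects the provider happened to emit first or last.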
Checking the Stopped Processes
Get-Service | Where-Object -Property Status -eq Stopped
Sort Object
Get-ChildItem | Sort-Object
Find File Recursive
Get-ChildItem -Path C:\ -Recurse -Force -ErrorAction SilentlyContinue | findstr /i "interesting-file.txt"
Get-ChildItem -Path C:\ -Include *.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
Get-FileHash -Algorithm MD5 .\interesting-file.txt
See all Cmdlets Installed
Get-Command | Where-Object -Property CommandType -eq Cmdlet | measure
Users
net users
Get-LocalUser
See what user a SID belongs to
Get-LocalUser -SID "S-1-5-21-1394777289-3961777894-1791813945-501"
get-localuser * | select * # find the property you want here, then filter on it in the next command
get-localuser * | select * | findstr /i "Passwordrequired"
Groups
IP Address Information / TCP/UDP Connections
Get-NetIPAddress
Get-NetTCPConnection
Get-NetTCPConnection | Where-Object -Property State -Match Listen
Get-NetUDPEndpoint
View all listening TCP ports
Get-NetTCPConnection | Select LocalAddress, LocalPort, State | findstr /i "Listen"
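A listening port is only interesting together with the process behind it. The following is an added example (not from the original page) that joins each TCP listener to its owning process; OwningProcess is the PID that Get-NetTCPConnection reports, and the name and path are looked up with Get-Process because the connection object does not carry them. Path is empty for processes the current user cannot open.

```powershell
# Added example, not from the original page.
Get-NetTCPConnection -State Listen |
    ForEach-Object {
        # the PID may already be gone or protected; do not let that abort the listing
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<exited or access denied>' }
            Path         = if ($proc) { $proc.Path } else { '' }
        }
    } |
    Sort-Object LocalPort, LocalAddress |
    Format-Table -AutoSize
```

Run it elevated to get paths for services running as SYSTEM; a listener whose Path is under a user profile or a temp directory is the row to look at first.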
Base64 Powershell Decode
certutil -decode "C:\Users\Administrator\Desktop\b64.txt" decode.txt
Get-Content decode.txt
Find backup Files
Get-ChildItem -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue
Find specific string inside a file
Get-ChildItem C:\* -Recurse -File -ErrorAction SilentlyContinue | Select-String -Pattern API_KEY
Services and Processes
Get-Service
Get-Process
Scheduled Tasks
Get-ScheduledTask -TaskName new-sched-task
Get-ScheduledTask
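Get-ScheduledTask on its own shows names and states but not what a task runs or as whom, which is the information a persistence or privilege review needs. The following is an added example (not from the original page) that flattens each task into one row per action with the run-as account, run level, command and last/next run time. The filter on \Microsoft\ is an assumption to cut noise from built-in tasks; remove it to see everything.

```powershell
# Added example, not from the original page.
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
    ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo   # last/next run times live on a separate object
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task     = $task.TaskPath + $task.TaskName
                RunAs    = $task.Principal.UserId
                RunLevel = $task.Principal.RunLevel   # Highest = runs elevated
                Execute  = $action.Execute           # empty for COM-handler actions
                Args     = $action.Arguments
                LastRun  = $info.LastRunTime
                NextRun  = $info.NextRunTime
            }
        }
    } |
    Format-Table -AutoSize
```

Tasks with RunLevel Highest or RunAs SYSTEM whose Execute points at a user-writable location are the ones worth checking the file ACL on.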
See Owner and Access
Scanners
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("127.0.0.1",$_)) "Port $_ is open!"} 2>$null
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.0.0.100",$_)) "Port $_ is open!"} 2>$null
Test-NetConnection: scan a range of IPs for a single port:
foreach ($ip in 1..20) {Test-NetConnection -Port 80 -InformationLevel "Detailed" 192.168.1.$ip}
PS IP range & port range scanner:
1..20 | % { $a = $_; 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.0.0.$a",$_)) "Port $_ is open!"} 2>$null}
PS test egress filtering:
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("allports.exposed",$_)) "Port $_ is open!"} 2>$null