Powershell bypasses the execution

powershell -ep bypass

Enumerate the domain users

Get-NetUser | select cn

Enumerate the domain groups

Get-NetGroup -GroupName *admin*


# ls | dir
  • -Path Specifies a path to one or more locations. Wildcards are accepted.
  • -File / -Directory To get a list of files, use the File parameter. To get a list of directories, use the Directory parameter. You can use the Recurse parameter with File and/or Directory parameters.
  • -Filter Specifies a filter to qualify the Path parameter.
  • -Recurse Gets the items in the specified locations and in all child items of the locations.
  • -Hidden To get only hidden items, use the Hidden parameter.
  • -ErrorAction SilentlyContinue Specifies what action to take if the command encounters an error.

For example, if you want to view all of the hidden files in the current directory you are in, you can issue the following command:

Get-ChildItem -File -Hidden -ErrorAction SilentlyContinue

Another useful cmdlet is Get-Content. This will allow you to read the contents of a file. You can run this command as follows:

Get-Content -Path file.txt

Measure-Object in PowerShell is used to measure the property of the command. There are various measurement parameters are available.

To change directories


Search a particular file for a pattern


When you stucked


Search for the lines

(Get-Content -Path .\[file_name])[line_number] 

search for the words

Select-String -Path '2.txt' -Pattern 'Redryder' -AllMatches
Get-Content -Path .\[file_name] | Select-String -Pattern 'my_word'

hash of a file

Get-FileHash -Algorithm MD5 file.txt

view ADS using

Get-Item -Path file.exe -Stream *

run to launch the hidden executable hiding within ADS

wmic process call create $(Resolve-Path file.exe:streamname)

cmd History

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

PowerShell History

type $Env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Users credentials

cmdkey /list

Password login

runas /savecred /user:admin cmd.exe

Password Files

  • C:\inetpub\wwwroot\web.config
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

proxy credentials - ProxyPassword

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s