This note was created when I was not very familiar with the Windows environment. I didn't know how to restart the machine from the command line, copy files, or import PowerShell scripts, etc.
Basic PowerShell
Enter powershell with Execution Policy Bypass
powershell -ep bypass
Or, if you already inside powershell session, you can set Execution Policy with this command:
Set-ExecutionPolicy Bypass -Scope CurrentUser
Load powershell script function into memory with dot sourcing:
. .\PowerView.ps1
Import module to powershell:
import-module .\Powerspolit.psd1
Check All Available Powershell Command
Get-Command-Name "*Invoke*"Get-Command
Get-Command
Copy & Move
How to copy file:
How to copy directory:
Explanation:
/E – Copies all subdirectories, including empty ones.
/I – If the destination does not exist and copying more than one file, this option assumes that the destination must be a directory.
/Y – Suppresses prompting to confirm you want to overwrite an existing destination file.
How to Move File or Directory
Rename
Sometimes, after found service run as SYSTEM user and writable by low user, you can drop payload to the directory and rename the payload to match the service name.
Download
certutil.exe
powershell.exe: Invoke-WebRequest
Download and Execute
powershell.exe: Invoke-Expression
Or, from cmd.exe to powershell.exe
Or, use start /B to run the command in background.
