• Home
  • SecureDNS
  • WiFi\Router
  • AV
  • Patch
  • Links
  • FAQ
  • Zero Trust
  • Blue TeaM
  • More
    • Home
    • SecureDNS
    • WiFi\Router
    • AV
    • Patch
    • Links
    • FAQ
    • Zero Trust
    • Blue TeaM
  • Home
  • SecureDNS
  • WiFi\Router
  • AV
  • Patch
  • Links
  • FAQ
  • Zero Trust
  • Blue TeaM

List of commands in powershell and command prompt that should be looked at, obviously test, etc.

First, enable powershell and script logging:

https://logrhythm.com/blog/powershell-command-line-logging/


%.invoke%

%add-exfiltration%

%add-persistence%

%add-scrnsavebackdoor%

%add-type%

%base32%

%base64%

%base64tostring%

%bypass%

%check-vm%

%copy-vss%

%create-multiplesessions%

%disable-windowsoptionalfeature%

%discover-psinterestingservices%

%discover-psmsexchangeservers%

%discover-psmssqlservers%

%dllinjection%

%do-exfiltration%

%download-execute-ps%

%downloadfile%

%downloadstring%

%enable-duplicatetoken%

%enable-psremoting%

%-enc%

%encodedcommand%

%enter-pssession%

%execute-command-mssql%

%execute-dnstxt-code%

%execute-ontime%

%expand-archive%

%find-avsignature%

%find-psserviceaccounts%

%get-applicationhost%

%get-clipboardcontents%

%get-gpppassword%

%get-information%

%get-kerberospolicy%

%get-keystrokes%

%get-lsasecret%

%get-module%

%get-passhashes%

%getprocaddress%

%get-procaddress%

%get-psadforestinfo%

%get-psadforestkrbtgtinfo%

%get-regalwaysinstallelevated%

%get-regautologon%

%get-serviceexeperms%

%get-serviceperms%

%get-serviceunquoted%

%get-timedscreenshot%

%get-unattendedinstallfiles%

%get-vaultcredential%

%get-webconfig%

%get-wmiobject%

%gupt-backdoor%

%http-backdoor%

%icm%

%iex%

%install-module%

%invoke-adsbackdoor%

%invoke-allchecks%

%invoke-bruteforce%

%invoke-callbackiex%

%invoke-command%

%invoke-cradlecrafter%

%invoke-createcertificate%

%invoke-credentialinjection%

%invoke-credentialsphish%

%invoke-decode%

%invoke-dllencode%

%invoke-encode%

%invoke-expression%

%invoke-filefinder%

%invoke-finddllhijack%

%invoke-findpathhijack%

%invoke-masscommand%

%invoke-massmimikatz%

%invoke-masssearch%

%invoke-masstemplate%

%invoke-masstokens%

%invoke-mimikatzwdigestdowngrade%

%invoke-module%

%invoke-networkrelay%

%invoke-ninjacopy%

%invoke-obfuscation%

%invoke-poshrathttp%

%invoke-poshrathttps%

%invoke-powershellicmp%

%invoke-powershelltcp%

%invoke-powershelludp%

%invoke-powershellwmi%

%invoke-psgcat%

%invoke-psgcatagent%

%invoke-psinject%

%invoke-rickascii%

%invoke-scriptanalyzer%

%invoke-servicecmd%

%invoke-servicedisable%

%invoke-serviceenable%

%invoke-servicestart%

%invoke-servicestop%

%invoke-serviceuseradd%

%invoke-sharefinder%

%invoke-shellcode%

%invoke--shellcode%

%invoke-shellcodemsil%

%invoke-tokenmanipulation%

%invoke-webrequest%

%invoke-wmimethod%

%invoke-wmiplant%

%mimikatz%

%net.webclient%

%new-elevatedpersistenceoption%

%new-object%

%-nop%

%out-chm%

%out-excel%

%out-hta%

%out-java%

%out-minidump%

%out-shortcut%

%out-word%

%payload%

%port-scan%

%powercat%

%powershellempire%

%powersploit%

%reflectivepeinjection%

%remove-eventlog%

%remove-persistence%

%remove-poshrat%

%remove-update%

%rename-item%

%restore-serviceexe%

%root%

%run-exeonremote%

%set-clipboard%

%set-content%

%set-executionpolicy%

%set-item%

%set-itemproperty%

%set-location%

%set-masterbootrecord%

%set-mppreference%

%set-service%

%set-timezone%

%stringtobase64%

%system.management%

%system.reflection%

%texttoexe%

%wmi%

%wmiclass%

%write-cmdservicebinary%

%write-eventlog%

%writeline%

%write-serviceexe%

%write-serviceexecmd%

%write-useraddmsi%

%write-useraddservicebinary%

%wsman%

%net group "domain controllers"%

.invoke

add-exfiltration

add-persistence

add-scrnsavebackdoor

add-type

base32

base64

base64tostring

bypass

certutil

check-vm

copy

copy-vss

create-multiplesessions

createobject

disable-windowsoptionalfeature

discover-psinterestingservices

discover-psmsexchangeservers

discover-psmssqlservers

dllinjection

dns_txt

dns_txt_pwnage

dnscmd

do-exfiltration

download_execute

download-execute-ps

downloadfile

downloadstring

enable-duplicatetoken

enable-psremoting

-enc

encodedcommand

enter-pssession

-ep

execute-command-mssql

execute-dnstxt-code

execute-ontime

expand-archive

find-avsignature

find-psserviceaccounts

get-accepteddomain

get-adgroupmember

get-adreplaccount

get-aduser

get-applicationhost

get-casmailbox

get-clipboardcontents

get-gpppassword

get-information

get-kerberospolicy

get-keystrokes

get-lsasecret

get-mailbox

get-managementroleassignment

get-module

get-organizationconfig

get-owavirtualdirectory

get-passhashes

getprocaddress

get-procaddress

get-process

get-psadforestinfo

get-psadforestkrbtgtinfo

get-regalwaysinstallelevated

get-regautologon

get-serviceexeperms

get-serviceperms

get-serviceunquoted

get-timedscreenshot

get-unattendedinstallfiles

get-vaultcredential

get-webconfig

get-webservicesvirtualdirectory

get-wmiobject

git

gupt-backdoor

http-backdoor

icm

iex

install-module

invoke-adsbackdoor

invoke-allchecks

invoke-bruteforce

invoke-callbackiex

invoke-command

invoke-cradlecrafter

invoke-createcertificate

invoke-credentialinjection

invoke-credentialsphish

invoke-decode

invoke-dllencode

invoke-encode

invoke-expression

invoke-filefinder

invoke-finddllhijack

invoke-findpathhijack

invoke-masscommand

invoke-massmimikatz

invoke-masssearch

invoke-masstemplate

invoke-masstokens

invoke-mimikatzwdigestdowngrade

invoke-module

invoke-networkrelay

invoke-ninjacopy

invoke-obfuscation

invoke-poshrathttp

invoke-poshrathttps

invoke-powershellicmp

invoke-powershelltcp

invoke-powershelludp

invoke-powershellwmi

invoke-psgcat

invoke-psgcatagent

invoke-psinject

invoke-rickascii

invoke-scriptanalyzer

invoke-servicecmd

invoke-servicedisable

invoke-serviceenable

invoke-servicestart

invoke-servicestop

invoke-serviceuseradd

invoke-sharefinder

invoke-shellcode

invoke--shellcode

invoke-shellcodemsil

invoke-tokenmanipulation

invoke-webrequest

invoke-wmimethod

invoke-wmiplant

ldifde

makecab

mimikatz

net

net group

net.webclient

netsh

new-elevatedpersistenceoption

new-mailboxexportrequest

new-object

nltest

-nop

ntdsutil

out-chm

out-excel

out-hta

out-java

out-minidump

out-shortcut

out-word

parse_keys

payload

port-scan

powercat

powershell

powershellempire

powersploit

rclone

reflectivepeinjection

remove-eventlog

remove-mailboxexportrequest

remove-persistence

remove-poshrat

remove-update

rename-item

req

restore-serviceexe

robocopy

root

run-exeonremote

set-casmailbox

set-clipboard

set-content

set-executionpolicy

set-item

set-itemproperty

set-location

set-masterbootrecord

set-mppreference

set-service

set-timezone

stringtobase64

system.management

system.reflection

systeminfo

tasklist

texttoexe

wevtutil

wmi

wmic

wmiclass

write-cmdservicebinary

write-eventlog

writeline

write-serviceexe

write-serviceexecmd

write-useraddmsi

write-useraddservicebinary

wsman

xcopy

Copyright © 2019 SKRZ Security - All Rights Reserved.