https://www.infosecmatter.com/powershell-commands-for-pentesters/
This article contains a list of PowerShell commands collected from various corners of the Internet which could be helpful during penetration tests or red team exercises.
The list includes various post-exploitation one-liners in pure PowerShell without requiring any offensive (= potentially flagged as malicious) 3rd party modules, but also a bunch of handy administrative commands.
Let’s get to it!
The following PowerShell commands can be handy during the post-exploitation phase for locating files on disk that may contain credentials, configuration details and other sensitive information.
With this command we can identify files with potentially sensitive data such as account information, credentials, configuration files etc. based on their filename:
# Recursive, name-based search; -EA SilentlyContinue suppresses access-denied noise
gci c:\ -Include *pass*.txt,*pass*.xml,*pass*.ini,*pass*.xlsx,*cred*,*vnc*,*.config*,*accounts* -File -Recurse -EA SilentlyContinue
Although this can produce a lot of noise, it can also yield some very interesting results.
It is recommended to run this for every disk drive, but you can also run it on just the C:\Users folder for some quick wins.
This command will look for remnants from automated installation and auto-configuration, which could potentially contain plaintext passwords or base64 encoded passwords:
# Leftover answer files from unattended installs (Sysprep / Windows Setup)
gci c:\ -Include *sysprep.inf,*sysprep.xml,*sysprep.txt,*unattended.xml,*unattend.xml,*unattend.txt -File -Recurse -EA SilentlyContinue
This is one of the well-known privilege escalation techniques, as the password stored in these files is typically the local administrator password.
It is recommended to run this for every disk drive.
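The two searches above are also what a defender should run on a build image or fleet before an attacker does. The script below is an added example, not from the article: it combines both file-name searches into one audit, and for each unattend/sysprep remnant it reports only whether a Password element is still present (never the value), so the output can be handed to the owning team for cleanup. The parameter names, the CSV path and the Test-UnattendHasPassword helper are my own; it assumes PowerShell 5.1 or later and read access to the roots being scanned.

```powershell
# Added defensive audit (not from the article): find leftover unattend/sysprep files
# and files whose names suggest stored credentials, and report them without printing
# any secret values. Assumes PowerShell 5.1+ and read access to the scanned roots.

param(
    [string[]]$Roots  = @('C:\'),                                   # drives/folders to audit
    [string]$Report   = (Join-Path $env:TEMP 'credential-file-audit.csv')
)

# Same name patterns the article uses for its two gci searches
$namePatterns     = '*pass*.txt','*pass*.xml','*pass*.ini','*pass*.xlsx','*cred*','*vnc*','*.config*','*accounts*'
$unattendPatterns = '*sysprep.inf','*sysprep.xml','*sysprep.txt','*unattended.xml','*unattend.xml','*unattend.txt'

# Does an unattend/sysprep file still carry a Password element? Returns a verdict, not the value.
function Test-UnattendHasPassword {
    param([string]$Path)
    try {
        [xml]$doc = Get-Content -Path $Path -Raw -ErrorAction Stop
    } catch {
        # Not well-formed XML (e.g. sysprep.inf): fall back to a case-insensitive text match
        return [bool](Select-String -Path $Path -Pattern 'password' -Quiet -ErrorAction SilentlyContinue)
    }
    # Namespace-agnostic match so both unattend.xml and sysprep.xml variants are covered
    $nodes = $doc.SelectNodes('//*[local-name()="Password"]')
    return ($null -ne $nodes -and $nodes.Count -gt 0)
}

$findings = foreach ($root in $Roots) {
    # Unattended-install remnants: inspect for a Password element and flag for deletion
    Get-ChildItem -Path $root -Include $unattendPatterns -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Category    = 'UnattendRemnant'
                Path        = $_.FullName
                SizeBytes   = $_.Length
                LastWrite   = $_.LastWriteTime
                HasPassword = Test-UnattendHasPassword -Path $_.FullName
                Action      = 'Delete once deployment is confirmed complete'
            }
        }
    # Credential-like file names: name-based hit only, contents are not inspected
    Get-ChildItem -Path $root -Include $namePatterns -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Category    = 'CredentialLikeName'
                Path        = $_.FullName
                SizeBytes   = $_.Length
                LastWrite   = $_.LastWriteTime
                HasPassword = $null
                Action      = 'Confirm with owner; move secrets to a vault or restrict the ACL'
            }
        }
}

# Persist the full list for the owning team and print a per-category summary only
$findings | Sort-Object Category, Path | Export-Csv -Path $Report -NoTypeInformation
$findings | Group-Object Category | Select-Object Name, Count
Write-Host "Report written to $Report"
```

Run it as a script (for example `.\Audit-CredentialFiles.ps1 -Roots 'C:\','D:\'`) from an account that can read the whole drive; the console shows only counts per category, while the CSV carries paths and the HasPassword verdict so remediation can be tracked without ever copying a password into a ticket.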
With this command we can locate files containing a certain pattern; here we are looking for the “password” pattern in various text-based configuration files: