Many more examples are in the CHEATSHEET at https://t.co/Bngi8ZEVFC or use the Get-Help/man command followed by the cmdlet, e.g. man iwr. Regularly new cmdlets are added in NoPowerShell's DEV branch so keep an eye there to get the latest and greatest! 🔥 https://t.co/1jlgmhJ4Ks

🔎 Inspecting ACLs and file hashes using the Get-Acl and Get-FileHash cmdlets.

📡 To accomplish persistence, creating a shortcut in the Startup folder using the (unofficial) New-Shortcut cmdlet.

🛜 Checking IP configuration and testing routing using Get-NetIPAddress and Test-NetConnection. 🔐 Checking TLS certificate chain details using Invoke-WebRequest.

🗄️ Running queries on Microsoft SQL Server using the Invoke-Sqlcmd cmdlet.

💻 User/session reconnaissance, on both the local as well as remote machines using the Get-LocalUser and Get-WinStation (unofficial) cmdlet. 📄 Hunting for authentication details of a specific user in the DC Security event log using Get-WinEvent.

Because the last release of #NoPowerShell was 2 years ago and to celebrate the repo has 999 stars, I just merged DEV ➡️ MASTER and published Release 1.50 containing over 60 offensive cmdlets! 🥳 https://t.co/dBOcwRPgSw See examples of some of the cmdlets below 👇

[Research] Starting Chrome Exploitation with Type Confusion 101 ^-^☆ Part 1.(EN) https://t.co/ohHvknIIr1 Ever wondered how Chrome's V8 engine actually runs JavaScript, and how those internals can lead to security issues like Type Confusion? In this post, I break down the V8

🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability It allows compromising any user in AD, it works with the default config, and.. Microsoft currently won't fix it 🤷‍♂️ Read Here - https://t.co/c969sNjQH0

What if you skipped VirtualAlloc, skipped WriteProcessMemory and still got code execution? We explored process injection using nothing but thread context. Full write-up + PoCs: https://t.co/Sa1oUSYyqU

Blogpost from my colleague about what’s still possible with recently published COM/DCOM toolings, Cross Session Activation and Kerberos relaying 🔥 https://t.co/ggXWsw9ZE8

ProxyBlob is alive ! We’ve open-sourced our stealthy reverse SOCKS proxy over Azure Blob Storage that can help you operate in restricted environments 🔒 🌐 https://t.co/KO4AYUDTmb Blog post for more details right below ⬇️

Cool, novel, lateral movement technique by @william_knows by dropping a .dll file on a remote host obtaining code execution! 💡

I just published a blog post where I try to explain and demystify Kerberos relay attacks. I hope it’s a good and comprehensive starting point for anyone looking to learn more about this topic. ➡️ https://t.co/OztMeuoU5L

The S is for Security. How to use WinRMS as a solid NTLM relay target, and why it’s less secure than WinRM over HTTP. By @Defte_ Writeup: https://t.co/NpKZCmPgdY PR to impacket: https://t.co/Fr8S5HoCbd Demo:

We’re glad to announce we released Soxy!🚀 A Rust-powered suite of services for Citrix, VMware Horizon & Windows RDP. Red teams & pentesters can use it to pivot for deeper access. Get the tool and more details: 🔗

Your laptop was stolen. It’s running Windows 11, fully up-to-date, device encryption (BitLocker) and Secure Boot enabled. Your data is safe, right? Think again! This software-only attack grabs your encryption key. Following up on our #38C3 talk:

How to bypass BitLocker encryption on Windows 11

Just released SCCMHound! A BloodHound collector for SCCM. SCCMHound allows both attackers and defenders to construct BloodHound datasets using the vast amount of information that is stored/retrievable through SCCM. Feel free to take it for a spin! https://t.co/3J1IjEfDmO

A new fun way to set shadow credentials https://t.co/RvkQRa9aNV