Merge remote-tracking branch 'upstream/master'

tekwizz123 2014-01-24 14:03:00 +00:00
commit 5f0f78cba8
11 changed files with 586 additions and 29 deletions

@ -1,3 +1,10 @@
# Meterpreter # Meterpreter
Just the commands built in to meterpreter, post modules and railgun are in their own sections. Commands for the various flavors of meterpreter.
* [Windows](meterpreter_files/windows_meterpreter.md) - Windows Meterpreter
* [Linux](meterpreter_files/linux_meterpreter.md) - Linux Meterpreter
* [Java](meterpreter_files/java_meterpreter.md) - Java Meterpreter
* [PHP](meterpreter_files/php_meterpreter.md) - PHP Meterpreter
* [Python](meterpreter_files/python_meterpreter.md) - Python Meterpreter
* [Android](meterpreter_files/android_meterpreter.md) - Android Meterpreter
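Review bot: the rewritten intro drops the pointer the old text carried, that post modules and railgun are documented in their own sections; keep that sentence after the new flavor list so readers still know those are not covered by these six files. Also check that the six paths linked under `meterpreter_files/` match the names of the six command files this commit adds, since the README is the only place in the change that names them.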

@ -0,0 +1,83 @@
Core Commands
----------------------
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel
Stdapi: File system Commands
----------------------
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
----------------------
Command Description
------- -----------
ifconfig Display interfaces
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
----------------------
Command Description
------- -----------
execute Execute a command
getuid Get the user that the server is running as
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote system, such as OS
Stdapi: Webcam Commands
----------------------
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
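Review bot: nothing in this file says which meterpreter flavor the listing belongs to or which Metasploit version the `help` output was captured from; the README links each file by platform and extension command sets change between releases, so add a top-level heading naming the flavor and a line with the version. The same applies to the other five new command files in this commit. Formatting: the output is pasted raw, and in Markdown a line such as `------- -----------` is likely to render as a horizontal rule while the command lines that follow collapse into one paragraph; wrap each section in a fenced code block or convert it to a Markdown table so the `Command` / `Description` columns survive rendering.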

@ -0,0 +1,88 @@
Core Commands
----------------------
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel
Stdapi: File system Commands
----------------------
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
----------------------
Command Description
------- -----------
ifconfig Display interfaces
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
----------------------
Command Description
------- -----------
execute Execute a command
getuid Get the user that the server is running as
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
----------------------
Command Description
------- -----------
screenshot Grab a screenshot of the interactive desktop
Stdapi: Webcam Commands
----------------------
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds

@ -0,0 +1,79 @@
Core Commands
----------------------
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel
Stdapi: File system Commands
----------------------
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
upload Upload a file or directory
Stdapi: Networking Commands
----------------------
Command Description
------- -----------
arp Display the host ARP cache
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connections
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
----------------------
Command Description
------- -----------
execute Execute a command
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS

@ -0,0 +1,71 @@
Core Commands
----------------------
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel
Stdapi: File system Commands
----------------------
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
----------------------
Command Description
------- -----------
portfwd Forward a local port to a remote service
Stdapi: System Commands
----------------------
Command Description
------- -----------
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote system, such as OS

@ -0,0 +1,72 @@
Core Commands
----------------------
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel
Stdapi: File system Commands
----------------------
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
----------------------
Command Description
------- -----------
portfwd Forward a local port to a remote service
Stdapi: System Commands
----------------------
Command Description
------- -----------
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getuid Get the user that the server is running as
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote system, such as OS

@ -0,0 +1,140 @@
Core Commands
----------------------
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel
Stdapi: File system Commands
----------------------
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
----------------------
Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connections
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
----------------------
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
----------------------
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
Stdapi: Webcam Commands
----------------------
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Priv: Elevate Commands
----------------------
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.
Priv: Password database Commands
----------------------
Command Description
------- -----------
hashdump Dumps the contents of the SAM database
Priv: Timestomp Commands
----------------------
Command Description
------- -----------
timestomp Manipulate file MACE attributes
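Review bot: the three `Priv:` sections (`getsystem`, `hashdump`, `timestomp`) come from the `priv` extension rather than from stdapi, which is why they appear in this listing and not in the other five; add a line stating which extensions were loaded when the output was captured (Core lists `load` for exactly that), otherwise a reader will assume the other flavors simply lack these commands rather than that the extension was not loaded.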

@ -13,21 +13,21 @@ return false;
Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the `cmd.exe` or `command.exe` prompt. Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the `cmd.exe` or `command.exe` prompt.
### Remote Assistance Enable
* **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f`
* **Description**: **Must be admin to run this.** Enable remote assistance through adding a registry entry on the local system.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.</code></div>
### Enable `psexec` ### Remote Desktop Enable - Method 1
The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below. * **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f`
* **Description**: **Must be admin to run this.** Enable remote desktop through adding a registry entry on the local system.
<pre> * **Output**:
c:\> net use \\[TargetIP]\ipc$ username /user:password * <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
c:\> sc \\[TargetIP] config netdde start= auto The operation completed successfully.</code></div>
c:\> sc \\[TargetIP] config netddedsdm start= auto
c:\> sc \\[TargetIP] config clipsrv start= auto
c:\> sc \\[TargetIP] start netdde
c:\> sc \\[TargetIP] start netddedsdm
c:\> sc \\[TargetIP] start clipsrv
</pre>
### Enable Remote Desktop ### Remote Desktop Enable - Method 2
Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 53)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely enable remote desktop using the commands below. Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 53)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely enable remote desktop using the commands below.
1. On the compromised system, create a file named `fix_ts_policy.ini` containing the contents below. Change the *"hacked_account"* value to the account you have compromised on the remote system. 1. On the compromised system, create a file named `fix_ts_policy.ini` containing the contents below. Change the *"hacked_account"* value to the account you have compromised on the remote system.
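Review bot: in the `Remote Assistance Enable` entry the command sets `fAllowToGetHelp` to 1, but the Output block beneath it shows `reg add ... /v fDenyTSConnections /t REG_DWORD /d 0 /f`, which is the Remote Desktop command from the next entry; capture the output of the command actually listed or drop the block. Also both `reg add` entries use curly quotes (`“ ... ”`) around the key path in the `Command with arguments` line while their Output blocks use straight quotes; `cmd.exe` does not treat curly quotes as delimiters, so the path containing the space in `Terminal Server` only parses with the straight-quoted form shown in the Output blocks.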

@ -71,19 +71,19 @@ Commands that move data and files between systems on a network and are usually e
* **Output**: * **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>qwinsta<br> SESSIONNAME USERNAME ID STATE TYPE DEVICE<br> services 0 Disc<br>>console johndoe 1 Active<br> rdp-tcp 65536 Listen</code></div> * <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>qwinsta<br> SESSIONNAME USERNAME ID STATE TYPE DEVICE<br> services 0 Disc<br>>console johndoe 1 Active<br> rdp-tcp 65536 Listen</code></div>
### Remote Assistance Enable ### psexec
* **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f` * **Command with arguments**: `psexec \\[computername|IP] [cmd]`
* **Description**: **Must be admin to run this.** Enable remote assistance through adding a registry entry on the local system. * **Description**: The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below.
* **Output**: <pre>
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f c:\> net use \\[computername|IP]\ipc$ username /user:password
The operation completed successfully.</code></div> c:\> sc \\[computername|IP] config netdde start= auto
c:\> sc \\[computername|IP] config netddedsdm start= auto
### Remote Desktop Enable c:\> sc \\[computername|IP] config clipsrv start= auto
* **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f` c:\> sc \\[computername|IP] start netdde
* **Description**: **Must be admin to run this.** Enable remote desktop through adding a registry entry on the local system. c:\> sc \\[computername|IP] start netddedsdm
* **Output**: c:\> sc \\[computername|IP] start clipsrv
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f </pre>
The operation completed successfully.</code></div> * **Example Command**: `psexec \\1.1.1.1 ipconfig /all` would retrieve the IP settings for the 1.1.1.1 system.
### tasklist ### tasklist
* **Command with arguments**: `tasklist /v /s [computername|IP]` * **Command with arguments**: `tasklist /v /s [computername|IP]`
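Review bot: the `<pre>` block of `net use` / `sc` commands sits between the `* **Description**` and `* **Example Command**` bullets without indentation, which ends the first list and starts a second, so this entry will not render as one item like the others in the file; indent the block under the bullet, or put it under an `* **Output**:` bullet with the Show/Hide `div` used by the neighbouring entries. Also the `net use \\[computername|IP]\ipc$ username /user:password` line orders the arguments differently from the `net use \\[computername|IP] /user:DOMAIN\username password` form used in the `at` section of the privilege escalation file in this same commit; make the two consistent.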

@ -18,7 +18,13 @@ Commands that find files on the filesystem and are usually executed from the con
* **Command with arguments**: `dir /a` * **Command with arguments**: `dir /a`
* **Description**: Displays files with specified attributes. Examples: D=Directories, R=Read-only files, H=Hidden files, A=Files ready for archiving, S=System files * **Description**: Displays files with specified attributes. Examples: D=Directories, R=Read-only files, H=Hidden files, A=Files ready for archiving, S=System files
* **Output**: * **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>dir /a c:\<br> Volume in drive C has no label. Volume Serial Number is 1A09-5F16<br><br> Directory of c:\<br><br>01/19/2008 03:45 AM <DIR> $Recycle.Bin<br>09/18/2006 04:43 PM 24 autoexec.bat<br>10/08/2013 10:27 PM <DIR> Boot<br>04/11/2009 08:00 AM 333,257 bootmgr<br>10/08/2013 10:27 PM 8,192 BOOTSECT.BAK<br>09/18/2006 04:43 PM 10 config.sys<br>01/19/2008 06:47 AM <JUNCTION> Documents and Settings [C:\Users]<br>10/23/2013 07:39 PM 2,460,454,912 pagefile.sys<br>01/19/2008 04:40 AM <DIR> PerfLogs<br>10/08/2013 06:36 PM <DIR> Program Files<br>10/08/2013 06:36 PM <DIR> <br>10/10/2013 07:59 PM <DIR> Users<br>10/23/2013 07:38 PM <DIR> Windows<br> 5 File(s) 2,460,796,395 bytes<br> 10 Dir(s) 33,311,416,320 bytes free</code></div> * <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>dir /a c:\<br> Volume in drive C has no label. Volume Serial Number is 1A09-5F16<br><br> Directory of c:\<br><br>01/19/2008 03:45 AM <DIR> $Recycle.Bin<br>09/18/2006 04:43 PM 24 autoexec.bat<br>10/08/2013 10:27 PM <DIR> Boot<br>04/11/2009 08:00 AM 333,257 bootmgr<br>10/08/2013 10:27 PM 8,192 BOOTSECT.BAK<br>09/18/2006 04:43 PM 10 config.sys<br>01/19/2008 06:47 AM <JUNCTION> Documents and Settings [C:\Users]<br>10/23/2013 07:39 PM 2,460,454,912 pagefile.sys<br>01/19/2008 04:40 AM <DIR> PerfLogs<br>10/08/2013 06:36 PM <DIR> Program Files<br>10/08/2013 06:36 PM <DIR> <br>10/10/2013 07:59 PM <DIR> Users<br>10/23/2013 07:38 PM <DIR> Windows<br> 5 File(s) 2,460,796,395 bytes<br> 10 Dir(s) 33,311,416,320 bytes free</code></div>
### Searching Sub-directories
* **Command with arguments**: `dir /s *[term]*`
* **Description**: Searches for the word entered in the [term] section in all sub-directories ofthe current directory.
* **Example Terms**: `pass`, `cred`, `vnc`, `.config`, `sysprep.*`
* **Attribution**: http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607
### Recursive ### Recursive
* **Command with arguments**: `dir /b /s [directory or filename]` * **Command with arguments**: `dir /b /s [directory or filename]`
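Review bot: typo in the new `Searching Sub-directories` entry: `ofthe` should be `of the`. The description also says it searches for "the word entered", but `dir /s *[term]*` matches file and directory names that contain the term, not file contents; say "names" explicitly so the `Example Terms` are read correctly. Style: the `Attribution` bullet is a bare URL, while the rest of this file uses `[text](url)` links; use a titled link for consistency.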

@ -2,4 +2,15 @@
Command that can be executed from the context of a shell prompt that help escalate or increase attacker privilege of the target. Command that can be executed from the context of a shell prompt that help escalate or increase attacker privilege of the target.
* [UAC](uac.md) - How to bypass UAC. * [UAC](uac.md) - How to bypass UAC.
# General Commands
### at (Scheduler)
* **Command with arguments**: `at [TIME] [cmd]`
* **Description**: This command can be used locally to escalate privilege to SYSTEM or be used across a network to execute commands on another system.
* **Examples**:
* Locally - `at 13:20 /interactive cmd`
* Remotely - From http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607
* `net use \\[computername|IP] /user:DOMAIN\username password`
* `net time \\[computername|IP]`
* `at \\[computername|IP] 13:20 c:\temp\evil.bat`
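Review bot: `# General Commands` is a level-1 heading directly above a `###` entry, skipping level 2; check that H1 is the intended level for a section inside this file. The description should state which Windows versions the local `at 13:20 /interactive cmd` example applies to: `at` is deprecated on current Windows, and on Vista and later the console a scheduled task opens runs in Session 0 and is not shown on the logged-on user's desktop, so the example as written describes older systems only. Formatting: the remote example cites its source as inline `From http://...` text inside a bullet, whereas the finding-files file in this commit uses an `* **Attribution**:` bullet for the same source; use that convention here.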