# RTFM  ## Metadata - Author: [[Ben Clark and Nick Downer]] - Full Title: RTFM - Category: #books ## Highlights - dir /a /s /b C:\*pdf* Search for all PDFs ([Location 750](https://readwise.io/to_kindle?action=open&asin=B0B7H8X3XY&location=750)) - makecab <INPUT_PATH> <OUTPUT_PATH> Compress dsquery results ([Location 907](https://readwise.io/to_kindle?action=open&asin=B0B7H8X3XY&location=907)) - Remote Desktop Protocol (RDP) Configuration ([Location 963](https://readwise.io/to_kindle?action=open&asin=B0B7H8X3XY&location=963)) - Windows 10 .DLL Hijack (WPTSEXTENSIONS) Upload malicous.dll named WptsExtensions.dll (works with default Cobalt Strike .dll) anywhere in system path, reboot machine, and the schedule service will load the malicious WptsExtensions.dll ([Location 1121](https://readwise.io/to_kindle?action=open&asin=B0B7H8X3XY&location=1121)) - powershell -ep bypass -nop -File <FILE_PATH> Launch file with PowerShell ([Location 1162](https://readwise.io/to_kindle?action=open&asin=B0B7H8X3XY&location=1162)) - Enumerate PATH and then .DLL hijack (wlbsctrl or scheduler) if applicable.   Run open-source tool "SharpUp" to enumerate potential privilege escalation opportunities such as vulnerable paths, weak service information, and more.   Enumerate startup folder, user scheduled tasks, etc. Attempt to poison global shared scripts set to run at login. ([Location 1306](https://readwise.io/to_kindle?action=open&asin=B0B7H8X3XY&location=1306)) - Crack Excel Password Protected Document ([Location 3122](https://readwise.io/to_kindle?action=open&asin=B0B7H8X3XY&location=3122))