Windows
ActiveDirectory PowerShell Module
# List the modules already loaded in this session
Get-Module
# Import the RSAT ActiveDirectory module, then confirm it now appears in the loaded list
Import-Module -Name ActiveDirectory
Get-Module
# Summary of the current domain object (DC list, FSMO role holders, functional level)
Get-ADDomain
# Accounts that carry a servicePrincipalName; these are the ones exposed to Kerberoasting,
# so they should be service accounts with long random passwords or gMSAs rather than user accounts
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
# Every trust relationship configured for the domain
Get-ADTrust -Filter *
# Names of all groups in the domain
Get-ADGroup -Filter * | Select-Object -Property Name
# Full attribute set of a single group
Get-ADGroup -Identity 'Backup Operators'
# Direct members of that group
Get-ADGroupMember -Identity 'Backup Operators'
PowerView
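# Load the module: the script must be dot-sourced so its functions are defined in the
# current scope; running it as .\powerview.ps1 executes it in a child scope and leaves
# nothing behind (alternatively Import-Module .\PowerView.ps1)
. .\powerview.ps1
# Domain User Information
Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
# Recursive Group Membership (expands nested groups)
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
# Trust Enumeration
Get-DomainTrustMapping
# Testing for Local Admin Access on one host
Test-AdminAccess -ComputerName ACADEMY-EA-MS01
# Finding Users With SPN Set (same exposure as the Get-ADUser SPN query above)
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
#############--- Domain Enumeration domains, users, groups, shares ---##############
# Get current Domain
Get-NetDomain
# Get domain SID
Get-DomainSID
# Get Domain Policy for current Domain; the returned table is keyed by the
# GptTmpl.inf section names, e.g. "System Access" and "Kerberos Policy"
Get-DomainPolicy
(Get-DomainPolicy)."system access"
(Get-DomainPolicy)."kerberos policy"
# Get Domain Controllers for current Domain
Get-NetDomainController
# Get a list of users in current Domain
Get-NetUser
Get-NetUser | select cn # or any property you want to check
Get-NetUser -Username student1
# Get list of all properties for users in the current Domain
Get-UserProperty
Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties badpwdcount
Get-UserProperty -Properties logoncount
# Search for a particular string in a user's attributes
# (descriptions are a common place to find leaked notes; keep them free of credentials)
Find-UserField -SearchField Description -SearchTerm "built"
# Get a list of Computers in Current Domain
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016"
Get-NetComputer -Ping
Get-NetComputer -FullData
Get-NetComputer -FullData | select operatingsystem
# Get all the groups in the current Domain
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-NetGroup 'Domain Admins' -FullData
# Get all groups containing the word "admin" in group name
Get-NetGroup -GroupName *admin*
# Get all the members of Domain Admins Group
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain dashcorp.local
# Get the group membership for a user
Get-NetGroup -UserName "student1"
# list all the local groups on a machine (needs administrator priv on non-dc machines)
Get-NetLocalGroup -ComputerName dcorp-dc.dlr.moneycorp.local -ListGroups
# get members of all the local groups on a machine (needs administrator priv on non-dc machines)
Get-NetLocalGroup -ComputerName dcorp-dc.dlr.moneycorp.local -Recurse
# Get actively logged users on a computer (need local admin rights on the target )
Get-NetLoggedon -ComputerName <servername>
# Get locally logged users on a computer (needs remote registry on the target- started by default on server OS )
Get-LoggedonLocal -ComputerName dcorp-dc.dlrcorp.moneycorp.local
# Get the last logged user on a computer (needs administrative rights and remote registry on the target)
Get-LastLoggedOn -ComputerName <servername>
# Find shares on hosts in current domain
Invoke-ShareFinder -Verbose
# -ExcludeIPC drops the IPC$ share (the switch is ExcludeIPC, not ExcludeTPC)
Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeIPC
# Find Sensitive files on computers in the domain
Invoke-FileFinder -Verbose
# Get all fileservers of the domain
Get-NetFileServer
######################------ Domain Enumeration - GPO ------######################
# Get list of GPO in current Domain
Get-NetGPO
Get-NetGPO | select displayname
Get-NetGPO -ComputerName dcorp-sc.student1.dlrcorp.mcorp.local
# Get GPO(s) which use Restricted Groups or groups.xml for interesting users
Get-NetGPOGroup
# Get users which are in a local group of a machine using GPO
Find-GPOComputerAdmin -ComputerName dcorp-stadmin.dlrcrp.mcrp.local
# Get machines where the given user is member of a specific group
Find-GPOLocation -Username student1 -Verbose
######################------ Domain Enumeration - OU ------######################
# Get OUs in a domain
Get-NetOU
Get-NetOU -FullData
# Get GPO applied on an OU. Read GPOname from gplink attribute from Get-NetOU
Get-NetGPO -GPOname "{AD68---881}"
######################------ Domain Enumeration - ACL ------######################
# Get the ACLs associated with the specified object (switch is -ResolveGUIDs, as used below)
Get-ObjectAcl -SamAccountName student1 -ResolveGUIDs
# Get the ACLs associated with the specified prefix to be used for search
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose
# Get the ACLs associated with the specified LDAP path to be used for search
Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,Dc=dlrcorp,DC=mcorp,DC=local" -ResolveGUIDs -Verbose
# Search for Interesting ACEs (non-default rights held by ordinary principals; review and remove them)
Invoke-ACLScanner -ResolveGUIDs
# Get the ACLs associated with the specified path
Get-PathAcl -Path "\\dcorpdc.dlrcrp.mcrp.local\sysvol"
# Snaffler Execution
Snaffler.exe -s -d domain.local -o snaffler.log -v data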
Sharphound