Windows

ActiveDirectory PowerShell Module

# Discover Modules
Get-Module

# Load ActiveDirectory Module
Import-Module ActiveDirectory
Get-Module

# Get Domain Info
Get-ADDomain

# Get-ADUser with SPN to get accounts that may be susceptible to a Kerberoasting attack
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

# Checking For Trust Relationships
Get-ADTrust -Filter *

# Group Enumeration
Get-ADGroup -Filter * | select name

# Detailed Group Info
Get-ADGroup -Identity "Backup Operators"

# Group Membership
Get-ADGroupMember -Identity "Backup Operators"

PowerView

 # load the module
.\powerview.ps1

# Domain User Information
Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol

# Recursive Group Membership
Get-DomainGroupMember -Identity "Domain Admins" -Recurse

# Trust Enumeration
Get-DomainTrustMapping

# Testing for Local Admin Access
Test-AdminAccess -ComputerName ACADEMY-EA-MS01

# Finding Users With SPN Set
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName


#############---  Domain Enumeration domains, users, groups, shares   ---##############

# Get current Domain
Get-NetDomain

# Get domain SID
Get-DomainSID

# Get Domain Policy for current Domain
Get-DomainPolicy
(Get-DomainPloicy)."system access"
(Get-DomainPloicy)."Kerberos access"

# Get Domain Controllers for current Domain
Get-NetDomainController

# Get a list of users in current Domain
Get-NetUser
Get-NetUser | select cn # or any property you want to check
Get-NetUser -Username student1

# Get list of all properties for users in the current Domain
Get-UserProperty 
Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties badpwdcount 
Get-UserProperty -Properties logoncount 

# Search for a particular string in a user's attributes 
Find-UserField -SearchField Description -SearchTerm "built"

# Get a list of Computers in Current Domain
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016"
Get-NetComputer -Ping
Get-NetComputer -FullData
Get-NetComputer -FullData | select operatinsystem

# Get all the groups in the current Doamin
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-NetGroup 'Domain Admins' -FullData

# Get all groups containing the word "admin" in group name
Get-NetGroup -GroupName *admin*

# Get all the members of Domain Admins Group
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain dashcorp.local

# Get the group membership for a user
Get-NetGroup -UserName "studen1"

# list all the local groups on a machine (needs administrator priv on non-dc machines)
Get-NetLocalGroup -ComputerName dcorp-dc.dlr.moneycorp.local -ListGroups

# get members of all the local groups on a machine (needs administrator priv on non-dc machines)
Get-NetLocalGroup -ComputerName dcorp-dc.dlr.moneycorp.local -Recurse

# Get actively logged users on a computer (need local admin rights on the target )
Get-NetLoggedon -ComputerName <servername>

# Get locally logged users on a computer (needs remote registry on the target- started by default on server OS )
Get-LoggedonLocal -ComputerName dcorp-dc.dlrcorp.moneycorp.local 

# Get the last logged user on a computer (needs administrative rights and remote registry on the target)
Get-LastLoggedOn -ComputerName <servername>

# Find shares on hosts in current domain
Invoke-ShareFinder -Verbose 
Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeTPC

# Find Sensitive files on computers in the domain
Invoke-FileFinder -Verbose

# Get all fileservers of the domain
Get-NetFileServer


######################------  Domain Enumeration - GPO   ------######################

# Get list of GPO in curree=nt Domain
Get-NetGPO
Get-NetGPO | select displayname
Get-NetGPO -ComputerName dcorp-sc.student1.dlrcorp.mcorp.local

# Get GPO(s) which use Restricted Groups or groups.xml for interesting users
Get-NetGPOGroup

# Get users which are in a local group of a machine using GPO 
Find-GPOComputerAdmin -ComputerName dcorp-stadmin.dlrcrp.mcrp.local

# Get machines where the given user is member of a specific group

Find-GPOLocation -Username student1 -Verbose


######################------  Domain Enumeration - OU    ------######################

# Get OUs in a domain
Get-NetOU 
Get-NetOU  -FullData 

# Get GPO applied on an OU. Read GPOname from gplink attribute from Get-NetOU
Get-NetGPO -GPOname "{AD68---881}"


######################------  Domain Enumeration - ACL    ------######################

# Get the ACLs associated with the specified object
Get-ObjectAcl -SamAccountName student1 -ResolvesGUIDs

# Get the ACLs associatedd with the specified prefix to be used for search
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose

# Get the ACLs associated with the specified LDAP path to be used for search
Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,Dc=dlrcorp,DC=mcorp,DC=local" -ResolveGUIDs -Verbose

# Search for Interesting ACEs 
Invoke-ACLScanner -ResolveGUIDs

# Get the ACls associated with the specified path
Get-PathAcl -Path "\\dcorpdc.dlrcrp.mcrp.local\sysvol"

Snaffler

# Snaffler Execution
Snaffler.exe -s -d domain.local -o snaffler.log -v data

Sharphound

PreviousLinux NextLiving Off the Land

Last updated 3 years ago

# load the module .\powerview.ps1 # Domain User Information Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol # Recursive Group Membership Get-DomainGroupMember -Identity "Domain Admins" -Recurse # Trust Enumeration Get-DomainTrustMapping # Testing for Local Admin Access Test-AdminAccess -ComputerName ACADEMY-EA-MS01 # Finding Users With SPN Set Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName #############--- Domain Enumeration domains, users, groups, shares ---############## # Get current Domain Get-NetDomain # Get domain SID Get-DomainSID # Get Domain Policy for current Domain Get-DomainPolicy (Get-DomainPloicy)."system access" (Get-DomainPloicy)."Kerberos access" # Get Domain Controllers for current Domain Get-NetDomainController # Get a list of users in current Domain Get-NetUser Get-NetUser | select cn # or any property you want to check Get-NetUser -Username student1 # Get list of all properties for users in the current Domain Get-UserProperty Get-UserProperty -Properties pwdlastset Get-UserProperty -Properties badpwdcount Get-UserProperty -Properties logoncount # Search for a particular string in a user's attributes Find-UserField -SearchField Description -SearchTerm "built" # Get a list of Computers in Current Domain Get-NetComputer Get-NetComputer -OperatingSystem "*Server 2016" Get-NetComputer -Ping Get-NetComputer -FullData Get-NetComputer -FullData | select operatinsystem # Get all the groups in the current Doamin Get-NetGroup Get-NetGroup -Domain <targetdomain> Get-NetGroup -FullData Get-NetGroup 'Domain Admins' -FullData # Get all groups containing the word "admin" in group name Get-NetGroup -GroupName *admin* # Get all the members of Domain Admins Group Get-NetGroupMember -GroupName "Domain Admins" -Recurse Get-NetGroupMember -GroupName "Enterprise Admins" -Domain dashcorp.local # Get the group membership for a user Get-NetGroup -UserName "studen1" # list all the local groups on a machine (needs administrator priv on non-dc machines) Get-NetLocalGroup -ComputerName dcorp-dc.dlr.moneycorp.local -ListGroups # get members of all the local groups on a machine (needs administrator priv on non-dc machines) Get-NetLocalGroup -ComputerName dcorp-dc.dlr.moneycorp.local -Recurse # Get actively logged users on a computer (need local admin rights on the target ) Get-NetLoggedon -ComputerName <servername> # Get locally logged users on a computer (needs remote registry on the target- started by default on server OS ) Get-LoggedonLocal -ComputerName dcorp-dc.dlrcorp.moneycorp.local # Get the last logged user on a computer (needs administrative rights and remote registry on the target) Get-LastLoggedOn -ComputerName <servername> # Find shares on hosts in current domain Invoke-ShareFinder -Verbose Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeTPC # Find Sensitive files on computers in the domain Invoke-FileFinder -Verbose # Get all fileservers of the domain Get-NetFileServer ######################------ Domain Enumeration - GPO ------###################### # Get list of GPO in curree=nt Domain Get-NetGPO Get-NetGPO | select displayname Get-NetGPO -ComputerName dcorp-sc.student1.dlrcorp.mcorp.local # Get GPO(s) which use Restricted Groups or groups.xml for interesting users Get-NetGPOGroup # Get users which are in a local group of a machine using GPO Find-GPOComputerAdmin -ComputerName dcorp-stadmin.dlrcrp.mcrp.local # Get machines where the given user is member of a specific group Find-GPOLocation -Username student1 -Verbose ######################------ Domain Enumeration - OU ------###################### # Get OUs in a domain Get-NetOU Get-NetOU -FullData # Get GPO applied on an OU. Read GPOname from gplink attribute from Get-NetOU Get-NetGPO -GPOname "{AD68---881}" ######################------ Domain Enumeration - ACL ------###################### # Get the ACLs associated with the specified object Get-ObjectAcl -SamAccountName student1 -ResolvesGUIDs # Get the ACLs associatedd with the specified prefix to be used for search Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose # Get the ACLs associated with the specified LDAP path to be used for search Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,Dc=dlrcorp,DC=mcorp,DC=local" -ResolveGUIDs -Verbose # Search for Interesting ACEs Invoke-ACLScanner -ResolveGUIDs # Get the ACls associated with the specified path Get-PathAcl -Path "\\dcorpdc.dlrcrp.mcrp.local\sysvol"