Gnereral

Tools

PowerView

. C:\AD\Tools\PowerView.ps1

AD module - MS singed

Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

BloodHound

BloodHound Versions:

• BloodHound Legacy

• BloodHound

# start db server
sudo neo4j console

# run bloodhound
bloodhound 

SharpHound collector:

• SharpHound PowerShell

• SharpHound executable

# PowerShell
. SharpHound.ps1

Invoke-BloodHound -CollectionMethod All 
Invoke-BloodHound –Steatlh # Remove noisy collections like RDP,DCOM,PSRemote and Local Admin
Invoke-BloodHound -ExcludeDCs # Avoid MDI


# executable
SharpHound.exe
SharpHound.exe –-steatlh # Remove noisy collections like RDP,DCOM,PSRemote and Local Admin

Domain

PowerView

Get Current domain

Get-Domain

Get Object of another domain

Get-Domain -Domain moneycorp.local

Get domain SID for the current domain

Get-DomainSID

Get domain policy for the current domain

Get-DomainPolicyData
(Get-DomainPolicyData).systemaccess

Get domain policy for another domain

(Get-DomainPolicyData -domain moneycorp.local).systemaccess

AD module

Domain controller

PowerView

Get domain controllers for the current domain

Get-DomainController

Get domain controllers for another domain

Get-DomainController -Domain moneycorp.local

AD module

Domain users

PowerView

Get a list of users in the current domain

Get-DomainUser
Get-DomainUser -Identity student1

Get list of all properties for users in the current domain

Get-DomainUser -Identity student1 -Properties * 
Get-DomainUser -Properties samaccountname,logonCount

Search for a particular string in a user's attributes

Get-DomainUser -LDAPFilter "Description=*built*" | Select name,Description

Get actively logged users on a computer (requires local admin privileges)

Get-NetLoggedon -ComputerName dcorp-adminsrv

Get locally logged users on a computer (requires remote registry)

Get-LoggedonLocal -ComputerName dcorp-adminsrv

Get the last logged user on a computer (requires admin privileges and remote registry)

Get-LastLoggedOn -ComputerName dcorp-adminsrv

AD module

Domain Computers

PowerView

Get a list of computers in the current domain

Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "*Server 2022*"
Get-DomainComputer -Ping

AD Module

Domain Groups

PowerView

Get all the groups

Get-DomainGroup | select Name
Get-DomainGroup -Domain <targetdomain>

Get all groups containing the word "admin" in group name

Get-DomainGroup *admin*

Get all the members of the Domain Admins group

Get-DomainGroupMember -Identity "Domain Admins" -Recurse

Get the group membership for a user

Get-DomainGroup -UserName "student1"

AD Module

Group Policy

PowerView

Get list of GPO in current domain

Get-DomainGPO
Get-DomainGPO -ComputerIdentity dcorp-student1

Get GPO(s) which use Restricted Groups

Get-DomainGPOLocalGroup

Get users which are in a local group of a machine using GPO

Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity dcorp-student1

Get machines where the given user is member of a specific group

Get-DomainGPOUserLocalGroupMapping -Identity student1 -Verbose 

Organization Units

PowerView

Get OUs in a domain

# Get all domain OUs
Get-DomainOU

# Get all computers inside an OU
(Get-DomainOU -Identity StudentMachines).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

Using Get-NetOU

# Get all computers inside an OU
(Get-NetOU -Identity StudentMachines).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

# Get GPO applied on an OU 
Get-NetOU -Identity "StudentMachines" | select gplink # Get GPO ID
Get-DomainGPO -Identity "{0D1CC23D-1F20-4EEE-AF64-D99597AE2A6E}" # Get GPO Info

AD Module

Local Groups

PowerView

List all the local groups on a machine (requires admin privileges)

Get-NetLocalGroup -ComputerName dcorp-dc

Get members of the local group "Administrators" on a machine (requires admin privileges)

Get-NetLocalGroupMember -ComputerName dcorp-dc -GroupName Administrators

Shares

PowerView

Find shares on hosts in current domain.

Invoke-ShareFinder -Verbose

Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose

Get all file servers of the domain

Get-NetFileServer

User Hunting

PowerView

Find Local group members of RDP or WinRM of specific machine

Get-NetLocalGroupMember -ComputerName COMPUTER_NAME -GroupName "Remote Desktop Users"
Get-NetLocalGroupMember -ComputerName COMPUTER_NAME -GroupName "Remote Management Users"

Find all machines on the current domain where the current user has local admin access

# Very noisy
Find-LocalAdminAccess -Verbose

# Very noisy
# When SMB and RPC are blocked

# Load
. C:\AD\Tools\Find-WMILocalAdminAccess.ps1
# execute
Find-WMILocalAdminAccess

#Load
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
# execute
Find-PSRemotingLocalAdminAccess.ps1

Find machines where a domain admin has sessions

# Very noisy
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"
Find-DomainUserLocation -CheckAccess 
Find-DomainUserLocation -Stealth # less noisy, targeting file servers

List sessions on remote machines (source)

# Doesn’t need admin access on remote machines. 
# Uses Remote Registry and queries HKEY_USERS hive.
Invoke-SessionHunter -FailSafe

# Opsec friendly
Invoke-SessionHunter -NoPortScan -Targets C:\AD\Tools\servers.txt