Gnereral

Tools

. C:\AD\Tools\PowerView.ps1

AD module - MS singed

Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

BloodHound

BloodHound Versions:

# start db server
sudo neo4j console

# run bloodhound
bloodhound

SharpHound collector:

# PowerShell
. SharpHound.ps1
Invoke-BloodHound -CollectionMethod All 
Invoke-BloodHound –Steatlh # Remove noisy collections like RDP,DCOM,PSRemote and Local Admin
Invoke-BloodHound -ExcludeDCs # Avoid MDI

# executable
SharpHound.exe
SharpHound.exe –-steatlh # Remove noisy collections like RDP,DCOM,PSRemote and Local Admin

Domain

Get Current domain

Get-Domain

Get Object of another domain

Get-Domain -Domain moneycorp.local

Get domain SID for the current domain

Get-DomainSID

Get domain policy for the current domain

Get-DomainPolicyData
(Get-DomainPolicyData).systemaccess

Get domain policy for another domain

(Get-DomainPolicyData -domain moneycorp.local).systemaccess

Get Current domain

Get-ADDomain

Get Object of another domain

Get-ADDomain -Identity moneycorp.local

Get domain SID for the current domain

(Get-ADDomain).DomainSID

Domain controller

Get domain controllers for the current domain

Get-DomainController

Get domain controllers for another domain

Get-DomainController -Domain moneycorp.local

Get domain controllers for the current domain

Get-ADDomainController

Get domain controllers for another domain

Get-ADDomainController -DomainName moneycorp.local -Discover

Domain users

Get a list of users in the current domain

Get-DomainUser
Get-DomainUser -Identity student1

Get list of all properties for users in the current domain

Get-DomainUser -Identity student1 -Properties * 
Get-DomainUser -Properties samaccountname,logonCount

Search for a particular string in a user's attributes

Get-DomainUser -LDAPFilter "Description=*built*" | Select name,Description

Get actively logged users on a computer (requires local admin privileges)

Get-NetLoggedon -ComputerName dcorp-adminsrv

Get locally logged users on a computer (requires remote registry)

Get-LoggedonLocal -ComputerName dcorp-adminsrv

Get the last logged user on a computer (requires admin privileges and remote registry)

Get-LastLoggedOn -ComputerName dcorp-adminsrv

Get a list of users in the current domain

Get-ADUser -Filter * -Properties *
Get-ADUser -Identity student1 -Properties *

Get list of all properties for users in the current domain

Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Get-ADUser -Filter * -Properties * | select name,logoncount,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}

Search for a particular string in a user's attributes

Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Desc

Domain Computers

Get a list of computers in the current domain

Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "*Server 2022*"
Get-DomainComputer -Ping

Get a list of computers in the current domain

Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2022*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{TestConnection -Count 1 -ComputerName $_.DNSHostName}

Domain Groups

Get all the groups

Get-DomainGroup | select Name
Get-DomainGroup -Domain <targetdomain>

Get all groups containing the word "admin" in group name

Get-DomainGroup *admin*

Get all the members of the Domain Admins group

Get-DomainGroupMember -Identity "Domain Admins" -Recurse

Get the group membership for a user

Get-DomainGroup -UserName "student1"

Get all the groups

Get-ADGroup -Filter * | select Name 
Get-ADGroup -Filter * -Properties *

Get all groups containing the word "admin" in group name

Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

Get all the members of the Domain Admins group

Get-ADGroupMember -Identity "Domain Admins" -Recursive

Get the group membership for a user

Get-ADPrincipalGroupMembership -Identity student1

Group Policy

Get list of GPO in current domain

Get-DomainGPO
Get-DomainGPO -ComputerIdentity dcorp-student1

Get GPO(s) which use Restricted Groups

Get-DomainGPOLocalGroup

Get users which are in a local group of a machine using GPO

Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity dcorp-student1

Get machines where the given user is member of a specific group

Get-DomainGPOUserLocalGroupMapping -Identity student1 -Verbose

Organization Units

Get OUs in a domain

# Get all domain OUs
Get-DomainOU

# Get all computers inside an OU
(Get-DomainOU -Identity StudentMachines).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

Using Get-NetOU

# Get all computers inside an OU
(Get-NetOU -Identity StudentMachines).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

# Get GPO applied on an OU 
Get-NetOU -Identity "StudentMachines" | select gplink # Get GPO ID
Get-DomainGPO -Identity "{0D1CC23D-1F20-4EEE-AF64-D99597AE2A6E}" # Get GPO Info

Get OUs in a domain

Get-ADOrganizationalUnit -Filter * -Properties *

Local Groups

List all the local groups on a machine (requires admin privileges)

Get-NetLocalGroup -ComputerName dcorp-dc

Get members of the local group "Administrators" on a machine (requires admin privileges)

Get-NetLocalGroupMember -ComputerName dcorp-dc -GroupName Administrators

Find shares on hosts in current domain.

Invoke-ShareFinder -Verbose

Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose

Get all file servers of the domain

Get-NetFileServer

User Hunting

Find Local group members of RDP or WinRM of specific machine

Get-NetLocalGroupMember -ComputerName COMPUTER_NAME -GroupName "Remote Desktop Users"
Get-NetLocalGroupMember -ComputerName COMPUTER_NAME -GroupName "Remote Management Users"

Find all machines on the current domain where the current user has local admin access

# Very noisy
Find-LocalAdminAccess -Verbose

# Very noisy
# When SMB and RPC are blocked

# Load
. C:\AD\Tools\Find-WMILocalAdminAccess.ps1
# execute
Find-WMILocalAdminAccess

#Load
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
# execute
Find-PSRemotingLocalAdminAccess.ps1

Find machines where a domain admin has sessions

# Very noisy
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"
Find-DomainUserLocation -CheckAccess 
Find-DomainUserLocation -Stealth # less noisy, targeting file servers

List sessions on remote machines (source)

# Doesn’t need admin access on remote machines. 
# Uses Remote Registry and queries HKEY_USERS hive.
Invoke-SessionHunter -FailSafe

# Opsec friendly
Invoke-SessionHunter -NoPortScan -Targets C:\AD\Tools\servers.txt

Last updated 2 months ago

# PowerShell . SharpHound.ps1 Invoke-BloodHound -CollectionMethod All Invoke-BloodHound –Steatlh # Remove noisy collections like RDP,DCOM,PSRemote and Local Admin Invoke-BloodHound -ExcludeDCs # Avoid MDI # executable SharpHound.exe SharpHound.exe –-steatlh # Remove noisy collections like RDP,DCOM,PSRemote and Local Admin

Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name Get-ADUser -Filter * -Properties * | select name,logoncount,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}

Get-ADComputer -Filter * | select Name Get-ADComputer -Filter * -Properties * Get-ADComputer -Filter 'OperatingSystem -like "*Server 2022*"' -Properties OperatingSystem | select Name,OperatingSystem Get-ADComputer -Filter * -Properties DNSHostName | %{TestConnection -Count 1 -ComputerName $_.DNSHostName}

# Get all computers inside an OU (Get-NetOU -Identity StudentMachines).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name # Get GPO applied on an OU Get-NetOU -Identity "StudentMachines" | select gplink # Get GPO ID Get-DomainGPO -Identity "{0D1CC23D-1F20-4EEE-AF64-D99597AE2A6E}" # Get GPO Info

# Very noisy Find-LocalAdminAccess -Verbose # Very noisy # When SMB and RPC are blocked # Load . C:\AD\Tools\Find-WMILocalAdminAccess.ps1 # execute Find-WMILocalAdminAccess #Load . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1 # execute Find-PSRemotingLocalAdminAccess.ps1

# Very noisy Find-DomainUserLocation -Verbose Find-DomainUserLocation -UserGroupIdentity "RDPUsers" Find-DomainUserLocation -CheckAccess Find-DomainUserLocation -Stealth # less noisy, targeting file servers

# Doesn’t need admin access on remote machines. # Uses Remote Registry and queries HKEY_USERS hive. Invoke-SessionHunter -FailSafe # Opsec friendly Invoke-SessionHunter -NoPortScan -Targets C:\AD\Tools\servers.txt

Gnereral

Tools

BloodHound

Domain

Domain controller

Domain users

Domain Computers

Domain Groups

Group Policy

Organization Units

Local Groups

Shares

User Hunting

Gnereral

Tools

BloodHound

Domain

Domain controller

Domain users

Domain Computers

Domain Groups

Group Policy

Organization Units

Local Groups

Shares

User Hunting