General
Tools
. C:\AD\Tools\PowerView.ps1
AD module - MS signed
Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
BloodHound
BloodHound (Linux):
# start db server
sudo neo4j console
# run bloodhound
bloodhound
SharpHound collector:
# PowerShell
. SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
Invoke-BloodHound -Stealth # Remove noisy collections like RDP,DCOM,PSRemote and Local Admin
Invoke-BloodHound -ExcludeDCs # Avoid MDI
# executable
SharpHound.exe
SharpHound.exe --stealth # Remove noisy collections like RDP,DCOM,PSRemote and Local Admin
Domain
Get Current domain
Get-Domain
Get Object of another domain
Get-Domain -Domain moneycorp.local
Get domain SID for the current domain
Get-DomainSID
Get domain policy for the current domain
Get-DomainPolicyData
(Get-DomainPolicyData).systemaccess
Get domain policy for another domain
(Get-DomainPolicyData -domain moneycorp.local).systemaccess
Domain controller
Get domain controllers for the current domain
Get-DomainController
Get domain controllers for another domain
Get-DomainController -Domain moneycorp.local
Domain users
Get a list of users in the current domain
Get-DomainUser
Get-DomainUser -Identity student1
Get list of all properties for users in the current domain
Get-DomainUser -Identity student1 -Properties *
Get-DomainUser -Properties samaccountname,logonCount
Search for a particular string in a user's attributes (PowerView appends -LDAPFilter inside an (&(...)) expression, so the clause must be parenthesised)
Get-DomainUser -LDAPFilter "(description=*built*)" | Select name,Description
Get actively logged users on a computer (requires local admin privileges)
Get-NetLoggedon -ComputerName dcorp-adminsrv
Get locally logged users on a computer (requires remote registry)
Get-LoggedonLocal -ComputerName dcorp-adminsrv
Get the last logged user on a computer (requires admin privileges and remote registry)
Get-LastLoggedOn -ComputerName dcorp-adminsrv
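Added example (not from the original page): the description search above, extended to users, computers and groups in one query. PowerView's -LDAPFilter is concatenated into an (&(samAccountType=...)...) expression, so each clause must be wrapped in parentheses; the search terms below are illustrative and PowerView.ps1 is assumed to be dot-sourced.

```powershell
# Terms to look for in description attributes (constructed for the example)
$terms = 'built', 'pass', 'pwd', 'cred'

# Build (|(description=*built*)(description=*pass*)...) - every clause parenthesised
$clauses = ($terms | ForEach-Object { "(description=*$_*)" }) -join ''
$filter  = "(|$clauses)"

$hits = @()
$hits += Get-DomainUser     -LDAPFilter $filter -Properties samaccountname,description |
            Select-Object @{n='Type';e={'User'}},     samaccountname, description
$hits += Get-DomainComputer -LDAPFilter $filter -Properties samaccountname,description |
            Select-Object @{n='Type';e={'Computer'}}, samaccountname, description
$hits += Get-DomainGroup    -LDAPFilter $filter -Properties samaccountname,description |
            Select-Object @{n='Type';e={'Group'}},    samaccountname, description

# One table of every object whose description matched any term
$hits | Sort-Object Type, samaccountname | Format-Table -AutoSize
```

Extend $terms with whatever your engagement is looking for; the filter stays a single LDAP query per object class, so it is no noisier than the one-liner above.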
Domain Computers
Get a list of computers in the current domain
Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "*Server 2022*"
Get-DomainComputer -Ping
Domain Groups
Get all the groups
Get-DomainGroup | select Name
Get-DomainGroup -Domain <targetdomain>
Get all groups containing the word "admin" in group name
Get-DomainGroup *admin*
Get all the members of the Domain Admins group
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get the group membership for a user
Get-DomainGroup -UserName "student1"
Group Policy
Get list of GPO in current domain
Get-DomainGPO
Get-DomainGPO -ComputerIdentity dcorp-student1
Get GPO(s) which use Restricted Groups
Get-DomainGPOLocalGroup
Get users which are in a local group of a machine using GPO
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity dcorp-student1
Get machines where the given user is member of a specific group
Get-DomainGPOUserLocalGroupMapping -Identity student1 -Verbose
Organization Units
Get OUs in a domain
# Get all domain OUs
Get-DomainOU
# Get all computers inside an OU
(Get-DomainOU -Identity StudentMachines).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name
Using Get-NetOU
# Get all computers inside an OU
(Get-NetOU -Identity StudentMachines).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name
# Get GPO applied on an OU
Get-NetOU -Identity "StudentMachines" | select gplink # Get GPO ID
Get-DomainGPO -Identity "{0D1CC23D-1F20-4EEE-AF64-D99597AE2A6E}" # Get GPO Info
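Added example (not from the original page): resolve the GPOs linked to an OU by parsing its gplink attribute instead of copying GUIDs by hand. Each gplink entry has the form [LDAP://<GPO DN>;<flags>], where flag 1 means the link is disabled and flag 2 means enforced. Assumes PowerView.ps1 is dot-sourced; StudentMachines is the lab OU used above.

```powershell
function Get-OULinkedGPO {
    param([Parameter(Mandatory)][string]$OUName)

    $ou = Get-DomainOU -Identity $OUName -Properties distinguishedname,gplink
    if (-not $ou -or -not $ou.gplink) {
        Write-Warning "No gPLink found on OU '$OUName'"
        return
    }

    $position = 0
    # Each link: [LDAP://cn={GUID},cn=policies,cn=system,DC=...;<flags>]
    foreach ($m in [regex]::Matches($ou.gplink, '\[LDAP://(?<dn>[^;]+);(?<flags>\d+)\]')) {
        $position++
        $dn    = $m.Groups['dn'].Value
        $flags = [int]$m.Groups['flags'].Value

        # Get-DomainGPO accepts the GPO DN (or the {GUID} name) as -Identity
        $gpo = Get-DomainGPO -Identity $dn -Properties displayname,name,gpcfilesyspath

        [pscustomobject]@{
            OU           = $ou.distinguishedname
            Position     = $position          # position in the gPLink string
            DisplayName  = $gpo.displayname
            GUID         = $gpo.name
            SysvolPath   = $gpo.gpcfilesyspath
            LinkDisabled = [bool]($flags -band 1)
            Enforced     = [bool]($flags -band 2)
        }
    }
}

Get-OULinkedGPO -OUName 'StudentMachines' | Format-Table -AutoSize
```

SysvolPath points at the GPO's folder under \\<domain>\SYSVOL, which is where the Restricted Groups and script settings that Get-DomainGPOLocalGroup reports actually live.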
Local Groups
List all the local groups on a machine (requires admin privileges)
Get-NetLocalGroup -ComputerName dcorp-dc
Get members of the local group "Administrators" on a machine (requires admin privileges)
Get-NetLocalGroupMember -ComputerName dcorp-dc -GroupName Administrators
Shares
Find shares on hosts in current domain.
Invoke-ShareFinder -Verbose
Find sensitive files on computers in the domain
Invoke-FileFinder -Verbose
Get all file servers of the domain
Get-NetFileServer
User Hunting
Find Local group members of RDP or WinRM of specific machine
Get-NetLocalGroupMember -ComputerName COMPUTER_NAME -GroupName "Remote Desktop Users"
Get-NetLocalGroupMember -ComputerName COMPUTER_NAME -GroupName "Remote Management Users"
Find all machines on the current domain where the current user has local admin access
# Very noisy
Find-LocalAdminAccess -Verbose
# Very noisy
# When SMB and RPC are blocked
# Load
. C:\AD\Tools\Find-WMILocalAdminAccess.ps1
# execute
Find-WMILocalAdminAccess
#Load
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
# execute
Find-PSRemotingLocalAdminAccess
Find machines where a domain admin has sessions
# Very noisy
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"
Find-DomainUserLocation -CheckAccess
Find-DomainUserLocation -Stealth # less noisy, targeting file servers
List sessions on remote machines (source)
# Doesn't need admin access on remote machines.
# Uses Remote Registry and queries HKEY_USERS hive.
Invoke-SessionHunter -FailSafe
# Opsec friendly
Invoke-SessionHunter -NoPortScan -Targets C:\AD\Tools\servers.txt
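Added example (not from the original page): a narrower alternative to Find-DomainUserLocation that only queries the hosts you name, so you control which machines are touched and can leave DCs out. It combines Get-NetSession (no admin needed) and Get-NetLoggedon (needs local admin) and keeps only entries that are members of the target group. Assumes PowerView.ps1 is dot-sourced and a targets file with one hostname per line (C:\AD\Tools\servers.txt is the lab path used above).

```powershell
function Find-TargetGroupSession {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$GroupName = 'Domain Admins'
    )

    # Recursive membership of the group, keyed by lower-case samaccountname
    $lookup = @{}
    Get-DomainGroupMember -Identity $GroupName -Recurse |
        ForEach-Object { $lookup[$_.MemberName.ToLower()] = $true }

    foreach ($computer in $ComputerName) {
        # NetSessionEnum: SMB sessions to $computer, no admin required
        $sessions = Get-NetSession -ComputerName $computer -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ User = $_.UserName; Detail = $_.CName;       Source = 'session'  } }

        # NetWkstaUserEnum: interactive/service logons, needs local admin on $computer
        $logons = Get-NetLoggedon -ComputerName $computer -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ User = $_.UserName; Detail = $_.LogonDomain; Source = 'loggedon' } }

        foreach ($entry in @($sessions) + @($logons)) {
            # Strip the trailing $ of machine accounts before matching
            $user = ($entry.User -replace '\$$', '').ToLower()
            if ($user -and $lookup.ContainsKey($user)) {
                [pscustomobject]@{
                    ComputerName = $computer
                    User         = $entry.User
                    Source       = $entry.Source
                    Detail       = $entry.Detail
                }
            }
        }
    }
}

$targets = Get-Content C:\AD\Tools\servers.txt
Find-TargetGroupSession -ComputerName $targets -GroupName 'Domain Admins' | Format-Table -AutoSize
```

Rows with Source = session show the client address the privileged user is connecting from (CName), which is usually the more interesting pivot than the server itself; Get-NetLoggedon will simply return nothing on hosts where you are not local admin.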