https://powersploit.readthedocs.io/en/latest/Recon/
Enumerating AD Users
Gather Domain Information
Gather Domain SID
Gather List DC's
Gather Domain Users
Gather User Count
Copy ( Get-DomainUserr ).count Gather Most Important Users Information
Copy Get-DomainUser -Identity harry.jones -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,mail,useraccountcontrol Gather List of Users do not require Kerberos pre-authentication
Copy Get-DomainUser - KerberosPreauthNotRequired - Properties samaccountname , useraccountcontrol , memberof Gather Users With Kerberos Constrained Delegation
Copy Get-DomainUser - TrustedToAuth - Properties samaccountname , useraccountcontrol , memberof
Gather Kerberos Unconstrained Delegation
Copy Get-DomainUser - TrustedToAuth - Properties samaccountname , useraccountcontrol , memberof Gather Domain (User) Descriptions
Copy Get-DomainUser - Properties samaccountname , description | Where { $_.description -ne $null } Gather Account(s) With SPN
Copy Get-DomainUser - SPN - Properties samaccountname , memberof , serviceprincipalname Gather Password Set Times
Copy Get-DomainUser -Properties samaccountname,pwdlastset,lastlogon -Domain InlaneFreight.local | select samaccountname, pwdlastset, lastlogon | Sort-Object -Property pwdlastset Enumerating AD Groups
Gather Groups
Copy Get-DomainGroup - Properties Name Gather More Information 1 Group
Copy Get-DomainGroupMember - Identity '<Group name>' Gather Security Groups
Copy Find-ManagedSecurityGroups | select GroupName Gather Security Operations Group
Copy Get-DomainManagedSecurityGroup Gather Local Groups
Copy
$sid = Convert-NameToSid < username >
$computers = Get-DomainComputer - Properties dnshostname | select - ExpandProperty dnshostname
foreach ($line in $computers) { Get-NetLocalGroupMember - ComputerName $line | ? { $_.SID -eq $sid}} Enumerating AD Computers
Gather Most Useful Information
Copy Get-DomainComputer - Properties dnshostname , operatingsystem , lastlogontimestamp , useraccountcontrol Enumerating Domain ACLs
ForceChangePassword abused with Set-DomainUserPassword Add Members abused with Add-DomainGroupMember GenericAll abused with Set-DomainUserPassword or Add-DomainGroupMember GenericWrite abused with Set-DomainObject WriteOwner abused with Set-DomainObjectOwner WriteDACL abused with Add-DomainObjectACL AllExtendedRights abused with Set-DomainUserPassword or Add-DomainGroupMember
Gather ACLs With Built-In
Copy (Get-ACL "AD:$((Get-ADUser joe.evans).distinguishedname)").access | ? {$_.ActiveDirectoryRights -match "WriteProperty" -or $_.Act
Rights -match "GenericAll" } | Select IdentityReference , ActiveDirectoryRights - Unique | ft - W Gather ACL With PowerView
Copy Get-DomainObjectAcl - Identity harry.jones - Domain inlanefreight.local - ResolveGUIDs Gather ACL File Shares
Copy # list File Shares
Get-NetShare - ComputerName SQL01
# List Inside File Share
Get-PathAcl "\\SQL01\DB_backups" Gather DCsync ACL
Copy $dcsync = Get-ObjectACL "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')} | Select-Object -ExpandProperty SecurityIdentifier | Select -ExpandProperty value
# List Users who can DCSync
Convert-SidToName $dcsync Enumerating Domain GPOs
Gather GPO Data
Copy Get-DomainGPO | select displayname Gather GPO of Computer
Copy Get-DomainGPO - ComputerName WS01 | select displayname Gather GPO Permissions
Copy Get-DomainGPO | Get-ObjectAcl | ? { $_.SecurityIdentifier -eq 'S-1-5-21-2974783224-3764228556-2640795941-513' } Enumerating Domain Trusts
Gather Trusts That Exists
Gather Trusts Current Domain
Copy Get-DomainTrustMapping 