PowerView
https://powersploit.readthedocs.io/en/latest/Recon/
Enumerating AD Users
Gather Domain Information
Get-Domain
Gather Domain SID
Get-DomainSID
Gather List of DCs
Get-DomainController
Gather Domain Users
Get-DomainUser
Gather User Count
(Get-DomainUser).count
Gather Key Attributes for One User
Get-DomainUser -Identity harry.jones -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,mail,useraccountcontrol
Gather Users That Do Not Require Kerberos Pre-Authentication (AS-REP roastable)
Get-DomainUser -KerberosPreauthNotRequired -Properties samaccountname,useraccountcontrol,memberof
Gather Users With Kerberos Constrained Delegation
Get-DomainUser -TrustedToAuth -Properties samaccountname,useraccountcontrol,memberof
Gather Kerberos Unconstrained Delegation
# computers (the usual case); -Unconstrained is a Get-DomainComputer switch
Get-DomainComputer -Unconstrained -Properties dnshostname,useraccountcontrol
# user accounts: match the TRUSTED_FOR_DELEGATION bit (0x80000 = 524288) in useraccountcontrol
Get-DomainUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' -Properties samaccountname,useraccountcontrol,memberof
Gather Domain (User) Descriptions
Get-DomainUser -Properties samaccountname,description | Where {$_.description -ne $null}
Gather Account(s) With SPN
Get-DomainUser -SPN -Properties samaccountname,memberof,serviceprincipalname
Gather Password Set Times
Get-DomainUser -Properties samaccountname,pwdlastset,lastlogon -Domain InlaneFreight.local | select samaccountname, pwdlastset, lastlogon | Sort-Object -Property pwdlastset
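Most of the user and computer queries above select useraccountcontrol, and the pre-authentication and delegation findings all come from single bits in that attribute. The following is an added example, not PowerView code: it decodes the raw integer (as returned by Get-ADUser -Properties userAccountControl, a -Raw PowerView query, or by casting PowerView's flag enum to [int]) into flag names and attaches a short remediation note for the combinations a reviewer cares about. The flag values are the documented AD UAC bits; the sample accounts and their values are constructed.

```powershell
# Added example (not part of PowerView): decode the userAccountControl bitmask
# and flag risky combinations. Flag constants are the documented AD UAC bits.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0000002
    LOCKOUT                        = 0x0000010
    PASSWD_NOTREQD                 = 0x0000020
    NORMAL_ACCOUNT                 = 0x0000200
    WORKSTATION_TRUST_ACCOUNT      = 0x0001000
    SERVER_TRUST_ACCOUNT           = 0x0002000
    DONT_EXPIRE_PASSWORD           = 0x0010000
    TRUSTED_FOR_DELEGATION         = 0x0080000   # unconstrained delegation
    NOT_DELEGATED                  = 0x0100000   # "account is sensitive and cannot be delegated"
    DONT_REQ_PREAUTH               = 0x0400000   # AS-REP roastable when the account is enabled
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition
}

function ConvertFrom-UserAccountControl {
    # Returns the names of every flag set in $Value.
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-UacFinding {
    # Returns one remediation note per risky flag combination (none for a clean account).
    param([Parameter(Mandatory)][int]$Value)
    $flags   = @(ConvertFrom-UserAccountControl $Value)
    $enabled = 'ACCOUNTDISABLE' -notin $flags
    $notes   = @()
    if ($enabled -and 'DONT_REQ_PREAUTH' -in $flags)               { $notes += 'Pre-auth disabled on an enabled account: re-enable Kerberos pre-authentication' }
    if ($enabled -and 'TRUSTED_FOR_DELEGATION' -in $flags)         { $notes += 'Unconstrained delegation: move to constrained or resource-based delegation' }
    if ($enabled -and 'TRUSTED_TO_AUTH_FOR_DELEGATION' -in $flags) { $notes += 'Protocol transition allowed: review msDS-AllowedToDelegateTo' }
    if ('PASSWD_NOTREQD' -in $flags)                               { $notes += 'Password not required: set a password and clear the flag' }
    if ($enabled -and 'DONT_EXPIRE_PASSWORD' -in $flags)           { $notes += 'Password never expires: confirm this is a managed service account' }
    $notes
}

# Constructed sample rows in the shape of a samaccountname,useraccountcontrol query (hypothetical accounts).
$Sample = @(
    [pscustomobject]@{ samaccountname = 'harry.jones'; useraccountcontrol = 0x10200  }  # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
    [pscustomobject]@{ samaccountname = 'svc_backup';  useraccountcontrol = 0x400200 }  # NORMAL_ACCOUNT + DONT_REQ_PREAUTH
    [pscustomobject]@{ samaccountname = 'old.intern';  useraccountcontrol = 0x400202 }  # same, but disabled: no finding
)

$Sample | ForEach-Object {
    [pscustomobject]@{
        Account = $_.samaccountname
        Flags   = (ConvertFrom-UserAccountControl $_.useraccountcontrol) -join ','
        Finding = (Get-UacFinding $_.useraccountcontrol) -join '; '
    }
} | Format-Table -Wrap
```

Against a live domain, replace $Sample with the output of Get-DomainUser -Properties samaccountname,useraccountcontrol (PowerView renders the attribute as a flags enum, which the [int] parameter casts back to the bitmask) or Get-ADUser -Filter * -Properties userAccountControl. The disabled-account case matters in triage: a missing pre-auth flag on a disabled account cannot be roasted, so it sorts below the enabled ones.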
Enumerating AD Groups
Gather Groups
Get-DomainGroup -Properties Name
Gather Members of One Group
Get-DomainGroupMember -Identity '<Group name>'
Gather Managed Security Groups (groups with a ManagedBy owner)
Find-ManagedSecurityGroups | select GroupName
Same query under the current function name (Find-ManagedSecurityGroups is the legacy alias)
Get-DomainManagedSecurityGroup
Gather Local Group Memberships of One User Across All Domain Computers
$sid = Convert-NameToSid <username>
$computers = Get-DomainComputer -Properties dnshostname | select -ExpandProperty dnshostname
foreach ($line in $computers) {Get-NetLocalGroupMember -ComputerName $line | ? {$_.SID -eq $sid}}
Enumerating AD Computers
Gather Most Useful Information
Get-DomainComputer -Properties dnshostname,operatingsystem,lastlogontimestamp,useraccountcontrol
Enumerating Domain ACLs
ForceChangePassword abused with Set-DomainUserPassword
AddMember (WriteProperty on the member attribute) abused with Add-DomainGroupMember
GenericAll abused with Set-DomainUserPassword or Add-DomainGroupMember
GenericWrite abused with Set-DomainObject
WriteOwner abused with Set-DomainObjectOwner
WriteDACL abused with Add-DomainObjectACL
AllExtendedRights abused with Set-DomainUserPassword or Add-DomainGroupMember
Gather ACLs With Built-In Cmdlets (ActiveDirectory module, AD: PSDrive)
(Get-ACL "AD:$((Get-ADUser joe.evans).distinguishedname)").access | ? {$_.ActiveDirectoryRights -match "WriteProperty" -or $_.ActiveDirectoryRights -match "GenericAll"} | Select IdentityReference,ActiveDirectoryRights -Unique | ft -W
Gather ACL With PowerView
Get-DomainObjectAcl -Identity harry.jones -Domain inlanefreight.local -ResolveGUIDs
Gather File Share ACLs
# List file shares on a host
Get-NetShare -ComputerName SQL01
# List the ACL of a share path
Get-PathAcl "\\SQL01\DB_backups"
Gather DCSync ACL (replication rights on the domain object)
$dcsync = Get-ObjectACL "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')} | Select-Object -ExpandProperty SecurityIdentifier | Select -ExpandProperty value
# List Users who can DCSync
Convert-SidToName $dcsync
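The rights table above and the DCSync query both come down to the same review question: which ACEs on an object grant a takeover-capable right to a principal that is not already an administrator. The following is an added example, not PowerView or page code: it classifies ACE objects in the shape Get-DomainObjectAcl returns (ObjectDN, AceQualifier, ActiveDirectoryRights, ObjectAceType, SecurityIdentifier) into the rights named above, resolves the replication and password-reset GUIDs when -ResolveGUIDs was not used, and skips principals in the expected administrative set. The extended-right GUIDs are the schema constants; the domain SID is the one already used in the GPO query on this page, while the RIDs 1105 and 1120 and the sample ACEs are constructed.

```powershell
# Added example (not PowerView code): flag takeover-capable ACEs held by
# non-administrative principals, for audit and remediation.

# Schema constants for the extended rights and attribute the table above refers to.
$KnownGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'Self-Membership'             # the 'member' attribute
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

# Principals that legitimately hold these rights; anything else is reported.
$BuiltinExpected = @('S-1-5-18', 'S-1-5-9', 'S-1-5-32-544')   # SYSTEM, Enterprise DCs, Administrators
$ExpectedRids    = @(512, 516, 519)                           # Domain Admins, Domain Controllers, Enterprise Admins

function Get-AceRiskClass {
    # Maps one ACE to the right name used in the table above, or $null if it is not interesting.
    param([Parameter(Mandatory)]$Ace)
    $rights = [string]$Ace.ActiveDirectoryRights
    $type   = if ($Ace.ObjectAceType) { [string]$Ace.ObjectAceType } else { 'All' }
    if ($KnownGuids.ContainsKey($type)) { $type = $KnownGuids[$type] }   # raw GUID -> name
    if ($type -eq '00000000-0000-0000-0000-000000000000') { $type = 'All' }

    if ($rights -match 'GenericAll')   { return 'GenericAll' }
    if ($rights -match 'WriteDacl')    { return 'WriteDACL' }
    if ($rights -match 'WriteOwner')   { return 'WriteOwner' }
    if ($rights -match 'GenericWrite') { return 'GenericWrite' }
    if ($rights -match 'ExtendedRight') {
        if ($type -eq 'User-Force-Change-Password')     { return 'ForceChangePassword' }
        if ($type -match '^DS-Replication-Get-Changes') { return 'DCSync' }
        if ($type -eq 'All')                            { return 'AllExtendedRights' }
    }
    if ($rights -match 'WriteProperty') {
        if ($type -eq 'Self-Membership') { return 'AddMember' }
        if ($type -eq 'All')             { return 'GenericWrite' }   # write to every attribute
    }
    return $null
}

function Find-RiskyAce {
    # Returns one row per allow-ACE that grants a classified right to an unexpected principal.
    param(
        [Parameter(Mandatory)][object[]]$Acl,
        [Parameter(Mandatory)][string]$DomainSid
    )
    $expected = $BuiltinExpected + ($ExpectedRids | ForEach-Object { "$DomainSid-$_" })
    foreach ($ace in $Acl) {
        if ([string]$ace.AceQualifier -ne 'AccessAllowed') { continue }   # deny ACEs grant nothing
        $sid = [string]$ace.SecurityIdentifier
        if ($sid -in $expected) { continue }
        $class = Get-AceRiskClass $ace
        if ($class) {
            [pscustomobject]@{ Object = $ace.ObjectDN; Principal = $sid; Right = $class; AceType = [string]$ace.ObjectAceType }
        }
    }
}

# Constructed sample ACL (hypothetical RIDs 1105 and 1120; domain SID from the GPO query above).
$DomainSidSample = 'S-1-5-21-2974783224-3764228556-2640795941'
$SampleAcl = @(
    [pscustomobject]@{ ObjectDN='CN=harry.jones,CN=Users,DC=inlanefreight,DC=local'; AceQualifier='AccessAllowed'; ActiveDirectoryRights='ExtendedRight'; ObjectAceType='User-Force-Change-Password'; SecurityIdentifier="$DomainSidSample-1105" }
    [pscustomobject]@{ ObjectDN='CN=harry.jones,CN=Users,DC=inlanefreight,DC=local'; AceQualifier='AccessAllowed'; ActiveDirectoryRights='GenericAll'; ObjectAceType='All'; SecurityIdentifier="$DomainSidSample-512" }      # Domain Admins: expected, skipped
    [pscustomobject]@{ ObjectDN='DC=inlanefreight,DC=local'; AceQualifier='AccessAllowed'; ActiveDirectoryRights='ExtendedRight'; ObjectAceType='1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'; SecurityIdentifier="$DomainSidSample-1120" }   # unresolved GUID -> DCSync
    [pscustomobject]@{ ObjectDN='CN=Helpdesk,CN=Users,DC=inlanefreight,DC=local'; AceQualifier='AccessAllowed'; ActiveDirectoryRights='WriteProperty'; ObjectAceType='Self-Membership'; SecurityIdentifier="$DomainSidSample-513" }   # Domain Users can add members
    [pscustomobject]@{ ObjectDN='CN=harry.jones,CN=Users,DC=inlanefreight,DC=local'; AceQualifier='AccessDenied'; ActiveDirectoryRights='GenericAll'; ObjectAceType='All'; SecurityIdentifier="$DomainSidSample-1105" }    # deny: skipped
)

Find-RiskyAce -Acl $SampleAcl -DomainSid $DomainSidSample | Format-Table -AutoSize
```

On a live domain: Find-RiskyAce -Acl (Get-DomainObjectAcl -Identity harry.jones -ResolveGUIDs) -DomainSid (Get-DomainSID), then pipe the Principal column through Convert-SidToName as the DCSync query above does. Expect three rows from the sample: ForceChangePassword for RID 1105, DCSync for RID 1120, and AddMember for Domain Users; the Domain Admins ACE and the deny ACE are filtered out by design.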
Enumerating Domain GPOs
Gather GPO Data
Get-DomainGPO | select displayname
Gather GPOs Applied to a Computer
Get-DomainGPO -ComputerName WS01 | select displayname
Gather GPO Permissions
Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq 'S-1-5-21-2974783224-3764228556-2640795941-513'}
Enumerating Domain Trusts
Gather Existing Trusts
Get-DomainTrust
Map All Trusts Reachable From the Current Domain
Get-DomainTrustMapping