PowerView
Domain enum
Get-Domain
Get-Domain -Domain moneycorp.local
Get-DomainSID

Policy data is important for the password policy and Kerberos ticket information (needed for forging tickets, must match for OPSEC: a ticket whose lifetime differs from the domain's Kerberos policy is an anomaly defenders can detect)
Get-DomainPolicyData

Get-DomainController
Get-DomainController -Domain moneycorp.local

Users enum
Get-DomainUser | select samaccountname
Get-DomainUser -Identity student1

Properties of users are important. Check logon counts to see who might be a HONEYPOT!! Things to look at:
- Fewer than 5-10 logons (logonCount)
- Last logon time
- Bad password time (a real user should have mistyped the password at least once)
Get-DomainUser -Identity student1 -Properties *
Get-DomainUser -Properties samaccountname,logonCount,Description

Grep out a specific string
Get-DomainUser -LDAPFilter "Description=*built*" | Select name,Description

Computer enum
Get-DomainComputer | select cn
Get-DomainComputer | select -ExpandProperty dnshostname
Get-DomainComputer -OperatingSystem "*Server 2022*"
Get-DomainComputer -Ping

Group enum
Get-DomainGroup | select Name
Get-DomainGroup -Domain <targetdomain>
Get-DomainGroup *admin*
Get-DomainGroup -Name *admin* | select cn

Domain Group Membership
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainGroupMember -Identity "Domain Admins" -Recurse | select MemberName
Get-DomainGroupMember -Identity "Enterprise Admins" -Recurse -domain <domain>
Get-DomainGroup -UserName "student1"
Get-DomainGroup -UserName "student1" | select name

Local Group Membership
Get-NetLocalGroup -ComputerName dcorp-dc
Get-NetLocalGroupMember -ComputerName dcorp-dc -GroupName Administrators

Shares, Sensitive files and FileServers
Invoke-ShareFinder -Verbose
Invoke-FileFinder -Verbose
Get-NetFileServer