PowerView

Domain enum

You can enumerate other domains in the Forest as well

Get-Domain
Get-Domain -Domain moneycorp.local
Get-DomainSID

Policy data will be important for password policies and Kerberos ticket information (needed for forging tickets, must match for OPSEC)

Get-DomainPolicyData

Get-DomainController
Get-DomainController -Domain moneycorp.local

Users enum

Get-DomainUser | select samaccountname
Get-DomainUser -Identity student1

Properties of users are important. Check login counts to see who might be a HONEYPOT!!

Less than 5-10 logon counts
Last logon time
Bad password time (should be wrong at least once)

Get-DomainUser -Identity student1 -Properties *
Get-DomainUser -Properties samaccountname,logonCount,Description

Grep out a specific string

Get-DomainUser -LDAPFilter "Description=*built*" | Select name,Description

Computer enum

Computer objects and Computers are different things

Check the logon count to find out

Get-DomainComputer | select cn,logoncount

Get-DomainComputer | select cn
Get-DomainComputer | select -ExpandProperty dnshostname

Get-DomainComputer -OperatingSystem "*Server 2022*"
Get-DomainComputer -Ping

Group enum

Get-DomainGroup | select Name
Get-DomainGroup -Domain <targetdomain>

Need to specify the domain for Enterprise Admins and others to show

Get-DomainGroup -Name *admin* -Domain <domain> -properties name

Get-DomainGroup *admin*
Get-DomainGroup -Name *admin* | select cn

Domain Group Membership

Helpful to rename the local machine Administrators for post enumeration

SID will be the same for domain Admin

ALSO having a target user in multiple groups helps with privileges to other objects down the road

Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainGroupMember -Identity "Domain Admins" -Recurse | select MemberName
Get-DomainGroupMember -Identity "Enterprise Admins" -Recurse -domain <domain>

Get-DomainGroup -UserName "student1"
Get-DomainGroup -UserName "student1" | select name

Local Group Membership

You can view local groups on Domain Controllers but need local Admin on other remote computers to list them

Get-NetLocalGroup -ComputerName dcorp-dc
Get-NetLocalGroupMember -ComputerName dcorp-dc -GroupName Administrators

Shares, Sensitive files and FileServers

Invoke-ShareFinder -Verbose

Invoke-FileFinder -Verbose

Get-NetFileServer

PreviousExecuting PowerShell NextActiveDirectory Module - OPSEC

Last updated 1 year ago

hashtagDomain enum

hashtagUsers enum

hashtagComputer enum

hashtagGroup enum

hashtagDomain Group Membership

hashtagLocal Group Membership

hashtagShares, Sensitive files and FileServers

Domain enum

Users enum

Computer enum

Group enum

Domain Group Membership

Local Group Membership

Shares, Sensitive files and FileServers