- General
- Powerview Domain
- Powerview Users, groups and computers
- Powerview Shares
- Powerview GPO
- Powerview OU
- Powerview ACL
- Powerview Domain Trust
- Powerview Session
- Bloodhound
- C# version of powerview https://github.com/tevora-threat/SharpView
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
# Load PowerView into the current session by dot-sourcing it, so its functions
# stay defined after the script returns. Assumes PowerView.ps1 is in the current
# directory; execution policy or AV/AMSI may block this on a hardened host.
. ./PowerView.ps1
# Current domain object; -Domain queries another (trusting) domain instead.
Get-Domain
Get-Domain -Domain <DOMAIN NAME>
# Domain SID — the prefix in front of well-known RIDs (e.g. -512 = Domain Admins).
Get-DomainSID
# Default domain policy (PowerView parses it from SYSVOL); the second form is the
# newer cmdlet name, keep whichever the loaded PowerView build exposes.
Get-DomainPolicy
Get-DomainPolicyData
# Password and lockout settings sit in the "System Access" section — check the
# lockout threshold/window here BEFORE any password spraying.
(Get-DomainPolicy)."System Access"
# Built-in equivalent that needs no PowerView (lockout threshold, duration, min length).
net accounts /domain
# Domain controllers; the second form keeps only the host names.
Get-DomainController
Get-DomainController | select-object Name
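# --- Users -------------------------------------------------------------------
Get-DomainUser
# Single user by sAMAccountName. -Username is the older PowerView switch; the
# current build uses -Identity — verify against the PowerView.ps1 you loaded.
Get-DomainUser -Username <USERNAME>
Get-DomainUser | select samaccountname
# lastlogon / pwdlastset help spot stale accounts and never-rotated passwords.
Get-DomainUser | select samaccountname, lastlogon, pwdlastset
Get-DomainUser | select samaccountname, lastlogon, pwdlastset | Sort-Object -Property lastlogon
Get-DomainUser | select samaccountname, memberof
# Older PowerView helper; current build: Get-DomainUser -Properties pwdlastset
Get-Userproperty -Properties pwdlastset
# Description fields frequently leak passwords or hints — search them broadly.
Find-UserField -SearchField Description -SearchTerm "built"
Get-DomainUser | Select-Object samaccountname,description
# --- Computers ---------------------------------------------------------------
Get-DomainComputer
# -FullData is an older PowerView switch (the current build always returns full objects).
Get-DomainComputer -FullData
Get-DomainComputer -Computername <COMPUTERNAME> -FullData
# Wildcard match on the OS string, e.g. "*2008*" to find legacy/unsupported builds.
Get-DomainComputer -OperatingSystem "*<VERSION>*"
Get-DomainComputer -fulldata | select samaccountname, operatingsystem, operatingsystemversion
# --- Groups ------------------------------------------------------------------
Get-DomainGroup
Get-DomainGroup -Domain <DOMAIN>
# Wildcard on the group name; -Recurse below expands nested group membership,
# which is where most hidden admin paths live.
Get-DomainGroup -GroupName *admin*
Get-DomainGroupMember -Groupname "<GROUP>" -Recurse
# Groups a given user belongs to (older switch; current build: -MemberIdentity).
Get-DomainGroup -Username <SAMACCOUNTNAME>
# --- Local groups / logged-on users on a remote host --------------------------
# These go to the target host over SMB/RPC rather than to the DC. On recent
# Windows remote SAM and session enumeration may be limited to administrators,
# so empty results do not necessarily mean empty groups.
Get-NetLocalGroup -Computername <COMPUTERNAME> -ListGroups
Get-NetLocalGroupMember -Computername <COMPUTERNAME> -Recurse
Get-NetLocalGroupMember -ComputerName <COMPUTERNAME> -GroupName <GROUPNAME>
Get-NetLoggedon -Computername <COMPUTERNAME>
# Reads HKU on the target via remote registry — normally needs local admin there.
Get-LoggedonLocal -Computername <COMPUTERNAME>
Get-LastLoggedOn -ComputerName <COMPUTERNAME>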
# Enumerate readable shares on every domain computer. This touches every host,
# so it is noisy; the Exclude switches drop the standard admin shares, print
# queues and IPC$ from the output.
Invoke-ShareFinder -Verbose
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC
# Walk those shares for files with interesting names/contents — slow and very noisy.
Invoke-FileFinder -Verbose
# Hosts referenced as file servers in user attributes (home/profile/script paths).
Get-NetFileServer
# NOTE: these are the older PowerView names; the current build exposes them as
# Find-DomainShare, Find-InterestingDomainShareFile and Get-DomainFileServer.
# All GPOs in the domain.
Get-DomainGPO
# Only the GPOs that apply to a given computer.
Get-DomainGPO -Computername <COMPUTERNAME>
# GPOs that push local group membership (Restricted Groups / Group Policy Preferences).
Get-DomainGPOLocalGroup
# Who is granted local group rights (e.g. local Administrators) on this machine via GPO ...
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity <COMPUTERNAME>
# ... and on which machines this user/group gets local rights via GPO.
Get-DomainGPOUserLocalGroupMapping -Identity <SAMACCOUNTNAME> -Verbose
- Read the GPO GUID from the OU's gplink attribute (returned by Get-DomainOU), then resolve it with Get-DomainGPO -Identity:
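Get-DomainOU
# Resolve a GPO GUID taken from an OU's gplink attribute to the GPO object.
Get-DomainGPO -Identity '{<ID>}'
# For every OU: list its computers, then map who gets local group rights on them via GPO.
(Get-DomainOU).distinguishedname | %{Get-DomainComputer -SearchBase $_} | Get-DomainGPOComputerLocalGroupMapping
# Same thing for a single OU.
(Get-DomainOU -Identity 'OU=Mgmt,DC=us,DC=techcorp,DC=local').distinguishedname | %{Get-DomainComputer -SearchBase $_} | Get-DomainGPOComputerLocalGroupMapping
# -FullData is an older PowerView switch (current build always returns full objects).
Get-DomainOu -Fulldata
# Older PowerView form: -ADSPath is -SearchBase in the current build, and $_ must
# be the OU's path rather than a full object — prefer the .distinguishedname form above.
Get-DomainOu <OU> | %{Get-DomainComputer -ADSPath $_}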
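# ACEs on a single object; -ResolveGUIDs turns extended-right GUIDs into names.
Get-DomainObjectAcl -Identity <SAMACCOUNTNAME> -ResolveGUIDS
# Older PowerView form (-ADSprefix); use plain ASCII quotes, not smart quotes.
Get-DomainObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose
Get-DomainObjectAcl -Searchbase "LDAP://CN=Domain Admins,CN=Users,DC=us,DC=techcorp,DC=local" -ResolveGUIDs -Verbose
# NTFS ACL of SYSVOL on the DC — write access here means GPO/logon-script tampering.
Get-PathAcl -Path "\\<DC>\sysvol"
# Domain-wide hunt for ACEs that grant write-type rights to non-built-in principals.
Find-InterestingDomainAcl -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl
#New Powerview
Find-InterestingDomainAcl -ResolveGUIDs | select IdentityReferenceName, ObjectDN, ActiveDirectoryRights | fl
# Only the interesting ACEs held by the account you are running as. Note the ASCII
# -eq (an en-dash here silently breaks the filter) and that on the newer PowerView
# the property to compare is IdentityReferenceName.
Find-InterestingDomainAcl | Where-Object {$_.IdentityReference -eq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name}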
# Trusts of the current domain — direction and type decide which way you can pivot.
Get-DomainTrust
Get-Forest
# All domains in the forest; -Forest targets another (trusting) forest.
Get-ForestDomain
Get-forestDomain -Forest <FOREST NAME>
# Global catalog servers hold a partial replica of every domain in the forest.
Get-ForestGlobalCatalog
Get-ForestGlobalCatalog -Forest <FOREST NAME>
# Forest-level (cross-forest) trusts.
Get-ForestTrust
Get-ForestTrust -Forest <FOREST NAME>
# Trust map for every domain in the forest in one go.
Get-ForestDomain -Verbose | Get-DomainTrust
- Enumerates all machines in the domain, queries the domain for the members of a given group (Domain Admins by default), then reports the machines where those users have sessions. Because it contacts every host it is noisy.
# Noisy: queries sessions on every domain machine. UserName / SessionFromName show
# which target user is connected and from which host.
Find-DomainUserLocation | select UserName, SessionFromName
# Sessions on one host (defaults to the local machine; add -ComputerName <HOST>).
# Recent Windows may only return session details to administrators.
Get-NetSession
https://github.com/BloodHoundAD/BloodHound
# The SharpHound collector ships in the BloodHound repo (Ingestors/ in older
# releases, Collectors/ in newer ones); dot-source it like PowerView.
cd Ingestors
. ./sharphound.ps1
# 'All' runs every collector (ACLs, sessions, local admins, ...) and touches every
# host — the most complete option and the noisiest.
Invoke-Bloodhound -CollectionMethod all -Verbose
# LoggedOn uses remote registry / workstation-user enumeration and generally needs
# local admin on the targets (per SharpHound docs — confirm for your version).
Invoke-Bloodhound -CollectionMethod LoggedOn -Verbose
#Copy neo4j-community-3.5.1 to C:\ (the cd below expects it under C:\neo4j\ — adjust one or the other)
#Open cmd
REM Register and start Neo4j as a Windows service. install-service needs an
REM elevated prompt; the path must match where the extracted folder actually lives.
cd C:\neo4j\neo4j-community-3.5.1-windows\bin
neo4j.bat install-service
neo4j.bat start
#Browse to BloodHound-win32-x64
Run BloodHound.exe
#Log in with the default neo4j/neo4j credentials on first run, change the password immediately, and keep Neo4j bound to localhost — the database will hold the full domain map.