
Active Directory PowerShell Module

The Active Directory PowerShell module provides cmdlets for administering and querying an AD environment from the command line.

  1. Load the Active Directory module:

    Import-Module ActiveDirectory
    

  2. Enumerate domain information:

    Get-ADDomain
    

  3. Enumerate users with Service Principal Names (SPNs):

    Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
    

  4. Check for trust relationships:

    Get-ADTrust -Filter *
    

  5. Enumerate groups:

    Get-ADGroup -Filter *
    

  6. Get detailed group information:

    Get-ADGroup -Identity "[GROUP]"
    

  7. Enumerate group members:

    Get-ADGroupMember -Identity "[GROUP]"
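
The SPN and group-membership steps above combined into one read-only review, as an added example that is not part of the original page: it lists user accounts that carry SPNs and marks those with old passwords or membership in privileged groups, so they can be prioritised for password rotation. The 365-day threshold and the group list are assumptions to adjust to local policy.

```powershell
# Added example (not from the original page): read-only hygiene report for
# SPN-bearing user accounts, built from the cmdlets listed above.
# Assumptions: RSAT ActiveDirectory module is installed; $MaxPasswordAgeDays
# and $PrivilegedGroups are illustrative values.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365
$PrivilegedGroups   = 'Domain Admins', 'Enterprise Admins', 'Administrators'

# Resolve privileged membership once, recursively, so nested groups count.
$privilegedDns = foreach ($g in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Select-Object -ExpandProperty distinguishedName
    } catch {
        Write-Warning "Group '$g' not found or not readable: $_"
    }
}
$privilegedDns = @($privilegedDns | Sort-Object -Unique)

# User accounts with at least one SPN. krbtgt (kadmin/changepw) will appear
# here; it is disabled by default, which the Enabled column makes visible.
$spnUsers = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
    -Properties ServicePrincipalName, PasswordLastSet

$report = foreach ($u in $spnUsers) {
    # PasswordLastSet is empty when the password must change at next logon.
    $ageDays = if ($u.PasswordLastSet) {
        [int](((Get-Date) - $u.PasswordLastSet).TotalDays)
    } else {
        $null
    }
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        SpnCount        = @($u.ServicePrincipalName).Count
        PasswordAgeDays = $ageDays
        StalePassword   = ($null -eq $ageDays) -or ($ageDays -gt $MaxPasswordAgeDays)
        Privileged      = $privilegedDns -contains $u.DistinguishedName
    }
}

# Privileged accounts with the oldest passwords sort to the top.
$report | Sort-Object Privileged, PasswordAgeDays -Descending |
    Format-Table -AutoSize
```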
    

Using PowerView

PowerView is a powerful PowerShell tool designed to enhance situational awareness in an AD environment.

  1. Get information about a specific domain user:

    Get-DomainUser -Identity "[USERNAME]"
    

  2. Enumerate domain group members (recursive):

    Get-DomainGroupMember -Identity "Domain Admins" -Recurse
    

  3. Enumerate trust mappings:

    Get-DomainTrustMapping
    

  4. Test administrative access to a computer:

    Test-AdminAccess -ComputerName "[COMPUTERNAME]"
    

Using SharpView

SharpView is the .NET implementation of PowerView, providing similar functionality for AD enumeration.

  1. Get information about a specific domain user:

    .\SharpView.exe Get-DomainUser -Identity "[USERNAME]"
    

  2. Enumerate all domain users:

    .\SharpView.exe Get-DomainUser
    

Using Snaffler

Snaffler is a tool for locating sensitive data within an AD environment by enumerating network shares and directories.

  1. Execute Snaffler:

    .\Snaffler.exe -d "domain" -s -v data -o "output.log"
    

Using BloodHound

BloodHound is a tool for analyzing AD trust relationships and identifying potential attack paths.

  1. Run SharpHound to collect data:

    .\SharpHound.exe -c All --zipfilename "output.zip"
    

  2. Ingest the data into BloodHound.

  3. Open the BloodHound GUI.
  4. Click Upload Data.
  5. Select the zip file generated by SharpHound.
  6. Analyze the data using pre-built and custom queries.