Disclaimer: This material is provided for educational purposes and authorized security testing only. You are solely responsible for how you use the information. Do not use these techniques on systems without explicit permission from the owner. We do not encourage any kind of illegal or harmful activity.
Enumerate Domain Information
- Retrieve detailed information about a domain user
Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name, samaccountname, description, memberof, whencreated, pwdlastset, lastlogontimestamp, accountexpires, admincount, userprincipalname, serviceprincipalname, useraccountcontrol
- List members of the "Domain Admins" group (including nested memberships)
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
- List trust relationships for the domain
- Check administrative access to a specific machine
Test-AdminAccess -ComputerName ACADEMY-EA-MS01
- Identify users with the SPN property set (useful for Kerberoasting)
Get-DomainUser -SPN -Properties samaccountname, ServicePrincipalName
- Enumerate local groups on a target
Get-NetLocalGroup -ComputerName <target>
- Enumerate members of the local Administrators group on a target
Get-NetLocalGroupMember -ComputerName <target> -GroupName "Administrators"
- Enumerate shares on a target
Get-NetShare -ComputerName <target>
- Find reachable shares on domain machines
- Search for files matching criteria on readable shares
Find-InterestingDomainShareFile
- List all distributed file systems for the domain
- Retrieve the default domain or DC policy
Domain Information
- Get the current domain
- Enumerate other domains
Get-NetDomain -Domain $DomainName
- Get the domain SID
- Retrieve the domain policy
Get-DomainPolicy
(Get-DomainPolicy)."system access"
(Get-DomainPolicy)."kerberos policy"
- Get domain controllers
Get-NetDomainController
Get-NetDomainController -Domain $DomainName
- Get detailed domain info
Enumerate Domain Users
- Enumerate domain users
Get-NetUser
Get-NetUser -SamAccountName $user
Get-NetUser | select cn
Get-UserProperty
- Check the last password change
Get-UserProperty -Properties pwdlastset
- Search a specific attribute for a value
Find-UserField -SearchField Description -SearchTerm "wtver"
- Enumerate users logged on to a machine
Get-NetLoggedon -ComputerName $ComputerName
- Enumerate session information
Get-NetSession -ComputerName $ComputerName
- Enumerate user locations
Find-DomainUserLocation -Domain $DomainName | Select-Object UserName, SessionFromName
Enumerate Domain Computers
- Enumerate domain computers
Get-NetComputer -FullData
- Enumerate live machines
Get-NetComputer -Ping
Enumerate Groups and Group Members
- Enumerate group members
Get-NetGroupMember -GroupName "$GroupName" -Domain $DomainName
- Get group members
Get-DomainGroup -Identity $GroupName | Select-Object -ExpandProperty Member
- Enumerate GPO local group membership
Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
- Enumerate all groups
Enumerate Shares
- Enumerate domain shares
- Enumerate accessible domain shares
Find-DomainShare -CheckShareAccess
Enumerate Group Policies
- Get group policies
- Get the group policy applied to a machine
Get-NetGPO -ComputerName $ComputerName
- Get users granted local admin rights through GPO
Find-GPOComputerAdmin -ComputerName $ComputerName
Enumerate OUs
- Enumerate organizational units
Get-NetOU -FullData
- Look up a GPO linked to an OU by its GUID
Get-NetGPO -GPOname $GPO_GUID
Enumerate ACLs
- Get ACLs for a user
Get-ObjectAcl -SamAccountName $UserName -ResolveGUIDs
- Get ACLs for a specific path
- Search for interesting ACEs
Invoke-ACLScanner -ResolveGUIDs
Enumeration of Data
- Enumerate domain trusts
Get-NetDomainTrust
Get-NetDomainTrust -Domain $DomainName
- Enumerate forest trusts
Get-NetForestTrust
Get-NetForestDomain -Forest $ForestName
- Get DNS zones and records
Get-DNSZone
Get-DNSRecord
- Get all domain sites and subnets
Get-NetSite
Get-NetSubnet