🖌️
AD-RED-TEAM
  • Active Directory Red Team
  • PowerShell Basics
    • Tips And Tricks
  • I. Active Directory Enumeration
    • User Hunting Domain Enumeration
    • Forest and Domains
    • User Enumeration
    • Groups Enumeration
    • Computers/Server Enumeration
    • Shares Enumeration
    • GP And OU Enumeration
    • ACL Domain Enumeration
    • Trust Domain Enumeration
  • II. Local Privilege Escalation
    • Lateral Movement
    • PowerUp Exploits
  • III. Domain Privilege Escalation
    • Forest Persistence – DCShadow
    • Trust Abuse - MSSQL Servers
    • Priv Esc – Across Forest using krbtgt Ticket
    • Priv Esc - Across Trusts using Trust Tickets
    • Priv Esc – DNSAdmins
    • Priv Esc - Constrained Delegation
    • Priv Esc – Unconstrained Delegation
    • Priv Esc - Targeted Kerberoasting - Set SPN
    • Targeted Kerberoasting - AS-REPs
    • Priv Esc - Kerberoast
  • IV. Domain Persistence and Dominance
    • Persistence ACLs - Security Descriptors
    • Persistence ACLs- Rights Abuse
    • Persistence ACL - AdminSDHolder
    • Persistence – Custom SSP
    • Persistence - DSRM
    • Persistence - Skeleton Key
    • Persistence - Silver Ticket
    • Persistence - Golden Ticket
  • V. Cross Trust Attacks
  • VI. Forest Persistence and Dominance
  • VII. Defenses – Monitoring
  • VIII. Defenses and bypass – Architecture and Work Culture Changes
  • IX. Defenses and Bypass – Deception
  • X. Defenses and Bypass – PowerShell
  • New Server
    • Move Lat-AppLocker
    • Move Lat-Invoke-Command
Powered by GitBook
On this page
  • GPO Enumeration
  • PowerView
  • ActiveDirectoryPowerShell module
  • OU Enumeration
  • PowerView
  • ActiveDirectoryPowerShell module

Was this helpful?

  1. I. Active Directory Enumeration

GP And OU Enumeration

Group Policy provides the ability to manage configuration and changes easily and centrally in AD.

Allows configuration of, Security settings, Registry-based policy settings, Group policy preferences like startup/shutdown/log-on/logoff scripts settings, Software installation, GPO can be abused for various attacks like privesc, backdoors, persistence etc.

GPO Enumeration

PowerView

Get-NetGPO
Get-NetGPO | Select displayname
Get-NetGPO -ComputerName dcorpstudent1.dollarcorp.moneycorp.local

#Get GPO(s) which use Restricted Groups or groups.xml for interesting
users
Get-NetGPOGroup


#Get users which are in a local group of a machine using GPO
Find-GPOComputerAdmin –Computername dcorpstudent1.dollarcorp.moneycorp.local



#Get machines where the given user is member of a specific group
Find-GPOLocation -UserName student1 -Verbose

ActiveDirectoryPowerShell module

#Get list of GPO in current domain
Get-GPO -All
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Users\Administrator\report.html

gpresult /r
gpresult /r /v

OU Enumeration

PowerView

#Get OUs in a domain
Get-NetOU
Get-NetOU -FullData



#Get GPO applied on an OU. Read GPOname from gplink attribute from Get-NetOU
Get-NetGPO -GPOname "{AB306569-220D-43FF-B03B83E8F4EF8081}"

ActiveDirectoryPowerShell module

#Get OUs in a domain
Get-ADOrganizationalUnit -Filter * -Properties * 



#Get GPO applied on an OU. Read GPOname from gplink attribute from Get-NetOU
Get-GPO -Guid AB306569-220D-43FF-B03B-83E8F4EF8081
PreviousShares EnumerationNextACL Domain Enumeration

Last updated 4 years ago

Was this helpful?