🖌️
AD-RED-TEAM
  • Active Directory Red Team
  • PowerShell Basics
    • Tips And Tricks
  • I. Active Directory Enumeration
    • User Hunting Domain Enumeration
    • Forest and Domains
    • User Enumeration
    • Groups Enumeration
    • Computers/Server Enumeration
    • Shares Enumeration
    • GP And OU Enumeration
    • ACL Domain Enumeration
    • Trust Domain Enumeration
  • II. Local Privilege Escalation
    • Lateral Movement
    • PowerUp Exploits
  • III. Domain Privilege Escalation
    • Forest Persistence – DCShadow
    • Trust Abuse - MSSQL Servers
    • Priv Esc – Across Forest using krbtgt Ticket
    • Priv Esc - Across Trusts using Trust Tickets
    • Priv Esc – DNSAdmins
    • Priv Esc - Constrained Delegation
    • Priv Esc – Unconstrained Delegation
    • Priv Esc - Targeted Kerberoasting - Set SPN
    • Targeted Kerberoasting - AS-REPs
    • Priv Esc - Kerberoast
  • IV. Domain Persistence and Dominance
    • Persistence ACLs - Security Descriptors
    • Persistence ACLs- Rights Abuse
    • Persistence ACL - AdminSDHolder
    • Persistence – Custom SSP
    • Persistence - DSRM
    • Persistence - Skeleton Key
    • Persistence - Silver Ticket
    • Persistence - Golden Ticket
  • V. Cross Trust Attacks
  • VI. Forest Persistence and Dominance
  • VII. Defenses – Monitoring
  • VIII. Defenses and bypass – Architecture and Work Culture Changes
  • IX. Defenses and Bypass – Deception
  • X. Defenses and Bypass – PowerShell
  • New Server
    • Move Lat-AppLocker
    • Move Lat-Invoke-Command
Powered by GitBook
On this page
  • Domain Enumeration - Groups
  • PowerView
  • The ActiveDirectoryPowerShell module

Was this helpful?

  1. I. Active Directory Enumeration

Groups Enumeration

Domain Enumeration - Groups

PowerView

#Get all the groups in the current domain
Get-NetGroup
Get-NetGroup –Domain <targetdomain>
Get-NetGroup –FullData


#Get all groups containing the word "admin" in group name
Get-NetGroup *admin*


#Get all the members of the Domain Admins group
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-NetGroupMember -GroupName "Domain Admins"
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain moneycorp.local



#Get the group membership for a user:
Get-NetGroup –UserName "student1"


#List all the local groups on a machine (needs administrator privs on nondc machines
Get-NetLocalGroup -ComputerName dcorpdc.dollarcorp.moneycorp.local -ListGroups



#Get members of all the local groups on a machine (needs administrator
privs on non-dc machines)

Get-NetLocalGroup -ComputerName dcorpdc.dollarcorp.moneycorp.local -Recurse


#Get actively logged users on a computer (needs local admin rights on
the target)
Get-NetLoggedon –ComputerName <servername>



#Get locally logged users on a computer (needs remote registry on the
target - started by-default on server OS)
Get-LoggedonLocal -ComputerName dcorpdc.dollarcorp.moneycorp.local



#Get the last logged user on a computer (needs administrative rights and
remote registry on the target)
Get-LastLoggedOn –ComputerName <servername>

The ActiveDirectoryPowerShell module

#Get all the groups in the current domain
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *


#Get all groups containing the word "admin" in group name
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name 


#Get all the members of the Domain Admins group
Get-ADGroupMember -Identity "Domain Admins" -Recursive


#Get the group membership for a user:
Get-ADPrincipalGroupMembership -Identity student1
PreviousUser EnumerationNextComputers/Server Enumeration

Last updated 4 years ago

Was this helpful?