Elite

Users, Computer, Groups

Users Enumeration

## Users Enumeration
Get-NetUser

Get user in a Domain

Get-NetUser *admin* -Domain grey.wargrey.mon

Get Admins in a Domain

Get-NetUser -AdminCount 
Get-NetUser -AdminCount -Domain wargrey.mon

Filter by username

Get-DomainUser -Domain wargrey.mon | ?{$_.name -match "Grey Mon"}

Grab the cn (common-name) from the list of users

Get-NetUser | select cn

Get actively logged users on a computer (needs local admin rights on the target)

Get-NetLoggedon -ComputerName <servername>

List all properties

Get-UserProperty

Display when the passwords were set last time

Get-UserProperty -Properties pwdlastset

Display when the accounts were created

Get-UserProperty -Properties whencreated

Get the list of users

Get-ADUser -Filter *

Get the list of users with properties

Get-ADUser -Filter * -Properties *

List samaccountname and description for users

Get-ADUser -Filter * -Properties * | select Samaccountname, Description

Get the list of users from cn common-name

Get-ADUser -Filter * -Properties * | select cn

Get the list of users from name

Get-ADUser -Filter * -Properties * | select name

Displays when the password was set

Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}

List samaccountname, lastlogon, pwdlastset

Get-NetUser | select samaccountname, lastlogon, pwdlastset
Get-NetUser | select samaccountname, lastlogon, pwdlastset | Sort-Object -Property lastlogon

Get list of usernames and their groups

Get-NetUser | select samaccountname, memberof

Get description field from the user

Find-UserField -SearchField Description -SearchTerm "built"
Get-netuser | Select-Object samaccountname, description

Get SID for users

WMIC.exe useraccount get name, sid

Basic user enabled info

Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount

Find users with sidHistory set

Get-NetUser -LDAPFilter '(sidHistory=*)'

Find local admin access on domain machines

Find all machines on the current domain where the current user has local admin access

Find-LocalAdminAccess -Verbose

This can also be done with remote administration tools like WMI and PowerShell remoting.

  • Useful when ports (RPC and SMB) used by Find-LocalAdminAccess are blocked.

Find-WMILocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess.ps1

Kerberoasting Enumeration

ASREPRoastable users

Get-NetUser -PreauthNotRequired

Kerberoastable users

Get-NetUser -SPN
Get-NetComputer -SPN

Kerberospolicy

(Get-DomainPolicyData).kerberospolicy

Groups Information

List groups and their details

Get-NetGroup | select samaccountname, admincount, description

Get AdminSDHolders

Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=wargrey,DC=mon' | %{ $_.SecurityIdentifier } | Convert-SidToName

Computer Enumeration

Basic computer enumeration

Get-NetComputer
Get-ADComputer -Filter *

Get Computer name and OS

Get-NetComputer | select samaccountname, operatingsystem
Get-NetComputer -Domain wargrey.mon | select samaccountname, operatingsystem

Get computers with specific OS

Get-NetComputer -OperatingSystem "*Server 2016*"

DCs appear but aren't useful for privilege escalation

Get-NetComputer -Unconstrained | select samaccountname

Find computers with Constrained Delegation

Get-NetComputer -TrustedToAuth | select samaccountname

Find machine accounts in privileged groups

Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*'}
Get-NetGroupMember -Identity "Domain Admins" -Recurse | select MemberName

List all the local groups on a machine (needs admin privileges on non-DC machines)

Get-NetlocalGroup -Computername <computername> -ListGroups

Get members of all the local groups on a machine (needs admin privileges on non-DC machines)

Get-NetlocalGroup -Computername <computername> -Recurse

Get actively logged users on a computer (needs local admin privileges)

Get-NetLoggedon -Computername <computername>

Get locally logged users on a computer (needs remote registry rights on the target)

Get-LoggedonLocal -Computername <computername>

Get the last logged users on a computer (needs admin rights and remote registry on the target)

Get-LastLoggedOn -ComputerName <computername>

Get computer operating system and other important info

Get-ADComputer -Filter * -Property PrimaryGroupID
Get-ADComputer -Filter {PrimaryGroupID -eq "<number>"} -Properties OperatingSystem, OperatingSystemVersion, OperatingSystemServicePack, PasswordLastSet, LastLogonDate, ServicePrincipalName, TrustedForDelegation, TrustedtoAuthForDelegation

Find computers where a domain admin (or specified user/group) has sessions

Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity “RDPUsers”

Find computers where a domain admin session is available and current user has admin access

  • Uses Test-AdminAccess.

#Find-DomainUserLocation -CheckAccess

Find computers (File Servers and Distributed File servers) where a domain admin session is available

#Find-DomainUserLocation -Stealth

Shares Enumeration

Search readable shares

Find-DomainShare -CheckShareAccess

Groups and Members Enumeration

Basic group enumeration

Get-NetGroup
Get-NetLocalGroup

Get all groups containing "admin" in the group name

Get-NetGroup *Admin*
Get-NetGroupMember 'Domain Admins' -Recurse
Get-NetGroupMember 'Administrator' -Recurse
Get-NetGroupMember 'Remote Desktop Users' -Recurse
Get-NetGroupMember 'Remote Desktop' -Recurse

Get all members of the "Domain Admins" group

Get-NetGroupMember -GroupName "Domain Admins" -Recurse

Query the root domain for "Enterprise Admins"

Get-NetGroupMember -GroupName "Enterprise Admins" –Domain wargrey.mon

Get group membership for user "grey"

Get-NetGroup -UserName "grey"

List all group members in the "Users" group with full data

Get-NetGroup -GroupName "Users" -Fulldata

Get all groups that contain "admin" in the group name

Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

Get all members of the "Domain Admins" group

Get-ADGroupMember -Identity "Domain Admins" -Recursive

Get group membership for "grey"

Get-ADPrincipalGroupMembership -Identity grey

Get computers and their Operating Systems

Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name, OperatingSystem

Test connectivity for each computer in the domain

Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}

Enumerate Domain Groups

#Get all the groups in the current domain
Get-DomainGroup | select Name
Get-DomainGroup –Domain <targetdomain>
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *
#Get all groups containing the word "admin" in group name
Get-DomainGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

#Get all the members of the Domain Admins group
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-ADGroupMember -Identity "Domain Admins" -Recursive

#Get the group membership for a user:
Get-DomainGroup –UserName "grey"
Get-ADPrincipalGroupMembership -Identity grey

#Get Group admins
Get-NetGroup "*admins*" | Get-NetGroupMember -Recurse | ?{$_.MemberName -Like "*.*"}

#Get Clients on Host Domain
Get-NetGroup -ComputerName PDC
Get-NetGroup -ComputerName dc02
PreviousAD EnumerationNextBloodHound Enumeration

Last updated