LHF (Low Hanging Fruits)
Accès Admin Local
Trouver toutes les machines sur le domaine où vous avez un accès administrateur local :
Find-LocalAdminAccess
RDP users
Invoke-UserHunter -GroupName "RDPUsers"
Ordinateurs
Tous les ordinateurs du domaine
Get-NetComputer
Get-NetComputer -fullData | select name,samaccountname, samaccounttype, operatingsystem
Tous les ordinateurs d’un domaine
Get-NetComputer -Domain <domain>
Utilisateurs
Tous les utilisateurs
Get-NetUser et Get-DomainUser sont presque équivalent (Get-DomainUser retourne plus d’infos) :
Get-NetUser
Get-DomainUser
Get-NetUser | select samaccountname, description, pwdlastset, logoncount, badpwdcount
Informations sur un utilisateur
Get-NetUser -UserName <username>
Utilisateurs Kerbroastable (ASREP-Roasting??)
Get-NetUser -Domain msp.local | Where-Object {$_.servicePrincipalName} | select name, samaccountname, serviceprincipalname | Export-CSV -NoTypeInformation kerberoastable.csv
Utilisateurs avec la preauthentication kerberos désactivé
Get-DomainUser -PreauthNotRequired
Get-DomainUser -UACFilter DONT_REQ_PREAUTH
Utilisateurs avec un SPN (probale compte de service)
Get-DomainUser -SPN
Comptes de service membre de "Domain Admins"
Get-DomainUser -SPN | ?{$_.memberof -match 'Domain Admins'}
Groupes
Tous les groupes d’un domaine
Get-NetGroup
Get-NetGroup -Domain <domain> | select name
Membres d’un groupe
Get-DomainGroupMember "<Group Name>" -Recurse
Domaine
Information sur le domaine courant
Get-Domain
Get-NetDomain
Information sur un domaine
Get-NetDomain -Domain <domaine>
Politiques
Get-DomainPolicy
Get-DomainPolicy -Domain <domaine>
Forêt
Get-NetForest
Get-ForestDomain
Shares
Autres
Identification de RBCD dans Active Directory
# Get all sids, all computer object ACLs, and find RBCD!!!
$usersid = get-domainuser | select -exp objectsid; "Got user SIDS"; $computeracls = Get-DomainComputer | select -exp dnshostname | get-domainobjectacl; "Got computer ACLs"; "Search through acls for RBCD..."; foreach ($acl in $computeracls) { foreach($sid in $usersid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and ($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }
# Get all SIDS, all computer object ACLs, and find RBCD
$groupsid = $groups = Get-DomainGroup | Where-Object {$_.SamAccountName -ne "Domain Admins" -and $_.SamAccountName -ne "Account Operators" -and $_.SamAccountName -ne "Enterprise Admins" -and $_.SamAccountName -ne "Administrators" -and $_.SamAccountName -ne "DnsAdmins" -and $_.SamAccountName -ne "Schema Admins" -and $_.SamAccountName -ne "Key Admins" -and $_.SamAccountName -ne "Enterprise Key Admins" -and $_.SamAccountName -ne "Storage Replica Administrators"} | select -exp objectsid; "Got group SIDS"; $computeracls = Get-DomainComputer | select -exp dnshostname | get-domainobjectacl; "Got computer ACLs"; "Search through acls for RBCD..."; foreach ($acl in $computeracls) { foreach($sid in $groupsid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and ($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }
# Get all computer object SIDS, all computer object ACLs, and find RBCD
$computersid = get-domaincomputer | select -exp objectsid; "Got computer SIDS"; $computeracls = Get-DomainComputer | select -exp dnshostname | get-domainobjectacl; "Got computer ACLs"; "Search through acls for RBCD..."; foreach ($acl in $computeracls) { foreach($sid in $computersid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }