PowerView – Cheatsheet

LHF (Low-Hanging Fruit)

Local Admin Access

Find all machines in the domain where you have local administrator access:

Find-LocalAdminAccess
RDP users
Invoke-UserHunter -GroupName "RDPUsers"

Computers

All computers in the current domain
Get-NetComputer
Get-NetComputer -fullData | select name,samaccountname, samaccounttype, operatingsystem
All computers in a given domain
Get-NetComputer -Domain <domain>

Users

All users

Get-NetUser and Get-DomainUser are nearly equivalent (Get-DomainUser returns more information):

Get-NetUser 
Get-DomainUser 
Get-NetUser | select samaccountname, description, pwdlastset, logoncount, badpwdcount

Information on a single user

Get-NetUser -UserName <username>
Kerberoastable users (ASREP-Roasting??)
Get-NetUser -Domain msp.local | Where-Object {$_.servicePrincipalName} | select name, samaccountname, serviceprincipalname | Export-CSV -NoTypeInformation kerberoastable.csv
Users with Kerberos preauthentication disabled
Get-DomainUser -PreauthNotRequired
Get-DomainUser -UACFilter DONT_REQ_PREAUTH
Users with an SPN (probably service accounts)
Get-DomainUser -SPN
Service accounts that are members of "Domain Admins"
Get-DomainUser -SPN | ?{$_.memberof -match 'Domain Admins'}

Groups

All groups in a domain
Get-NetGroup
Get-NetGroup -Domain <domain> | select name
Members of a group (recursive)
Get-DomainGroupMember "<Group Name>" -Recurse

Domain

Information on the current domain
Get-Domain
Get-NetDomain
Information on a given domain
Get-NetDomain -Domain <domaine>
Policies
Get-DomainPolicy
Get-DomainPolicy -Domain <domaine>

Forest

Get-NetForest
Get-ForestDomain

Shares

Other

Identifying RBCD in Active Directory (principals with write rights over computer objects)
# Get all user SIDs, all computer object ACLs, and find RBCD
$usersid = Get-DomainUser | select -exp objectsid; "Got user SIDs"
$computeracls = Get-DomainComputer | select -exp dnshostname | Get-DomainObjectAcl; "Got computer ACLs"; "Search through ACLs for RBCD..."
foreach ($acl in $computeracls) { foreach ($sid in $usersid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and ($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }

# Get all group SIDs (excluding the built-in privileged groups), all computer object ACLs, and find RBCD
$groupsid = Get-DomainGroup | Where-Object {$_.SamAccountName -ne "Domain Admins" -and $_.SamAccountName -ne "Account Operators" -and $_.SamAccountName -ne "Enterprise Admins" -and $_.SamAccountName -ne "Administrators" -and $_.SamAccountName -ne "DnsAdmins" -and $_.SamAccountName -ne "Schema Admins" -and $_.SamAccountName -ne "Key Admins" -and $_.SamAccountName -ne "Enterprise Key Admins" -and $_.SamAccountName -ne "Storage Replica Administrators"} | select -exp objectsid; "Got group SIDs"
$computeracls = Get-DomainComputer | select -exp dnshostname | Get-DomainObjectAcl; "Got computer ACLs"; "Search through ACLs for RBCD..."
foreach ($acl in $computeracls) { foreach ($sid in $groupsid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and ($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }

# Get all computer object SIDs, all computer object ACLs, and find RBCD
$computersid = Get-DomainComputer | select -exp objectsid; "Got computer SIDs"
$computeracls = Get-DomainComputer | select -exp dnshostname | Get-DomainObjectAcl; "Got computer ACLs"; "Search through ACLs for RBCD..."
foreach ($acl in $computeracls) { foreach ($sid in $computersid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and ($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }
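Added example, not part of the original cheatsheet or of PowerView: the same RBCD check as the one-liners above, written as a function that can be run offline against constructed sample ACEs (the function name, property names and SIDs are assumptions), uses a hash lookup instead of a nested foreach, and also flags WriteDacl, which the one-liners above do not cover.

```powershell
# Added example, not from the original cheatsheet. Same idea as the RBCD one-liners above
# (which principals hold write rights over computer objects), but as an offline-testable
# function that uses a hash lookup instead of a nested foreach and emits one finding per ACE.
# Function name, property names and SIDs below are constructed assumptions, not real domain data.

# Built-in privileged groups the cheatsheet excludes; rights held by these are expected, not findings.
$PrivilegedGroups = @('Domain Admins', 'Account Operators', 'Enterprise Admins', 'Administrators',
                      'DnsAdmins', 'Schema Admins', 'Key Admins', 'Enterprise Key Admins',
                      'Storage Replica Administrators')

function Find-ComputerAclRisk {
    param(
        [Parameter(Mandatory)] [object[]] $ComputerAcls,  # Get-DomainObjectAcl output or sample ACEs
        [Parameter(Mandatory)] [object[]] $Principals     # objects with SamAccountName and ObjectSid
    )
    # SID -> name lookup built once, so each ACE costs one hash probe instead of a scan of all SIDs
    $lookup = @{}
    foreach ($p in $Principals) {
        if ($PrivilegedGroups -notcontains $p.SamAccountName) {
            $lookup[[string]$p.ObjectSid] = $p.SamAccountName
        }
    }
    foreach ($ace in $ComputerAcls) {
        $sid = [string]$ace.SecurityIdentifier
        if (-not $lookup.ContainsKey($sid)) { continue }
        # The cheatsheet's three rights, plus WriteDacl (its holder can grant itself the write right)
        $rights = [string]$ace.ActiveDirectoryRights
        if ($rights -match 'GenericAll|GenericWrite|WriteOwner|WriteDacl') {
            [pscustomobject]@{ Computer = $ace.ObjectDN; Principal = $lookup[$sid]; Rights = $rights }
        }
    }
}

# Constructed sample data standing in for Get-DomainUser/Get-DomainGroup and Get-DomainObjectAcl output:
# helpdesk holds GenericWrite on SRV01, Domain Admins is an excluded group, WS01$ only has read access.
$principals = @(
    [pscustomobject]@{ SamAccountName = 'helpdesk';      ObjectSid = 'S-1-5-21-0-0-0-1105' }
    [pscustomobject]@{ SamAccountName = 'Domain Admins'; ObjectSid = 'S-1-5-21-0-0-0-512' }
    [pscustomobject]@{ SamAccountName = 'WS01$';         ObjectSid = 'S-1-5-21-0-0-0-1200' }
)
$acls = @(
    [pscustomobject]@{ ObjectDN = 'CN=SRV01,OU=Servers,DC=example,DC=local'; SecurityIdentifier = 'S-1-5-21-0-0-0-1105'; ActiveDirectoryRights = 'GenericWrite' }
    [pscustomobject]@{ ObjectDN = 'CN=SRV01,OU=Servers,DC=example,DC=local'; SecurityIdentifier = 'S-1-5-21-0-0-0-512';  ActiveDirectoryRights = 'GenericAll' }
    [pscustomobject]@{ ObjectDN = 'CN=SRV02,OU=Servers,DC=example,DC=local'; SecurityIdentifier = 'S-1-5-21-0-0-0-1200'; ActiveDirectoryRights = 'ReadProperty' }
)
Find-ComputerAclRisk -ComputerAcls $acls -Principals $principals | Format-Table -AutoSize

# Against a live domain, mirroring the cheatsheet's own pipelines:
# Find-ComputerAclRisk -ComputerAcls (Get-DomainComputer | select -exp dnshostname | Get-DomainObjectAcl) -Principals (Get-DomainUser)
```

Each finding is a computer object whose DACL lets a non-privileged principal write to it; reviewing and removing those ACEs (or documenting why they are needed) closes the RBCD path the one-liners above look for.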