Enumeration Flashcards
AD enumeration
PV: Return a given domain object
Get-NetDomain
AD: Return a given domain object
Get-ADDomain
PV: Get the Domain SID
Get-DomainSID
AD: Get the Domain SID
Get-ADDomain
(Get-ADDomain).DomainSID
PV: Get the Domain Policy
Get-DomainPolicy
PV: List the Domain Controllers
Get-NetDomainController
AD: List the Domain Controllers
Get-ADDomainController
PV: Get a list of users in the domain
Get-NetUser
AD: Get a list of users in the domain
Get-ADUser
PV: Get a list of user properties
Get-UserProperty
PV: Search user object fields for a given word
Find-UserField -SearchField -SearchTerm
PV: Get a list of computers in the domain
Get-NetComputer
AD: Get a list of computers in the domain
Get-ADComputer
PV: Get a list of all groups in the current domain
Get-NetGroup
AD: Get a list of all groups in the current domain
Get-ADGroup
PV: Get members of a domain group
Get-NetGroupMember
AD: Get members of a domain group
Get-ADGroupMember
PV: Get domain groups that the specified user is a member of
Get-NetGroup -UserName
AD: Get domain groups that the specified user is a member of
Get-ADPrincipalGroupMembership -Identity
PV: List the local groups on a machine
Get-NetLocalGroup -ListGroups
PV: Get actively logged on users. Needs admin on target
Get-NetLoggedOn
PV: Get locally logged on users on a computer. Needs remote registry
Get-LoggedOnLocal
PV: Get the last logged on user on a computer
Get-LastLoggedOn
PV: Find shares on hosts
Invoke-ShareFinder
PV: Get all files servers in a domain
Get-NetFileServer
PV: Get a list of all current GPO in a domain
Get-NetGPO
Get the RSOP on the local machine
gpresult /R /V
PV: List all GPOs that set “restricted groups” or use groups.xml on target machines
Get-NetGPOGroup
PV: From a computer name or GPO, list what users / groups are in the specified local group for the machine
Find-GPOComputerAdmin
PV: List machines where the given user is a member of a specific group
Find-GPOLocation
PV: Get a list of all OUs in a domain
Get-NetOU
AD: Get a list of all current OUs in a domain
Get-ADOrganizationalUnit
PV: List the ACLs associated with a specified object
Get-ObjectACL
PV: Search for interesting ACEs
Invoke-ACLScanner
PV: List domain trusts for the current domain
Get-DomainTrust
AD: List domain trusts for the current domain
Get-ADTrust
PV: Get details about the current forest
Get-NetForest
AD: Get details about the current forest
Get-ADForest
PV: List all of the domains in the current forest
Get-NetForestDomain
PV: List all global catalogs for the current forest
Get-NetForestCatalog
AD: List all global catalogs for the current forest
(Get-ADForest).GlobalCatalogs
PV: Map trusts of a forest
Get-NetForestTrust
AD: Map trusts of a forest
Get-ADTrust
PV: List all machines in the domain where the current user has local admin privs
Find-LocalAdminAccess
PV (WMI): List all machines in the domain where the current user has local admin privs
Find-WMILocalAdminAccess
PV: Find local admins on all machines in the domain
Invoke-EnumerateLocalAdmin
PV: Find computers where a domain admin has sessions
Invoke-UserHunter
PV: Check whether we have local admin on localhost or specified hosts
Invoke-CheckLocalAdminAccess