Version 1.3. Created by Will Schroeder (@harmj0y) and released under the Creative Commons v3 "Attribution" License.
Get-DomainGroup will enumerate group objects themselves on a given domain through LDAP.
  Return all groups with "admin" in the name:                 -Identity *admin*
  Return all groups a particular user/group is a part of:     -MemberIdentity <X>
  Return privileged groups:                                   -AdminCount
  Return groups with a particular scope:                      -GroupScope [DomainLocal/Global/Universal]

Get-DomainGroupMember will enumerate the members of a specific group on a given domain through LDAP.
  Specified group name:                                       -Identity "Domain Admins"
  Recursively resolve the members of any results that are groups: -Recurse

If you're not sure of the object type, you can use Get-DomainObject. Get-DomainObjectACL will return the ACLs associated with a specific Active Directory object. The -ResolveGUIDs flag resolves ACE GUIDs to their display names.

  Find users in groups outside of the given domain (outgoing access):   Get-DomainForeignUser
  Find groups with users outside of the given domain (incoming access): Get-DomainForeignGroupMember

All Verb-Domain* functions also accept -Domain <X> to query the specified information from a foreign domain.

Domain [Trusts]
  Info on the current forest:                                 Get-Forest
  Enumerate all domains in the current forest:                Get-ForestDomain
  Get all forest trusts for the current forest:               Get-ForestTrust
  Info on the current domain:                                 Get-Domain
  Get all domain trusts (à la nltest /trusted_domains):       Get-DomainTrust
  Recursively map all domain trusts:                          Get-DomainTrustMapping

User-Hunting
Find-DomainUserLocation (old Invoke-UserHunter) will use LDAP queries and API calls to locate users on the domain. Note: default behavior searches for "Domain Admins" and touches every machine on the domain!
  Specifies one or more user identities to hunt for:          -UserIdentity <X>
  Specifies hosts to enumerate for session information:       -ComputerName X,Y
  Specifies one or more groups to query for users to hunt for: -UserGroupIdentity <X>
  Show all results (i.e. don't filter by user targets):       -ShowAll
  Hunt using only session information from file servers/DCs:  -Stealth
  Check if the current user has local admin access to computers where target users are found: -CheckAccess

Data Mining
Find-DomainShare (old Invoke-ShareFinder) will use LDAP queries and API calls to search for open shares on the domain. Note: default behavior touches every machine on the domain!
  Only return shares the current user can read:               -CheckShareAccess
  Only return shares from machines in a given OU:             -ComputerSearchBase "ldap://OU=…"

Find-InterestingFile will recursively search a given local/UNC path for files matching specific criteria.
  Search a specific UNC path:                                 -Path \\SERVER\Share
  Only return files with the specified search terms in their names: -Include term1,term2,term3
  Only return office docs:                                    -OfficeDocs
  Only return files accessed within the last week:            -LastAccessTime (Get-Date).AddDays(-7)

Local Admin Enumeration
Get-NetLocalGroupMember will enumerate the local users/groups from localhost or a remote machine.
  Enumerate local admins from hostname (or IP):               -ComputerName <X>
  Use an alternate group besides local admins:                -GroupName "Remote Desktop Users"
  Uses the WinNT service provider (default) or Win32 API calls: -Method [WinNT/API]

Misc. Functions
  Return domain OUs:                                          Get-DomainOU
  Return domain GPOs:                                         Get-DomainGPO
  Find likely file servers based on user properties:          Get-DomainFileServer
  Enumerate shares on a specific machine:                     Get-NetShare <X>
  Enumerate sessions on a specific machine:                   Get-NetSession <X>
  Enumerate RDP sessions (and source IPs):                    Get-NetRDPSession <X>

More Information
  Recent PowerView update: http://bit.ly/2rseIm6
  PowerView Tricks: http://bit.ly/2tDBAQi
  http://www.harmj0y.net/blog/tag/powerview/
  https://specterops.io
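Worked example (added here; not part of the cheat sheet or of PowerView itself): chaining the group-enumeration, ACL and user-hunting functions above into one privileged-user hunt. It assumes the PowerView dev-branch script is dot-sourced from the current directory and that the caller already holds a domain account; group names are the standard built-ins, and the output property names used (MemberObjectClass, MemberName, LocalAdmin, SecurityIdentifier, ActiveDirectoryRights, ObjectAceType) are the ones PowerView's objects carry.

```powershell
# Added example, not from the PowerView cheat sheet. Assumes PowerView.ps1 is
# in the current directory and the session runs as a domain user.
. .\PowerView.ps1

# 1. Privileged groups: -AdminCount returns objects with adminCount=1, i.e.
#    groups protected by AdminSDHolder. Collect their names for the hunt.
$privGroups = Get-DomainGroup -AdminCount |
    Select-Object -ExpandProperty samaccountname

# 2. Flatten one of them. -Recurse walks nested groups, so a user reachable
#    only through a group-in-group chain still shows up as a member.
$domainAdmins = Get-DomainGroupMember -Identity 'Domain Admins' -Recurse |
    Where-Object { $_.MemberObjectClass -eq 'user' } |
    Select-Object -ExpandProperty MemberName -Unique

# 3. Who can modify the Domain Admins group object itself? -ResolveGUIDs turns
#    the ACE's rights GUID into a readable name (ObjectAceType).
Get-DomainObjectACL -Identity 'Domain Admins' -ResolveGUIDs |
    Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|WriteProperty|WriteDacl|WriteOwner' } |
    Select-Object @{n='Principal'; e={ ConvertFrom-SID $_.SecurityIdentifier }},
                  ActiveDirectoryRights, ObjectAceType

# 4. Hunt every member of every AdminCount group. -Stealth only queries session
#    information on file servers and DCs instead of touching every host (the
#    noisy default). -CheckAccess adds a LocalAdmin flag per hit, so the result
#    is directly actionable: a privileged session on a box we already admin.
$hits = Find-DomainUserLocation -UserGroupIdentity $privGroups -Stealth -CheckAccess

$hits | Where-Object { $_.LocalAdmin } |
    Select-Object UserName, ComputerName, SessionFromName, IPAddress |
    Format-Table -AutoSize

# 5. Before pivoting across a trust, map what is reachable and which foreign
#    principals already sit in local groups (incoming access).
Get-DomainTrustMapping
Get-DomainForeignGroupMember
```

The -Stealth/-CheckAccess pairing is the combination to reach for first on a live engagement: it keeps the session sweep off most endpoints while still telling you which hits you can act on without further privilege escalation. Step 2 is kept separate from step 4 only to show the recursive flattening; -UserGroupIdentity already resolves group membership for the hunt.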
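Worked example (added here; not from the cheat sheet or from PowerView): scoping a share sweep with -ComputerSearchBase and -CheckShareAccess, feeding the readable shares into Find-InterestingFile, then enumerating local groups and logged-on users on the hosts that exposed them. It assumes PowerView dev branch is dot-sourced; the OU distinguished name, search terms and the output property names used (Name, ComputerName, FullName, Owner, LastAccessTime, CName, SourceIP) are placeholders and PowerView's object fields respectively.

```powershell
# Added example, not from the PowerView cheat sheet. Assumes PowerView.ps1 is
# in the current directory; the OU path below is a placeholder.
. .\PowerView.ps1

# 1. Find-DomainShare's default touches every machine in the domain. Restrict
#    it to one OU with -ComputerSearchBase and keep only shares the current
#    user can actually read (-CheckShareAccess). Drop the admin shares, which
#    only answer for local admins and are not what we are mining.
$shares = Find-DomainShare -ComputerSearchBase 'LDAP://OU=Servers,DC=corp,DC=local' -CheckShareAccess |
    Where-Object { $_.Name -notin 'ADMIN$', 'C$', 'IPC$', 'print$' }

# 2. Walk each readable share for interesting files. -Include is passed through
#    to Get-ChildItem, so terms need wildcards to match substrings. Limit to
#    files touched in the last 7 days so stale archives do not drown the result
#    (use -OfficeDocs instead of -Include to restrict to office formats).
$cutoff = (Get-Date).AddDays(-7)
$loot = foreach ($s in $shares) {
    $unc = "\\$($s.ComputerName)\$($s.Name)"
    Find-InterestingFile -Path $unc -Include '*pass*', '*cred*', '*vpn*', '*.config' -LastAccessTime $cutoff
}
$loot | Select-Object FullName, Owner, LastAccessTime |
    Sort-Object LastAccessTime -Descending |
    Format-Table -AutoSize

# 3. On the hosts that exposed shares, pull the local Administrators group
#    (default) and Remote Desktop Users. -Method API uses NetLocalGroupGetMembers
#    instead of the WinNT provider; try it when the default method fails.
$targets = $shares | Select-Object -ExpandProperty ComputerName -Unique
foreach ($h in $targets) {
    Get-NetLocalGroupMember -ComputerName $h -Method API
    Get-NetLocalGroupMember -ComputerName $h -GroupName 'Remote Desktop Users'
}

# 4. Who is logged on to those hosts, over SMB sessions and RDP, to choose a
#    pivot that lands on a live privileged session rather than an empty box.
foreach ($h in $targets) {
    Get-NetSession -ComputerName $h    | Select-Object ComputerName, UserName, CName
    Get-NetRDPSession -ComputerName $h | Select-Object ComputerName, UserName, SourceIP
}
```

Every step here is scoped by the previous one (OU, then readable shares, then the hosts behind them), which is the practical answer to the "touches every machine" warnings above: the host list that reaches the session and local-group queries is a handful of servers, not the whole domain.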