Windows Powershell for purple teams


This is my PowerShell cheat sheet for purple teams. The starting point for this blog post is the excellent Attacking and Defending Active Directory course by Nikhil Mittal and my first machines over at HackTheBox. Feel free to get inspired. This list is also a moving target and will most likely grow with time and experience.

Generic Powershell Stuff

  • Where does a Command come from?

    PS C:\> Get-Command Get-Command
    
  • Silence errors

    $nh_oea = $ErrorActionPreference ; $ErrorActionPreference = "SilentlyContinue"
    
  • Restore errors

    $ErrorActionPreference = $nh_oea
    
  • Import AD-Modules

    Import-Module .\Microsoft.ActiveDirectory.Management.dll
    Import-Module .\ActiveDirectory\ActiveDirectory.psd1
    

Recon / Enumeration

  • Get all admin groups of all domains in the forest (AD Modules)

    $nh_doms = (Get-ADForest).domains ; foreach ($nh_dom in $nh_doms) { "`n[*] " + $nh_dom ; (Get-ADGroup -Filter { Name -like "*admin*" } -Server $nh_dom).name | foreach { "[-] " + $_ } } ; "`n"
    
  • Enumerate Users (AD Modules)

    (Get-ADUser -Filter { Enabled -eq $true }).name
    
  • Enumerate Computers (AD Modules)

    (Get-ADComputer -Filter *).name
    
  • Get Domain Admins for all domains in the forest (AD Modules)

    $nh_doms = (Get-ADForest).domains ; foreach ($nh_dom in $nh_doms) { "`n[*] " + $nh_dom ; Get-ADGroupMember -Identity "Domain Admins" -Server $nh_dom | foreach { "[-] " + ($_).Name + " (" + ($_).ObjectClass + ")" } } ; "`n"
    
  • Get Enterprise Admins for all domains in the forest (AD Modules)

    $nh_doms = (Get-ADForest).domains ; foreach ($nh_dom in $nh_doms) { "`n[*] " + $nh_dom ; Get-ADGroupMember -Identity "Enterprise Admins" -Server $nh_dom | foreach { "[-] " + ($_).Name + " (" + ($_).ObjectClass + ")" } } ; "`n"
    
  • Find sensitive shares (PowerView)

    Invoke-ShareFinder -ExcludePrint -ExcludeStandard -ExcludeIPC
    
  • Get all OU in Domain (AD modules)

    Get-ADOrganizationalUnit -Filter * | …
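The three forest-wide one-liners above (admin groups, Domain Admins, Enterprise Admins) folded into one reusable function that emits objects instead of strings, so the output can be sorted, exported and diffed against a baseline. This is an added example, not from the original cheat sheet; it assumes the ActiveDirectory module is loaded (see "Import AD-Modules") and that the caller can read group membership in every domain. The function name and its default group list are my own choices.

```powershell
# Added example: audit privileged group membership across every domain in the forest.
# Assumes the ActiveDirectory module is imported and the caller has read access in all domains.
function Get-NhForestPrivilegedMembers {
    [CmdletBinding()]
    param(
        # Groups to check in every domain (hypothetical default list; adjust to your environment).
        [string[]] $Group = @('Domain Admins', 'Administrators', 'Schema Admins', 'Enterprise Admins'),
        # Expand nested groups down to the final user/computer objects.
        [switch] $Recursive
    )
    $forest = Get-ADForest
    foreach ($dom in $forest.Domains) {
        foreach ($g in $Group) {
            # Enterprise Admins and Schema Admins are universal groups that exist only in the
            # forest root domain, so skip them in child domains instead of erroring per domain.
            if (($g -in @('Enterprise Admins', 'Schema Admins')) -and ($dom -ne $forest.RootDomain)) { continue }
            try {
                # -Recursive can fail when a group holds members from a trusted domain; the catch surfaces it.
                $members = Get-ADGroupMember -Identity $g -Server $dom -Recursive:$Recursive -ErrorAction Stop
            } catch {
                Write-Warning "[$dom] could not read '$g': $($_.Exception.Message)"
                continue
            }
            foreach ($m in $members) {
                [pscustomobject]@{
                    Domain            = $dom
                    Group             = $g
                    Name              = $m.Name
                    SamAccountName    = $m.SamAccountName
                    ObjectClass       = $m.ObjectClass
                    DistinguishedName = $m.DistinguishedName
                }
            }
        }
    }
}

# Usage: same information as the one-liners, but filterable and exportable.
Get-NhForestPrivilegedMembers -Recursive |
    Sort-Object Domain, Group, Name |
    Format-Table Domain, Group, Name, ObjectClass -AutoSize

# Blue-team side: keep a baseline and diff it later to spot unexpected additions.
# Get-NhForestPrivilegedMembers -Recursive | Export-Csv .\priv-baseline.csv -NoTypeInformation
# Compare-Object (Import-Csv .\priv-baseline.csv) (Get-NhForestPrivilegedMembers -Recursive) -Property Domain, Group, SamAccountName
```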

heading for a new destiny?


Lately I started thinking about my future and whether I should keep myself employed or if I should finally start working on being either self-employed or starting my own company. Yeah, interesting timing in such uncertain economic times, but I guess they’ll stay uncertain no matter what. As I am starting a new day job mid September, I’m going to explore the situation most probably by starting to work on public engagements on yeswehack.

This means a slight change in direction, heading more for the red team, but my day job hopefully gives me enough blue team, and I hope I can make a lasting impression there, increasing their security stance.

But first I need some organizational stuff cleared, like tax and insurance, and I also need all of that greenlit by my current and future employer.

Why the change of pace? Mostly due to the experience at my current day job, which has been, for years now, pretty unpleasant. Also, a lot of guys kept asking all those years why I didn’t quit and start a business of my own. Seems like others deem me fit for the task.

Another piece of the puzzle has been the OSCP and virtual hacking lab and chit-chat with other red teamers, and it seems that I am holding myself up OK. Sure enough, I am by no means standing out from the crowd, but at the very least this means I am also not standing out in a bad way.

My family also plays a part in this. I hope to be an inspiration for my brother, who’s lately been struggling with life. I hope to be an idol to my son, showing him not to be afraid of taking matters into your own hands and hopefully laying a foundation for him.

But one step at a time. One step at a time.

Not much going on


Wasn’t much going on lately. First work kept me busy, then COVID-19 came along and with it homeschooling next to having to work. So for me, COVID-19 kept me even busier. Which feels strange, because a lot of people seem to have a lot of spare time on their hands. Still, I managed to migrate my stuff to a new ESXi machine, upgraded my systems, fiddled with prometheus, telegraf, grafana and rabbitmq, bought myself a new switch and moved from bitbucket to sourcehut.

Oh, and I got myself a nice treat and bought a Huawei Matebook X, which also triggered a move from Xmonad to sdorfehs and a locally patched version of sdorfehs-bar.

VHL Certified! \o/


Finally certified. Too bad I haven’t found the time to tackle the Advanced+ certification, but there are enough machines left in the lab and I am pretty sure that I will revisit the lab for the Advanced+ certification, too.

I had a lot of fun in the lab, and the guys were quick to respond whenever problems or questions arose (mind you: not about the individual machines).

I can warm-heartedly recommend them. Can’t say too much about the courseware though, as I didn’t have to rely on it. But the few things I saw seemed to be OK.

Virtual Hacking Labs Certificate of Completion

Virtual Hacking Lab


I will use this post to publish my progress while working on virtual hacking lab. It does not have the same reputation as OSCP, but I do enjoy the lab and am very pleased with the lab material and dashboard. Also, support is quick and nice if you need it (not for clues, of course!). The lab is also regularly expanded. All of this for a fraction of the price tag called for OSCP.

Without any further ado here are the machines I have rooted so far:

Basic:
  • steven
  • android
  • mantis
  • james
  • anthony
  • john
  • as45
  • breeze
  • cms01
Advanced:
  • lucky
  • techblog
  • backupadmin
  • web01-dev
  • web01-prd
  • helpdesk
  • pbx
  • vps1723
  • dolphin
  • natural
  • nas (2020-03-17)