Windows Powershell for purple teams
This is my Powershell Cheat Sheet for purple teams. Starting point for this blog is the excellent Attacking and Defending Active Directory course by Nikhil Mittal and my first machines over at HackTheBox. Feel free to get inspired. This list is also a moving target and will most likely grow with time and experience.
Generic Powershell Stuff
-
Where does a Command come from?
PS C:\> Get-Command Get-Command
-
Silence errors
$nh_oea = $ErrorActionPreference ; $ErrorActionPreference = "SilentlyContinue"
-
Restore errors
$ErrorActionPreference = $nh_oea
-
Import AD-Modules
Import-Module .\Microsoft.ActiveDirectory.Management.dll ; Import-Module .\ActiveDirectory\ActiveDirectory.psd1
Recon / Enumeration
-
Get all admin groups of all domains in the forest (AD Modules)
$nh_doms = (Get-ADForest).domains ; foreach ($nh_dom in $nh_doms) { "`n[*] " + $nh_dom ; (Get-ADGroup -Filter { Name -like "*admin*" } -Server $nh_dom).name | foreach { "[-] " + $_ } } ; "`n"
-
Enumerate Users (AD Modules)
(Get-ADUser -Filter { Enabled -eq $true }).name
-
Enumerate Computers (AD Modules)
(Get-ADComputer -Filter *).name
-
Get Domain Admins for all domains in the forest (AD Modules)
$nh_doms = (Get-ADForest).domains ; foreach ($nh_dom in $nh_doms) { "`n[*] " + $nh_dom ; Get-ADGroupMember -Identity "Domain Admins" -Server $nh_dom | foreach { "[-] " + ($_).Name + " (" + ($_).ObjectClass + ")" } } ; "`n"
-
Get Enterprise Admins for all domains in the forest (AD Modules)
$nh_doms = (Get-ADForest).domains ; foreach ($nh_dom in $nh_doms) { "`n[*] " + $nh_dom ; Get-ADGroupMember -Identity "Enterprise Admins" -Server $nh_dom | foreach { "[-] " + ($_).Name + " (" + ($_).ObjectClass + ")" } } ; "`n"
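The two one-liners above print Domain Admins and Enterprise Admins as strings. For a purple team it is more useful to get the same data as objects, expanded through nested groups, so it can be filtered, exported and diffed against a baseline on the next run. The following function is an added example written for this post, not from the course or the cheat sheet itself; it assumes the ActiveDirectory module is loaded (see Import AD-Modules above) and uses default English group names, which are an assumption to adjust per environment.

```powershell
# Added example (not from the original cheat sheet): enumerate members of the
# privileged groups across every domain in the forest, expand nested groups,
# and return objects so the result can be filtered or exported as a baseline.
# Assumes the ActiveDirectory module is already imported.
function Get-ForestPrivilegedGroupMember {
    [CmdletBinding()]
    param(
        # Default group names are an assumption; adjust for localized or custom names
        [string[]]$GroupName = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
    )

    $domains = (Get-ADForest).Domains
    foreach ($domain in $domains) {
        foreach ($group in $GroupName) {
            # -Recursive expands nested groups so indirect members are not missed.
            # Enterprise Admins / Schema Admins only exist in the forest root, so a
            # missing group is skipped instead of aborting the whole run.
            $members = Get-ADGroupMember -Identity $group -Server $domain -Recursive -ErrorAction SilentlyContinue
            foreach ($m in $members) {
                $enabled = $null
                if ($m.objectClass -eq 'user') {
                    # Enabled state helps spot stale or disabled privileged accounts
                    $enabled = (Get-ADUser -Identity $m.distinguishedName -Server $domain -Properties Enabled -ErrorAction SilentlyContinue).Enabled
                }
                [pscustomobject]@{
                    Domain            = $domain
                    Group             = $group
                    Member            = $m.SamAccountName
                    ObjectClass       = $m.objectClass
                    DistinguishedName = $m.distinguishedName
                    Enabled           = $enabled
                }
            }
        }
    }
}

# Usage: review on screen, then keep a dated CSV to diff against on the next run
Get-ForestPrivilegedGroupMember | Format-Table -AutoSize
Get-ForestPrivilegedGroupMember | Export-Csv -Path ".\privileged-members-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Members from a trusted domain show up as foreign security principals whose lookup via Get-ADUser fails against the local domain controller; the function leaves Enabled empty for them rather than stopping, which is exactly the case worth looking at by hand.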
-
Find sensitive shares (PowerView)
Invoke-ShareFinder -ExcludePrint -ExcludeStandard -ExcludeIPC
-
Get all OU in Domain (AD modules)
Get-ADOrganizationalUnit -Filter * | …