Windows Powershell for purple teams


This is my PowerShell cheat sheet for purple teams. The starting point for this post is the excellent Attacking and Defending Active Directory course by Nikhil Mittal and my first machines over at HackTheBox. Feel free to get inspired. This list is a moving target and will most likely grow with time and experience.

Generic Powershell Stuff

  • Where does a Command come from?

    PS C:\> Get-Command Get-Command
    
  • Silence errors

    $nh_oea = $ErrorActionPreference ; $ErrorActionPreference = "SilentlyContinue"
    
  • Restore errors

    $ErrorActionPreference = $nh_oea
    
  • Import AD-Modules

    Import-Module .\Microsoft.ActiveDirectory.Management.dll
    Import-Module .\ActiveDirectory\ActiveDirectory.psd1
    

Recon / Enumeration

  • Get all admin groups of all domains in the forest (AD Modules)

    $nh_doms = (Get-ADForest).domains ; foreach ($nh_dom in $nh_doms) { "`n[*] " + $nh_dom ; (Get-ADGroup -Filter { Name -like "*admin*" } -Server $nh_dom).name | foreach { "[-] " + $_ } } ; "`n"
    
  • Enumerate Users (AD Modules)

    (Get-ADUser -Filter { Enabled -eq $true }).name
    
  • Enumerate Computers (AD Modules)

    (Get-ADComputer -Filter *).name
    
  • Get Domain Admins for all domains in the forest (AD Modules)

    $nh_doms = (Get-ADForest).domains ; foreach ($nh_dom in $nh_doms) { "`n[*] " + $nh_dom ; Get-ADGroupMember -Identity "Domain Admins" -Server $nh_dom | foreach { "[-] " + ($_).Name + " (" + ($_).ObjectClass + ")" } } ; "`n"
    
  • Get Enterprise Admins for all domains in the forest (AD Modules)

    $nh_doms = (Get-ADForest).domains ; foreach ($nh_dom in $nh_doms) { "`n[*] " + $nh_dom ; Get-ADGroupMember -Identity "Enterprise Admins" -Server $nh_dom | foreach { "[-] " + ($_).Name + " (" + ($_).ObjectClass + ")" } } ; "`n"
    
  • Find sensitive shares (PowerView)

    Invoke-ShareFinder -ExcludePrint -ExcludeStandard -ExcludeIPC
    
  • Get all OU in Domain (AD modules)

    Get-ADOrganizationalUnit -Filter * | select Name, DistinguishedName
    
  • List all Computers in OU foobar (AD modules)

    # -Filter cannot match on the OU path, so filter on the DistinguishedName afterwards
    (Get-ADComputer -Filter * | where { $_.DistinguishedName -match "OU=foobar,DC=contoso,DC=local$" }).Name
    
  • List all GPOs (PowerView)

    Get-NetGPO | select displayName, Name
    
  • Get GPO for OU foobar (PowerView)

    (Get-NetOU foobar -FullData).gplink
    # example output:
    [LDAP://cn={3E04167E-C2B6-4A9A-8FB7-C811158DC97C},cn=policies,cn=system,DC=contoso,DC=local;0]
    # look up the linked GPO by its ADSPath
    Get-NetGPO -ADSpath 'cn={3E04167E-C2B6-4A9A-8FB7-C811158DC97C},cn=policies,cn=system,DC=contoso,DC=local'
    
  • Get ACL for Administrator (PowerView)

    See description of ActiveDirectoryRights

    # Who, Where, What
    Get-ObjectACL -ADSPrefix 'CN=Administrator,CN=Users' | select IdentityReference, ObjectDN, ActiveDirectoryRights
    # literally the same
    Get-ObjectACL -SamAccountName Administrator | select IdentityReference, ObjectDN, ActiveDirectoryRights
    
  • Who can modify User foobar? (PowerView)

    # Drop ACEs that only grant the usual read-style rights; what remains can change the object
    Get-ObjectACL -SamAccountName 'foobar' -ResolveGUIDs |
        Where-Object -Property ActiveDirectoryRights -CNotIn -Value @(
            "GenericExecute", "GenericRead", "ListChildren", "ListObject",
            "ReadControl", "ReadProperty", "Synchronize") |
        Select-Object IdentityReference, ObjectDN, ActiveDirectoryRights
    
  • What can User foobar modify? (PowerView)

    # IdentityReference usually carries the domain prefix (CONTOSO\foobar), so match on the name
    Invoke-ACLScanner -ResolveGUIDs | ?{ $_.IdentityReference -match "\\foobar$" }
    

    If the result is empty, check the user's group memberships instead (PowerView, AD modules)

    # scan once, then filter for every group the user belongs to
    $nh_acls = Invoke-ACLScanner -ResolveGUIDs
    foreach ($nh_idref in (Get-ADPrincipalGroupMembership -Identity foobar).SamAccountName) {
        $nh_acls |
            ?{ $_.IdentityReference -match "\\$nh_idref$" } |
            select IdentityReference, ObjectDN, ActiveDirectoryRights
    }
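
The two ACL questions above ("who can modify foobar?" and "what can foobar, or one of its groups, modify?") combined into one reusable audit, written as an added example that is not from the original post: it uses the ActiveDirectory module's AD: drive instead of PowerView, splits the flag enum into single rights, and keeps only ACEs that grant more than the read-style rights listed above. Function names, the read-only list and the use of Get-Acl on AD: are my assumptions; the module must already be imported.

```powershell
# Added example, not part of the original cheat sheet.
# Assumes the ActiveDirectory module is loaded and the caller may read the object's ACL.
function Get-WriteCapableAces {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # rights treated as harmless read access (same list as the PowerView one-liner)
        [string[]] $ReadOnlyRights = @('GenericExecute', 'GenericRead', 'ListChildren',
                                       'ListObject', 'ReadControl', 'ReadProperty', 'Synchronize')
    )
    $obj = Get-ADObject -Filter { SamAccountName -eq $SamAccountName }
    if (-not $obj) { throw "No object with sAMAccountName '$SamAccountName'" }
    # the AD: PSDrive exposes each object's security descriptor to Get-Acl
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # ActiveDirectoryRights is a flags enum: "ReadProperty, WriteProperty" -> single rights
        $rights  = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $writeish = $rights | Where-Object { $_ -cnotin $ReadOnlyRights }
        if ($writeish) {
            [pscustomobject]@{
                IdentityReference = $ace.IdentityReference.Value
                ObjectDN          = $obj.DistinguishedName
                Rights            = ($writeish -join ', ')
                Inherited         = $ace.IsInherited
                ObjectType        = $ace.ObjectType   # attribute / extended-right GUID when scoped
            }
        }
    }
}

# Does $PrincipalSam, directly or through one of its groups, hold write-capable rights on $TargetSam?
function Find-PrincipalWriteAccess {
    param(
        [Parameter(Mandatory)] [string] $TargetSam,
        [Parameter(Mandatory)] [string] $PrincipalSam
    )
    # names to look for: the user itself plus every group it is a member of
    $names = @($PrincipalSam) + (Get-ADPrincipalGroupMembership -Identity $PrincipalSam).SamAccountName
    Get-WriteCapableAces -SamAccountName $TargetSam |
        Where-Object { ($_.IdentityReference -split '\\')[-1] -in $names }
}

# usage (constructed names): who can write to Administrator, and can foobar do so via a group?
Get-WriteCapableAces -SamAccountName 'Administrator' | Format-Table -AutoSize
Find-PrincipalWriteAccess -TargetSam 'Administrator' -PrincipalSam 'foobar'
```

Inherited ACEs granted to built-in groups (e.g. Account Operators) show up here too, so compare the output against the default schema ACL before treating an entry as a finding.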
    
  • What is my current domain (AD Modules)

    Get-ADDomain
    
  • Get Domain Policy (PowerView)

    Get-DomainPolicy
    (Get-DomainPolicy)."System Access"
    (Get-DomainPolicy)."Kerberos Policy"  # Important for Golden Tickets / mimikatz
    
  • Get Domain Controllers (AD Modules)

    Get-ADDomainController
    Get-ADDomainController -Domain foo -Discover   # -Discover also works for parent / child domains
    
  • Enumerate Users. Watch for users whose password hasn't changed for a long time and that have no bad password attempts or a low logon count (typical for service or forgotten accounts)

    Get-ADUser -Filter { Enabled -eq $true } -Properties pwdlastset, badpwdcount, logoncount |
        select name,
        @{ name = 'pwdlastset' ; expression = { [datetime]::fromFileTime($_.pwdlastset) } },
        badpwdcount,
        logoncount
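
The same stale-account check turned into a filter with thresholds, as an added example that is not from the original post. It assumes the ActiveDirectory module is loaded; the function name and the default thresholds are my own choices, not values from the course or the post.

```powershell
# Added example, not part of the original cheat sheet.
# Flags enabled users whose password is older than $Days and who show little sign of use.
function Find-StaleEnabledUser {
    param(
        [int]    $Days = 365,       # password age threshold (assumed default)
        [int]    $MaxLogonCount = 5, # "low logon count" threshold (assumed default)
        [string] $Server            # optional DC or domain, passed through to Get-ADUser
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    $params = @{
        Filter     = { Enabled -eq $true }
        Properties = 'pwdLastSet', 'badPwdCount', 'logonCount', 'lastLogonDate', 'PasswordNeverExpires'
    }
    if ($Server) { $params['Server'] = $Server }

    Get-ADUser @params | ForEach-Object {
        # pwdLastSet is a FILETIME; 0 means "must change password at next logon"
        $pwdSet = if ($_.pwdLastSet) { [datetime]::FromFileTime($_.pwdLastSet) } else { $null }
        [pscustomobject]@{
            Name                 = $_.Name
            PwdLastSet           = $pwdSet
            PasswordNeverExpires = $_.PasswordNeverExpires
            BadPwdCount          = $_.badPwdCount   # per-DC counter, not replicated
            LogonCount           = $_.logonCount    # per-DC counter, not replicated
            LastLogonDate        = $_.lastLogonDate # replicated, roughly 14-day granularity
        }
    } | Where-Object {
        $_.PwdLastSet -and $_.PwdLastSet -lt $cutoff -and $_.LogonCount -le $MaxLogonCount
    } | Sort-Object PwdLastSet
}

# usage: a year-old password and at most 5 logons seen on the queried DC
Find-StaleEnabledUser -Days 365 -MaxLogonCount 5 | Format-Table -AutoSize
```

Because logonCount and badPwdCount are kept per domain controller, run the check against each DC (or against the PDC emulator for badPwdCount) before concluding an account is unused.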
    
  • Search for User with built in Description

    Get-ADUser -Filter { Description -like '*built*' } -Properties Description | Select Name, Description
    
  • Search machines on which the current user (foo) is a member of the local Administrators group (PowerView)

    Find-LocalAdminAccess
    

Local Privilege Escalation

  • PowerUp

    Invoke-AllChecks
    
--EOF